Proposal to Assist COMPANY
With the Development and Implementation of a
Global Enterprise Risk Management (ERM) Strategy
Activities critical to the completion of the Global ERM Strategy have been identified; this
document provides further explanation and details about the most important activities, including
deliverables.
Define the scope of the ERM Program
Scope definition will provide the project boundaries and discipline that are critical to the success
of any significant initiative. The organizational units involved, timeline and deliverables will be
determined at this early stage.
Deliverable: Project Charter
Current State Assessment
A comprehensive current state assessment provides the foundation for the rest of the
implementation. We will review existing background material, including business strategy and
key initiatives, previous risk assessments, available risk management program documentation,
etc. Previous incidents/events and their corresponding impact to the organization will also be
reviewed. Interviews with key stakeholders will help the project team better understand
stakeholder expectations of the global risk management profile project going forward, as well as
providing input around key risks and incidents, and the capability of the organization to manage
them. This process is not only critical for the development of various building blocks of the
Program – strategy, processes, risk appetite, roles & responsibilities, etc. – but is also key to
building buy-in and garnering necessary participation for the project to be successful in the long
term.
The following questions need to be answered during the current state assessment to help shape
the overall ERM approach:
• Top down (Executive-driven) vs. bottom up (sub-business unit and function)
• Degree of quantification
• Coordination and collaboration among risk related functions
• Impact of decision making at an operational and strategic level
Deliverable: High Level Current Assessment Report
Strategic Plan
An effective strategic planning process will go a long way in helping develop an ERM program
that is dynamic and productive over the long-term. The plan itself is not as important as the
planning process – including the sharing of ideas and the garnering of management and other
stakeholder support. This collaboration will help to embed the ERM process in the culture of the
organization very early on. In the end, the plan provides a vehicle to communicate your vision
for the risk program to staff, business partners, management, and other key stakeholders.
Deliverable: Program Strategic Plan
ERM Methodology and Terminology
The development and implementation of a common methodology for identifying, assessing,
managing and reporting on risk is essential to ensure consistent results and a manageable risk
profile. The DelCreo enterprise risk management framework (pictorial is included below)
provides a baseline for the definition and implementation of that approach. Furthermore, several
key elements of that framework have been identified as critical components of the ERM
Program.
[Figure: ERM Framework (DelCreo pictorial). The panels and labels recoverable from the extracted image are:]
Business Objectives / Value Drivers: Grow Revenue; Control Cost; Allocation of Capital
Risk Drivers – Risks: Strategic; Operational; Stakeholder; Financial; Intangible
Risk Functions: Internal Audit; Risk Mgmt; BCP; Regulatory Compliance; IT Security; Legal; EH&S
Organization: Enterprise Risk Committee; CRO or ERM Manager
Strategy / Capability: Functions; Process; Organization; Culture; Tools; Enterprise-Wide Integration
Culture labels: Risk Attributes; Knowledge Mgmt; Metrics; Training; Communication
Risk Management Process: Risk Strategy & Appetite (Appetite; Prioritize; Treatment Approach); Assess Risk; Treat Risk; Monitor & Report
Program Strategy: Develop; Deploy; Continuously Improve
Tools: RiskWeb; Early Warning System; Assessment and Quantification tools
Enterprise-wide Integration: Strategic Planning; Programs/PMO; Processes; Functions
Risk Attributes: Lifecycle; Individual; Portfolio; Qualitative; Quantitative
© 2004 DelCreo, Inc. All rights reserved.
U.S. Toll-free 866.DELCREO | International 001/801.756.4180
info@delcreo.com | www.delcreo.com
Risk Appetite
Risk appetite is a common risk management term. It is a framework an organization uses to
measure its appetite, or desire to accept or not accept a given level of risk. Risk appetite should
be defined in terms of various types of impacts, in order to allow a range of risk exposures to be
assessed and assigned a risk level. Each risk level should have a corresponding response,
commensurate to the existing risk exposure, which can be applied throughout the organization.
The following questions will assist in the definition of the risk appetite and the acceptable level
of risk:
• Where do we feel we should allocate our limited time and resources to minimize risk exposures? Why?
• What level of risk exposure requires immediate action? Why?
• What level of risk requires a formal response strategy to mitigate the potentially material impact? Why?
• What events have occurred in the past, and at what level were they managed? Why?
The Risk Appetite has three key elements:
1. Impact helps the user assess the potential consequences of a risk/event to the
organization. The development of the Impact table is a critical element of the Global
Risk Profile process.
2. Likelihood measures the probability that the risk/event will come to fruition and will
actually result in a loss.
3. Risk Appetite is a two-dimensional scorecard that drives mitigating action commensurate
with the exposure the organization faces.
Risk Appetite – Impact Table
[Table: the extracted figure lists the following value drivers, risk levels and key risk indicator thresholds.]
Value Drivers: Revenue; Brand/Rep; Regulatory Compliance; Employee Safety; Employees; Customer Satisfaction; Financial
Risk Levels: High / Med / Low
Key risk indicators and thresholds (High / Med / Low):
• Scope of incident – # of “small” merchants impacted: 1000+ / 500-999 / 50-499
• Scope of incident – # of “large” merchants impacted: 100+ / 10-100 / 2-10
• Scope of incident – % of transactions impacted: >5% / 2-5% / 1-2%
• WW product issue or business impact / Regional issue with high public exposure / Local issues with high public exposure
• Variance from targeted customer satisfaction metric: >6% / 2-4% / <2%
• Reporting Delay: >7 days / 3-7 days / 1-3 days
• Threat To Employee Satisfaction: WW employee impact / Regional employee issue, broad awareness / Local employee issue with broad awareness
• Employee Safety: Loss of life or other physical injury (High)
• Impact on the Brand/Rep – media: Global Media Coverage / National Media Coverage / Local Media Coverage
• Impact on the Brand/Rep – cost: >$5m / $1m to $5m / $100K to $1m
• Cost: >$10m / $2-10m / $200K to $2m
• Legislative/Regulatory: Criminal or civil liability for executives (i.e., Sarbanes-Oxley) / Potential noncompliance may result in criminal or civil liability for executives (i.e., Sarbanes-Oxley) / Process to bring organization into compliance has not been defined and/or followed
DelCreo’s rapid development process will culminate in the development of an initial Risk
Appetite in the form of a Risk Appetite Table. The process includes the following steps:
• Review available documentation of organization and functional strategies, risk management processes, risk assessments, incident/crisis management data, etc.
• Identify key stakeholders. Stakeholders can be any person, group or entity that can place a claim on the organization's attention, resources or output, or is affected by that output.
• Conduct a facilitated workshop to identify stakeholder value drivers (the interests, benefits and outputs that stakeholders demand) and key risk indicators (the specific measures of value), determining thresholds associated with varying levels of risk mitigation effort (e.g. greater than $100M impact requires escalation to CFO).
• Draft Impact, Likelihood, and Risk Appetite Tables.
• Review and validate with key stakeholders, revising as appropriate.
• Consider the need for training/awareness activities to ensure consistent application of the Risk Appetite by the organization.
• Embed the elements of the Risk Appetite in risk management processes (e.g. risk assessment) as well as incident/crisis management and some compliance activities.
The current state assessment process will provide significant input into the risk appetite development activities.
Risk Classification System
The development of a risk classification system is an essential enabler of an ERM Program. The
classification system creates a common nomenclature that facilitates discussions about risk
issues throughout the organization and the development of information systems that gather,
track, and analyze information about various risks. As the Program develops the ability to
correlate cause and effect, identify interdependencies, and track loss experience information
related to classes of risks, the ERM process will help focus limited resources on your most
critical risks.
An example of a risk classification system follows:
Types of Risk
We seek to apply one method to identify risks, prioritize them, and balance risk mitigation investment & resources across risk categories and across the business domains where feasible. Regulatory compliance cuts across all types of risk.
Strategic
• Macro Trends
• Competitor
• Economic
• Resource Allocation
• Program/Project
• Organization Structure
• Strategic Planning
• Governance
• Brand/Reputation
• Ethics
• Crisis
• Partnerships/JVs
Operational
• Business Interruption
• Privacy
• Processes
• Physical Assets
• Technology Infrastructure
• Legal
• Human Resources
• Environmental
• Hazard
Stakeholder
• Hosted organizations
• Customers
• Line employees
• Management
• Suppliers
• Government
• Partners
• Community
Financial
• Warranty cost
• Market
• Accounting
• Credit
• Cash Management
• Taxes
• Regulatory Compliance
• Insurance
• Transaction Fraud
Intangible
• Brand/Reputation
• Knowledge
• Intellectual Property
• Information Systems
• Databases
• Information for Decision Making
Risk Treatment Framework
For the organization’s most critical risks, we seek to apply a common methodology to balance
risk mitigation investment & resources across risk categories and across the business domains
where feasible. Many alternatives exist for treating (managing, mitigating, preventing) risk:
• Accept Risk: Continue normal operations unchanged, with the decision to accept the risk exposure faced.
• Reduce Risk: Reduce the exposure to existing risks through improvement in controls and other management processes.
• Transfer Risk: Transfer the risk exposure, perhaps from one business unit to another or from the organization to a third party (e.g. insurer, outsourcing).
• Avoid Risk: Eliminate risk through the dissolution of a key business unit or operating area.
• Acquire Risk: Management decides that the organization has a core competency managing this risk, and seeks to acquire additional risk exposures of this type in exchange for additional compensation.
• Share Risk: Share risk through partnerships, outsourcing agreements, or other risk sharing vehicles like insurance associations.
Risk Management Processes
Although risk management processes may be relatively easy to understand, formal
documentation and implementation of processes to be used across the organization is critical.
Effective risk management processes must be consistently applied across different risk areas, and
integrated into normal business operations as appropriate. Risk management processes we will
consider for formal development include, but are not limited to:
• Establishing risk policies, procedures, and standards
• Risk identification – documentation of the risk universe
• Risk assessment – prioritization of key risks
• Risk measurement – quantification of residual risk
• Risk treatment – evaluation of alternatives and implementation of optimal treatments
• Continuously monitor risk profile and existing risk treatments
• Continuously monitor risk management program capabilities
• Report on risks and effectiveness of risk management program and capabilities
Deliverables: ERM Methodology and Terminology
• Risk Appetite Table
• Risk and Treatment Classification System
• Risk Process Documentation
Definition of ERM Roles and Responsibilities
In a fully functioning ERM process, various risk management functions participate by
exchanging information and cooperating on risk mitigation activities. The project will identify
the existing processes by which risk information is exchanged among the functions and
businesses, and the effectiveness of that collaboration. DelCreo uses a client-tested methodology
to bring together those groups responsible for risk management activities – including Treasury,
Internal Audit, Insurance, Privacy, Physical Security, Information Security, Legal, Credit,
Business Continuity Planning, Crisis Management and others as appropriate – to determine the
people, processes and technology that will be enablers to reaching the goals of the ERM
Program.
Enterprise Risk Management Roles & Responsibilities
[Figure: the role groups and responsibilities shown in the extracted image are:]
BOD
• Approve risk appetite
• Review portfolio of risk and evaluate against risk appetite
• Understand and approve risk management capabilities
CEO
• Set risk appetite
• Provide risk decision direction to SVPs
CFO / CIO / COO
• Assign responsibility of specific risk mgmt policies, activities, etc. to business/risk personnel
• Communicate risk appetite
Internal Audit
• Evaluate, monitor, and report on the adequacy and effectiveness of the risk management process
• Monitor regulatory compliance
Enterprise Risk Management
• Cascade risk appetite, processes, etc.
• Establish and maintain effective risk management processes
• Aggregate and analyze risk portfolio
• Coordinate risk management resources
• Develop and deploy risk management technology
• Design and implement risk measurements
• Collect, aggregate, analyze and report risk measurements information
• Host risk council
Security, Risk, Control and Compliance Functions
• Manage risk areas
• Participate in risk council
• Risk measurement & tracking
The responsibilities of Program participants would typically include:
• Provide risk management program leadership, strategy, focus and direction.
• Set the organization’s risk appetite.
• Develop risk classification and measurement systems.
• Develop and implement escalation metrics and triggers (events v. incidents v. crises).
• Develop and monitor early warning systems, based on escalation metrics and triggers.
• Develop and deliver organization-wide risk management training.
• Coordinate risk management activities.
An effective ERM Program should have representation from executives and risk functions, as
well as business unit risk managers. Participants may include C-level executives, Treasury,
Legal, Information Security, Internal Audit and EH&S, as well as risk managers or other
business managers from the organization’s business units. Including a range of voices will
improve the quality of Program results and help to further embed risk awareness into strategic
business decisions and operations.
Deliverable: Defined roles and responsibilities of ERM Program participants
Perform Risk Assessment
A risk is defined as the uncertainty of an adverse event occurring and its impact on an
organization’s value and ability to achieve objectives. The primary objective of a risk
assessment is to identify and assess the pool of risk exposures at an organization so that future
efforts will be focused on managing the most significant risks. This process is driven by much of
the work completed earlier in this implementation plan (i.e. Risk Appetite, Risk and Treatment
Classification Frameworks).
A critical – and often overlooked – component of the risk assessment process is gaining
consensus about the effectiveness of existing risk treatments. The term “risk treatment” is often
synonymous with mitigation, prevention or control, but DelCreo uses the term treatment to
encompass more than those other terms do – each of which implies activities that aim to reduce
the organization’s risk exposure. An organization must also consider activities that increase or
optimize the risk profile, thus providing higher expected returns on investments.
Considerations when assessing the effectiveness of existing risk treatments include, but are not
limited to:
• Measurable results of the treatment activity (e.g. fewer accidents, decrease in trading losses, zero lawsuits)
• Cost and other resource considerations
• Applicability to multiple risks
• Sunk costs
• Lifecycle of the treatment (is the treatment bringing maximum value today, or is that still to come in the future?)
Stakeholders will be asked to participate in the following processes:
• Risk Identification – identify the universe of risks faced by the organization; consider those risks which participants have some reasonable degree of visibility into during the course of their job responsibilities.
• Risk Treatment Identification – for each risk identified, consider the risk treatments (or other management processes) in place to combat the likelihood and/or impact of the risk.
• Risk Treatment Assessment – evaluate the effectiveness of existing treatments in place; this will help the project team make an accurate assessment of the risk exposure and derive residual risk during the risk assessment process.
• Risk Assessment – capture data, using quantitative and qualitative analytical methods, around the likelihood and impact of risk exposures, as well as the treatments in place to mitigate risk.
• Risk Prioritization – gain consensus based on the previous four steps to create a prioritized view of risk exposures (which includes assignment of risks to owners and the development of related action plans); the Global Risk Profile is the primary output of the risk analysis.
We recommend that the initial risk assessment use a qualitative approach based on previous risk
assessments, a review of past incidents and crises, interviews with key stakeholders, detailed
testing as appropriate, and other observations made during the course of the implementation.
The Risk Appetite (described above) will provide the benchmark against which risk will be
evaluated and ultimately prioritized.
Deliverable: Global Risk Profile
Risk Mapping
[Figure: risk map plotting example exposures by frequency (low frequency to high frequency losses) against severity (low severity to high severity). Labels recoverable from the extracted image:]
• Plotted risks: Financial risks; Political risks; Workers Comp; Benefits; Patent infringement; Property values; Business Interruption; Product liability
• Insurability bands: Not insured/not insurable; Partially insurable/hedgeable; Insurable/hedgeable
• Cost-of-risk bands: ‘Expected’ cost of risk over several accounting periods; ‘Budgetable’ cost of risk over several accounting periods; ‘Unexpected’ cost of risk