Enterprise Risk Management (ERM) as an
essential tool for good corporate governance
Rahaju Pal
Director, Enterprise Risk Services
September 2010
Contents
• Corporate Governance – Key elements
• Evolution of Corporate Governance – India
• Why ERM
• ERM for Corporate Governance
• Deloitte’s nine principles for building a Risk Intelligent Enterprise
• ERM – Key Challenges
• Route to Risk Intelligent Governance
• Key takeaways
• About Deloitte
©2010 Deloitte Touche Tohmatsu India Private Limited
Corporate Governance – Key elements
Core Principles
• Shareholder rights
• Independence
• Accountability and disclosure
• Board roles and responsibilities
Intent
• Ensure integrity of accounting and financial reporting
• Include independent audit
• Ensure appropriate controls over
– Financials
– Monitoring risks
– Compliance with laws and regulations
OECD principles of Corporate Governance:
“The Board should fulfill certain key functions including: Ensuring the integrity of
the corporation’s accounting and financial reporting systems, including the
independent audit, and that appropriate systems of control are in place, in
particular, systems for risk management, financial and operational control, and
compliance with the law and relevant standards.”
Corporate Governance – Key elements
Factors driving state of governance
• Globalization
• Growth initiatives
• Accelerated decision-making
• More proactive Boards
• Increased competition
• Recent scandals
Key players involved
• CEO / CFO
• Board of Directors
• Audit Committees and other committees of Board
• Shareholders
• Regulators
Evolution of Corporate Governance – India
The Confederation of Indian Industry (CII), the Associated Chambers of Commerce and Industry
(ASSOCHAM) and the Securities and Exchange Board of India (SEBI) constituted the following
committees to recommend initiatives in Corporate Governance for Indian corporates.
Kumar Mangalam Birla Committee 1999
SEBI constituted the Kumar Mangalam Birla Committee in 1999, which made recommendations
for changes in Clause 49 of the listing agreement, primarily covering:
• Composition of the Board of Directors
• Audit Committee
• Directors’ Remuneration
• Disclosures
Naresh Chandra Committee 2002
Constituted by the Department of Company Affairs (DCA); it covered essentially the
Auditor–Company relationship and the concept of CEO/CFO certification, in line with the
Sarbanes-Oxley Act in the United States.
Narayan Murthy Committee 2003
Constituted by SEBI to examine the quality and uniformity of disclosures made under Clause 49;
it made recommendations for improvements, drawing upon existing best practices and the
recommendations made by the earlier committees.
Clause 49 of the Listing Agreement with Stock Exchanges governs the corporate governance
requirements for the Indian corporate sector.
Why ERM
[Diagram: Meet legal requirements – letter of the law and spirit of the law.]
• High-profile corporate scandals in the USA (Enron, WorldCom etc.) followed by
encouragement from the SEC and NYSE to adopt Risk Management activities.
• In India, Clause 49 of the listing agreement stipulates Risk Management as a
mandatory compliance requirement.
• Financial analysts and rating agencies are increasingly interested in a company’s
ERM capability.
– Moody’s and Standard & Poor’s have ERM listed as one of their evaluation criteria
– Even Indian rating agencies (CRISIL, ICRA, CARE) consider the quality of Corporate
Governance and Risk Management while assigning their ratings to companies
Why ERM (contd.)
• When a corporate catastrophe occurs, questions quickly arise as to whether the board
was complacent in its oversight responsibilities. Perceived complacency can be costly:
in the case of Satyam, the role of the independent directors was questioned.
• S&P announced on Month X, 2008 that an analysis of ERM capability will be a factor
in determining a company’s overall credit rating. Evaluations will be conducted as an
integral part of their normal credit review process. Discussions with company managers
will focus on the following major areas of ERM capability:
– Risk-management culture and governance
– Risk controls
– Emerging risk preparation
– Strategic risk management
• Maintaining and improving credit ratings will help reduce the cost of capital and support
greater flexibility in managing debt.
• Board directors are already demanding increased risk information; this issue will drive
even higher expectations.
• Shareholders and other stakeholders expect management to take more effective steps
to minimize the frequency and severity of losses and missed earnings projections.
• Now more than ever, directors are expected to exercise due diligence and care.
Directors are understandably concerned about personal liability and reputation at risk.
But without the better risk intelligence that comes from an effective enterprise risk
management (ERM) approach, it will be difficult for the board to meet stakeholder
expectations.
ERM for Corporate Governance
• Top-down involvement (board and executive management)
• Common infrastructure to identify, assess and respond to risks
• Discipline around making risk-informed decisions
• Risk management required as a competency across all levels
Deloitte’s nine fundamental principles assist organisations to become Risk Intelligent.
Deloitte’s nine principles for building a Risk Intelligent Enterprise
Risk Governance
Common Definition of Risk
A common definition of risk, which addresses both value preservation and value creation, is
used consistently throughout the organization.
Common Risk Framework
A common risk framework supported by appropriate standards is used throughout the
organization to manage risks.
Roles & Responsibilities
Key roles, responsibilities, and authority relating to risk management are clearly defined and
delineated within the organization.
Transparency for Governing Bodies
Governing bodies (e.g., Boards, Audit Committees, etc.) have appropriate transparency and
visibility into the organization’s risk management practices to discharge their responsibilities.
Risk Infrastructure & Management
Common Risk Infrastructure
A common risk management infrastructure is used to support the business units and
functions in the performance of their risk responsibilities.
Executive Management Responsibility
Executive management is charged with designing, implementing and maintaining an effective
risk program.
Objective Assurance and Monitoring
Other functions (e.g., internal audit, risk management, compliance, etc.) provide objective
assurance as well as monitor and report on the effectiveness of an organization’s risk program
to governing bodies and executive management.
Risk Ownership
Business Unit Responsibility
Business units are responsible for the performance of their business and the management of
risks they take within the risk framework established by executive management.
Support of Pervasive Functions
Certain functions have a pervasive impact on the business and not only provide support to the
business units as it relates to the organization’s risk program, but also enhance and enable
success when strategically aligned and considered as essential elements of the program.
ERM – Key Challenges
Factors driving state of ERM
• Risk is becoming personal for Board Members and Executives
• Risk is managed in silos
• Risk Management is focused on ‘Unrewarded Risk’ rather than ‘Rewarded Risk’
[Diagram: Value axis from + to −. Creating shareholder value (+): new product development,
increased revenue, increased market share. Preserving shareholder value (−): penalties and
fines, fraud, lawsuits.]
ERM – Key Challenges (contd.)
Key questions for Board to ask
• What is the company’s policy and process for managing risks on an integrated,
enterprise-wide basis?
• What are the company’s key risks and vulnerabilities, and what are the plans to
address them?
• Who has the authority to take risk on behalf of the company?
Some of the common ERM challenges are:
Strategy
• Unclear risk strategy and philosophy
• Lack of actionable details and support from top management towards implementation of
the risk strategy
• Lack of transparency and understanding of risk issues at Board and Executive levels
Execution
• Lack of consistent practices and critical success factors across the organization
• Ineffective change management and communication to manage organizational resistance
to new ERM practices
• Unclear definition of the roles and responsibilities of the risk-related functions and
risk owners
Behavior
• Risk-related activities positioned as redundant except those required for compliance
• Business units treating risk management as interference by management in their
functioning
• Decision-making driven by earnings rather than risk-adjusted results
Journey that most companies make on the road to Risk Intelligence
Deloitte’s Risk Intelligence maturity model
[Diagram: Stages of Risk Management Capability Maturity (horizontal axis) plotted against
Stakeholder Value (vertical axis): Unaware, Fragmented, Top Down, Systematic, Risk Intelligent.]
Typical symptoms of each stage
Unaware
• Ad hoc/chaotic
• Depends primarily on individual heroics, capabilities, and verbal wisdom
Fragmented
• Independent risk management activities
• Limited focus on the linkage between risks
• Limited alignment of risk to strategies
• Disparate monitoring & reporting functions
Top Down
• Common framework, program statement, policy
• Routine risk assessments
• Communication of top strategic risks to the Board
• Executive/Steering Committee
• Knowledge sharing across risk functions
• Awareness activities
• Formal risk consulting
• Dedicated team
Systematic
• Coordinated risk management activities across silos
• Risk appetite is fully defined
• Enterprise-wide risk monitoring, measuring, and reporting
• Technology implementation
• Contingency plans and escalation procedures
• Risk management training
Risk Intelligent
• Risk discussion is embedded in strategic planning, capital allocation, product development, etc.
• Early warning risk indicators used
• Linkage to performance measures and incentives
• Risk modeling/scenarios
• Industry benchmarking used regularly
Actions for Risk Intelligent Governance
• Define the board’s risk oversight role
– Define the board’s risk governance roles and responsibilities
– Consider board composition
– Establish an enterprise-wide risk management framework
– Perform site visits
• Foster a Risk Intelligent culture
– Lead by example in communicating about risk
– Build cohesive teams with management
– Reward Risk Intelligent behavior
– Consider a third-party assessment
• Help management incorporate Risk Intelligence into strategy
– Design processes for integrating risk management into strategic planning
– Monitor strategic alignment
– Establish accountability
Actions for Risk Intelligent Governance (contd.)
• Help define the risk appetite
– Distinguish between risk appetite and risk tolerance
– Serve as a sounding board
• Execute the Risk Intelligent governance process
– Work with management on process design
– Monitor the overall risk management process
– Conduct formal risk management program assessments
– Clarify accountability at the board and management levels
• Benchmark and evaluate the governance process
– Use internal monitoring and feedback
– Participate in continuing education and updates
– Solicit independent viewpoints
– Include risk as a topic in the annual board self-assessment
The program and organization structure for a Risk Intelligent Enterprise
[Diagram. Governance layer: Board of Directors; Executive Risk Oversight; Executive Risk
Committee; Internal Audit; Risk Governance. Common Risk Infrastructure: People, Process,
Technology. Risk Ownership: BU A, BU B, BU C, BU D. Functions: Strategy & Planning;
Operations / Infrastructure; Compliance; Reporting. Risk process steps: Identify Risks; Assess &
Evaluate Risks; Respond to Risks; Design & Test Controls; Monitor, Assure, Escalate.
Surrounding activities: Develop and Deploy Strategies; Sustain and Continuously Improve.]
Our customised approach for ERM
Scoping and planning
Objectives: The objectives of this phase are:
• Project set-up and governance
• Assess the current state of risk management
• Assess the maturity of risk management activities within the organisation
Approach: Risk Diagnostic Tool
Key deliverables:
• Project scope and governance documentation
• Risk Management architecture and framework elements
Designing the ERM program
Objectives: The objective of this phase is to design an ERM Program that will enable the
organization to achieve its strategic objectives and comply with risk management guidelines.
Approach: Risk Intelligence Framework; Risk Maturity Development Framework
Key deliverables:
• Governance Structure
• ERM policy document
• Guidelines on Risk Appetite Framework
• Risk reporting design
• Risk assessment at a business process level
Risk Prioritisation Workshops
Objectives: The objective of the workshop module is to sensitize senior management to the
significance of active risk management and their role in the program.
Approach: Assess workshop needs; develop workshop plan and material; conduct risk workshops
across management levels
Key deliverables:
• Risk registers across key business processes of the Company
• Risk Workshops (2)
• Identification of the top 20 risks of the organisation
• Root cause analysis and risk profiling for the top 20 risks identified
• Risk prioritisation and reporting
Ongoing: Manage risks on an ongoing basis
Relevant tools from Deloitte
• The Risk Intelligence Diagnostic Tool
• The Risk Intelligence Map [figure; the legible label reads “Risk Infrastructure & Oversight”]
• Risk Intelligence Whitepaper Series
Key takeaways
Risk Intelligent governance stands among the most valuable contributions a board can make to
its organization. As seasoned business leaders, a board’s combined breadth of perspective,
depth of experience, and knowledge of the enterprise can lend support to the organization’s
risk management efforts that is not only invaluable, but also unavailable elsewhere.
The competitive benefits of Risk Intelligent Governance include:
• A means to improve strategic flexibility for both upside and downside scenarios
• Employing risk management for competitive advantage
• Assisting in shaping the organization’s response to regulatory issues
• Driving long-term growth while preserving assets
• A common risk management infrastructure with sufficient autonomy for individual
business units/functions to exploit their specialized knowledge and expertise
• The ability to provide a “comfort level” to the Board and other stakeholders that the full
range of risks is understood and managed
In the present business scenario, where being and staying profitable is a paramount objective,
a Risk Intelligent Enterprise™ can look forward to a bottom-line impact.
Deloitte’s leadership position in risk consulting
The Kennedy Vanguard for Risk Consulting Practices, 2009
“Deloitte’s approach to risk consulting engagements focuses on risk management’s crucial role
in creating and protecting business value. An important thought leader in the space, Deloitte
also leads the market with a full range of services from risk strategy and process design down
to technology development and implementation. Deloitte stood out with this holistic approach
as well as its emphasis on a “risk intelligence” framework for driving enterprise-wide
communication and action.”*
* “The Forrester Wave™: Risk Consulting Services, Q1 2009”, Michael Rasmussen and Chris
McClean
A unique multi-disciplinary practice of professionals
• Deloitte’s operations in India constitute a large and important part of the global firm.
Our success can be attributed to the following:
• Multi-disciplinary services – Our traditional and non-traditional service offerings are the
most comprehensive in the industry and allow us to help our clients grow while managing
risks. We service our clients out of 13 offices across India.
• Global resource pool – Our practice is structured to ensure the best talent reaches the
customer. Teams are rigorously trained in applying proprietary Deloitte methodologies and
have access to Deloitte’s global knowledge databases and research.
• Industry experience – We draw upon industry leaders to augment our knowledge, stay on
top of developing trends and build experienced teams, with key team members having been
involved in corporate and business unit strategy development across a range of industries
and geographies.
We have worked with the largest Banks, Insurance and Asset Management companies on
Strategy, Operations, Technology, and Risk Management projects.
Shaping the industry through world-class thought leadership
• Deloitte Research is a cross-industry group, which is known in the marketplace for
bringing new perspective to real-world concerns. Deloitte Research is comprised of
leading thinkers on strategic, economic, regulatory, technology, and industry issues.
• GFSI develops industry- and sector-specific research on hot topics and business issues.
• The Deloitte Strategy, Research and Innovation Group (SR&I) is a centralized research
and development organization built on the firm’s deep understanding of business and
industry trends, in-depth capabilities in client and market analysis and competitive
strategies, and the insightful work of our research professionals, which includes
issue-specific expertise and innovative ideas related to our clients’ unique business
challenges. Our SR&I organization enables Deloitte to better understand the issues that
are important to clients and how our resources can be brought to solve their business
challenges. SR&I has long had a Center of Excellence in India to support escalating
client demand for research services. This unique operation enables the SR&I organization
to literally work around the clock, giving our clients access to best-in-class industry
research and analysis.
Representative industry association relationships
• CFA Institute (formerly AIMR)
• Investment Company Institute (ICI)
• National Investment Company Service Association (NICSA)
• Managed Funds Association
• Money Management Institute
• Global Alternative Investment Management (GAIM)
• American Chamber of Commerce in Japan (ACCJ), Investment Management Subcommittee
• Japanese Institute of Certified Public Accountants (JICPA), Investment Trusts Subcommittee
• Securities Analysts Association of Japan (SAAJ), IPS Verification Committee
• Korea Accounting Standards Board (KASB), Working Group on Uniform Accounting Standard
for Asset Management
• Guernsey International Fund Association (GIFA)
• Jersey Fund Managers Association (JFMA)
• Dublin Funds Industry Association (DFIA)
• Alternative Investment Management Association (AIMA)
• Association Luxembourgeoise des Fonds d’Investissement (ALFI)
• ALFI hedge fund working group
• Auditors’ Institute Committee on Banking and Asset Management
• AIMA and the Investment Management Association
In this material Deloitte refers to Deloitte Touche Tohmatsu India Private Limited (DTTIPL), a Company established under the Indian Companies
Act, 1956, as amended.
DTTIPL is a member firm of Deloitte Touche Tohmatsu, a Swiss Verein, whose member firms are legally separate and independent entities. Please
see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms.
This material is intended to provide general information on a particular subject or subjects and is not an exhaustive treatment of such
subject(s). Further, the views and opinions expressed herein are the subjective views and opinions of DTTIPL based on such parameters and
analyses which in its opinion are relevant to the subject.
Accordingly, the information in this material is not intended to constitute accounting, tax, legal, investment, consulting, or other professional advice
or services. The information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before
making any decision or taking any action that might affect your personal finances or business, you should consult a qualified professional adviser.
None of Deloitte Touche Tohmatsu, its member firms, or its and their respective affiliates shall be responsible for any loss whatsoever sustained by
any person who relies on this material.
© 2010 Deloitte Touche Tohmatsu India Private Limited