Risk Intelligence: The New Business Imperative
Kathie Schwerdtfeger, Partner, Deloitte & Touche LLP
Texas Association of College & University Auditors
April 5-7, 2011

Agenda
• Why is Risk Intelligence the New Business Imperative?
• What is Risk?
• Linking Risk to Stakeholder Value
• Assessing & Responding to Risk
• Defining the Risk Intelligent Enterprise™
• Building the Risk Intelligent Enterprise™
• Success Factors
• Questions

Copyright © 2010 Deloitte Development LLC. All rights reserved.

Why is Risk Intelligence the New Business Imperative?
• Public sector entities are constantly being exposed to new risks
• The current economy forces budget reductions and a need for efficiency
• Government entities should take educated risks and use them to their advantage
• Manage risk and exceed your entity’s stakeholders’ expectations

What is Risk?
• Risk is the potential for loss caused by an event, or series of events, that can adversely affect the achievement of an entity’s objectives
• Two areas of risk
  – Un-rewarded
  – Rewarded
• Four major types of risk
  – Strategic
  – Operational
  – Financial
  – Reputation

Two Areas of Risk
• Un-rewarded risk
  – No premium for the entity if managed well
  – Examples:
    • Financial misstatements
    • Compliance with mandatory laws and regulations
• Rewarded risk
  – A premium will result if managed well
  – Examples:
    • New stakeholders
    • New programs
    • New technologies
    • New business models

Four Major Types of Risk
• Strategic risk – Risks external to the organization, such as the economic climate (e.g. budget deficits, joblessness, an aging population)
• Operational risk – Risks related to the procedures and technologies the entity uses to achieve its objectives
• Financial risk – Risks relating to the entity’s financial systems of record, which should ensure the entity is not exposed to avoidable financial risks
• Reputation risk – Risks involving the public reputation of the entity

Linking Risk to Stakeholder Value
• Shareholders vs. stakeholders
  – Corporations are in business to create value by earning a return on investment for shareholders
  – Government entities are in business to create value by earning a return on investment for stakeholders
• Value for a government entity’s stakeholders is:
  – Created by taking educated risks
  – Lost by failing to manage risks
• There is a range of optimal risk taking which supports optimal return – the “Sweet Spot”

The Risk Taking “Sweet Spot”
[Figure: return (stakeholder value) on the vertical axis plotted against risk on the horizontal axis. Three regions are labelled from left to right: insufficient risk taking, optimal risk taking (the “sweet spot”), and excessive risk taking.]

Assessing & Responding to Risk
• Many entities use the “likelihood and impact” approach to assessing risk
  – What if there is no prior history of the event?
  – How can you measure the likelihood if no statistical support exists?

Risk rating by impact and likelihood. The slide labels only the ends of each axis (Low and High); the five bands are numbered here from 1 (Low) to 5 (High). Rows are impact on the entity, columns are likelihood of occurrence:

  Impact \ Likelihood   1 (Low)   2         3         4         5 (High)
  5 (High)              Medium    Medium    High      Critical  Critical
  4                     Low       Medium    Medium    High      Critical
  3                     Low       Low       Medium    Medium    High
  2                     Low       Low       Low       Medium    Medium
  1 (Low)               Low       Low       Low       Low       Medium

Assessing & Responding to Risk
• Government entity executives should consider:
  – How well prepared the entity is to manage both high-impact, low-likelihood risks and the cumulative impact of multiple risks occurring together
  – Assurance should be gained that these scenarios are appropriately managed

[Figure: risk impact on value (inherent risk), Low to High on the vertical axis, plotted against vulnerability (residual risk), Low to High on the horizontal axis. The four quadrants are labelled: Assurance of Preparedness; Enhance Risk Mitigation (Prevent, Detect, Correct, Escalate); Redeploy Resources; Measure for Cumulative Impact.]

Defining the Risk Intelligent Enterprise™

Characteristics of a Risk Intelligent Enterprise™
• The entity:
  – Understands and manages the full spectrum of risks
  – Understands the difference between rewarded and un-rewarded risk
  – Understands the interaction of different risks
  – Understands that likelihood is not the most appropriate measure for certain types of risks
  – Establishes a clear linkage to stakeholder value
  – Has risk management embedded as a day-to-day activity

A Framework for Risk Intelligence
[Figure: a cycle of seven activities around the central goal “Risk intelligence to create & preserve value”: Develop & deploy strategies → Identify risks → Assess & measure risks → Respond to risks → Design & test controls → Monitor, assure & escalate → Sustain & continuously improve. The cycle is supported by governance, people, process and technology, and is subject to external factors.]

The Risk Intelligence Capability Model
• How capable is your entity today? How capable does it need to be?
• Every entity is at a different stage of development
[Figure: five maturity stages plotted on a scale running from un-rewarded risk to rewarded risk: 1: Tribal & Heroic; 2: Specialist Silos; 3: Top-down; 4: Systematic; 5: Risk Intelligent.]

The Risk Intelligence Capability Model – Stage 1: Tribal & Heroic
• Ad-hoc/chaotic
• Depends primarily on individual heroics, capabilities and verbal wisdom
The Risk Intelligence Capability Model – Stage 2: Specialist Silos
• Reaction to adverse events by specialists
• Discrete roles established for a small set of risks
• Typically finance, insurance, compliance

The Risk Intelligence Capability Model – Stage 3: Top-down
• Tone set at the top
• Policies, procedures, risk authorities defined and communicated
• Business function
• Primarily qualitative
• Reactive

The Risk Intelligence Capability Model – Stage 4: Systematic
• Integrated response to adverse events
• Performance-linked metrics
• Rapid escalation
• Cultural transformation underway
• Bottom-up
• Proactive
The Risk Intelligence Capability Model – Stage 5: Risk Intelligent
• Built into decision-making
• Conformance with enterprise risk management processes is incentivized
• Intelligent risk-taking
• Sustainable
• “Risk management is everyone’s job”

What are the Inhibitors?
• Heavy focus on managing only un-rewarded risks
• Too many risks identified; the link to stakeholder value has not been clearly established
• Differences in risk terminology, measurement, and reporting
• Risk identification and assessment is a sporadic once-a-year activity for certain functions, not an everyday one

Utilizing Technology to Manage Risk
• Develop & deploy strategies
• Identify risks
• Assess & measure risks
• Respond to risks
• Design & test controls
• Monitor, assure & escalate
• Sustain & continuously improve

Building the Risk Intelligent Enterprise™

Nine Principles for Building the Risk Intelligent Enterprise™
1. Common Definition of Risk
2. Common Risk Framework
3. Key Roles Clearly Defined
4. Common Risk Management Infrastructure
5. Transparency & Visibility
6. Executive Management’s Responsibility
7. Business Units’ Responsibility
8. Support Functions
9. Objective Assurance Functions

Building the Risk Intelligent Enterprise™ – Principle # 1
• A common definition of risk, which addresses both value preservation and value creation, is used consistently throughout the entity
  – Discuss the positives rather than the negatives
  – If confusion exists within the entity, you will not reap the potential rewards of risk management
  – Approach implementation as a change management project: a new culture supported by people, processes, and technology

Building the Risk Intelligent Enterprise™ – Principle # 2
• A common risk framework supported by appropriate standards is used throughout the entity to manage risks
  – Provides a structure that helps the entity decide which opportunities to pursue and which hazards to avoid
  – The framework must be sturdy enough to support the entity’s risk management objectives, unique strategies, and organizational structure
  – Must be adaptable to regulatory standards

Building the Risk Intelligent Enterprise™ – Principle # 3
• Key roles, responsibilities, and authority relating to risk management are clearly defined and delineated within the entity
  – Risk management is like a finely tuned symphony orchestra; multiple roles are played simultaneously in often complex arrangements
  – Everyone may consider risk management someone else’s job
  – You must give clear messaging at the individual level to convey what Risk Intelligence means, why it is important, and what your people need to do on a daily basis
Building the Risk Intelligent Enterprise™ – Principle # 4
• A common risk management infrastructure is used to support the business units and functions in the performance of their risk responsibilities
  – Risk does not exist in isolation, so neither can risk managers
  – Organizational silos must be bridged
  – Business units and functions must use the same supporting technologies and processes where possible and practicable
  – This principle involves:
    • Synchronizing
    • Harmonizing
    • Rationalizing

Building the Risk Intelligent Enterprise™ – Principle # 5
• Governing bodies have appropriate transparency and visibility into the organization’s risk management practices to discharge their responsibilities
  – To fulfill their responsibilities and to provide value, board members should:
    • Put risk on the agenda every time
    • Inventory the current risk structure to see if the silos are bridged
    • Engage in periodic risk dialogue to help identify potential new risks
    • Understand the entity’s risk appetite and diet
    • Ask for independent reassurance

Building the Risk Intelligent Enterprise™ – Principle # 6
• Executive management is charged with primary responsibility for designing, implementing, and maintaining an effective risk program
  – If you treat risk management as a part-time job, you might soon find yourself looking for one
  – Form an executive-level risk committee
  – Chief Risk Officer (CRO)
    • Helps develop policy and common approaches across business units
    • Communicates and monitors the organization’s risk appetite
    • Reports risk information to the management and board-level oversight functions
Building the Risk Intelligent Enterprise™ – Principle # 7
• Business units are responsible for the performance of the risks they take within the risk framework established by executive management
  – “If you own the business unit, you own the risk”
  – Risk owners have the responsibility to:
    • Identify, measure, monitor, control, and report on risks to executive management
    • Promote risk awareness
    • Reprioritize business unit activities

Building the Risk Intelligent Enterprise™ – Principle # 8
• Certain functions have a pervasive impact on the business and provide support to the business units as it relates to the organization’s risk program
  – These functions do not just own risk, they also help support it:
    • Information Technology
    • Human Resources
    • Finance
    • Legal
  – Develop and enforce company-wide policies, procedures, and controls
  – Support each business unit and help them understand their requirements for intelligent risk taking
  – Collect key information for management and perform risk mitigation analyses

Building the Risk Intelligent Enterprise™ – Principle # 9
• Certain functions provide objective assurance as well as monitor and report on the effectiveness of an organization’s risk program to governing bodies and executive management
  – These functions provide reassurance that the internal control and risk structure operates effectively:
    • Internal Audit
    • Risk Management Committee
    • Compliance Committee
  – Not responsible for directing the business
  – Monitor and enhance the effectiveness of the organization’s risk management activities

Nine Principles for Building the Risk Intelligent Enterprise™
In a Risk Intelligent Enterprise…
1. …a common definition of risk, which addresses both value preservation and value creation, is used consistently throughout the organization.
2. …a common risk framework supported by appropriate standards is used throughout the organization to manage risks.
3. …key roles, responsibilities, and authority relating to risk management are clearly defined and delineated within the organization.
4. …a common risk management infrastructure is used to support the business units and functions in the performance of their risk responsibilities.
5. …governing bodies (e.g., boards, audit committees, etc.) have appropriate transparency and visibility into the organization’s risk management practices to discharge their responsibilities.
6. …executive management is charged with primary responsibility for designing, implementing, and maintaining an effective risk program.
7. …business units (departments, agencies, etc.) are responsible for the performance of the risks they take within the risk framework established by executive management.
8. …certain functions (e.g., finance, legal, IT, HR, etc.) have a pervasive impact on the business and provide support to the business units as it relates to the organization’s risk program.
9. …certain functions (e.g., internal audit, risk management, compliance, etc.) provide objective assurance as well as monitor and report on the effectiveness of an organization’s risk program to governing bodies and executive management.
Success Factors
• Focus on creating stakeholder value, not on creating risk management processes
• Emphasize integration of risk intelligence into core business and decision-making processes
• Believe that risk management is a fundamental component of business performance management
• View the implementation of Risk Intelligence as a change management project and have a clear roadmap
• There is no need to go through the process alone; reach out to other organizations for help

Questions?

Contact Information
Kathie Schwerdtfeger
Partner, Deloitte & Touche LLP
400 West 15th Street, Suite 1700
Austin, Texas 78701
Tel: +1 512 691 2333
kschwerdtfeger@deloitte.com
www.deloitte.com

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
Member of Deloitte Touche Tohmatsu Limited