Risk Intelligence: The New Business Imperative
Kathie Schwerdtfeger
Partner, Deloitte & Touche LLP
Texas Association of College & University Auditors
April 5-7, 2011
Agenda
• Why is Risk Intelligence the New Business Imperative?
• What is Risk?
• Linking Risk to Stakeholder Value
• Assessing & Responding to Risk
• Defining the Risk Intelligent Enterprise™
• Building the Risk Intelligent Enterprise™
• Success Factors
• Questions
Copyright © 2010 Deloitte Development LLC. All rights reserved.
Why is Risk Intelligence the New Business Imperative?
• Public sector entities are constantly being exposed to new risks
• Current economy forces budget reductions & a need for efficiency
• Government entities should take advantage of educated risks
• Manage risk and exceed your entity’s stakeholders’ expectations
What is Risk?
• Risk is the potential for loss caused by an event, or series of events, that
can adversely affect the achievement of an entity’s objectives
• Two Areas of Risk
– Un-rewarded
– Rewarded
• Four Major Types of Risk
– Strategic
– Operational
– Financial
– Reputation
Two Areas of Risk
• Un-rewarded Risk
– No premium for entity if managed well
– Examples:
• Financial misstatements
• Compliance with mandatory laws and regulations
• Rewarded Risk
– Premium will result if managed well
– Examples:
• New Stakeholders
• New programs
• New technologies
• New business models
Four Major Types of Risk
Strategic Risk
• Risks external to the organization, such as the economic climate (e.g. budget deficits, joblessness, an aging population)
Operational Risk
• Risks related to the entity’s procedures and technologies used to
achieve objectives
Financial Risk
• Risks relating to the entity’s financial systems of record, which should ensure the entity is not exposed to avoidable financial losses
Reputation Risk
• Risks involving the public reputation of the entity
Linking Risk to Stakeholder Value
• Shareholders vs. Stakeholders
  – Corporations are in business to create value by earning a return on investment for shareholders
  – Government entities are in business to create value by earning a return on investment for stakeholders
• Value for a government entity’s stakeholders is:
  – Created by taking educated risks
  – Lost by failing to manage risks
• There is a range of optimal risk taking which supports optimal return: the “Sweet Spot”
The Risk Taking “Sweet Spot”
[Figure: Return (stakeholder value) plotted against Risk, with three regions along the risk axis: insufficient risk taking, optimal risk taking (the “sweet spot”), and excessive risk taking.]
Assessing & Responding to Risk
• Many entities use the “likelihood and impact” approach to assessing risk
  – What if there is no prior history of the event?
  – How can you measure the likelihood if no statistical support exists?
Likelihood and impact matrix (rows: impact on entity, high to low; columns: likelihood of occurrence, low to high):

Impact on entity | Likelihood: Low  |  .       |  .       |  .       |  High
High             | Medium           | Medium   | High     | Critical | Critical
.                | Low              | Medium   | Medium   | High     | Critical
.                | Low              | Low      | Medium   | Medium   | High
.                | Low              | Low      | Low      | Medium   | Medium
Low              | Low              | Low      | Low      | Low      | Medium
Assessing & Responding to Risk
• Government entity executives should consider:
  – How vulnerable is the entity to high-impact, low-likelihood risks, and to multiple risks occurring together?
  – Assurance should be gained that these scenarios are appropriately managed
[Figure: response matrix with risk impact on value (inherent risk, low to high) on the vertical axis and vulnerability (residual risk, low to high) on the horizontal axis. High impact, low vulnerability: Assurance of Preparedness. High impact, high vulnerability: Enhance Risk Mitigation (Prevent, Detect, Correct, Escalate). Low impact, low vulnerability: Redeploy Resources. Low impact, high vulnerability: Measure for Cumulative Impact.]
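The two slides above raise two weaknesses of a plain likelihood-and-impact matrix: a high-impact, low-likelihood event scores only “Medium”, and several small risks that share one cause each score “Low” even though they would land together. The following is an added worked example, not material from the deck or from Deloitte: it transcribes the 5×5 matrix shown above, flags high-impact/low-likelihood items for assurance of preparedness, and re-rates risks per shared driver to measure cumulative impact. The score thresholds, the aggregation rule (impacts add, capped at 5; likelihood is the group’s highest) and the sample campus risk register are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# 5x5 matrix transcribed from the slide. Rows are impact 5 (high) .. 1 (low);
# columns are likelihood 1 (low) .. 5 (high).
MATRIX = {
    5: ("Medium", "Medium", "High", "Critical", "Critical"),
    4: ("Low", "Medium", "Medium", "High", "Critical"),
    3: ("Low", "Low", "Medium", "Medium", "High"),
    2: ("Low", "Low", "Low", "Medium", "Medium"),
    1: ("Low", "Low", "Low", "Low", "Medium"),
}


def rate(likelihood: int, impact: int) -> str:
    """Look up the slide's rating for 1..5 likelihood and impact scores."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers 1..5")
    return MATRIX[impact][likelihood - 1]


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    driver: str      # assumed: the common cause that would make risks co-occur


def needs_preparedness_assurance(risk: Risk) -> bool:
    """High-impact, low-likelihood risks that the matrix alone under-rates.
    The thresholds (impact >= 4, likelihood <= 2) are an assumption."""
    return risk.impact >= 4 and risk.likelihood <= 2


def cumulative_ratings(risks: List[Risk]) -> Dict[str, str]:
    """Rate each driver as if every risk it drives occurs together.
    Assumed aggregation: impact scores add (capped at 5) because the losses
    land at the same time; the driver's likelihood is approximated by the
    highest likelihood in its group."""
    groups: Dict[str, List[Risk]] = defaultdict(list)
    for r in risks:
        groups[r.driver].append(r)
    result: Dict[str, str] = {}
    for driver, group in groups.items():
        impact = min(5, sum(r.impact for r in group))
        likelihood = max(r.likelihood for r in group)
        result[driver] = rate(likelihood, impact)
    return result


def assess(risks: List[Risk]) -> dict:
    """Individual ratings, preparedness flags and per-driver cumulative ratings."""
    return {
        "individual": {r.name: rate(r.likelihood, r.impact) for r in risks},
        "assurance_of_preparedness": [
            r.name for r in risks if needs_preparedness_assurance(r)
        ],
        "cumulative": cumulative_ratings(risks),
    }


# Constructed sample register for a campus; not real data.
SAMPLE_RISKS = [
    Risk("Payroll run fails", 3, 2, "campus data center outage"),
    Risk("Student portal unavailable at registration", 3, 2, "campus data center outage"),
    Risk("Grant reporting deadline missed", 3, 1, "campus data center outage"),
    Risk("Endowment loses value in a market shock", 2, 5, "market downturn"),
    Risk("Vendor invoice disputed", 4, 1, "procurement"),
]

if __name__ == "__main__":
    report = assess(SAMPLE_RISKS)
    for name, rating in report["individual"].items():
        print(f"{rating:8s} {name}")
    print("Assurance of preparedness:", report["assurance_of_preparedness"])
    print("Cumulative by driver:", report["cumulative"])
```

Run stand-alone, the three data-center risks each rate “Low” on their own but “High” as a group, and the endowment risk keeps its “Medium” matrix rating while being flagged for assurance of preparedness; the per-driver view is what “Measure for Cumulative Impact” asks for in the low-impact, high-vulnerability quadrant.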
Defining the Risk Intelligent Enterprise™
Characteristics of a Risk Intelligent Enterprise™
• The Entity:
– Understands and manages the full spectrum of risks
– Understands the difference between rewarded and un-rewarded risk
– Understands the interaction of different risks
– Understands that likelihood is not the most appropriate measure for certain types of risks
– Establishes a clear linkage to stakeholder value
– Has risk management embedded as a day-to-day activity
A Framework for Risk Intelligence
[Figure: the Risk Intelligence framework wheel. Center: “Risk intelligence to create & preserve value”. Governance surrounds a cycle of seven activities: Develop & deploy strategies; Identify risks; Assess & measure risks; Respond to risks; Design & test controls; Monitor, assure & escalate; Sustain & continuously improve. Enablers: People, Process, Technology; outer ring: External factors.]
The Risk Intelligence Capability Model
• How capable is your entity today? How capable does it need to be?
• Every entity is at a different stage of development
[Figure: five stages on a ladder running from managing un-rewarded risk toward managing rewarded risk: 1: Tribal & Heroic; 2: Specialist Silos; 3: Top-down; 4: Systematic; 5: Risk Intelligent.]

Stage 1: Tribal & Heroic
• Ad-hoc/chaotic
• Depends primarily on individual heroics, capabilities and verbal wisdom

Stage 2: Specialist Silos
• Reaction to adverse events by specialists
• Discrete roles established for a small set of risks
• Typically finance, insurance, compliance

Stage 3: Top-down
• Tone set at the top
• Policies, procedures, risk authorities defined and communicated
• Business function
• Primarily qualitative
• Reactive

Stage 4: Systematic
• Integrated response to adverse events
• Performance-linked metrics
• Rapid escalation
• Cultural transformation underway
• Bottom-up
• Proactive

Stage 5: Risk Intelligent
• Built into decision-making
• Conformance with enterprise risk management processes is incentivized
• Intelligent risk-taking
• Sustainable
• “Risk management is everyone’s job”
What are the Inhibitors?
• Heavy focus on managing only unrewarded risks
• Too many risks identified; link to stakeholder value has not been clearly established
• Differences in risk terminology, measurement, and reporting
• Risk identification and assessment is a sporadic once-a-year activity for certain functions; not everyday
Utilizing Technology to Manage Risk
[Figure: the seven framework activities that technology supports: Develop & deploy strategies; Identify risks; Assess & measure risks; Respond to risks; Design & test controls; Monitor, assure & escalate; Sustain & continuously improve.]
Building the Risk Intelligent Enterprise™
Nine Principles for Building the Risk Intelligent Enterprise™
[Figure: the nine principles: Common Definition of Risk; Common Risk Framework; Key Roles Clearly Defined; Common Risk Management Infrastructure; Transparency & Visibility; Executive Management’s Responsibility; Business Units’ Responsibility; Support Functions; Objective Assurance Functions.]
Building the Risk Intelligent Enterprise™
Principle # 1
• A common definition of risk, which addresses both value preservation and value creation, is used consistently throughout the entity
  – Discuss the positives rather than the negatives
  – If confusion exists within the entity, you will not reap the potential rewards of risk management
  – Approach implementation as a change management project: a new culture supported by people, processes, and technology
Building the Risk Intelligent Enterprise™
Principle # 2
• A common risk framework supported by appropriate standards is used throughout the entity to manage risks
  – Provides a structure that helps the entity decide which opportunities to pursue and which hazards to avoid
  – The framework must be sturdy enough to support the entity’s risk management objectives, unique strategies, and organizational structure
  – Must be adaptable to regulatory standards
Building the Risk Intelligent Enterprise™
Principle # 3
• Key roles, responsibilities, and authority relating to risk management are clearly defined and delineated within the entity
  – Risk management is like a finely tuned symphony orchestra; multiple roles are played simultaneously in often complex arrangements
  – Everyone may consider risk management someone else’s job
  – You must give clear messaging at the individual level to convey what Risk Intelligence means, why it is important, and what your people need to do on a daily basis
Building the Risk Intelligent Enterprise™
Principle # 4
• A common risk management infrastructure is used to support the business units and functions in the performance of their risk responsibilities
  – Risk does not exist in isolation, so neither can risk managers
  – Organizational silos must be bridged
  – Business units and functions must use the same supporting technologies and processes where possible and practicable
  – This principle involves:
    • Synchronizing
    • Harmonizing
    • Rationalizing
Building the Risk Intelligent Enterprise™
Principle # 5
• Governing bodies have appropriate transparency and visibility into the organization’s risk management practices to discharge their responsibilities
  – To fulfill their responsibilities and to provide value, board members should:
    • Put risk on the agenda every time
    • Inventory the current risk structure to see if the silos are bridged
    • Engage in periodic risk dialogue to help identify potential new risks
    • Understand the entity’s risk appetite and diet
    • Ask for independent reassurance
Building the Risk Intelligent Enterprise™
Principle # 6
• Executive management is charged with primary responsibility for designing, implementing, and maintaining an effective risk program
  – If you treat risk management as a part-time job, you might soon find yourself looking for one
  – Form an executive-level risk committee
  – Appoint a Chief Risk Officer (CRO), who:
    • Helps develop policy and common approaches across business units
    • Communicates and monitors the organization’s risk appetite
    • Reports risk information to the management and board-level oversight functions
Building the Risk Intelligent Enterprise™
Principle # 7
• Business units are responsible for the performance of risks they take within the risk framework established by executive management
  – “If you own the business unit, you own the risk”
  – Risk owners have the responsibility to:
    • Identify, measure, monitor, control, and report on risks to executive management,
    • Promote risk awareness, and
    • Reprioritize business unit activities
Building the Risk Intelligent Enterprise™
Principle # 8
• Certain functions have a pervasive impact on the business and provide support to the business units as it relates to the organization’s risk program
  – Certain functions do not just own risk, they also help support it:
    • Information Technology
    • Human Resources
    • Finance
    • Legal
  – Develop and enforce company-wide policies, procedures, and controls
  – Support each business unit and help them understand their requirements for intelligent risk taking
  – Collect key information for management and perform risk mitigation analyses
Building the Risk Intelligent Enterprise™
Principle # 9
• Certain functions provide objective assurance as well as monitor and report on the effectiveness of an organization’s risk program to governing bodies and executive management
  – These functions provide reassurance that the internal control and risk structure operates effectively:
    • Internal Audit
    • Risk Management Committee
    • Compliance Committee
  – Not responsible for directing the business
  – Monitor and enhance the effectiveness of the organization’s risk management activities
Nine principles for building the Risk Intelligent Enterprise™
In a Risk Intelligent Enterprise…
1. …a common definition of risk, which addresses both value preservation and value creation, is used consistently throughout the organization.
2. …a common risk framework supported by appropriate standards is used throughout the organization to manage risks.
3. …key roles, responsibilities, and authority relating to risk management are clearly defined and delineated within the organization.
4. …a common risk management infrastructure is used to support the business units and functions in the performance of their risk responsibilities.
5. …governing bodies (e.g., boards, audit committees, etc.) have appropriate transparency and visibility into the organization’s risk management practices to discharge their responsibilities.
6. …executive management is charged with primary responsibility for designing, implementing, and maintaining an effective risk program.
7. …business units (departments, agencies, etc.) are responsible for the performance of risks they take within the risk framework established by executive management.
8. …certain functions (e.g., finance, legal, IT, HR, etc.) have a pervasive impact on the business and provide support to the business units as it relates to the organization’s risk program.
9. …certain functions (e.g., internal audit, risk management, compliance, etc.) provide objective assurance as well as monitor and report on the effectiveness of an organization’s risk program to governing bodies and executive management.
Success Factors
• Focus on creating stakeholder value, not creating risk management processes
• Emphasize integration of risk intelligence into core business and decision making processes
• Believe that risk management is a fundamental component of business performance management
• View the implementation of Risk Intelligence as a change management project and have a clear roadmap
• No need to go into the process alone; reach out to other organizations for help
Questions?
Contact Information
Kathie Schwerdtfeger
Partner
Deloitte & Touche LLP
400 West 15th Street, Suite 1700
Austin, Texas 78701
Tel: +1 512 691 2333
kschwerdtfeger@deloitte.com
www.deloitte.com
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network
of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed
description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see
www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
Copyright © 2010 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited