
Enterprise Risk Management for Internal Auditors

The New York Chapter of the Institute of Internal Auditors - 39th Annual Audit Seminar
May 18, 2012
Patchin Curtis, Director
Michele Crish, Senior Manager
Michael Schor, Senior Manager

Contents
Defining Risk and Risk Management
State of Enterprise Risk Management (ERM)
Risk Management Framework
Role of Internal Audit: A Discussion
Leading Practices and Insights from Deloitte's Global Risk Survey
Questions and Answers

Copyright 2012 Deloitte Development LLC. All rights reserved.

Risk management in the news


Given the central role of effective, firmwide risk management in maintaining strong financial institutions, it is clear that supervisors must redouble their efforts to help organizations improve their risk management practices... We are also considering the need for additional or revised supervisory guidance regarding various aspects of risk management, including further emphasis on the need for an enterprise-wide perspective when assessing risk.
- Ben Bernanke, US Federal Reserve Bank Chairman, 2008

Strong risk management and robust financial regulation are the bedrock of a stable financial system
- Hugo Banziger, Deutsche Bank's Chief Risk Officer and a Member of the Management Board, 2010

I am fully convinced that going forward, continued improvement of risk management by banks, despite their size, will not only impact on their behavior but also their performance.
- Liu Mingkang, Chairman, China Banking Regulatory Commission, 2004

A fundamental shortcoming is the wide disparity between the rapid pace of financial innovation and the risk management infrastructure on which this innovation was built... Historic or statistical measures of risk and exposure, such as value-at-risk, past loss experiences and name concentration in the traditional banking book have proved inadequate.
- Nout Wellink, BIS Chairman, 2008

A bank in which every employee understands his or her responsibility for managing risk is likely to be more sound than a bank in which risk management is always seen as someone else's responsibility. While risk management starts at the business-line level, a well-run bank also has in place an effective program for enterprise-wide risk management that is supported by strong internal controls.
- Sara Raskin, Federal Reserve Bank Governor, 2011


Defining Risk and Risk Management

Defining risk
Risk is the potential for loss or harm, or the diminished opportunity for gain, that can adversely affect the achievement of an organization's objectives, as defined by our Risk Intelligence approach.

Focus of Deloitte's approach: Risk Intelligence addresses the risks and rewards of value creation.

Unrewarded Risk: Nothing is gained from taking the risk
Relates to risk areas such as regulatory compliance

Rewarded Risk: Provides a premium if managed well
Relates to strategy and business decisions, where value is created

Risk does not just relate to events that cause damage to the business; consider also the risk that applies to value creation
If the risk associated with value creation is not properly managed, a company may not reap the potential rewards
A company's leadership team must understand the company's risk and reward profile

Neglecting compliance could result in business termination

If companies avoid too many risks, they will forgo associated rewards

Focusing on rewarded risk enables continued creation and preservation of value, even in turbulent times.

Defining risk management


A leading definition for Enterprise Risk Management is:
A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its appetite, to provide reasonable assurance regarding the achievement of entity objectives.*

ERM IS
A process for providing a risk-adjusted view of the achievability of enterprise objectives
A means to enhance informed decision making and risk taking
An aggregated portfolio view of risks and vulnerabilities and their potential interactions
A methodology that supports accountability for risk across the organization

ERM IS NOT
A substitute for management's judgment
A bureaucratic exercise that is isolated from the business units
A guarantee of a zero-risk environment

*Source: Committee of Sponsoring Organizations of the Treadway Commission (COSO)


Role of risk management evolves


Traditional View
View on managing single risk factors / single-impact events within various organizational silos
Measure risk and ensure that exposure concentrations are contained within pre-specified (arbitrary) limits
Performance measured on an ex-post basis in Return on Assets (ROA) or contribution terms; Business Unit Return on Equity (ROE), if measured, based on simple equity allocations
Institution's overall capital ratio
Regulatory capital

Evolving View
View on managing risk enterprise-wide
Measure risk, allocate capital based on risk, and measure performance relative to the cost of risk (economic capital)
Clarify risk/return economics for line management, and incorporate them into pricing and customer profitability
Risk-adjusted performance for business units, customers and portfolios utilizes the same approach
Greater link between the CFO and the Chief Risk Officer
Evolving risk management capabilities should build upon an institution's strengths and existing capabilities

Risk types shown on the slide: Credit Risk, Business Risk, Liquidity Risk, Reputation, Operational Risk, Country Risk, Compliance, Market Risk

Benefits and challenges of risk management


Risk management provides many benefits throughout the organization and beyond. However, implementing an ERM program may pose challenges across the organization, especially with risk language, risk infrastructure and risk data.

Benefits
More integrated and comprehensive assessment of risks, and an objective, consistent approach to managing them
Enhanced clarity around risk management roles and responsibilities
Helps create a more common language and an improved view of risk across the institution
Improved understanding and monitoring of the nature of risk in the business
Promotes a risk-aware operating culture and accountability
Favorable treatment from credit agencies, insurers, analysts and other stakeholders

Challenges
Defining ERM: lack of organizational objectives and confusing, contradictory terminology
Assessing the risk profile in line with strategic decisions
Siloed view of risk
Identifying and aggregating various risk types
Risk measurement: no single tool exists
Enabling technology: no single system addresses ERM


Current trends in risk management


1. Clear governance practices embedded into the organizational structure:
Increase oversight, interaction and communication with board and senior management risk operating committees
Communicate a statement of the risk philosophy and appetite of the firm that is actionable and can be assessed
Document and clarify roles and responsibilities
Develop integrated market and credit risk framework processes

2. Risk and return balance and risk management priorities:
Decision making is risk/return oriented and, in partnership, risk is right-sized to the organization
Compensation structure is aligned with risk and reward
Risk management function has risk veto authority with clear escalation/resolution processes

3. Investment in infrastructure and risk capabilities:
Enhance valuation and exposure measurement capabilities (i.e., the ability to value and measure the risks associated with all transactions)
Re-prioritize infrastructure investment areas; focus on risk exposure aggregation, netting and product coverage

4. Transparency, disclosure and communication:
Need to provide informative, customized and actionable information to senior management, the board and business lines
Risk management should seek guidance from and have access to the board in order to understand its objectives and perspective
Increased external disclosures to shareholders, regulators and rating agencies


State of ERM

Benchmarking ERM Capabilities


Deloitte's ERM capability maturity model

Stages of risk management capability maturity, in order of increasing stakeholder value: Initial, Siloed, Comprehensive, Integrated, Optimized

Representative attributes describing each maturity level:

Initial
Ad hoc/chaotic
Reactive
Processes undefined and undocumented
Depends primarily on individual heroics, capabilities, and verbal wisdom

Siloed
Independent risk management activities
Limited focus on the linkage between risks
Limited alignment of risk to strategies
Disparate monitoring & reporting functions

Comprehensive
All risk types and business units encompassed
End-to-end business risk management process implemented
Common framework, program statement, policy, and risk assessment criteria
Dedicated team or function

Integrated
Risk interactions and dependencies rigorously evaluated
Risks aggregated to develop an overarching risk profile
Enterprise-wide at-risk measure adopted
Risk modeling/scenarios

Optimized
Risk discussion is embedded in strategic planning, capital allocation, product development, etc.
Use of dynamic early-warning indicators
Linkage to performance measures and incentives


ERM Capability of Various Industries


Some industries have been focused longer on ERM and have made greater strides.

Reasons for higher ERM capabilities in certain industries:
Highly regulated industry with intense scrutiny from government entities
Sophisticated risk analysis inherent to the business
Nature of operations is high risk

Chart: ERM maturity (Initial, Siloed, Comprehensive, Integrated, Optimized) against stakeholder value, by industry: Financial Services, Insurance, Energy, Mining, Industrials, Technology, Life Sciences, Retail.

Note: Gradients indicate that a small number of outliers define the upper end of the range.

Note: Placement of industries in this chart is judgmental, but based on Deloitte's depth of ERM knowledge and experience with a wide variety of industries.

Risk Management Framework

Defining a risk management framework


A risk management framework provides a structure that helps organizations decide which opportunities to pursue and which hazards to avoid.

The ERM framework recognizes the dual nature of risk and devotes sufficient resources both to risk taking for reward and to protection of existing assets. The elements of the ERM framework include:
Tone at the top: leaders adopt a broad outlook on and governance of risk, and integrate risk considerations into strategic decision-making
Capable processes, systems and trained people act on both risks and opportunities in a timely and coordinated manner
A consistent risk assessment approach is used across the organization to manage all classes of risk in an effective and efficient manner

Framework diagram, as labelled on the slide:
Risk Governance: stakeholder expectations, risk appetite, strategy & performance, escalation & monitoring
Risk Management Infrastructure: policies & procedures, capability, information & reporting, tools and technology
Risk Management Processes: risk identification, risk measurement, risk assessment, risk response, integration with the business

Risk Intelligence (RI) is Deloitte's risk management philosophy, focused on maintaining the right balance between risk and reward. Simply put, organizations create value by taking risks and lose value by failing to manage them. An effective risk management program focuses simultaneously on value protection and value creation. Deloitte calls organizations that have attained this advanced state of risk management capability a Risk Intelligent Enterprise.


Making ERM practical


Companies achieving higher maturity levels observe the 9 principles:

Risk Governance
1. Common Definition of Risk: A common definition of risk, which addresses both value preservation and value creation, is used consistently throughout the organization
2. Common Risk Framework: A common risk framework supported by appropriate standards is used throughout the organization to manage risks
3. Roles & Responsibilities: Key roles, responsibilities, and authority relating to risk management are clearly defined and delineated within the organization
4. Transparency for Governing Bodies: Governing bodies (e.g., Boards, Audit Committees, etc.) have appropriate transparency and visibility into the organization's risk management practices to discharge their responsibilities

Risk Infrastructure & Management
5. Common Risk Infrastructure: A common risk management infrastructure is used to support the business units and functions in the performance of their risk responsibilities
6. Executive Management Responsibility: Executive management is charged with designing, implementing and maintaining an effective risk program
7. Objective Assurance and Monitoring: Other functions (e.g., internal audit, risk management, compliance, etc.) provide objective assurance as well as monitor and report on the effectiveness of the organization's risk program to governing bodies and executive management

Risk Ownership & Processes
8. Business Unit Responsibility: Business units are responsible for the performance of their business and the management of the risks they take within the risk framework established by executive management
9. Support of Pervasive Functions: Certain functions have a pervasive impact on the business and not only provide support to the business units as it relates to the organization's risk program, but also enhance and enable success when strategically aligned and considered as essential elements of the program

Operating models
Operating models compared on the slide: Control/Compliance Operating Philosophy, Center for Excellence, and Reporter / Central Analysis, each described by Typical Attributes and Risk Culture. Entries from the slide's table (column assignment not preserved):

Risk organization may be perceived to be enforcer of risk policies and rules
Centralized risk function often assumes ownership and management of particular risks
Drive risk management / process / function integration and alignment
Integrate and coordinate cross-functional risk interdependencies
Extensive reliance on policies and procedures
Many activities focused on monitoring compliance
Risk organization may be perceived to be a burden on the business
Risk organization may be perceived to be a business partner
Support/conduct risk assessments using various techniques
Line management ownership of risks
Avoids unnecessary disruption to the business
Identify likely/potential critical risks and proactively engage risk owners, build tools, processes, etc.
Focus on enhancing risk-informed decision making and managing risks during execution of decisions
Requires tool/process development investments
Identify high-level risk trends
Gather information and report to center for data analysis
Utilization of tools/process is optional
Tools/process may not be fully utilized or adopted by business/risk owners
Risk organization should provide quality services to business units

Risk roles & responsibilities - Illustrative


An example of risk management roles and responsibilities throughout an organization

Business Units: Take and Manage Risks
Ownership of business unit activities which give rise to risk, and responsibility for risk management and mitigation
Risk identification and self-assessments
Developing strategy & taking actions to manage and mitigate risks within policy and risk appetite
Providing assertions on risk exposure and controls for their business area / function
Business Unit Risk Managers coordinate the Business Unit risk assessment, monitoring, and mitigation activities

ERM Function: Monitor & Aggregate
Establishment of consistent risk policies, governance framework, standards, and information reporting mechanisms to facilitate effective risk management
Monitoring and participation in specific risk committees for the purpose of providing the enterprise view
Providing summary information and analysis to the Executive Committee to assess, evaluate, and act on risk

Risk Committees: Oversee
Oversight over risks within scope of authority
Oversight and approval of measurement and management methodologies for risks within scope
Oversight of changes in risk profile
Oversight of Business Unit management of designated risk categories

Executive Committee: Approve
Approval of key documents, such as: ERM Policy, Risk Appetite, Risk Governance Model, Authorities, Committee Charters
Monitoring risk exposure status
Approving the Board reporting package
Monitoring Business Unit mitigation plans and their status for top risks
Approving limit exceptions

Audit Committee: Ratify
Ratification of key documents, such as: ERM Policy, Risk Appetite, Risk Governance Model, Authorities, Committee Charters

Internal Audit: Validate
Independent verification and testing of: Internal Controls; Quality of the Enterprise Risk Management Program; Quality and integrity of risk models


Three lines of defense


Risk management responsibility can be viewed as three lines of defense: management, the Chief Risk Officer (CRO) / risk function, and Internal Audit. On the slide, the Board of Directors sits above the three lines, with the External Auditor and Regulator outside them.

1st Line of Defense: Top Management and New Business Development (NBD)
Promote a strong risk culture and sustainable risk-return decision making
Portfolio optimization on the macro and micro level
Promote a strong culture of adhering to limits and managing risk exposure
Ongoing monitoring of risks

2nd Line of Defense: Risk Management Function
Combination of watchdog, trusted advisor and enforcer
Understand how the business makes money and actively challenge initiatives if appropriate
Top talent with business experience engaging with management and NBD as equals
Independent from management and staff that originate risk exposures
Overarching risk oversight unit across all risk types and business units

3rd Line of Defense: Internal Audit
Good understanding of the business and risk management
Top talent within audit to challenge the front office and risk management function
Independent oversight function with ability to enforce fulfillment of findings
Ability to link business and risk with process and IT know-how


Risk appetite
At the highest level, risk appetite defines the amount of overall risk that a firm is willing to accept in pursuit of its business objectives.

Risk appetite principles:
Defined by senior management and approved by the Board of Directors
Aligned with business objectives and linked to KPIs
Responsibility distributed across the organization to all levels of management
Embedded in policy development, business and strategic planning, resource allocation, and various business and risk processes

Risk appetite components shown on the slide: strategic goals & value drivers, risk appetite statement, risk metrics and limits, risk monitoring / reporting framework, action and correction.

Risk Appetite Scale, with example risk appetite by business activity:

Risk Seeking: Taking risk is considered part of the company's strategy
Example activities: new market expansion and acquisition activities

Risk Tolerant: Company takes an aggressive approach towards taking risk
Example activities: portfolio management, innovation

Risk Neutral: Company takes a balanced approach to risk taking
Example activities: operations, asset / liability management

Risk Averse: Company accepts as little risk as possible
Example activities: health, safety, environment, security, fraud, financial reporting, regulatory compliance and reputation


Risk processes
Key risk processes to establish a robust risk management framework:

1. Risk Identification
Structured around an enterprise-wide framework of risk categories and definitions
Both a top-down and a bottom-up process

2. Risk Assessment
Provide a qualitative and quantitative view of risk
Assessed on the gross / inherent basis and on the net / residual basis, taking into consideration the existence of risk mitigation
Level of complexity of the risk assessment should correlate to the level of significance of the risk
Need BU involvement

3. Risk Measurement
A range of risk measurement methodologies exists
Data availability and quality is key
Most start with a qualitative form of risk assessment
Examples include: risk assessment & scoring, KRIs, loss event and scenario modeling, economic capital modeling and allocation

4. Risk Response & Mitigation
Appropriate response is dependent on the company's strategic objectives, risk appetite, level of action required and return / reward / cost of the mitigation plan
Can range from full mitigation, to partial mitigation, to acceptance with no mitigation
Establish a risk mitigation framework

5. Risk Monitoring & Reporting
Risks usually monitored individually and then aggregated and reported
RM Function usually aggregates and reports
Effective risk reporting should include information on key risks enterprise-wide, provide a clear picture of the risk profile and emerging risks, and focus on KRIs, limits and thresholds
Risk dashboard


Role of Internal Audit A Discussion

Internal Audits role in ERM


Two key factors to consider when determining Internal Audit's role with respect to ERM include:
1. Whether the activity raises any threats to the internal auditors' independence and objectivity
2. Whether it is likely to improve the organization's risk management, control, and governance processes

Internal audit roles with respect to ERM*:

Core internal audit roles in regards to ERM

Legitimate internal audit roles with safeguards

Roles internal audit should not undertake

*Source: The Institute of Internal Auditors (IIA) Position Statement


Leading Practices and Insights from Deloittes Global Risk Management Survey Seventh Edition

Global Risk Management Survey 2011


The seventh edition of the biennial Global Risk Management Survey represents Deloitte's most recent look at the state of risk management across the global financial services industry.

The survey was conducted during Q3 2010
We solicited responses from CROs or their equivalents at financial services firms around the world
131 financial institutions with a total of over $17 trillion in assets participated
Topics included: risk governance; enterprise risk management; Basel II, Solvency II, and economic capital; managing risk types; risk management systems & technology infrastructure

Source: Navigating in a Changed World, Deloitte Global Risk Management Survey, 7th edition, http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/us_fsi_grms_031711.pdf

About the survey


Participating institutions were primarily diversified financial services companies, commercial and retail banks, and insurance companies
Headquartered in a variety of geographies, many responding institutions are global companies
The range of asset sizes includes some of the world's largest institutions as well as smaller, regional institutions

Charts: respondents by Primary Business, Geography and Asset Size.

Note: Some graphs do not add to 100% due to rounding.


Risk governance findings and insights


The scope and responsibilities of the Board, Chief Risk Officer and risk management function continue to grow, with more and more responsibilities being added.
Which of the following steps has your organization taken in response to recent concerns regarding risk governance?


Risk governance findings and insights


Increasingly, risk management responsibilities are being incorporated into goals and compensation decisions across organizations. This trend will likely continue to grow.
To what extent are responsibilities for risk management incorporated into performance goals and compensation across the organization?
Chart: percentage of respondents answering Completely or Substantially, for senior management, middle management, finance personnel, operations personnel and staff personnel, 2008 versus 2010.


Enterprise risk management findings and insights


The adoption of ERM programs continues to grow: 79% of all respondents said they have, or are currently implementing, an integrated ERM program, versus 59% two years ago. The perceived value of ERM is also on the rise.
How much value do you believe your organization has received from its ERM program, or equivalent, in each of the following areas?


Enterprise risk management findings and insights


Boards of Directors have been substantially increasing the scope and frequency of risk management related reporting.
Which of the following types of risk information does your organization currently report to the Board of Directors?


Managing risk types overview across risk types


A number of new risk types were added to the survey in 2010; for those risks also in the 2008 survey, the assessment of risk management effectiveness has not increased significantly for most risk types.
How effective do you think your organization is in managing each of the following types of risks?
Chart: percentage of respondents rating their organization Extremely / Very effective, by risk type (values ranging from 77% down to 36%).


Risk infrastructure and data findings and insights


The integration of risk systems and data continues to present challenges across all financial services sectors. Data management and data integrity are increasingly important areas of focus for many major financial institutions.
How effective do you think your organization is in the following aspects of risk data strategy and infrastructure?
Chart: percentage of respondents rating their organization effective, by aspect of risk data strategy and infrastructure (values ranging from 38% down to 27%).

Leading practices
Role of the board of directors: Increased focus on governance and oversight for risk management and on approving a clearly stated risk framework, policies and risk appetite statement
Role of the chief risk officer: Increased responsibility and visibility: direct reporting lines to the board and/or CEO and leading the ERM program, including risk governance, reporting and analytics, where appropriate
Three lines of defense: Define a risk framework that clearly identifies roles, responsibilities and monitoring across the organization
Risk appetite statement: Approving an enterprise-level statement of risk appetite and integrating it into business activities, e.g., limits
Risk metrics: Focus on key risk metrics in decision-making across the organization, including strategy planning, budgeting, and performance measurement
Chief Compliance Officer and Compliance Program: Emphasis on building an enterprise-wide, independent compliance risk management program consistent with regulatory guidance, and elevating the visibility of the CCO with a direct reporting line to the board
Risk reporting: Continued challenges with integration of systems and data; yet the focus remains on aggregation and analysis across asset classes and businesses, with enhanced reporting to management and the board

Take-aways for consideration


As an internal auditor evaluating an ERM program, consider the following:

Risk management likely continues to be an area of substantial focus, given market conditions and regulatory change
No two institutions are alike: business strategy and the mix of component businesses and jurisdictions will help drive decision-making
Risk governance: boards have been increasingly proactive in risk management and this will likely continue
The CRO is increasingly a more senior executive position
Even traditional risks such as operational risks can benefit from more attention; additional risks may need focus
Continued and increased use of risk measurement models and approaches, including stress testing, requires assessment of models and assumptions
Data integrity and data analysis become increasingly important as systems are integrated and reporting needs increase


Questions and Answers

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. In addition, this presentation contains summarized survey results, which are included for informational and discussion purposes only. Participant survey responses were taken as is and were not confirmed or validated by Deloitte. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Member of Deloitte Touche Tohmatsu Limited
