
Presenting ERM to the Board

eBook Contents:
Increased Need for ERM Reporting (page 2)
2 Goals of Risk Management Reporting (page 5)
4 Useful Presentations of Risk Information (page 7)
How Do You Get Here? (page 17)
The Future of ERM Board Reporting (page 23)

LogicManager Copyright 2016


Chapter 1: Increased Need for ERM Reporting

Measurable Value of ERM

Independent research (see the related blog below) finds that organizations with higher risk maturity have
stronger financial performance.

The effect grows with time and maturity: the more ERM best practices an organization
implements across its operations, the better the results.

Related Blog: Independent Research Proves 25% Market Value Premium of Mature ERM Programs

Increased Pressures for ERM Reporting

Boards of Directors were previously responsible only for CEO-level activities and
decisions; now their accountability extends down to the threshold of material
impact of a risk, regardless of the level at which it occurs. Risk therefore needs to be
identified at the business process level, where this material activity takes place.

These oversight requirements, and court cases such as Stone v. Ritter that uphold
them, now hold Board members personally responsible for risk management,
even through their supply chains, so private companies are not exempt. Boards
are given a choice between having effective risk management or disclosing
its ineffectiveness to the public. Doing neither is now treated as fraud or
negligence: not knowing about a risk is no longer a defense.

Related Blog: WSJ: Executives Report Inadequate Risk Management


Internal Audit's New Role

Since the liability for error is so high, Internal Audit has been tasked with
fact-checking the risk management information presented to the Board, to
ensure its integrity from the business process activity level upward.
The Institute of Internal Auditors (IIA) announced in 2012 a revision to its
International Professional Practices Framework (IPPF), effective January 1, 2013.
These mandated changes require auditors to validate the most timely and most
significant risks, especially those that affect the achievement of the organization's
strategic objectives.

[Sidebar headline: "Revisions to Internal Audit Standards Approved: Changes to Take Effect January 2013", October 8, 2012]

Responsibilities for Risk Managers

The role of the enterprise risk manager is clear: to close the gap between
strategic-level risk and all the operational risks occurring on the front lines of
the organization. The risk manager is responsible for setting the standards,
practices and procedures for effective risk management and embedding them
in all existing business processes. The risk manager is now also accountable for
measuring the effectiveness of the ERM program.

This requires putting a mechanism in place to collect risk information at
the activity level, where most operational risks materialize, and to aggregate
it to a level and format the Board cares about. This has to be achieved while
preserving the links between the information collected at the activity level
and the resources involved, so that the integrity trail stays clear and
internal audit can follow it.

Related Blog: What to Present to Your Risk Committee

Chapter 2: 2 Goals of Risk Management Reporting

Alignment of Risks and Activities to Strategic Objectives and Key Concerns

Getting an accurate pulse on strategic objectives is challenging. These goals
are cross-functional and event-based in nature, and as such are extremely
useful for the board and senior executives, but they are impossible to act
on without operationalizing them: breaking them down into root-cause,
actionable, silo-specific activities within processes. This is where risk
management plays a role.

Effectiveness of ERM Efforts

ERM is a strategic process to gain competitive advantage through more
efficient deployment of scarce resources, better decision-making and goal
achievement, and reduced exposure to negative events. As an organization's
risk management competency improves, so does its ability to
manage all kinds of goals and risks successfully.

Remember the business value studies of ERM on page 3? This is why the
board needs to know the effectiveness of your risk management program: to
determine and measure how much of this benefit the organization is getting.

RIMS Risk Maturity Model: take a free assessment to see where your
organization scores on the Risk Maturity spectrum.

Chapter 3: 4 Useful Presentations of Risk Information

DASHBOARD #1: METRICS PROGRESS

Displays the development of risk tolerance over time

Standardized risk assessments enable you to develop risk tolerance indexes over time. Being able to view the trends gives the organization's
static risk profile context and a reference point. This lets you determine appropriate norms and tolerance levels based on your organization's risk
appetite, so that action can be taken when you start seeing small changes in your risk profile, before things go out of tolerance. You can only determine
whether you are within your risk appetite if you can associate value and meaning with your risks.

[Chart: risk index over time, series "Actual" and "Tolerance"]


DASHBOARD #2: ROOT CAUSE

Offers an objective and transparent view across the organization

Your organization's risks can be brought together from around the organization and displayed on a heat map, where upper-right-corner issues are the most
critical. This heat map shows all of an organization's risks based on activity-level observations from its business processes. The information stays
current because any change in an assessment is immediately reflected.


Example Root Cause Dashboard

Reporting by Strategic Imperative

ERM programs are designed to leverage information assessed across multiple business silos and levels of the organization, and to see the connections, the
root causes of problems, that cannot be seen by one silo alone. Besides viewing by plan, you can also view risk by a theme, such as an initiative or key concern.
This helps the organization move forward on an initiative because it gives context to the risks, opportunities, and accountability surrounding the topic.


Example Root Cause Dashboard

Reporting by Strategic Imperative: Cash Flow Predictability

Often, risk managers need to provide more detailed underlying data for risks that affect strategic goals, such as which business areas are involved, their
individual risk profiles, and what mitigation and monitoring strategies are in place. Leveraging your risk taxonomy, you can pull up that information
and create a more granular dashboard for a strategic objective, like Cash Flow Predictability.

In this example, the risk manager can see that although several risks are identified for Cash Flow Predictability, the current failure to analyze risk
and performance metrics associated with strategy should be her top priority. It has a higher inherent risk, shown by its plot position in the
red background in the upper right corner, as well as a higher overall residual index score, as shown in the table. With a full picture of all the issues, she
can choose a key mitigation activity that resolves the underlying issue.


DASHBOARD #3: ENTERPRISE VIEW

Organizes information by strategic imperative

The risk manager should also drill down on the risks relating to strategic objectives, like Cash Flow Predictability. This lets her present an aggregation of the risks
by strategic imperative. Now she has real, actionable data and insight into what underlies each of the points on her heat map.

By making the connection between root-cause indicators and the events or goals they affect, you can present the information in a way the Board recognizes and can
easily understand. Your Board will be able to identify which business areas contribute to a concern or objective, and what the root-cause issues are. This
makes your reports ACTIONABLE!


DASHBOARD #4: ERM PROGRESS

Measures the effectiveness of your ERM program

As outlined earlier, a risk manager's presentation to the Board should be two-fold. One part should demonstrate how risks across the organization roll up to
impact the Board's strategic objectives and key concerns, which we just covered. The second part should provide key measures that validate and track the progress of the
ERM program. The pages that follow give examples of measures that quantify the value your ERM program is providing.

ERM is cross-functional in nature and cannot be done in silos. Process owners own the risk; risk managers own the completeness, timeliness, and accuracy of the risk
information. The more process owners are involved in risk assessments, the more accurate and forward-looking the information collected will be, both of which are
hugely valuable to the organization.


Example ERM Progress Dashboard

Reporting by the total number of risks identified and mitigated

In the graph below, the red bar shows the number of risks identified and assessed for each business process or business unit area. This
tells the Board how many of the risks in the enterprise have been collected and evaluated.

Risk management does not stop at risk identification and assessment. It is critical to show the Board the state of ERM in terms of how many of the
risks identified and evaluated are covered by mitigation activities. Notice the gap between the red bar, measuring the number of risks identified and assessed,
and the green bar, measuring the number covered by mitigation activities, and how that gap shrinks quarter by quarter. This is how you show
the state of ERM and how it has evolved over the past several quarters.

[Chart: risks identified and assessed (red) vs. risks covered by mitigation activities (green), by quarter; the difference is labelled "Gap"]


Example ERM Progress Dashboard

Reporting by cut levels

Having a sense of your overall risk coverage is important. However, it is not nearly as valuable as knowing the coverage of your organization's key risks.
Use the uniform tolerance discussed above to direct resources to the risks that need stronger coverage, rather than wasting resources on risks that
will have no major impact on your organization. This gap analysis against a tolerance level will also help you identify emerging risks as they rise out of
tolerance, making it clear that some mitigation activities in place are no longer sufficient.

You can achieve the same focus by filtering out low risks. This shows only the above-average risks, and the corresponding mitigation activities that directly
affect each of the organization's corporate objectives and business performance.


Example ERM Progress Dashboard

Reporting by systemic risk

Over time you will be able to add other measures to your Board presentations, such as the alignment of risks across business silos. This is known as systemic
risk identification. The blue bar shows the detection of upstream and downstream dependencies throughout your organization, such as when one
area of the organization is unknowingly causing strain on other areas. This method also identifies areas that would benefit from centralized
controls, so the extra work of maintaining separate activity-level controls is eliminated. This increases organizational efficiency.

Chapter 4: How Do You Get Here?

What is the Challenge?

The challenge is in assembling information across functions and levels, while
keeping one comprehensible picture of risk for the Board. Today, how do you
quantify your organization's risks? Are you able to link operational risks to the
strategic goals they impact? These are the challenges we most often find risk
managers struggling with as they try to provide the Board with the
information it wants and needs.


RISK TAXONOMY IS THE SOLUTION

Organizations need to build a robust risk taxonomy, which provides a holistic view of all information and relationships across
the organization. Risk taxonomy is the practice and science of naming, classifying, and defining the relationships between
resources, risks, goals and business processes in the enterprise.

Once information is structured, the relationships within your organization are explicit, and assessments of this information
are carried out on the same standards and assumptions, the assessments become comparable and can be used cross-functionally
for more accurate and actionable risk management.

Related eBook: Integrating Governance Areas


STEP 1. Take A Root-Cause Approach

The most effective way to collect risk data is to identify risk by root
cause. Root cause tells us why an event occurs. Identifying the root
cause of a risk provides information about what triggers a loss and
where an organization is vulnerable. Using root-cause categories
provides meaningful feedback as to what steps to take to mitigate risk.

Risk managers should provide a common root-cause risk indicator library to process owners, so that when multiple areas choose the
same risk, systemic risks as well as upstream and downstream dependencies can easily be identified and mitigated. This method also
identifies areas that would benefit from centralized controls, so the extra work of maintaining separate activity-level controls is
eliminated.


Root-Cause Approach Example

Let's look at a simple example to demonstrate this point. A risk event may be that you have a headache.

In order to prevent a headache, we need to know why we have one. Armed with knowledge of the source of a risk, we can proactively manage
the risk and avoid future risk events. Mitigation activities should be aimed at the root cause, and will differ depending on the source of risk.

In this simple example, it is easy to see why creating mitigation or control activities with the risk event or outcome, rather than the root cause, in
mind can lead to very ineffective mitigation activities.

What the BOD and senior management know is that they want to avoid headaches. Your responsibility as risk manager is to determine the
potential root causes of these headaches, and find out who is involved.


STEP 2. Standardize Assessment Scale and Criteria

The key is to standardize your assessments. All assessments should use a common numerical scale and criteria. When
assessments are carried out on the same standards and assumptions, they become objective, quantifiable, repeatable and comparable. They can be
utilized cross-functionally, which enables better analysis, issue resolution and, when necessary, issue escalation.


STEP 3: Align Risks, Activities, and Goals

What the BOD and senior management know is that they want to avoid or achieve certain outcomes. Our responsibility as risk managers is to
determine the potential root causes of these events or outcomes, and find out who is involved.

To do this, we need to connect root-cause risks to corporate goals. You can get these strategic goals from the strategic plans and other places
within your organization. The next step is to identify a number of root-cause risks that could threaten to derail each corporate goal. Next, work
with business areas to connect their activities to the strategic goals they roll up to. You can then choose which of the risks you identified are
applicable to each business area.
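The three steps above, together with the coverage-gap and systemic-risk measures from the ERM Progress dashboards, as an added example in Python that is not part of the LogicManager eBook or its software: a small risk register that enforces a shared root-cause library and one assessment scale, then rolls risks up by strategic objective while keeping the link back to the owning area. The root-cause keys, the 1..10 scale, the tolerance and cut-level values, and every register entry are constructed assumptions for illustration.

```python
"""Added example, not from the LogicManager eBook: a minimal risk register
that applies Steps 1-3 and produces the roll-ups the dashboards describe.
The root-cause library, the 1..10 scale, the tolerance and cut values and
the register entries are all constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field

# Step 1: one shared root-cause library that every process owner picks from.
# Only because the key is shared can the same cause be matched across areas.
ROOT_CAUSES = {
    "RC-01": "Manual data entry without reconciliation",
    "RC-02": "Key-person dependency (one person owns a process)",
    "RC-03": "Unmonitored third-party access to systems",
}

SCALE_MIN, SCALE_MAX = 1, 10  # Step 2: assumed common scale for every assessment
TOLERANCE = 5.0               # assumed residual index above which a risk is out of appetite
KEY_RISK_CUT = 4.0            # assumed inherent index above which a risk counts as "key"


@dataclass
class Risk:
    root_cause: str                 # key into ROOT_CAUSES (Step 1)
    area: str                       # business process / unit that owns the risk
    goal: str                       # strategic objective it rolls up to (Step 3)
    likelihood: int                 # Step 2: SCALE_MIN..SCALE_MAX
    impact: int                     # Step 2: SCALE_MIN..SCALE_MAX
    mitigations: list = field(default_factory=list)
    control_effectiveness: int = 0  # 0 (no control) .. SCALE_MAX (fully effective)

    def __post_init__(self):
        # Reject entries that are off the shared library or the shared scale,
        # so every assessment in the register stays comparable.
        if self.root_cause not in ROOT_CAUSES:
            raise ValueError(f"unknown root cause {self.root_cause!r}; pick from the library")
        for name, lo in (("likelihood", SCALE_MIN), ("impact", SCALE_MIN),
                         ("control_effectiveness", 0)):
            v = getattr(self, name)
            if not lo <= v <= SCALE_MAX:
                raise ValueError(f"{name}={v} is outside {lo}..{SCALE_MAX}")
        if bool(self.mitigations) != (self.control_effectiveness > 0):
            raise ValueError("a mitigation must be listed together with its assessed effectiveness")

    @property
    def inherent(self) -> float:
        """Inherent index on the same 1..10 scale: likelihood x impact / 10."""
        return round(self.likelihood * self.impact / SCALE_MAX, 2)

    @property
    def residual(self) -> float:
        """Residual index: inherent scaled by the exposure the controls leave."""
        return round(self.inherent * (1 - self.control_effectiveness / SCALE_MAX), 2)

    @property
    def mitigated(self) -> bool:
        return bool(self.mitigations)


def coverage_gap(risks):
    """ERM Progress view: per area, risks identified vs. covered by a mitigation."""
    out = defaultdict(lambda: {"identified": 0, "mitigated": 0, "gap": 0})
    for r in risks:
        row = out[r.area]
        row["identified"] += 1
        row["mitigated"] += int(r.mitigated)
        row["gap"] = row["identified"] - row["mitigated"]
    return dict(out)


def key_risk_coverage(risks, cut=KEY_RISK_CUT):
    """Cut-level view: (covered, total) for key risks only, i.e. inherent above the cut."""
    key = [r for r in risks if r.inherent > cut]
    return sum(r.mitigated for r in key), len(key)


def by_goal(risks):
    """Enterprise view: roll activity-level risks up to each strategic objective,
    worst residual first, keeping the link back to owning area and root cause."""
    out = defaultdict(list)
    for r in risks:
        out[r.goal].append(r)
    return {g: sorted(rs, key=lambda r: (r.residual, r.inherent), reverse=True)
            for g, rs in out.items()}


def systemic_root_causes(risks):
    """Systemic view: library root causes chosen by two or more different areas."""
    areas = defaultdict(set)
    for r in risks:
        areas[r.root_cause].add(r.area)
    return {rc: sorted(a) for rc, a in areas.items() if len(a) >= 2}


def out_of_tolerance(risks, tolerance=TOLERANCE):
    """Metrics Progress view: risks whose residual index has risen above tolerance."""
    return [r for r in risks if r.residual > tolerance]


# Constructed sample register (hypothetical areas, goals and scores).
REGISTER = [
    Risk("RC-01", "Accounts Receivable", "Cash Flow Predictability", 7, 8, ["Monthly reconciliation"], 6),
    Risk("RC-02", "Treasury", "Cash Flow Predictability", 5, 9),
    Risk("RC-01", "Payroll", "Regulatory Compliance", 6, 4, ["Four-eyes check"], 8),
    Risk("RC-03", "IT Operations", "Regulatory Compliance", 8, 9, ["Quarterly access review"], 3),
    Risk("RC-02", "IT Operations", "Cash Flow Predictability", 3, 5),
    Risk("RC-03", "IT Operations", "Regulatory Compliance", 4, 6),
]

if __name__ == "__main__":
    for area, row in coverage_gap(REGISTER).items():
        print(f"{area:20} identified={row['identified']} mitigated={row['mitigated']} gap={row['gap']}")
    print("key-risk coverage (covered, total):", key_risk_coverage(REGISTER))
    for goal, rs in by_goal(REGISTER).items():
        print(f"{goal}: top priority {ROOT_CAUSES[rs[0].root_cause]!r} in {rs[0].area}, residual {rs[0].residual}")
    print("systemic root causes:", systemic_root_causes(REGISTER))
    print("out of tolerance:", [(r.area, r.root_cause, r.residual) for r in out_of_tolerance(REGISTER)])
```

Run as a script it prints the per-area gap, key-risk coverage, the worst residual risk under each objective, and the root causes shared by more than one area. Note that in the constructed data the Treasury risk, which has a lower inherent score than the Accounts Receivable one, becomes the top priority for Cash Flow Predictability because it has no control at all; ranking on residual rather than inherent is what makes that visible. The checks in `__post_init__` are where Step 2 is enforced: an entry that is off the library or off the scale is rejected up front instead of silently skewing the roll-up.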

Chapter 5: The Future of ERM Board Reporting

Risk Disclosures

Instead of 10-K and 10-Q risk disclosures being isolated as legal and
compliance processes that are merely defensible risks lacking
context, these disclosures will need to make the connection to the activity level.


Connection to Activities

Regulators are going to say, "Show me your disclosures on risk, and show
me how they connect to the actual procedures and activities that control them
at the business process activity level." What does this mean? You will
need to show how your disclosures have been operationalized and
broken down to the activity level, who is accountable, and what mitigation
activities you are carrying out for these things.

Top-down and Bottom-up

And vice versa: it can't be an all top-down approach. You've got to be
picking up on things that are happening at the activity level, rolling them
up, and disclosing them and what you are doing about them as you
discover them.

LogicManager's All-in-One ERM Software

Provides all the content you need, and all connected: Enterprise Risk Management, Vendor Management, Regulatory Compliance,
IT Governance and Security, Financial Reporting, Business Continuity, Audit Management, Performance Management, Policy Management.

Leadership: More than 2000 organizations use our risk management solution.
Insight: Put your risk picture together.
Cloud Computing: No up-front investment and no long-term commitment required.

Request a Demo
