Presentation - Internal - GTA


Enterprise Risk Management
Expectations Outpacing Capabilities and
The Audit Committee’s Role
July 30, 2013
Presented by: Suzette E. Ramsden (B.Sc., CISA, CBRA, CRMA)
Caribbean Association of Audit Committee Members Inc.
7th Annual General Meeting and Conference
“Governance, Audit and Compliance: Changing the Way We Do Business”
Hilton Trinidad Hotel & Conference Centre: July 29-30, 2013
Enterprise-Wide Risk Management
“Enterprise Risk Management is a process, effected by the entity’s
board of directors, management, and other personnel, applied in
strategy setting and across the enterprise, designed to identify
potential events that may affect the entity, and manage risk to be
within the risk appetite, to provide reasonable assurance regarding
the achievement of objectives”
COSO’s Enterprise Risk Management – Integrated Framework (2004)
2
ERM in Today’s Global Economy
“Risk Management is at the top of the global executive agenda as
companies face an array of threats that grow more complex
by the day. The risks are multitudinous and ever-present, and
those companies that fail to manage them well imperil their future”
3
Keeping Pace
“…challenges are growing faster than most organizations’
abilities to respond: today’s complex environment requires an
even stronger capability to master and optimize Risk
Management.”
4
Contributors
Risk Management capabilities are not advancing fast enough
Significant gaps and weaknesses in the management of
Enterprise Risk
Inability to manage risk in an integrated and holistic way
5
Constantly Evolving
“When Risk Management is a strategic tool, the risk program and
profile will constantly evolve..”
6
Shift in the Aftermath
In the aftermath of the Global Financial Storm
[Diagram labels: Risk-Taking; Risk-Savvy; Risk-Averse; Unmanaged Risk; Risk Programs; Ensure Risk Programs don’t go stale; Ever-Expanding Economy; Models Relevant to new Economic Environment; Stagnant Economies]
7
ERM Roles
Oversight - Effectively oversee the organization’s
Enterprise-Wide Risk Management.
Provide assurance regarding the status of the performance of the
organization’s Risk Management processes; that they are active,
credible and effective.
Although the ultimate accountability for Risk Management remains with
the Board of Directors, boards are increasingly looking to board
committees to provide assurance regarding the status of the
organization’s Risk management processes
Audit Committee Charter
An independent, objective assurance and consulting
activity to provide objective assurance to the board on
the effectiveness of Risk Management.
8
Audit Committee Agenda
SO...
What should audit
committees look for in a
company’s Enterprise-Wide
Risk Management
endeavours to ensure
abilities are not lagging
behind expectations?
9
Intersection of Strategy and Risk
Enterprise Risk Management resources and actions must be integrated into Strategic Planning process
Tool for collaborative decision-making embedded into management routines such as strategic planning
Engaging in discussion and dialogue with designated risk owners (senior mgnt) to keep abreast of emerging risks
10
Assessing Risk Exposures
Ensure consistency in the way risk is being assessed
across the enterprise
Is your organization conducting regular top down and middle-up
assessments and alignment of them to create a comprehensive risk
profile of the enterprise?
Is Management focusing on those lower level operational risks that
could frustrate accomplishment of the Board’s objectives for the
company?
Are risks being aggregated and the inter-relationships identified to
have a clear understanding of the velocity at which risks may occur?
Is guidance provided to the business units and functional groups to
ensure that they have a consistent approach that is focused on
business objectives?
11
Articulate Risk Appetite
Risk Appetite
Develop a formal Risk Appetite Statement
How do you know whether you have taken too much or not enough risk?
Calculate the monetary value at which a loss or risk event would jeopardize its credit rating
Stress-test the resilience of their balance sheets by calculating the monetary value at which solvency would be jeopardized.
Risk appetite embedded into the business units and functional areas
Aggregate risk exposure monitored in monetary terms
12
Three Lines of Defense
Enhance Risk Management via Business Units, Risk &
Compliance and Internal Audit functions
Are Risk Management capabilities keeping pace with the changing needs of the enterprise and expectations of stakeholders?
Is risk information between lines of defense visible, freely shared and communicated to support dependencies?
Is consistent risk training being conducted across your three lines of defense?
Are processes and technologies in place to monitor and measure risk in a way that gets the three lines of defense closer in alignment?
Do your Board, shareholders and regulators understand your risk program?
Is Risk Management embedded in business processes in a way that enhances transparency?
[Diagram labels: Business Unit; Risk & Compliance; Internal Audit]
13
Barriers to Convergence
Resources must be adequate to facilitate convergence
or integration of risk and control functions
Lack of executive support
Lagging governance structures
Insufficient numbers of people
Risk and control silos
Stagnant risk and control oversight functions
Lack of skills and human talent
Obstructed flow of risk information
Absence of technology enablers
Changing goals and less clarity of risk data
Duplication and redundancy
14
Creating a Risk-Resilient Culture:
A call to action
Key Questions
• How do you establish stakeholders’ expectations?
• How do you communicate Risk Management to the organization?
• How do you ensure that these Risk Management expectations are followed?
[Diagram labels: Risk Management Framework; Risk Governance Structure; Risk Resilient Culture]
15
How can KPMG Help
Framework Element - Description
Risk Governance - Establish an approach to developing, supporting, and embedding the risk strategy and accountabilities
Risk Assessment - Identify, assess, and categorize risks across the enterprise
Risk Quantification and Aggregation - Measure, analyze, and consolidate enterprise risks
Risk Monitoring and Reporting - Report, monitor, and conduct activities to provide insights into risk management strengths and weaknesses
Risk and Control Optimization - Use risk and control information to improve performance
16
KPMG Contact Information
Robert Alleyne
Managing Partner
1-868-623-1081
[email protected]
Dushyant Sookram
Partner, Advisory
1-868-623-1081
[email protected]
Neil Bhola
Manager, Advisory
1-868-623-1081
[email protected]
Suzette Ramsden
Manager, Advisory
1-868-623-1081
[email protected]
KPMG
69-71 Edward Street
Port-of-Spain
Trinidad and Tobago
17
Thank You
18