DEVELOPING THE APPROPRIATE RISK APPETITE FOR YOUR ERM PROGRAM


Bruce McCuaig
Vice President, Risk & Compliance – Paisley GRC Solutions
Thomson Reuters
WELCOME TO THE WEBCAST
• A question and answer period will follow the presentation
– To submit a question, click on the Question and Answer hyperlink located just above the slide window on your webcast player, type your question in the open box and hit submit
– Any questions about technical problems, materials, etc. will be answered via email
• Download the presentation
– Click the link just above the presentation in the window you are currently viewing, labeled Supporting Materials, to download the entire slide presentation

© 2010 Thomson Reuters. All Rights Reserved.


ABOUT THOMSON REUTERS
• We are the world’s leading source of workflow solutions for businesses and professionals, with 2009 revenues of $13 billion
• Through two divisions we serve high-end professional and business customers:
– Markets Division: 26,500 employees, $7.5B in revenue. Provides financial applications for over half a million professionals globally.
– Professional Division:
• Legal: 12,900 employees, $3.6B in revenue. Westlaw relied upon by 98% of the world’s major law firms.
• Tax & Accounting: 4,000 employees, $1.0B in revenue. Checkpoint used by 100% of the top 100 US accounting firms.
• Healthcare and Science: 4,500 employees, $.9B in revenue. Scientific: used by over 20 million researchers. Healthcare: informing decisions affecting over 150M lives.
ABOUT PAISLEY GRC SOLUTIONS
• Provide comprehensive solutions for governance,
risk and compliance (GRC)
– Technology, methodology, professional services
• Paisley GRC solutions provide a common platform for:
– Financial controls management
– Internal audit
– Operational risk management
– Compliance
– IT governance
– Enterprise risk management



PRESENTER
• Bruce McCuaig — CA, CIA, CCSA
– Vice president, risk and compliance
– Over 30 years in risk and control management
– Directs the company’s ORM program
– Works with clients seeking to implement risk-based approaches for their GRC initiatives and to drive improvements in existing risk management initiatives
– Experienced speaker, writer and published author
– Senior executive in oil and gas, mining industries; currently a board member and audit committee chair
ANTHROPOMORPHISM: ATTRIBUTING HUMAN CHARACTERISTICS TO NON-HUMAN ENTITIES
• What should I eat, what do I need to eat, what do I want to eat, what’s healthy, what’s tasty, what’s fresh, what’s hot, what’s cold, what’s first, what’s last, what’s left, how long is the line, what did I eat yesterday, when’s the next meal, what is the cost?


DEVELOPING THE APPROPRIATE RISK APPETITE FOR YOUR ERM PROGRAM
• Importance of risk appetite
• Understanding risk appetite
• Obstacles to measuring risk appetite
• Establishing risk appetite
• Feeding risk appetite
• Developing risk appetite metrics
• Sustaining the risk appetite process
IMPORTANCE OF RISK APPETITE


IMPORTANCE OF RISK APPETITE
• A clearly defined risk appetite is the ultimate measure of an organization’s risk management processes and skills. It requires:
– Clear definition of stakeholders and their requirements
– Articulated enterprise objectives
– Rigorous risk management processes
– Extensive participation and collaboration
– Clear understanding of risk downside and upside
– Sound methodology and technology
• Managing through risk appetite analysis will enable more transparent decision making for all stakeholders.


IMPORTANCE OF RISK APPETITE — ERM
• Risk appetite should integrate with corporate strategy
– What adverse outcomes or events are intolerable
• We won’t risk the loss of our license to do business
• We will not expose our employees or customers to environmental
hazards
– What strategies are outside the boundaries
• We will not grow by acquisition
• We will not do business in …
– What financial consequences are tolerable
• % of capital for a financial institution
• Share price decline
– What financial or operating parameters are important
• We will not exceed a debt/equity ratio of 50%
• We will not tolerate unscheduled downtime in hosting operations



IMPORTANCE OF RISK APPETITE — ERM
• Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (COSO ERM)
[Diagram: ERM Context. Strategic objectives, organizations and business processes are linked to enterprise risks and process risks; key performance indicators, key risk indicators, loss events and issues feed the risk picture; action plans deliver risk treatment.]


IMPORTANCE OF RISK APPETITE — ERM
• Risk appetite decisions are made at the ERM level
• Based on data from deep within the organization and business processes
[Diagram: the same ERM Context diagram as on the previous slide, with risk appetite decisions at the top and loss events, issues, key risk indicators and action plans at the process level.]


UNDERSTANDING RISK APPETITE


UNDERSTANDING RISK APPETITE
• Characteristics of risk appetite
– Financial institutions may be able to express risk appetite against
specific risks in objective terms
• Insure the second $100 million of flood damage risk in lower Manhattan
(zip codes 10011, 10012, 10013)
• Invest $100 million in the sovereign debt of Greece
– Many aspects of risk appetite are extremely subjective, qualitative
in nature and are expressed at the process or business level
• Will not outsource our data processing to a third-party
• Divest our non-core properties
– Risk appetite decisions are the result of complex emotional,
behavioral, quantitative considerations



UNDERSTANDING RISK APPETITE IN ERM
• ERM practices must produce this information
Risk Appetite… the amount of risk, broadly defined, that an organization is willing to accept in pursuit of stakeholder value
(COSO: Strengthening ERM for Strategic Perspective)


OBSTACLES TO MEASURING RISK APPETITE


OBSTACLES TO MEASURING RISK APPETITE
• Little or no guidance exists
• Definitions are vague, abstract and interdependent
• No regulatory framework requires risk appetite
• No reporting framework exists for risk appetite
• Potential legal implications in accepting risk
• Dangerous knowledge in the hands of competitors
• It is hard to determine, changes frequently, and takes time and resources
• Improved knowledge is no guarantee of rational risk appetite
ESTABLISHING RISK APPETITE


ESTABLISHING RISK APPETITE
EXISTING RISK PROFILE
• Standard classification of risks and controls is useful to ensure completeness
Sample Risk Types (Source: Standard and Poor’s)
– Environmental risks: Business continuity; Business market environment; Environmental; Liability lawsuits; Natural disasters/weather; Pandemic; Physical damage; Political risk; Regulatory/legislative; Terrorism
– Financial risks: Capital availability; Credit counterparty; Financial market risk; Inflation; Interest rates; Liquidity; Credit downgrade; Currency controls; Government intervention
– Supply risks: Commodity prices; Supply chain; Financial instability; Corruption; Trade embargo
– Management risks: Corporate governance; Data security; Employee health and safety; Intellectual property; Labor disputes; Labor skills shortage; M&A/restructuring; Managing complexity; Outsourcing problems; Project management; Reputation; Technology failure


ESTABLISHING RISK APPETITE
EXISTING RISK PROFILE
• Event risks can be ranked by risk level and risk
management decisions made



ESTABLISHING RISK APPETITE
EXISTING RISK PROFILE
• Develop the risk profile for strategic objectives and supporting business organizations and processes
[Diagram: risks mapped to where they arise in the organization. Intellectual property risk and fraud risk at the corporate level; business continuity risk spanning the business units, Processes A, B and C and the line of business; third-party risk at vendors and sub-contractors; political risk.]


FEEDING RISK APPETITE


FEEDING RISK APPETITE
• Risk appetite requires continuous, reliable information about risk – a consistent methodology is required
The methodology is a cycle:
1. Strategic Objective/Org
2. Enterprise Risk
3. Assess Process Risks
4. Manage Process Risks
5. Identify Issues
6. Assign Risk Appetite Index
7. Assess KPI/KRI Results
8. Assign Actions to Adjust Risk to Desired Level


FEEDING RISK APPETITE
The questions each step of the cycle answers:
1. Strategic Objective/Org and 2. Enterprise Risk: Where in our organization and process context must we focus on risk appetite?
3. Assess Process Risks: What impact information do we have and what do we need? What is our risk profile? What risks are approaching tolerance limits? What is their direction and velocity?
4. Manage Process Risks: What concerns are emerging from our performance information? Any impediments?
5. Identify Issues: Issues are driven by unmitigated risks, performance variations, concerns and impediments.
6. Assign Risk Appetite Index
7. Assess KPI/KRI Results: What indicator information do we have? Can we explain performance gaps with issues?
8. Assign Actions to Adjust Risk to Desired Level


FEEDING RISK APPETITE
• Driving out risk appetite data: five categories of process-level information feed the enterprise risk appetite
– Indicators
– Impacts
– Impediments
– Concerns
– Risk transfer
Risk Appetite… the amount of risk, broadly defined, that an organization is willing to accept in pursuit of stakeholder value


FEEDING RISK APPETITE
ELEMENTS OF ENTERPRISE RISK APPETITE
Enterprise elements: Risk Appetite, Risk Capacity, Risk Tolerance, Desired Risk Level. Each process-level element is marked (X) against the enterprise elements it informs:
Indicators      X X
Impacts         X X
Impediment      X
Concern         X X
Risk transfer   X X


DEVELOPING RISK APPETITE METRICS


DEVELOPING RISK APPETITE — INDICATORS
• How are we doing today? Are we achieving our strategic/process objectives? What is our risk tolerance?
Indicators refer to anything known about how effective the current practices are with respect to achieving a strategic or related process objective. Often evidence already exists relating to the current effectiveness of management processes and risk treatments. The indicator category will be directly affected by the quality of the indicator/measurement controls currently in use.
• Caution: Most GRC practitioners do not consider business performance indicators in their risk and control assessments today.


DEVELOPING RISK APPETITE
INDICATOR INFORMATION
• What kinds of information do managers use as indicator information?
– Indicator information can be qualitative or quantitative
– As a general rule, good managers know their numbers and can describe some quantitative indicators
• “Our claims processing is 25% faster than our KPI”
• “We are able to ship 90% of new product orders within 1 business day”
• “Quality defects are below .05% of production”
• “Unscheduled downtime > 5 minutes is running at .001%”
• Look for granular and quantitative indicators. Little or vague indicator information suggests poor performance measurement mechanisms. Should you be taking risks at all?


DEVELOPING RISK APPETITE
INDICATOR INFORMATION SOURCES
• If you cannot articulate specific relevant performance
indicators your risk appetite will be a guess
– Specifically, indicator information should be derived from
• Key performance indicator variances
• Budget variances
• Reported incidents
• Reported near misses
• Competitive benchmarking reports
• Customer surveys
• Analyst reports
• Rating agency reports

• If you cannot describe how you are doing today, you do not
understand your strategic objectives or current risk profile



DEVELOPING RISK APPETITE
IMPACT INFORMATION
• How bad would it be if we failed? If you don’t understand impact information at the strategic and process level you can’t determine your risk capacity and tolerance.
Impact information describes how bad it would be if a strategic or process objective was not achieved in whole or in part. Non-achievement of some strategic objectives, or significant process failures, can literally mean the demise of an organization or the firing of the staff responsible. Are there risks whose consequences are too dire to tolerate?
• Caution: Many GRC practitioners and many regulators are impact intolerant.


DEVELOPING RISK APPETITE
IMPACT INFORMATION
• What kind of information do managers use as impact information?
– Information about known or probable losses or exposures
– Qualitative judgments about potential impacts
– If we do not comply, the regulators could suspend our license
• We would lose $100,000 in revenue per day
– New product development will require most of our 2010 capital
– Cleaning up an oil spill in the Gulf could cost billions
• Look for granular and quantitative impact information. Little or vague impact information suggests no incident/loss event reporting or other analysis.


DEVELOPING RISK APPETITE
IMPACT INFORMATION SOURCES
• What kinds of facts or tools are available to managers to gather impact information?
– Loss events/incidents
– Historical regulatory sanctions
– Scenario analysis
– Stress testing
– Monte Carlo simulation
– Legal actions
– Product returns
– Financial risk exposures
– Insurance risk exposures
– Inherent risk assessment
– Key risk indicators


DEVELOPING RISK APPETITE — IMPEDIMENTS
• What can I not change right now? If you do not understand impediments you cannot assess risk tolerance.
Identification of impediments provides an excellent opportunity to formally articulate situations outside of the control of an executive that are frustrating and resulting in sub-optimal performance or non-achievement of a stated strategic or process objective.
• Note that many impediments can be turned into opportunities if they can be resolved.


DEVELOPING RISK APPETITE
IMPEDIMENT INFORMATION
• Impediments generally consist of
– Resource constraints or other factors beyond management’s control
– Barriers imposed by technology, competitors, the environment or regulators
– Regulators will not allow us to buy competitors
– Global warming is impacting our market share
– Trade restrictions prevent us from exporting offshore
• There will always be impediments. No one has unlimited resources or unconstrained authority. Be cautious when managers claim significant impediments in the absence of other information.


DEVELOPING RISK APPETITE
IMPEDIMENT SOURCES
• What kinds of facts or tools are available to gather impediment information?
– Resource reductions or deferrals
– Regulatory change
– Economic constraints
– Competitor action
– Reorganizations
– Acquisitions/divestments
• A detailed but balanced and realistic list of impediments suggests managers are thinking out of the box. Can they see any opportunities in the impediments?


DEVELOPING RISK APPETITE — CONCERNS
• What solvable problems am I living with now? If you do not have good concern information you can’t adjust your risk capacity.
Concern is a term used to describe any problem that is known or suspected and directly related to the strategic objective or related process being assessed. This category allows broad expression of the executive’s thoughts and concerns related to the achievement of the strategic or process objective. Ineffective risk treatments, such as missing or poorly functioning controls, should be considered.
• Risk appetite means accepting many concerns and the related risk.


DEVELOPING RISK APPETITE
CONCERN INFORMATION
• Generally concerns appear as things within the power of the executive to resolve but which require a shift in priorities or resources.
– We do not have a contract with the operator of our back-up site.
– Our pricing models are all in unsecured Excel spreadsheets.
– Our drill rigs in the Gulf do not have backup blowout preventers.
• There will always be concerns. If managers can’t describe concerns, they don’t understand their desired level of risk. If managers understand only their concerns, they are risk averse and may be making suboptimal risk appetite decisions.


DEVELOPING RISK APPETITE
CONCERN INFORMATION SOURCES
• Concern information is some of the easiest and most common to gather.
– Internal audit issues
– External audit findings
– Audit recommendations/actions
– IT reported incidents/privacy violations/hacker attacks
– Management issues
– Regulator findings
– Consultant reports
– Hot lines
– Incident reports
• Concerns are manifested as issues/actions and recommendations. If risk is understood, many concerns could be left unaddressed.


DEVELOPING RISK APPETITE
RISK TRANSFER
• What risks am I shifting to someone else? How does it affect my risk capacity?
The risk transfer/insurance category is used to collect information on risk transfer or insurance mechanisms that mitigate or affect residual risk status.
• Cost-effective risk transfer is a largely forgotten and underused risk treatment. It must be understood.


DEVELOPING RISK APPETITE
RISK TRANSFER INFORMATION
• Many managers are not aware of the risk transfer mechanisms currently in place.
– Employees are bonded for fidelity issues
– Our drilling contractor is responsible for rig safety
– We have the right to return unsold inventory to our vendors
– Currency or credit risk is hedged or insured
– Natural event risk is insured
• Non-financial risk transfer mechanisms are often scattered around the business. Costs are often not known or not allocated. Can they be exploited for gain?


DEVELOPING RISK APPETITE
RISK TRANSFER INFORMATION SOURCES
• Sources of risk transfer information include
– Insurance policies, deductibles
– Contractual agreements with vendors
– Outsourcing service level agreements
– Procurement strategies
– Financial hedging strategies/instruments
– Warranties and guarantees
– Joint ventures
• Risk transfer mechanisms increase risk capacity. It is important to understand their cost and how they can leverage capacity.


DEVELOPING RISK APPETITE
RISK APPETITE INDEX
• Risk appetite is dynamic and requires synthesizing large amounts of qualitative and quantitative data
• There is no one right risk appetite
• Risk appetite requires judgment and continuous review as circumstances change


DEVELOPING RISK APPETITE
RISK APPETITE INDEX
The index runs from 1 (High) to 7 (Negative); the numbering is the one used in the two examples that follow.
1. High: Inaction on unacceptable items is unlikely to result in material negative impacts. Minimal impediments or concerns. Current risk level is below capacity and performance is not being optimized. Manageable by process owners.
2. Significant: Inaction on unacceptable items results in minor negative impacts. Moderate additional levels of risk are tolerable within the existing risk profile. Manageable by business managers.
3. Moderate: Inaction on unacceptable items could result in continuation of moderate negative impacts. Selective risks could be assumed within risk appetite, or risk treatment could be adjusted cost effectively. Monitored by business managers.
4. Acceptable: Inaction on specific unacceptable items is certain to result in continuation of negative consequences. Limited or no additional risk without adjusting risk capacity or risk treatment.
5. Selective: Inaction on most unacceptable items is virtually certain to result in continuation of severe negative impacts. Senior-level attention urgently required to review risk appetite.
6. Excessive: Inaction on unacceptable items will result in the continuation of potentially catastrophic impacts. Senior-level attention urgently required to avert a catastrophic negative impact on the organization.
7. Negative: The current risk appetite exceeds capacity and is causing disastrous impact on the organization. Immediate top-priority action from executives is necessary to adjust risk appetite to within acceptable levels.


DEVELOPING RISK APPETITE
RISK APPETITE INDEX — EXAMPLE 1
• Strategic objective: Grow individual life insurance premiums by 10%
• ABC life insurance underwriting process
• Risk appetite score 5 (Selective) to 6 (Excessive)
– Concern: Rigorous adherence to practices could put ABC at a competitive disadvantage. Competitors are very lax.
– Concern: Procedures do not require that the client’s alleged doctor is currently registered and practicing.
– Concern: Examining doctors are not required to take steps to verify that the person they are examining and reporting on is in fact the applicant.
– Concern: Internal audit and/or other specialists have not done any specific fraud vulnerability reviews in this area.
– Indicator: Fraudulent claims up 10% year over year.
– Impact: Even a small number of fraudulent claims has the potential to affect total corporate earnings (e.g., a small organized scheme could hit earnings for over 50 million).
– Impediment: Regulators are closely watching business practices in this area.


DEVELOPING RISK APPETITE
RISK APPETITE INDEX — EXAMPLE 2
• Strategic objective: Become the industry low-cost producer
• Strategic procurement process – manufacturing inventory
• Risk appetite score 1 (High) to 2 (Significant)
– Indicator: Cost of purchased goods down 5% year over year
– Indicator: 0 days of production lost due to parts shortages
– Impact: Inventory levels exceed 60 days of production requirements
– Impact: Inventory carrying costs up 10% from last year
– Concern: Plant managers’ incentives are based on parts acquisition cost
– Concern: Plant managers are authorized to make unlimited purchases against blanket purchase orders


DEVELOPING RISK APPETITE
CRITICAL ELEMENTS
• Management must make the risk appetite decisions
• Management must certify the reliability of the data
– Penalties and sanctions must exist for bad data
• GRC professionals must drive standards and quality
• Risk appetite decisions must be reflected in capital allocation


DEVELOPING RISK APPETITE
ORGANIZATION MAPPING
• Risk appetite indices assigned to organization/process
[Diagram: organization map of ABC Corporation with Divisions 1 to 5, Business Units A to C under a division, and Processes X and Y under a business unit, each carrying its assigned index.]
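As an added example, not part of the webcast and not Paisley GRC code: a small Python model of the organization mapping above. It encodes the seven-level index from the Risk Appetite Index slides and the five process-level evidence categories (indicators, impacts, impediments, concerns, risk transfer), assigns indices at the process level using the two worked examples, and rolls them up the tree so that a division or the corporation shows the worst index beneath it. Three things are this example's assumptions rather than statements in the deck: the worst-of-descendants roll-up rule, escalation at level 5 and above (where the deck calls for senior-level attention), and the check that an index with no indicator and impact evidence behind it is flagged as a guess (the deck's wording, made into a rule). The third process, "Hosting operations", and its evidence are constructed for the example.

```python
"""Risk appetite index mapping over an organization/process tree.

Added example; not code from the webcast or from Paisley GRC.
Assumptions of this example (not stated in the deck): a parent's index is
the worst (highest) index among its descendants; levels 5-7 are escalated;
a process index without indicator and impact evidence is flagged as a guess.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Seven-level index from the deck: 1 High ... 7 Negative
INDEX_LEVELS: Dict[int, str] = {
    1: "High", 2: "Significant", 3: "Moderate", 4: "Acceptable",
    5: "Selective", 6: "Excessive", 7: "Negative",
}
# The five process-level evidence categories from the deck
CATEGORIES = ("indicator", "impact", "impediment", "concern", "risk_transfer")
REQUIRED_FOR_INDEX = ("indicator", "impact")   # assumption, see docstring
ESCALATE_AT = 5                                # assumption: Selective and worse


@dataclass
class Evidence:
    category: str
    text: str

    def __post_init__(self) -> None:
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown evidence category: {self.category}")


@dataclass
class Node:
    """Corporation, division, business unit or process."""
    name: str
    index: Optional[int] = None                 # assigned by management (process level)
    evidence: List[Evidence] = field(default_factory=list)
    children: List["Node"] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.index is not None and self.index not in INDEX_LEVELS:
            raise ValueError(f"index must be 1..7, got {self.index}")

    def add(self, child: "Node") -> "Node":
        self.children.append(child)
        return child


def rollup(node: Node) -> Optional[int]:
    """Worst index among the node's own index and all descendants (assumed rule)."""
    candidates = [node.index] if node.index is not None else []
    candidates += [r for r in (rollup(c) for c in node.children) if r is not None]
    return max(candidates) if candidates else None


def walk(node: Node, path: str = "") -> List[Tuple[str, Node]]:
    """Flatten the tree into (path, node) pairs, depth first."""
    here = f"{path}/{node.name}" if path else node.name
    out = [(here, node)]
    for c in node.children:
        out.extend(walk(c, here))
    return out


def escalations(root: Node) -> List[Tuple[str, int, str]]:
    """Processes whose assigned index is at or above the escalation level."""
    return [(p, n.index, INDEX_LEVELS[n.index]) for p, n in walk(root)
            if n.index is not None and n.index >= ESCALATE_AT]


def unsupported_indices(root: Node) -> List[Tuple[str, List[str]]]:
    """Assigned indices lacking indicator or impact evidence: a guess, per the deck."""
    gaps = []
    for p, n in walk(root):
        if n.index is None:
            continue
        present = {e.category for e in n.evidence}
        missing = [c for c in REQUIRED_FOR_INDEX if c not in present]
        if missing:
            gaps.append((p, missing))
    return gaps


def build_abc() -> Node:
    """Constructed sample tree using the deck's two worked examples plus one made-up process."""
    abc = Node("ABC Corporation")
    underwriting = Node("Life underwriting", index=6, evidence=[
        Evidence("concern", "Examining doctors do not verify applicant identity"),
        Evidence("concern", "No fraud vulnerability review by internal audit"),
        Evidence("indicator", "Fraudulent claims up 10% year over year"),
        Evidence("impact", "Small organized scheme could hit earnings for over 50 million"),
        Evidence("impediment", "Regulators closely watching this area"),
    ])
    procurement = Node("Strategic procurement", index=2, evidence=[
        Evidence("indicator", "Cost of purchased goods down 5% year over year"),
        Evidence("indicator", "0 days of production lost to parts shortages"),
        Evidence("impact", "Inventory exceeds 60 days of production requirements"),
        Evidence("concern", "Unlimited purchases authorized against blanket POs"),
    ])
    # Constructed: an index assigned with no performance or impact data behind it
    hosting = Node("Hosting operations", index=3, evidence=[
        Evidence("concern", "No contract with operator of back-up site"),
    ])
    abc.add(Node("Division 1")).add(Node("Business Unit A")).add(underwriting)
    bu_b = abc.add(Node("Division 2")).add(Node("Business Unit B"))
    bu_b.add(procurement)
    bu_b.add(hosting)
    return abc


if __name__ == "__main__":
    root = build_abc()
    print("Corporate roll-up:", rollup(root), INDEX_LEVELS[rollup(root)])
    for item in escalations(root):
        print("Escalate:", item)
    for item in unsupported_indices(root):
        print("Index without supporting evidence:", item)
```

Run as a script it prints the corporate roll-up (6, Excessive, driven by the underwriting process), the one process needing senior-level attention, and the hosting process whose index rests on a concern alone. Swapping the roll-up rule (for example, weighting by capital allocated to each unit, as the Critical Elements slide suggests) only touches `rollup`.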



SUSTAINING THE RISK APPETITE PROCESS


SUSTAINING THE RISK APPETITE PROCESS
• Risk appetite is a powerful concept but must be carefully operationalized
• Operationalizing risk appetite requires a rigorous, consistent methodology to drive a variety of qualitative and quantitative information
• Risk appetite development will challenge and stretch audit and risk professional standards and guidelines
• Management must be far more involved in GRC processes and methodologies


SUSTAINING THE RISK APPETITE PROCESS
LEVERAGE TECHNOLOGY
• Technology provides the workflow to operationalize the risk appetite process
• Technology provides the central repository to capture, analyze and report on both qualitative and quantitative information
• Technology provides the vehicle for management to become involved with the risk appetite process on a continuous basis
QUESTION & ANSWER
• Phone
– 888.288.0283 (U.S. and Canada)
– 320.286.5870 (All other countries)
• Email
– paisleyinfo@thomsonreuters.com
– bruce.mccuaig@thomsonreuters.com
• Visit
– paisley.thomsonreuters.com
– Blog: inside-grc.com
– Twitter: twitter.com/paisleygrc
– Facebook: Paisley GRC Software
