Transcription of Enterprise Risk Management - EY
1 Enterprise Risk Management An integrated approach towards effective and sustainable risk Management Enterprise Risk Management an integrated approach towards effective and sustainable risk Management | 1. Why now? Firms in the financial services industry have made significant progress in strengthening their risk Management practices since the financial crisis. Advances have been made in how risk is governed, measured, monitored, mitigated and managed. Given the pace of change and the extent of new regulations, much of this risk Management progress has been focused on individual components of risk Management . This fragmented approach can lead to blind spots', inefficient coordination and Management and insufficient insight into risks . To operate effectively and sustainable, firms need a major change in how they approach risk Management . The need for a next step in risk Management is supported by the following developments: I mpact of regulatory requirements: Firms are facing a regulatory environment which has materially changed over the years.
2 A sizeable portion of these regulations impacts the risk Management agenda. Besides, formal communications from supervisors do frequently cite risk Management requirements. This continuously changing environment asks for a risk Management approach that is able to stand and incorporate new regulations and requirements. S. takeholder expectations: Investor demands for sustainable returns has been increasing over the last years. The ongoing pressure on revenue and costs requires firms to operate new business models that are able to deliver sustainable performance. Within this context, it is crucial to translate this objective to a risk Management approach that is forward-looking and linked with the overall strategy of the organization, as a precondition for sustainable performance. To remain at the forefront of today's market, firms should adopt an integrated approach that capitalizes on the value gained from upgrading risk Management and is appropriate for these new and enduring demands.
3 EY believes that future success requires an integrated approach on Enterprise risk Management that delivers on both firm, stakeholder and regulatory requirements. 2 | Enterprise Risk Management an integrated approach towards effective and sustainable risk Management What is Enterprise risk Management ? A process, ongoing and flowing through an entity M. anaged within the risk appetite at all levels Enterprise risk Management ffected by people E. (ERM) is a process, effected at every level of an by an entity's board of directors, organization Management and other personnel, Enterprise -wide at strategic level, designed to identify potential events that may affect the entity, and manage risks to remain within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives1. L. inked to the strategy, mission ble to provide reasonable A. and vision of the assurance to an entity's organization Management and board of directors G.
4 Eared to the achievement of Enterprise -wide objectives According to this definition, every organization needs to have an ERM process in place. This ERM process needs to be applied across the Enterprise , at every level, and includes taking an entity level integrated view on risk. Also the regulatory authorities stipulate the need for an ERM approach and have imposed requirements with regard to the relationship between risk Management and capital adequacy in the form of the ICAAP (Internal Capital Adequacy Assessment Process) for banks and the ORSA (Own Risk and Solvency Assessment) for insurance companies. The main requirements emphasize that all of the company's material risks must be taken into account and that capital adequacy is directly related to the company's risk profile. In order to be able to meet these requirements, firms should consolidate past progress and realize gains from an adequate and integrated ERM framework. 1. Derived from COSO Enterprise Risk Management Integrated Framework, september 2004.
5 Enterprise Risk Management an integrated approach towards effective and sustainable risk Management | 3. What should you consider in designing an integrated approach? EY has developed an integrated ERM framework (Figure 1), that incorporates all elements that together form a strong basis for effective, Enterprise -wide and integrated risk Management . The framework complies with the regulatory landscape and is able to stand new regulations and requirements that are and will be applicable for the financial services industry. ERM Framework People Risk Governance Risk Culture Talent & Incentives Strategy & Risk Appetite Culture mechanisms Resourcing Board risk oversight Behavior outcomes Three Lines of Defense Policy framework Infrastructure and operations Market risk Liquidity risk Ability to identify, aggregate and report on all risks External Market data Data: Consistent, complete, accurate and auditable Integration of risk & finance systems architecture IT, data Management , risk information Credit risk Insurance risk Operational risks Diversification Correlation Conduct risk Reputational risk Other risks Strategic risk Compliance risk Risk identification Risk assessment & measurement Risk monitoring Identify key risk exposures (including Qualitative methods ( , assessment Focus on dashboarding, exceptions emerging risks ) methods) and trends Focus on risk drivers Quantitative methods ( , risk Limits monitoring and clear escalation Identify risk correlations/diversification scenarios and risk modeling)
6 Procedures Focus on Controls driven by stakeholders Combination of top-down and Focus on key controls Key risk & control indicators External environment and regulations bottom-up approaches Economic Capital calculation Continuous process monitoring Enterprise wide stress testing Company risk profile Expanding Regulatory framework Risk Management & embedding risk culture Impact of Rating agencies Risk Based business decisions and pricing Risk Adjusted Performance Measurement Transaction acceptance based on risk profile Economic Capital budgeting and allocation Consumer protection Compensations & remunerations Risk remediation and action tracking Train desired behaviors and address behavioral issues Internal Control Framework Enterprise risk reporting & disclosures Information to drive business decisions and linkage to Effort to aggregate existing risk reporting packages to strategic/ business planning develop comprehensive view of risks Reporting on capital and liquidity Management External reporting Risk Management and Finance alignment Figure 1.
7 The main components of this ERM framework are highlighted on the next page. 4 | Enterprise Risk Management an integrated approach towards effective and sustainable risk Management Risk Governance People Risk Culture Risk governance is the basis for all risk Effective ERM is for a large part A sound risk culture promotes sound Management activities and includes dependent on having the right people, risk-taking and ensures that emerging strategy & risk appetite, board risk in the right roles, with the right skills, risks and excessive risk-taking oversight and the three lines of incented to deliver the organization's activities are assessed, addressed defense mechanism. In setting the goals, while appropriately managing and escalated in a timely manner. This risk strategy and risk appetite it is risk. Board and senior Management places risk culture at the intersection important to realize a clear link with should provide for adequate of behavior and risk Management .
8 The company's long term objectives, resourcing of risk Management Risk culture provides a specific lens mission and vision. The organizational activities in all lines of defense and allowing general concerns about structure should provide for the an adequately balanced talent & culture to focus on risk-taking and effective and balanced fulfilment of incentives program. The risk function risk control activities. Although the roles of the board of directors, plays an important role in training risk Tone at the Top' is a very important senior Management , and adequate awareness of people throughout the element, focus should be also on board risk oversight in the various organization. how sound risk taking is embedded risk committees. The Three Lines of in the daily behaviors and decision Defense model helps to define these making processes throughout the fundamental roles and responsibilities organization. and to place primary accountability for risk where it originates.
9 External IT, data Infrastructure environment and Management and and operations regulations risk information Besides the expanding regulatory Board and senior Management To realize integrated and sustainable framework, the financial services need to have timely, accurate and ERM, aligning the core risk sector also has to cope with growing comprehensive risk information, which Management approaches across all demands related to the increasing is also expected by the stakeholders. risk types is key. Risk Management focus on consumer protection. This This requires adequate data should be embedded in the may lead to new business models Management and ERM information operational, day-to-day business which also brings new implementation systems that deliver the right decisions by means of a risk- and execution challenges for risk information at the right moment. IT based mindset and supportive risk Management . Moreover, other parties infrastructure and data Management infrastructure across the Enterprise .
10 Such as shareholders, investors need to enable a forward-looking This should enable reporting on the and rating agencies are placing and integrated view across the firm, company's risk profile in relation to the increasingly high demands on the that enables the board to make well risk appetite. structure and transparency of risk informed decisions. Management . Enterprise Risk Management an integrated approach towards effective and sustainable risk Management | 5. How to create effective and sustainable Enterprise risk Management ? The pace and scale of regulatory change over the last five years have limited firms' ability to address Enterprise risk Management in an integrated, strategic fashion. Firms have done their best to implement changes that have met evolving regulatory requirements. To enable firms to drive the changes in a way that delivers real value to the business and that meet regulators' new and broader expectations and those of investors, a new mindset is required.
