
Next-generation enterprise risk management - EY


The September 2017 release of the new COSO publication, Enterprise Risk Management—Integrating with Strategy and Performance, which is an update of their 2004 ERM framework, supports this expanded approach to ERM.


Transcription of Next-generation enterprise risk management - EY

Next-generation enterprise risk management

Advancing strategy and performance in light of the COSO 2017 refresh

Heading into the beginning of the year, the EY Center for Board Matters published the Top priorities for US boards in 2017, which highlighted the importance of seizing opportunities while enhancing risk management as a key board priority. In particular, we emphasized the need to apply a more balanced, agile and integrated approach to enterprise risk management in order to sustain growth and performance.

The September 2017 release of the new COSO publication, Enterprise Risk Management—Integrating with Strategy and Performance, which is an update of their 2004 ERM framework, supports this expanded approach to ERM. The COSO update addresses the evolution of ERM and the need for organizations to improve their approach in managing risk to meet the demands of an evolving business environment. It additionally highlights the importance of considering risk in both the strategy-setting process and in driving performance.

The updated COSO Framework highlights the importance of integrating ERM with the strategies and performance objectives of an organization. This update:

- Provides greater insight into the value of ERM when setting and carrying out strategy
- Enhances alignment between business performance and ERM to improve the setting of performance targets and understanding the impact of risk on performance
- Accommodates expectations for governance and oversight
- Recognizes the globalization of markets and operations, and the need to apply a consistent and tailored approach across geographies
- Presents new ways to leverage risk information in setting objectives and monitoring developments in the context of greater business complexity
- Expands reporting to address expectations for greater stakeholder transparency
- Promotes evolving technologies and the use of data and analytics in supporting decision-making
- Sets out core definitions, components and principles for all levels of management involved in designing, implementing and conducting ERM practices

Next-generation ERM

Limitations of conventional ERM

Most companies' ERM programs operate with a compliance and informational focus and result in a highly detailed catalog of wide-ranging risks that exist within the organization, ranging from the nominal to the potentially catastrophic. Oftentimes, historical ERM processes have run independently and have not been integrated into the cadence of an organization's strategy-setting and performance management processes, sometimes resulting in mismanaged risks.

While the traditional compliance-based ERM approach is good for identifying and managing preventable risks, a company's strategic risks or external risks, such as cybersecurity, require a different approach based on open and explicit risk discussions. Many organizations apply a wide-ranging risk identification process rather than first considering the risks embedded in their business strategies. This may lead to some organizations failing to understand how megatrends are presenting risks to already established business models.

The board's role in ERM

COSO defines ERM as "The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value" and emphasizes that organizations are most successful when they leverage the consideration of culture, strategy and business objectives in risk management. The framework is organized into five revised components and several underlying principles that overlay the business processes of the organization.

Enterprise risk management components* and board risk oversight responsibilities

Governance and culture

Governance and culture together form a basis for all other components of enterprise risk management. Governance sets the entity's tone, reinforcing the importance of enterprise risk management, and establishing oversight responsibilities for it. Culture is reflected in decision-making.

Board risk oversight responsibilities:

- Assess appropriateness of strategy, and risk inherent in the strategy
- Define board risk governance role and structure
- Oversee alignment of performance and risk taking to balance short- and long-term strategy achievement
- Understand how risks are monitored

Strategy and objective setting

ERM is integrated into the entity's strategic plan through the process of setting strategy and business objectives. With an understanding of business context, the organization can gain insight into internal and external factors and their effect on risk. An organization sets its risk appetite in conjunction with strategy setting. The business objectives allow strategy to be put into practice and shape the entity's day-to-day operations and priorities.

Board risk oversight responsibilities:

- Set expectations for integration of ERM into business management processes
- Discuss and understand risk appetite and alignment with expectations
- Require management to demonstrate understanding of risk capacity and ability to withstand large, unexpected events

Performance

An organization identifies and assesses risks that may affect an entity's ability to achieve its strategy and business objectives. It then prioritizes risks according to their severity and consideration of the entity's risk appetite. The organization then selects risk responses and monitors performance for change. In this way, it develops a portfolio view of the amount of risk assumed in the pursuit of its strategy and entity-level business objectives.

Board risk oversight responsibilities:

- Review strategy against risk profile
- Set expectations for risk reporting including risk appetite
- Understand risk assessment process
- Understand most significant risks and response strategies
- Understand scenarios that could alter risk profile

Review and revision

By reviewing ERM capabilities and practices, and the entity's performance relative to its targets, an organization can consider how well the ERM capabilities and practices have increased value over time and will continue to drive value in light of substantial changes.

Board risk oversight responsibilities:

- Ask about manifesting risks
- Challenge management to demonstrate suitability and functionality of ERM process

Information, communication and reporting

Communication is the continual, iterative process of obtaining information and sharing it throughout the entity. Management uses relevant information from both internal and external sources to support enterprise risk management. The organization leverages information systems to capture, process, and manage data and information. By using information that applies to all components, the organization reports on risk, culture and performance.

Board risk oversight responsibilities:

- Identify information required to execute board oversight
- Access internal and external information for oversight
- Obtain independent assessment of management perceptions and assumptions

* COSO's definition of the five components of the framework as published in Enterprise Risk Management—Integrating with Strategy and Performance, September 2017.

November 2017

What is Next-generation ERM?

The big step in ERM lies in shifting from primarily enterprise risk monitoring to risk-enabled performance management: it expands ERM from a protective risk management to a protect and grow mindset. We call this evolving discipline Next-generation ERM. It adds a critical layer to the conventional approach by putting a focus on the need to embed and better integrate strategy and performance risk considerations into existing ERM processes.

The future of ERM will call for a shift to viewing risks along the lines of key uncertainties that drive variability of business results (such as customer acceptance of new channels, technological capabilities, and cybersecurity breaches) and aligning risk management with the entirety of the business. By doing so, organizations can reduce performance variability and enhance an organization's resiliency and its ability to anticipate and respond to the ever-evolving dynamic risk landscape.

A robust ERM approach starts with organizational purpose and performance objectives as the foundation of risk identification. ERM programs need to not only analyze the risks to executing strategy, but must test the viability and longevity of the strategy itself. There is little value in seeking to mitigate the risks around executing strategy if the organization does not stress test the strategy against key external risks.

EY's recent Governance, Risk and Compliance Survey indicates that organizations need to think about, manage and respond to risk differently to better drive performance. Next-generation ERM practices focus on advancing an organization's strategic thinking and identifying and assessing the risks that impact business strategy. Organizations should also evaluate areas where they should embrace taking risk, and aggressively seize the upside on taking calculated risks.

EY's Next-generation ERM framework is based on the following three components:

- Advance: To achieve performance goals, organizations must effectively advance their strategic thinking by: 1) identifying and assessing the risks that impact their business strategy and 2) responding to those risks applying three categories: strategic, preventable and external. This enables organizations to expand their focus from the risks they can control to include the ones they cannot or need to balance in order to better drive performance.
- Optimize: To efficiently and effectively respond to risk, organizations must optimize their functions and processes. This is driven by: 1) an operating model with clear ownership and accountability across the three lines of defense; 2) alignment of the right talent and skill sets to that model; and 3) designing processes to govern the execution of risk activities. This results in the structure and mechanisms necessary to facilitate coordination, communication and reporting throughout the enterprise.
- Embed: Once the functions and processes are properly in place, organizations can more easily embed and execute solutions that help them respond and manage risk as a core aspect of their business. These solutions, designed based on the three categories above, enable the organization to prevent, balance or limit the impact of risks. Leveraging enablers such as technology and digital solutions (such as automation and analytics), organizations can support and sustain these solutions while driving efficiencies and enhancing their risk management practices.

As ERM is evolving, so too is risk reporting

