Enterprise Risk Management (“ERM”):
More Value and More Challenges
Dolores Atallo-Hazelgreen
Deloitte & Touche LLP
April, 2007
Copyright © 2007 Deloitte Development LLC. All rights reserved. 2
Today’s topics
• Introduction
• ERM: Setting Expectations
• ERM Marketplace Perspective – Deloitte & Touche LLP 2006 Global Risk Survey
• ERM: Unlocking the Value
• Questions and Comments
ERM: Setting Expectations
ERM: Setting Expectations
Although there are multiple definitions of ERM, COSO provides a broad definition to support a broad mandate:
“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework. 2004. Committee of Sponsoring Organizations of the Treadway Commission (COSO).
ERM: Setting Expectations
ERM IS:
• A process for providing a risk adjusted view of the achievability of enterprise objectives
• A means to enhance informed decision making and risk taking
• An aggregated portfolio view of risks and vulnerabilities and their potential interactions
• A methodology that supports accountability for risk across the organization
ERM IS NOT:
• A substitute for management’s judgment
• A bureaucratic exercise that is isolated from the business units
• A guarantee of a zero risk environment
ERM Foundation
Linkage of ERM to Business Decisions: ERM Goals
• Align risk appetite and strategy
• Enhance risk response decision making
• Reduce operational surprises and losses
• Identify and manage cross-enterprise risks
• Seize opportunities
• Improve the deployment of capital
• Ensure effective compliance and regulatory reporting
• Focus on achievement of objectives
  – Strategic
  – Operations
  – Reporting
  – Compliance
Top-Down and Bottom-Up: Components of ERM
• Internal environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring
ERM: Enterprise-Wide View of Risk
Diagram (illustrative) of the information flow between the Board of Directors / Senior Management, the ERM function, Risk Committees and Business Units:
• The Top Down View: risk appetite, risk policies, guidelines, and framework
• Aggregation and Integration: risk metrics and limit data; business unit risk assessment reporting
• Operationalized View: practices and procedures; guidance on risk mitigation and limit information
• Data Collection: risk metric inputs
Why ERM: Drivers in Marketplace
Drivers surrounding the institution:
• Competition
  – Significant, well capitalized competition in all sectors
  – Consolidation results in winner survivor bias, continually strengthening the competitive environment
• Regulators
  – Detailed, comprehensive risk-based regulatory requirements
  – Regulatory capital required for all risks taken
  – Proactive regulatory approach taken
• Products
  – Explicitly focused on risk transfer, risk/reward, risk mitigation
  – Priced including effects of risk
  – Revalued on MTM basis daily or more frequently
  – Innovation continues at a high level of complexity
• Customers
  – Competition and providers’ inability to differentiate increase customer power and pricing pressure
  – Create credit risk which must be priced or otherwise accounted for
• Investors
  – Superior risk adjusted returns sought out – winners rewarded
  – Low appetite for unexpected losses
• Rating Agencies
  – Rating agency expectations for sophisticated risk management
  – S&P requirements for ERM benchmarking
  – High leverage in the industry increases rating agency focus
Concern for Cost and Overlapping Initiatives
• Increasing Laws and Regulations
• Overlapping Requirements / Increasing Costs
Current Industry Focus
"You'd better be good at controlling expenses," Kenneth D. Lewis, Chairman, President, and CEO, Bank of America
"In this interest rate environment we're just going to have to be focused on expenses all the time," Kennedy Thompson, Chairman and CEO, Wachovia Corp.
"It's hard to predict when the environment will improve, but we're going after the things that we can control, which is the cost structure," Kerry Killinger, Chairman and CEO, Washington Mutual
"We mustn't allow inefficiencies into our business. We must carefully manage costs going forward, so that we can maintain our ability to continue to invest," Clive Standish, CFO of UBS
"Our 2007 priorities are clear: generating sustainable growth in U.S. consumer, … focusing sharply on expense management, and remaining highly disciplined in credit management," Charles Prince, CEO of Citibank
"We have commenced some initiatives to look at our operating expenses," Alan Levan, Chairman and CEO, BankAtlantic
Regulator expectations
"The evolution of the financial markets and the number of significant governance issues recently faced by complex financial firms clearly underscore the need to view risk management on an enterprise-wide basis… The silo approach to compliance has prevailed for far too long." Federal Reserve Governor Susan Bies
"A consolidated – or 'enterprise-wide' – approach to compliance risk management has become 'mission critical' for large, complex banking organizations…." Federal Reserve Governor Mark Olsen
ERM: Value Proposition
• Compliance with laws and regulations, particularly regarding governance and oversight
• Favorable views from credit agencies, insurers, analysts and other stakeholders
• Improved understanding on the part of senior management and the board about the nature of risk in their business, including concentrations of risk exposures across risk types and business units
• Identifying situations where the enterprise’s aggregate risk exposure exceeds its risk appetite
• Freeing up capital and making improved capital investment and capital allocation decisions
• Promoting a risk-aware operating culture and accountability
• Enhancing reputation and transparency
ERM Marketplace Perspective:
Deloitte & Touche LLP 2006 Global Risk Survey
Increasing Trend of Risk as a Board Responsibility
• Risk management continues to be elevated in priority
  – 70% of institutions said risk management
  – 60% of participating institutions reported that the board takes at least a “somewhat active” role in risk management
  – 76% of institutions reported that their risk committee of the board played a “somewhat active” role in overseeing risk management
Strategic Role of the Chief Risk Officer (CRO)
Charts: CRO Reporting; Institutions with a CRO
Risk Oversight Approach Varies
• 44% of institutions said they have a centralized approach, 35% said decentralized, while the remaining 21% used a mix of both
• Key is to tailor the approach to the institution’s governance approach, organizational structure, size and operating philosophy
Traditional Risk Management Viewed as More Effective Risk Management
• Effectiveness
  – Over 70% of participants rated their institutions highly in managing market, credit and liquidity risk.
  – With companies placing a greater dependence on models, an emerging risk that needs to be considered is model risk
ERM: A Work in Progress
• Despite its appeal, ERM implementation is still fairly limited – only 35% of institutions have an ERM program in place
• Continued interest in integrating ERM with the organization's decision making framework – 2/3 reported having a formal, enterprise-level statement of their risk appetite that is either quantitatively or qualitatively defined and approved
ERM Value Exceeds the Costs for Many Institutions
• Most institutions lack a quantitative understanding of costs and benefits
  – Only 13% of firms in the survey quantify ERM costs and just 4% quantify ERM value.
• ERM benefits cited most often:
  – “improved understanding of risks”, “improved regulator perception” and “reduction in losses due to risk events”
Risk Types Included in ERM Vary
Lacks Integration with Other Initiatives
• Less than half the institutions have integrated ERM with IT risk or strategic planning
• Only about one-third have integrated it with budgeting or project management risk, and even fewer with vendor risk assessments
Technology Integration Concerns
• 58% of executives say it is a major concern
• Additional concerns were:
  – a lack of flexibility in extending current systems
  – high cost of maintenance and vendor fees
  – inability to provide frequent and timely reporting
Recap of Key Themes
• Risk management responsibility is being elevated to the Board level much more commonly than in prior years
• The importance of the CRO role continues to increase, with the majority of CROs reporting directly to the CEO or the Board
• Fully implemented ERM is still a work in progress
• Most institutions perceive the benefits of ERM programs to outweigh the costs, but few have quantified them
• Integration throughout the organization and with other risk initiatives is still a challenge in most cases
ERM: Unlocking the Value
ERM: Value in the Sum and the Parts
Diagram of ERM capability layers and their components:
Integration
• Economic Capital & Value Based Management
• Risk Management
• Integrate Risk Learning Capability
• Strategic Planning & Oper. Charges
• Risk Mitigation
Risk Quantification
• Quantitative Analysis & Scoring
• Calibration with Loss Event & Qualitative Data
• Risk Indexing and Aggregation
• Performance & Risk Metrics Dashboard
Assessment & Design
• Business Unit Risk Analysis & Diagnostics
• Business Process Structure & Value Chain Assessment
• Cultural Risk Assessment
• Key Metrics & Risk Indicators Identification
Structure & Strategy
• Current Initiatives & Goals Review
• Risk Identification Framework
• Operational Risk Policies & Procedures
• Vision, Strategy & Operational Structure
Corporate Governance
• Executive Management & Board Support
• Roles and Responsibilities
ERM: Value in the Sum of the Parts
Vision
Governance
Culture
Methodology
Common Language
Risk Policies
Risk Appetite
Risk Assessment
Risk Measurement
Risk Monitoring
Reporting
Independent Verification/ Testing
ERM: Establishing a Shared Vision
Maturity levels, each with a description and commentary:
Level 0: Nonexistent
• Description: No risk management capabilities are in place. There is a lack of any recognizable process.
• Commentary: Applies to new entities; ephemeral state
Level 1: Initial/Ad Hoc
• Description: Risk management activities are ad hoc. No overarching risk management philosophy or objectives are defined.
• Commentary: Success depends on individuals; people are unaware of risks; risks managed reactively
Level 2: Fragmented
• Description: Risk management functions independently within business units. Risk types managed are limited to hazard, financial, and compliance.
• Commentary: Capabilities vary across BUs; no cross-BU coordination; some expertise within a limited number of risk types such as market, credit, or hazard
Level 3: Comprehensive
• Description: Risk management is enterprise-wide and encompasses all risk types including strategic and operational.
• Commentary: Risks clearly linked to strategic objectives; defined and documented; forward looking; clear accountability
Level 4: Integrated
• Description: Risks are treated as a portfolio at the enterprise level and are correlated and aggregated across risk types and business units.
• Commentary: Calculation of risk measures that can be aggregated; risk treatment integrated and costs optimized
Level 5: Strategic
• Description: Risk management is built into decision-making. The organization selectively seizes opportunities because of its special ability to exploit risks.
• Commentary: Focus on value creation and preservation; institutionalized; confidence in ability to manage risks based on track record
ERM Governance: Key Stakeholder Roles and Responsibilities (illustrative)
Business Units: Take and Manage Risks
• Ownership of business unit activities which give rise to risk and responsibility for risk management and mitigation
• Risk identification and self-assessments
• Developing strategy & taking actions to manage and mitigate risks within policy and risk appetite
• Providing assertions on risk exposure and controls for their business area / function
• Business Unit Risk Managers coordinate the Business Unit risk assessment, monitoring, and mitigation activities
ERM Function: Monitor & Aggregate
• Establishment of consistent risk policies, governance framework, standards, and information reporting mechanisms to facilitate effective risk management
• Monitoring and participation in specific risk committees for the purpose of providing the enterprise view
• Providing summary information and analysis to the Executive Committee to assess, evaluate, and act on risk
Risk Committees: Oversee
• Oversight over risks within scope of authority
• Oversight and approval of measurement and management methodologies for risks within scope
• Oversight of changes in risk profile
• Oversight of Business Unit management of designated risk categories
Executive Committee: Approve
• Approval of key documents, such as:
  – ERM Policy
  – Risk Appetite
  – Risk Governance Model
  – Authorities
  – Committee Charters
• Monitoring risk exposure status
• Approving Board reporting package
• Monitoring Business Unit mitigation plans and their status for top risks
• Approving limit exceptions
Audit Committee: Ratify
• Ratification of key documents, such as:
  – ERM Policy
  – Risk Appetite
  – Risk Governance Model
  – Authorities
  – Committee Charters
Internal Audit: Validate
• Independent verification and testing of:
  – Internal controls
  – Quality of the Operational Risk Management Program
  – Quality and integrity of risk models
ERM: Migrating from “minimizing risk” to “managing risk”
Culture
• Focus on establishing a culture within the organization that “manages risks” rather than just “minimizes risks”
• Need to identify your organization’s style and ability to absorb an ERM initiative
• Cultural issues with the greatest impact on organizations:
  – Tone at the top
  – Organizational alignment
  – Communication
  – Embedding ERM in organizational processes
ERM Methodology
Methodology
• ERM policies and procedures should include identifying, measuring, monitoring and controlling operational risk across the organization
• A well defined ERM umbrella can provide and receive information to satisfy multiple initiatives
• A common language needs to be established, including risk categories and risk appetite
• Delineation between “risk taking” and “risk management”
• Data capture, analytical frameworks, reporting and escalation protocols
• Enterprise-wide view of risk
ERM: Measuring Risk Across a Maturity Continuum
Four measurement approaches, each with its key characteristics:
Risk Assessment and Scoring
• Risk framework
• Self-assessment
• Assessable entities are identified
• Impact and Likelihood
• Unmitigated Risk, Control Effectiveness, and Residual Risk
• Quantitative Risk Scale
• High, Medium, Low dollar thresholds
• Risk Scoring, Analysis and Quantification
Key Risk Indicators (KRIs)
• Indicators relevant as proxies for risk levels for different risk types
• Possible metrics categories include those indicative of business volume, operational efficiency, error rates, losses or potential losses, control effectiveness
• Indicators selected should be relevant as risk measures for specific risks and analyzed as to whether they are leading, lagging or coincident risk measures
Loss Event and Scenario Modeling
• External and Internal Loss event categories identified
• Loss event database
• Causation factors captured
• Near misses captured
• Direct and Indirect Costs are tracked
• Thresholds set for reporting
• Scenario modeling performed by business experts to supplement loss data
Economic Capital Modeling and Allocation
• Overall framework and methodology for determining and allocating economic capital
• Methodologies should address all relevant risk types for the entity
• Loss distribution (frequency and severity)
• Statistical models to estimate risk exposure
• Calculation engines (e.g., Monte Carlo simulation engine for Value at Risk)
Enterprise-wide View of Risk Information Management, Reporting and Escalation
Diagram (illustrative) of the information flow between the Board of Directors / Senior Management, the ERM function, Risk Committees and Business Units:
• The Top Down View: risk appetite, risk policies, guidelines, and framework
• Aggregation and Integration: risk metrics and limit data; business unit risk assessment reporting
• Operationalized View: practices and procedures; guidance on risk mitigation and limit information
• Data Collection: risk metric inputs
Tools are Needed to Support Your Risk Management Process and Manage Data
Tools play an important supportive role in providing efficiency and consistency in the on-going risk management process. The right people and process drive the quality of the information; the tool manages the information. The role of tools includes, but is not limited to:
• Serves as a central data repository
• Allows for customized reporting
• Encourages action planning
• Provides on-going monitoring
• Promotes accountability
• Supplies management reporting
• Presents consistent formatting
ERM: Sample Supporting Architecture
Diagram of a sample architecture with the following components:
Risk engines: Market Risk Engine, Credit Risk Engine, Treasury/ALM Risk Engine, Operational Risk Engine, Hazard Risk Engine, Strategic Risk Engine. Inputs shown feeding the engines include:
• Limits, VaR, Correlations, Pricing Engines, Transactions
• Limits, CVaR, CE, PFE, Correlations, Pricing Engines, Counterparty Info., Transactions
• OpVar, Exposure, Qualitative Exposure, Scenarios, KRIs, RCSA, Internal Loss Data, External Loss Data, Fraud & AML
• Tolerances, Financial Projections, Scenarios, Initial Financials & Projections
Data layer: Extract, Transform and Load; Data Quality Management Engine; Risk Data Warehouse
Enterprise Applications: IT Management Systems, HR Management Systems, Financial Systems, Audit Systems
Risk Management Applications: Workflow Management System, Document Management System, Issue Management System, Risk Treatment Systems
Enterprise Level Analysis & Reporting: Risk Correlation, Risk Appetite, Capital Calculation & Modeling, Aggregate Risk Portfolio, Scenario Analysis, Risk Reporting, Dashboarding, Monitoring/Alerts/Limits/KRIs
Integration Brings Both Challenges and Value
Marketplace recognition that many risk and control initiatives overlap:
• Demand for Efficiency
• Demand for Data
• Demand for Value
Diagram (illustrative): overlapping initiatives (Sarbanes-Oxley, Internal Policies, Basel II, SEC Public Co Standards, FDICIA) across People, Process and Technology
Unlocking ERM Value: Finding Opportunities for Integration
Diagram with axes labelled Complexity and Now / Later / Maybe, showing Management Reporting, Regulatory Requirements, Risk Initiatives 1) through 10), and Shared Information
ERM Integration: Unlocking Value
Inputs
• Existing ‘Silos’
• Regulatory Environment Requirements
• Internal Policies
• Market Pressures / Competition
Transformational Steps
1. Catalogue Existing Lines of Business
2. Identify, Catalog and Assess Existing Risks & Controls
3. Inventory Risk, Requirements and Controls
4. Refine and Optimize Processes
5. Rationalize Infrastructure & IT
6. Streamline Governance
7. Assess Outputs against Desired Goals and Success Factors
Outputs
• Managed Costs and Operational Efficiency and Effectiveness
• Streamlined Governance and Interaction
• Improved Transparency
• Sustained Integrated Infrastructure
Integrated ERM (illustrative)
Diagram of an integrated ERM model with the following layers and flows:
“Rules”: Regulators (e.g., SEC, FHFB, OCC, etc.)
Governance: BOD and Sr. Mgmt; outputs ratified risk policies and ratified risk appetite
Risk Assessment & Monitoring: Office of the CRO (aggregate / analyze / report); provides methodology, policies, risk limits, guidance, enterprise view and reporting
Risk Taking and Risk Management: Business Units, Finance, Legal Dept, etc., operating the business process (policies, procedures, controls, systems, people) to identify risks (market, credit, operational, reputational, financial reporting, etc.), estimate risk exposure (e.g., subject matter experts for reputational risk and risk analytics engines for market, credit, and operational risk), mitigate risk and allocate capital; risk events and losses feed a loss event database
Internal Audit: tests internal controls, including SOX controls; risk assessment results feed the risk-based audit plan; reports control deficiencies (e.g., SOX)
Reporting flows shown: risk exposure, capital allocation, losses, compliance with SOX, IA testing results, etc.; capital requirements compliance and SOX attestation
ERM Case for Integration: Key Challenges
Although organizations are interested in integration, as the results of the 2006 Risk Management Survey confirm, most are still in the process of investigating options and planning for future efforts. Some challenges commonly faced by organizations include:
• Does underlying technology support integration?
• Does the organization have a commonly shared language for risk?
• Should integration efforts be divided into short-term and long-term efforts, or conducted at once?
• What has and has not worked for other organizations in integration, and what does that mean for my organization?
Questions and Comments
Dolores Atallo-Hazelgreen, Firm Director
Deloitte & Touche LLP, (212) 436-5346
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms, and their respective subsidiaries and affiliates. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other’s acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names “Deloitte”, “Deloitte & Touche”, “Deloitte Touche Tohmatsu”, or other related names. Services are provided by the member firms or their subsidiaries or affiliates and not by the Deloitte Touche Tohmatsu Verein.
In the U.S., Deloitte & Touche USA LLP is the U.S. member firm of Deloitte Touche Tohmatsu and services are provided by the subsidiaries of Deloitte & Touche USA LLP (Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Financial Advisory Services LLP, Deloitte Tax LLP and their subsidiaries), and not by Deloitte & Touche USA LLP. The subsidiaries of the U.S. member firm are among the nation’s leading professional services firms, providing audit, tax, consulting and financial advisory services through nearly 30,000 people in more than 80 cities. Known as employers of choice for innovative human resources programs, they are dedicated to helping their clients and their people excel. For more information, please visit the U.S. member firm’s Web site at www.deloitte.com/us.