Module 31: ERM implementation

Question 1

4 Major processes to establish when implementing ERM

Answer 1

1. Corporate governance
2. Risk assessment and quantification
3. Risk management
4. Reporting and monitoring

Question 2

When scoping an ERM implementation project, the key considerations are: (3)

Answer 2

• resourcing - internal vs external
• proportionality - to the risks and the size / sophistication of the business
• top-down and/or bottom-up

Question 3

2 Key challenges in ERM implementation

Answer 3

• lack of risk awareness

- inappropriate risk culture

Question 4

3 Typical benefits of implementation as risk capabilities mature are, in turn:

Answer 4

• loss reduction
• uncertainty management
• performance optimisation

Question 5

4 Areas to consider when assessing the maturity of an ERM framework

Answer 5

• corporate governance (eg risk appetite definition)
• risk language and culture
• competencies and performance management
• RM processes and responsibilities

Question 6

Outline the relevance of proportionality in the context of the implementation of an ERM framework

Answer 6

The IAA note highlights that the ERM framework appropriate to one organisation `will not be appropriate for a different organisation. One size does not fit all.

Question 7

Outline the relevance of the Pareto rule in the context of the implementation of an ERM framework

Answer 7

In order to ensure ERM adds value, risk management activities need to feed through into action.

Decisions on which actions to take are taken based on the data, information and analysis provided to the organisation decision-makers (eg senior managers and ultimately the Board).

Lam points out that Pareto’s rule applies here. He suggests that 80% of the effort should be in the data collection, analysis and reporting, leaving 20% to be in the decision-making.
However, 80% of the value of ERM is a result of informed decision-making.

Question 8

Outline 4 key questions (based on key building blocks) that a company should ask itself to ensure a successful ERM implementation.

Answer 8

1. Governance structure and politics - who is responsible for risk oversight and critical RM decisions?
2. Risk assessment and quantification - how (ex-ante) will they make these decisions?
3. Risk management - what decisions will they make to optimise the risk/return profile of the organisation?
4. Reporting and Monitoring - how (ex-post) will such decisions be monitored?

Question 9

5 Types of controls aimed at limiting downside losses

Answer 9

Credit controls
To reduce the probability of default and maximise recovery.

Investment and liquidity policies
To minimise portfolio losses and ensure liquidity, perhaps by adopting lower-risk investment policies.

Other internal controls
To reduce the probability and severity of operational losses.

Audit processes
To ensure the finances of the company are in order.

Insurance coverage
To transfer risk to third parties.

Question 10

3 Activities a business might undertake to optimise performance

Answer 10

1. Active management of its credit risk portfolio
   Pricing for risk and disaggregating (breaking down) its credit business into distinct activities.
2. Active management of its balance sheet.
   Considering all assets and liabilities (not just the investment portfolio) with a view to optimising the risk / reward trade-off.
3. Re-engineering of processes to minimise operational risk and to better understand and reduce costs.

Question 11

5 Successful strategies for improving risk awareness

Answer 11

1. Set the tone from the top
   It is critical that the CEO acts as a role model by displaying the desired behaviours.
2. Ask the right questions concerning “risk”:
   - risk / return balance
   - limits and other controls to minimise the downside risk
   - systems
   - knowledge
3. Establish a common risk taxonomy
   A common language and risk classification structure ensures consistent measurement and facilitates aggregation when reporting.
4. Provide induction training and ongoing education.
5. Link compensation to risk to reward desired behaviours.

Question 12

5 Stages of Lam’s ERM maturity model

Answer 12

1. definition and planning
2. early development
3. standard practice
4. business integration
5. business optimisation

Question 13

5 Stages of Lam’s ERM maturity model

1. definition and planning

Answer 13

This stage consists of organising resources to define and scope an ERM program.

Activities include:

• identifying internal and external requirements for the ERM programme
• obtaining Board and management support
• developing overall framework and plan
• appointing key personnel

Question 14

5 Stages of Lam’s ERM maturity model

2. early development

Answer 14

This stage consists of formalising roles and responsibilities, identifying risks and education.

Activities include:

• establishing ERM policies and risk functions
• identifying key risks
• co-ordinating risk and control processes across the functions
• educating and training (especially for the Board).

Question 15

5 Stages of Lam’s ERM maturity model

3. Standard practice

Answer 15

This stage consists of improving risk assessment capabilities and developing risk quantification processes.

Standard practice activities include:

1. establishing risk databases for events and losses
2. developing key risk indicators (KRIs)
3. establishing risk models for market, credit and operational risks
4. measuring risk-adjusted performance.

Question 16

5 Stages of Lam’s ERM maturity model

4. Business integration

Answer 16

This stage consists of integrating ERM into business management, operations and remuneration.

Activities include:

• evaluating business risks
• quantifying the cost of risk to support pricing and risk transfer decisions.
• automating risk reporting
• allocating capital according to risk
• using risk triggers to prompt business decisions
• measuring the effectiveness of ERM processes and linking to executive remuneration

Question 17

5 Stages of Lam’s ERM maturity model

5. Business optimisation

Answer 17

This stage consists of optimising business performance, integrating ERM into strategy development and enhancing relationships with key stakeholders.

Business optimisation activities include:

1. Expanding the scope of ERM to include strategic risk
2. Integrating ERM into strategic planning processes
3. Allocating capital and resources to optimise risk-adjusted performance.

Question 18

McKinsey 4-stage risk maturity model

Answer 18

This model is more focussed on outputs / benefits than on actions / processes.

4 Stages of maturity:

1. Initial risk transparency
   - – compliance with basic standards
   - – reduction of regular surprises
2. systemic loss reduction
   - – ability to avoid large losses
   - – stability to enable growth plan
   - – professionalised management
3. risk-return management
   - – improved return on equity
   - – becoming competitive with industry standards
4. risk as competitive advantage
   - – senior management focussed on risk-adjusted performance.

Question 19

Deloitte 5-stage risk maturity model

Answer 19

1. “unaware” / planning
   ad-hoc / chaotic risk management depend primarily on individual capabilities.
2. “fragmented” / specialist silos
   Reaction to adverse events by specialists, discrete roles established for small set of risks, basic regulatory compliance.
3. top-down - tone set at the top
   policies, procedures, risk authorities defined and communicated;
   measurement is primarily qualitative, reactive risk management
4. systematic
   Co-ordinated risk management across silos, integrated responses to adverse events, rapid escalation and risk culture transformation underway.
5. risk intelligent
   “risk management is everyone’s job”
   enterprise risk management processes are built into decision making using performance-linked metrics

Question 20

3 IAA stages of ERM maturity

Answer 20

• early
• intermediate
• advanced

Question 21

3 IAA stages of ERM maturity:

early

Answer 21

risk management and internal control activities exist in part, are inconsistently applied and not well understood by management and the relevant employees in limited business areas.

Significant opportunities for enhancement remain.

Question 22

3 IAA stages of ERM maturity:

intermediate

Answer 22

Risk management and internal control activities are established, yet not consistently applied or fully understood by management and relevant employees in key functions / business areas.

Moderate opportunities for enhancement remain.

Question 23

3 IAA stages of ERM maturity:

advanced

Answer 23

Risk management and internal control activities are established, consistently applied and well understood by management and relevant employees across the organisation.

Opportunities for enhancement remain to align and coordinate activity across the organisation.

Question 24

Outline the key questions to consider when assessing the maturity of an ERM framework

Answer 24

• the Board - what is their role?
• risk appetite - how well is it defined, reviewed and communicated?
• risk management policy - how comprehensive is it?
• management accountabilities - how clearly are they defined?
• management commitment and leadership - how committed is the management to ERM?
• the RMF - what responsibilities and resources does it have?
• risk “language” - how well developed and documented is it?
• risk management culture - how well developed is it?
• performance management and reward systems - how well aligned with ERM are they?
• risk and solvency assessments - how sophisticated are they?
• risk management processes - how comprehensive are they?
• reporting and monitoring processes and systems - how comprehensive are they?
• internal audit of compliance with risk management policy - how comprehensive is it?
• new activities - to what extent are risk management techniques applied?
• business continuity plans / analysis - how comprehensive are they?