Module 31: ERM implementation Flashcards

1
Q

4 Major processes to establish when implementing ERM

A
  1. Corporate governance
  2. Risk assessment and quantification
  3. Risk management
  4. Reporting and monitoring
2
Q

When scoping an ERM implementation project, the key considerations are: (3)

A
  • resourcing - internal vs external
  • proportionality - to the risks and the size / sophistication of the business
  • top-down and/or bottom-up
3
Q

2 Key challenges in ERM implementation

A
  • lack of risk awareness
  • inappropriate risk culture

4
Q

3 Typical benefits of implementation as risk capabilities mature are, in turn:

A
  • loss reduction
  • uncertainty management
  • performance optimisation
5
Q

4 Areas to consider when assessing the maturity of an ERM framework

A
  • corporate governance (eg risk appetite definition)
  • risk language and culture
  • competencies and performance management
  • RM processes and responsibilities
6
Q

Outline the relevance of proportionality in the context of the implementation of an ERM framework

A

The IAA note highlights that the ERM framework appropriate to one organisation will not be appropriate for a different organisation. One size does not fit all.

7
Q

Outline the relevance of the Pareto rule in the context of the implementation of an ERM framework

A

In order to ensure ERM adds value, risk management activities need to feed through into action.

Decisions on which actions to take are taken based on the data, information and analysis provided to the organisation decision-makers (eg senior managers and ultimately the Board).

Lam points out that Pareto’s rule applies here. He suggests that 80% of the effort should be in the data collection, analysis and reporting, leaving 20% to be in the decision-making.
However, 80% of the value of ERM is a result of informed decision-making.

8
Q

Outline 4 key questions (based on key building blocks) that a company should ask itself to ensure a successful ERM implementation.

A
  1. Governance structure and politics - who is responsible for risk oversight and critical RM decisions?
  2. Risk assessment and quantification - how (ex-ante) will they make these decisions?
  3. Risk management - what decisions will they make to optimise the risk/return profile of the organisation?
  4. Reporting and Monitoring - how (ex-post) will such decisions be monitored?
9
Q

5 Types of controls aimed at limiting downside losses

A

Credit controls
To reduce the probability of default and maximise recovery.

Investment and liquidity policies
To minimise portfolio losses and ensure liquidity, perhaps by adopting lower-risk investment policies.

Other internal controls
To reduce the probability and severity of operational losses.

Audit processes
To ensure the finances of the company are in order.

Insurance coverage
To transfer risk to third parties.

10
Q

3 Activities a business might undertake to optimise performance

A
  1. Active management of its credit risk portfolio
    Pricing for risk and disaggregating (breaking down) its credit business into distinct activities.
  2. Active management of its balance sheet.
    Considering all assets and liabilities (not just the investment portfolio) with a view to optimising the risk / reward trade-off.
  3. Re-engineering of processes to minimise operational risk and to better understand and reduce costs.
11
Q

5 Successful strategies for improving risk awareness

A
  1. Set the tone from the top
    It is critical that the CEO acts as a role model by displaying the desired behaviours.
  2. Ask the right questions concerning “risk”:
    - risk / return balance
    - limits and other controls to minimise the downside risk
    - systems
    - knowledge
  3. Establish a common risk taxonomy
    A common language and risk classification structure ensures consistent measurement and facilitates aggregation when reporting.
  4. Provide induction training and ongoing education.
  5. Link compensation to risk to reward desired behaviours.
12
Q

5 Stages of Lam’s ERM maturity model

A
  1. definition and planning
  2. early development
  3. standard practice
  4. business integration
  5. business optimisation
13
Q

5 Stages of Lam’s ERM maturity model

  1. definition and planning
A

This stage consists of organising resources to define and scope an ERM programme.

Activities include:

  • identifying internal and external requirements for the ERM programme
  • obtaining Board and management support
  • developing overall framework and plan
  • appointing key personnel
14
Q

5 Stages of Lam’s ERM maturity model

  2. early development
A

This stage consists of formalising roles and responsibilities, identifying risks and education.

Activities include:

  • establishing ERM policies and risk functions
  • identifying key risks
  • co-ordinating risk and control processes across the functions
  • educating and training (especially for the Board).
15
Q

5 Stages of Lam’s ERM maturity model

  3. Standard practice
A

This stage consists of improving risk assessment capabilities and developing risk quantification processes.

Standard practice activities include:

  1. establishing risk databases for events and losses
  2. developing key risk indicators (KRIs)
  3. establishing risk models for market, credit and operational risks
  4. measuring risk-adjusted performance.
16
Q

5 Stages of Lam’s ERM maturity model

  4. Business integration
A

This stage consists of integrating ERM into business management, operations and remuneration.

Activities include:

  • evaluating business risks
  • quantifying the cost of risk to support pricing and risk transfer decisions.
  • automating risk reporting
  • allocating capital according to risk
  • using risk triggers to prompt business decisions
  • measuring the effectiveness of ERM processes and linking to executive remuneration
17
Q

5 Stages of Lam’s ERM maturity model

  5. Business optimisation
A

This stage consists of optimising business performance, integrating ERM into strategy development and enhancing relationships with key stakeholders.

Business optimisation activities include:

  1. Expanding the scope of ERM to include strategic risk
  2. Integrating ERM into strategic planning processes
  3. Allocating capital and resources to optimise risk-adjusted performance.
18
Q

McKinsey 4-stage risk maturity model

A

This model is more focussed on outputs / benefits than on actions / processes.

4 Stages of maturity:

  1. initial risk transparency
    - compliance with basic standards
    - reduction of regular surprises
  2. systemic loss reduction
    - ability to avoid large losses
    - stability to enable growth plan
    - professionalised management
  3. risk-return management
    - improved return on equity
    - becoming competitive with industry standards
  4. risk as competitive advantage
    - senior management focussed on risk-adjusted performance.
19
Q

Deloitte 5-stage risk maturity model

A
  1. “unaware” / planning
    ad-hoc / chaotic risk management depends primarily on individual capabilities.
  2. “fragmented” / specialist silos
    Reaction to adverse events by specialists, discrete roles established for small set of risks, basic regulatory compliance.
  3. top-down - tone set at the top
    policies, procedures, risk authorities defined and communicated;
    measurement is primarily qualitative, reactive risk management
  4. systematic
    Co-ordinated risk management across silos, integrated responses to adverse events, rapid escalation and risk culture transformation underway.
  5. risk intelligent
    “risk management is everyone’s job”
    enterprise risk management processes are built into decision making using performance-linked metrics
20
Q

3 IAA stages of ERM maturity

A
  • early
  • intermediate
  • advanced
21
Q

3 IAA stages of ERM maturity:

early

A

Risk management and internal control activities exist in part, are inconsistently applied and not well understood by management and the relevant employees in limited business areas.

Significant opportunities for enhancement remain.

22
Q

3 IAA stages of ERM maturity:

intermediate

A

Risk management and internal control activities are established, yet not consistently applied or fully understood by management and relevant employees in key functions / business areas.

Moderate opportunities for enhancement remain.

23
Q

3 IAA stages of ERM maturity:

advanced

A

Risk management and internal control activities are established, consistently applied and well understood by management and relevant employees across the organisation.

Opportunities for enhancement remain to align and coordinate activity across the organisation.

24
Q

Outline the key questions to consider when assessing the maturity of an ERM framework

A
  • the Board - what is their role?
  • risk appetite - how well is it defined, reviewed and communicated?
  • risk management policy - how comprehensive is it?
  • management accountabilities - how clearly are they defined?
  • management commitment and leadership - how committed is the management to ERM?
  • the RMF - what responsibilities and resources does it have?
  • risk “language” - how well developed and documented is it?
  • risk management culture - how well developed is it?
  • performance management and reward systems - how well aligned with ERM are they?
  • risk and solvency assessments - how sophisticated are they?
  • risk management processes - how comprehensive are they?
  • reporting and monitoring processes and systems - how comprehensive are they?
  • internal audit of compliance with risk management policy - how comprehensive is it?
  • new activities - to what extent are risk management techniques applied?
  • business continuity plans / analysis - how comprehensive are they?