Enterprise Risk Management Reporting to the Board
Garvin Deokiesingh, Chief Auditor and Head of Enterprise Risk

Agenda
1. What to report
2. How much to report
3. What can it look like
4. On-going discussion

Coordination with Executive Management
• Process: analysis of risks within organization
• Assess and prioritize risks
  – Assess risks mitigated by controls and processes in place
• Focus on key risks to manage
• Measure risks and report
  – Quality of information available

Reporting to the Board
What to report:
• Increased pressures
  – Current environment
  – Regulatory pressures
  – Imperative to Board’s role on risk oversight
• Decisions made based on risks
• Assessment of progress against strategic risks
  – Board member’s skills
• Education sessions

Reporting to the Board
What to report:
• Alignment to strategic plans
  – Focus on key risks of organization
• Messaging of information is critical
  – Understanding what is needed
  – Assembling core functional data

Reporting to the Board
How much to report:
• Content and quantity/quality is always a challenge
  – Meetings with Chair and members as needed
  – Risk metrics on key business drivers, as identified in strategic plan
  – Performance information
  – Risk adjusted information
  – Overview of risk assessments and changes made
• Risk partners such as Internal Audit/Compliance
  – Increased role in evaluating risks
  – Validate significant risks

Reporting to the Board
What can it look like: Presentation
• Aggregate actionable information for the Board
  – High level summary, managing level of content to be provided
  – Assessment from CRO
  – Link between key risks and objectives, linking actions performed and status
  – Aggregate on a rating scale, considering:
    • Financial
    • Operational
    • Regulatory

ENTERPRISE RISK MANAGEMENT
Risk Management Framework - Risk identification

Risk Name | Description
1. Investment Performance (formerly Investment Management) | Risk of sub-optimal investment performance caused by poor investment decisions, processes, team culture, structure and composition. Results in not delivering against investment and client objectives.
2. Investment Concentration – Global mandates | Over-concentration of AUM by portfolio manager without a properly resourced team and documented succession plan, with specific risks inherent in the Global mandates.
3. Product Development and Management (formerly Investment Strategy) | Products/strategies are developed which do not meet customer needs as well as evolving market conditions. Failure to evaluate our products to ensure profitability and on-going economic viability.
4. Key Employee/Talent Management | Unexpected loss of one or more key talent, as identified by annual employee assessment process. Specific attention to key portfolio managers and sales personnel.
5. Operational | Loss from investment and trading operations, resulting in financial loss from inadequate or failed internal processes, people and systems, reputational harm and bad client outcomes.
6. Change Management and Projects (including Outsourcing/Insourcing activities) | Potential operational, financial and reputational risks arising from the cumulative impact of managing a number of significant initiatives. This includes in-house operational activities, and processes transferred to 3rd party providers.
7. Regulatory Change | Adverse impact of regulatory changes that change the dynamics of the market for products, including independent distribution network.
8. Retail Pricing | MERs which are not competitively priced in comparison to our competitors, leading to underperforming gross sales and market share.

ENTERPRISE RISK MANAGEMENT
Risk Assessment - Heat Map
[Heat map figure: Financial, Regulatory and Operational Impact plotted against Likelihood]
Impact levels: Very High (Financial $20 M plus); High (Financial $5 M to $20 M); Medium (Financial $500 k to $5 M); Low (Financial $0 k to $500 K)
Likelihood levels: Remote (once every 10 years); Unlikely (once in every 3 to 10 years); Possible (once in every 1 to 3 years); Likely (in the current year)
Risks plotted: 1. Investment Performance; 8. Retail Pricing; 2. Investment Concentration; 3. Product Development and Management; 6. Change Management and Projects; 4. Key Employee/Talent Management; 7. Regulatory Change; 5. Operational

ENTERPRISE RISK MANAGEMENT
Emerging Risk Assessment

Risk Name | Description
Cyber Security | Risk of data, privacy and security breach increases as we internalize the transfer agency functions. Does IT’s roadmap include not only means of prevention but also of predicting, detecting, correcting and recovering if a breach does occur? Primarily focusing on prevention is not enough anymore. It is no longer a matter of if a breach should happen, but a matter of when.
3rd Party Vendor Management | With the new reliance on 3rd party providers, we are sharing more remote access to new automated systems and data to facilitate these arrangements. It is not enough to focus on our own risk; we must also focus on the risk posed by managing these relationships, so that the risks can be mitigated effectively and efficiently. Are privacy obligations being maintained when data is shared with third parties? Are we reviewing and monitoring vendor requirements annually to determine if updates are required?
Reliance on Key Distributors | Currently distribution of products is largely reliant on key partners. While we are creating other key partner relationships, there is a risk of over-reliance on a few key distributors. If these key relationships alter over time, there is a risk that sales will be significantly impacted without distribution for our products.

Appendix – Assessment of Progress

ENTERPRISE RISK MANAGEMENT
AON Risk Maturity Index Survey

The AON Risk Maturity Index survey is designed to capture and assess an organization’s risk management practices and provide participants with immediate feedback in the form of a Risk Maturity Rating and comments for improvement. Aon has partnered with The Wharton School of the University of Pennsylvania to develop the Index and conduct joint research on the relationships between risk management practices and business performance.

Based upon the results of the AON Risk Maturity Index survey, AGF is at a Defined to Operational level of risk maturity. This corresponds to a 3.25 on a 1 – 5 scale of Risk Maturity. Most organizations at this level of risk maturity exhibit the following:
• Developed capabilities to identify, assess and prioritize risks across the organization
• Developing capabilities to analyze risk consistently, using qualitative and quantitative techniques
• Developing capabilities for monitoring existing risk exposure across the organization
• Increasingly formal consideration of risk and risk management information in decision making
• Developed understanding of Enterprise Risk Management (ERM) concepts and its application

ENTERPRISE RISK MANAGEMENT
AON Risk Maturity Index Survey

ENTERPRISE RISK MANAGEMENT
AON Risk Maturity Index Survey – Areas of Improvement

Risk Characteristic | Component | Definition
Risk Management Stewardship | Risk Management Leader Involvement in Strategic Decisions | The level of involvement by the risk management leader during key strategic decisions (e.g., new product development, new market entry, M&A, etc.)
Risk Management Stewardship | Extent of Collaboration Between Risk-Based Functions | The degree of coordination in risk data gathering and analysis conducted by risk-based functions (e.g., Internal Audit, Legal/Compliance, Enterprise Risk Management, etc.)
Risk Information & Decision Making Processes | Alignment of Risk Management & Budgeting Processes | The extent to which the organization uses risk management information to support and drive budgeting decisions
Risk Information & Decision Making Processes | Post-Mortems / Lessons Learned on Significant Strategic Decisions | The organization's approach to conducting and incorporating risk information into look-backs / reviews of major decisions

ENTERPRISE RISK MANAGEMENT
AON Risk Maturity Index Survey – Areas of Excellence

Risk Characteristic | Component | Definition
Risk Information & Human Capital Processes | Human Capital Metrics | The extent to which the organization identifies and uses metrics to monitor human capital processes and effectiveness
Risk Analysis & Quantification | Risk Assessment Criteria | The development, relevance and consistency of criteria used to assess and prioritize risks
Risk Analysis & Quantification | Evaluating the Effectiveness of Risk Management Activities | The organization's approach to analyzing and evaluating the effectiveness of specific risk management activities
Risk Information & Decision Making Processes | Use of Risk Information in Strategic Planning | The organization's approach for gathering and incorporating risk information into the strategic planning processes

Questions?