Risk Management - The Institute of Internal Auditors

ERM and the Role of InternalAudit – Milwaukee IIA Chapter2011ADVISORY

Presentation Topics•Introduction•Evolution of Risk Management•Trends in Risk Management•ERM and Internal Audit© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI1

Evolution of RiskManagement

The Evolution of Risk ManagementBasicRemain in ComplianceMatureA Management ProcessAdvancedA Strategic ToolERA• People• IA and Audit Committee• IA:− Financial− Compliance• ProcessERM• Exec Management• Alignment to Strategy/Ops• Risk ManagementDiscipline• Enterprise-wideGRC• Technology• All Levels ofOrganization• Single Source of Truth• Convergence• Test Once – SatisfyMany© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI3

Enterprise Risk AssessmentBasicRemain in ComplianceERA• People• IA and Audit Committee• IA:− Financial− Compliance© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI4

Enterprise Risk Assessment (ERA)Creating ContentPrimaryActivitiesResources(Team toExecute)• Develop project plan andtimeline• Identify process enablingtools, templates, etc.• Confirm ERA approach,timing, expectations, anddeliverables with ProjectSponsor• Finalize participant list• Communicate project plan toparticipants• Identify client specific areasof focus (e.g. IT)• Identify information requeststo clientDeliverables • Project plan and timeline,including priority sequencedprocess steps• Identified tools and templatesportfolio• Customized ERA ProcessOverview• Participant List• Kickoff Communication• Information Request ListExampleTimelineProject PlanPlan Interviews• Develop interview template toensure consistency• Anticipate key business riskportfolio & sources• Develop preliminary keybusiness risk templates• Schedule interviews andfacilitated session(s)• Develop and share participantpre-read document• Interview preparation− Assess need for SubjectMatter Professional(s)(SMP)Client• Project Sponsor and/or their designee(s)• Scheduling and Logistics CoordinatorKPMG• Partner• Director/Manager• Senior Associate• Others as needed, including SMP(s)• Interview template• Key Business Risk (KBR):− Portfolio (BRP)− Sourcing Matrix− Definitions• Interview and facilitationschedule• Interviewee pre-readdocument• Interviewee-specific clientprovided informationWeek 1 Week 1Conduct InterviewsEvaluateValidateERA Deliverable, including:• Identify primary risk-taking • Update:Conduct facilitated session toactivities− BRPenable collaborative consensus• Identify key risks, sources & − Risk Assessmenton:examplesTemplates• Portfolio view of risk• Discuss risk appetite/− Sourcing Matrix− KBR portfolioboundaries (empowerment) − Monitor/Report• KBR Assessment Templates• Identify intra/interdependencies• Customize voting criteria • Risk rankings• Portfolio view of risk:• Risk management capabilities• Discuss key risk management − KBRs• Priority action stepscapabilities (P, P, T)− Radar Screen• Discuss risk monitoring and− Watch Listreporting process• Identify “top-down” vs.• Summarize & confirm key“bottom-up” gapsinterview findings with• Finalize facilitated sessionintervieweeplan• Confirm next steps• Distribute pre-readClient• Project Sponsor and/or their designee(s)• Designated participants• Note Taker/AggregatorKPMG• Partner and Director or Manager• Facilitator• Others as needed, including SMP(s)• Interview summaries • Facilitated session pre-read• Populated ResolverBallot TM • Launch ERM Journeydocument• Business Risk Portfolio− Sourcing Matrix• Risk Assessment Templates− BRP• Updated Sourcing Matrix− Risk Assessment• Heat mapTemplate• “Top-down” and “bottom-up”− Voting CriteriaGap Assessment− Priority action steps− Accountability− ResourcesWeeks 2 – 4Weeks 4 – 5 Week 5 +© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI5

Risk Portfolio ExampleEXTERNAL RISKS• Capital Availability• Competitor• Customer Needs• Economy• Financial Markets• Industry• Legal• Natural Hazard/Catastrophe• Public Relations• Regulatory• Sovereign/Political• Technological Innovation• TerrorismINTERNAL RISKSStrategic Operational Financial• Business ModelProcess• Collateral• Business Portfolio• Delivery Channels• Intellectual Property• Marketing/Advertising• Marketplace• Alignment• Business Interruption• Capacity• Change Response• Compliance• Contract Commitment• Customer Satisfaction• Cycle Time• Efficiency• Environmental• Health & Safety• KnowledgeManagement• Measurement• Partnering• Physical Security• Product/ServiceDevelopment• Product/Service Liability• Product/Service Failure• Product/Service Pricing• Relationship Management• Sourcing• StrategyImplementation• Supply Chain• TransactionProcessing• Commodities• Concentration• Counterparty• Credit• Default• Organization StructureManagement InformationHuman CapitalIntegrityTechnology• Equity• Planning• Product Life Cycle• Resource Allocation• Social Responsibility• Accounting Information• Budgeting & Forecasting• Completeness/Accuracy• Investment Evaluation• Investor Relations• Pension Fund• Regulatory Reporting• Relevance• Taxation• Accountability• Change Readiness• Communications• Competencies/Skills• Empowerment• Hiring/Retention• Leadership• Outsourcing• Performance Incentives• Succession Planning• Training/Development• Conflict of Interest• Employee Fraud• Ethical Decision-making• Illegal Acts• Management Fraud• Third-Party Fraud• Unauthorized Acts• Access• Availability• Data Integrity• e-Commerce• Infrastructure• Reliability• TechnologicalCapacity• Financial Instruments• Foreign Exchange• Interest Rate• Liquidity• Modeling• Opportunity Cost© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI6

Common Language:Compliance Risk ExampleDefinitionThe risk that a flaw in process design or operation, human error, oversight or indifference canresult in failure to conform with laws and regulations at the country, state and local level.Company representatives, including Board members, management, employees or third-partiesunder the “control and supervision” of the Company, do not comply with prescribed proceduresand policies.Company SourceInternationalContracts & PricingSuppliers/VendorsOther SBUs/BUsRisk Events• Compliance with applicable Domestic and International regulations are not followed timely• Compliance with environmental regulations are not followed timely• Non-compliance with SOX regulations can lead to a loss in investor confidence• Employees don’t fully understand and/or misinterpret periodic training contentExample Risk Mitigation Techniques• Periodic training and testing employee proficiency and understanding• Periodic/continuous monitoring of various internal databases and information flows• Periodic, at least annual, employee/vendor affirmation of compliance• “Whistle-blower” Hot Line© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI7

Ranking Criteria:Impact ExampleWhat is the event impact / consequence to the business? Residual vs. Inherent?5 Catastrophic4 Major3 Significant2 Minor1 InsignificantQuantitatively• Revenue• EPS/Profitability• Cash Flow• Debt Covenants• Capital Value• Investment PortfolioQualitatively• Reputation/Brand• Customer Satisfaction/Service• Level of Leadership Involvement• Key Alliances• Customer Retention• Employee Turnover• Market Share• Regulatory Licensing© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI8

Ranking Criteria:Likelihood ExampleWhat is the likelihood / frequency of occurrence for key risks? Residual vs. Inherent?5 Almost Certain4 Likely3 Moderate2 Unlikely1 RareEvent will occur in most circumstances, 90% or more of the time (e.g.snow in Minnesota in Jan and Feb)Event should occur, more than 50% probability and up to 90% certainty(e.g. snow in Minnesota in Dec)Event will probably occur, more than 25% and up to 50% probability (e.g.snow in Minnesota in Nov)Event could occur; more than 5% up to 25% probability(e.g. snow in Minnesota in Oct)Event would occur only in exceptional circumstances; < 5% probability(e.g. snow in Minnesota in May)© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI9

Ranking Criteria:Management Effectiveness ExampleDo we have the right level of the right risk management capabilities?People Process Technology5 OptimizedProcessReliantProactiveShort &Long-TermTechnologyAlignedRight Skills/Cross Train4 Managed3 Defined2 Repeatable1 InitialPeople ReliantReactiveShort-TermLittle TechnologyLack SkillsManagement© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI10

Mature ERA:Management Effectiveness Bubble DiagramLikelihood5.004.504.003.503.002.50Conflict ofInterestCurrencyCapital MarketsData IntegrityData PrivacyBudget /ForecastData AnalyticsSystem Reliability andKnowledge Retention AvailabilityCommunicationsRetirement ObligationsIT CapacityContract CommitmentsInformationSecurityFinancial /RegulatoryReportingEnvironment, Health andSafetyCommodities /DerivativesIntegrityand FraudLegendMgmt Gap≥ 22 < MgmtGap ≤ 1Mgmt Gap< 12.001.50Legal / RegulatoryPublic / Investor RelationsComplianceNatural Hazard /CatastropheInvestments LiquidityTaxation1.001.00 1.50 2.00 2.50 3.00 3.50 4.00 4.50 5.00Impact© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI11

Enterprise Risk AssessmentMaturity ModelEnterprise Risk Assessment Maturity ModelBasic Mature AdvancedVision/Strategy Internal Audit – Stand Alone Enterprise-wide Sharing/Communication Integrated GRC Process and ToolApproach Existing Data Interviews/Surveys/Self Assessment Collaboration/FacilitationApproach ElementsReporting CFO & Audit Committee Exec Mgmt & Entire Board Operational Management & Key Ops FunctionsRisk Ranking Impact & Likelihood Velocity Management EffectivenessCommunication Annual Audit Plan Proactively Sharing With Standard Setters Operationalizing & Mgmt Action ItemsQuality Internal Audit Process Risk Committee/Business Leader Review Third-party ReviewCollaboration Internal Audit View Only Facilitated Sessions External Subject Matter ProfessionalsAlignment Internal Audit Strategy Enterprise Strategy Converged Risk Management FunctionValue to Business Finance/Compliance Operational/Traditional Proactive/Innovation/OpportunitiesEmerging Risks Ad Hoc Identification Internal Identification Internal and External IdentificationCustomer Focus Audit Committee/CFO Entire Board/CEO Shareholders/OwnersScenarios/Interconnections Enterprise Risk Portfolio – Risk Listing Key Business Risk Scenarios Entire Enterprise Risk Portfolio ScenariosBusiness Risk Portfolio Audit Plan – Internal Audit Enterprise Risk Portfolio – Strategic Alignment Emerging Risk – Proactive IdentificationQuantification/History Sample Testing Process Design/Analysis/Testing Continuous Monitoring & AuditingExisting Inputs/Data Internal Audit Information Standard Setters – Business Risk Assessments External & Real-time InternalFrequency Annual Periodic ContinuousTools Spreadsheets and Word Trending/Analysis/Facilitation GRC Tool Based On Process RequirementsInterview Layers Internal Audit Executive Management BOD, External Professionals, Operations© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI12

Enterprise Risk ManagementMatureA Management Process• ProcessERM• Exec Management• Alignment to Strategy/Ops• Risk ManagementDiscipline• Enterprise-wide© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI13

Enterprise Risk Management Defined“Enterprise Risk Management is• A process,• Effected by an entity’s board of directors,management and other personnel,• Applied in strategy setting and across theenterprise,• Designed to identify potential events that mayaffect the entity,• Manage risks to be within its risk appetite, and• To provide reasonable assurance regarding theachievement of entity objectives.”Source: COSO Enterprise Risk Management – Integrated Framework (September 2004)© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI14

Enterprise Risk Management: Importance of FundamentalsKPMG’s ERM FrameworkCatastrophic6FrameworkElementDescriptionMajor135RiskGovernanceEstablishment of approach for developing,supporting, and embedding the risk strategyand accountabilitiesConsequenceModerateMinor1012713 151491684RiskAssessmentRiskQuantificationand AggregationIdentifying, assessing, and categorizing risksacross the enterpriseMeasurement, analysis, and consolidation ofenterprise risksInsignificant1711Remote Unlikely Possible Likely Almost certainRisk Monitoringand ReportingReporting, monitoring, and assurance activitiesto provide insights into risk managementstrengths and weaknessesLikelihoodRisk andControlOptimizationUsing risk and control information to improveperformanceCreating ContentIdentifying, evaluating andprioritizing enterprise risksCreating ProcessBuilding and maintaining a dynamic riskmanagement framework and process to achievesustainability© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI15

Risk Management Structure and GovernanceThree Lines of DefenseRisk GovernanceAssuranceProviders3 rdLINE OFDEFENSERISK PROCESS AND CONTENT Monitoring• Liaise with senior management and/or board• Rationalize and systematize risk assessment and governance reporting• Provide oversight on risk-management content/processes, followed bysecond line of defense (as practical)• Provide assurance that risk-management processes are adequate andappropriateAssuranceProvidersStandardSetters2 ndLINE OFDEFENSERISK PROCESS Accountability• Establish policy and process for risk management• Strategic link for the enterprise in terms of risk• Provide guidance and coordination among all constituencies• Identify enterprise trends, synergies, and opportunities for change• Initiate change, integration, operationalization of new events• Liaison between third line of defense and first line of defense• Oversight over certain risk areas (e.g., credit, market) and in terms ofcertain enterprise objectives (e.g., compliance with regulation)StandardSettersBusinessOwners1 stLINE OFDEFENSERISK CONTENT Accountability• Manage risks/implement actions to manage and treat risk• Comply with risk-management process• Implement risk-management processes where applicable• Execute risk assessments and identify emerging riskBusinessOwners© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI16

Second Line of DefenseKeys to Risk Management EvolutionStandard Setters / Risk Management• Establish policy and process for riskmanagement• Strategic link for the enterprise in termsof risk• Provide guidance and coordinationamong constituencies• Identify enterprise trends, synergies andopportunities for change• Initiate change, integration andoperationalize new events• Liaison between third line of defenseand first line of defense• Oversight over key risk areas (e.g.,credit) necessary to meet enterpriseobjectives (e.g., compliance)Risk Management LeaderStandard Setters2 nd Line of DefenseManagement Validation© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI17

Risk DisciplineInherent RiskThe intrinsic risk thecompany takes inoperating its business inthe absence of actionsmanagement might take tocontrol riskRisk Appetite & ToleranceRisk AppetiteMaximum amount of riskmanagement is willing to acceptto achieve strategic goals/objectives+Risk Tolerance=The range/variabilityof risk managementis willing to accept toachieve strategic goals/ObjectivesRisk ManagementToo Much Risk-TakingAcceptable Risk Taking:• Key Risk Indicators• Trend Analysis• Business DecisionsInsufficient Risk-Taking© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI18

ERM Scorecard for Key Business RisksPeople/Culture: Change ManagementRisk Definition:Change Management – Failure to effectively manage change, understand employee’s resistance and capacity to accept and embrace it.Example Subrisks:• Competing priorities• #2Accountability:Mgmt Committee –Executive –Management –• #3• #4• #5Specific Examples:• Competing/conflicting priorities• Goals not aligned with strategy• Skills needed for cost management vs.growth• IT changes to support growth andregulatory requirements• Lack of sequencing/prioritizing initiatives• Communication of priorities• Uncertainty• #6• #7• #8Risk Direction:Risk Velocity:FastStrategy Links:InnovationQuality &SafetyGrowthSlowPartnershipsIMPACTCatastrophicMajorSignificantMinorInsignificantCurrent StateWeakResidual Risk –DesiredLIKELIHOODControl Effectiveness Ratings:StrongResidual Risk –CurrentRare Unlikely Moderate Likely AlmostCertain3Desired StateWeakStrongPotential Impacts:• $$Current Risk Mitigation Activities:• #1Key Mitigation Action Items(Owner/Due):• #1© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI19

Management Effectiveness:Immediate Business Action Items5.0100%4.54.01.382.19 1.501.752.44 2.19 1.38 1.95 1.63 2.06 2.00 2.001.44 1.19 1.8190%80%3.570%3.02.5CurrentDesired60%2.01.51.050%40%30%MarketFinancialExternalGovernanceCredit RiskStrategicHuman CapitalProcess / Transaction0.50.020%10%0%Differences in Risk Mix by Business Areas© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI20

Management Effectiveness:Example Segmentation for Internal Audit and ManagementRisk Segmentation – Detailed Risk Segmentation Based on Management VotingKey Risk Impact LikelihoodLikelihood xImpact Mgmt Effect SegmentationChange Readiness 4.13 4.63 19.12 2.19 Management Improvement NeededChange Response 4.13 4.56 18.81 2.44 Management Improvement NeededCustomer Satisfaction 3.69 4.40 16.23 2.00 Management Improvement NeededResource Allocation 3.81 4.38 16.68 2.06 Management Improvement NeededOrganizational Structure and Purpose 3.73 4.33 16.17 2.00 Management Improvement NeededCompetition 4.19 4.13 17.27 2.19 Management Improvement NeededEconomy 4.20 4.88 20.48 1.38 Requires Independent ValidationMarketplace 3.88 4.87 18.86 1.50 Requires Independent ValidationCapital Availability 4.06 4.31 17.50 1.38 Requires Independent ValidationBusiness Model 4.06 4.31 17.47 1.95 Requires Independent ValidationRegulatory 3.56 4.07 14.49 1.19 Requires Independent ValidationAlignment to Strategy 3.75 4.06 15.23 1.75 Requires Independent ValidationFinancial Instruments 4.19 3.94 16.49 1.63 Requires Independent ValidationProduct/Service Pricing 3.75 3.81 14.30 1.81 Requires Independent ValidationCapacity 3.27 4.47 14.59 1.44 Watch ListAfter each business risk is analyzed, a scale can be used to segment the prioritized risks intohighly impactful areas ready for independent validation and where management improvements arenecessary© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI21

Enterprise Risk ManagementMaturity ModelFrameworkElementBasicRemain in ComplianceMatureA Management ProcessAdvancedA Strategic ToolRisk GovernanceA central risk managementpolicy to support externalrequirementsA risk management structurewith clear accountabilities tosupport risk managementobjectivesIRisk management accountabilityintegrated with performancemanagementRisk AssessmentAnnual risk assessment withlimited analysis andinterpretationFrequent risk assessment in linewith normal managementreporting and including analysisRisk and control activitiesembedded in businessprocessesIRisk Quantificationand AggregationQuantification of selected risksQuantification of operationalrisk; advanced quantification ofselected riskEntity – wide aggregation acrossall risk areasIRisk Monitoring andReportingBusiness risk reporting designedto support external requirementsExtensive reporting to the boardand audit committee on currentrisk levels and future risk issuesAlignment of all risk reporting toprovide a comprehensive singleview or riskIRisk and ControlOptimizationFewer surprises throughmanagement of key risksGreater stakeholder confidenceand improved risk mitigationstrategiesRisk – adjusted strategy,performance evaluation, andcapital allocationII Industry State C Current State L Leading PracticeD Desired State S Stakeholder Expectations© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI22

Governance, Risk and ComplianceAdvancedA Strategic ToolGRC• Technology• All Levels ofOrganization• Single Source of Truth• Convergence• Test Once – SatisfyMany© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI23

Risk Management:Performance Comments from ClientsTiming and quality ofinformation flow up to seniormanagementSiloed approach togovernance, riskmanagement andcomplianceInformation overload and inefficientbusiness steering and decision making(No common language of risk)Senor management's rolein understanding andanalysing emerging risksSurprisesImplementation focuses onhard (operational) controls,not on hearts and mindsRisk and controls arenot embedded inbusiness activitiesFocus on financialcontrols instead ofbusiness controlsFalse comfort andunreliable information(form over substance)Costly and inefficient execution ofmultiple compliance activities© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI24

Key Components of a Successful Roadmap• Vision• TargetOperatingModel• GuidingPrinciplesStrategicFocus &Alignment• Strategic• Fundamental• DiscreteTransformationPeople Process DataTechnology EnablementTransformation Program/Project ManagementChange Management/CommunicationFutureStateRoadmap =GRC Vision© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI25

GRC Holistic Model – Risk ProfilesValue DriversStrategyGovernance,Organization, &InfrastructureMISSIONValuesBusinessModelRisk ProfileBusinessProcessesEnterpriseAssurance• Compliance• PerformanceRESILIENCEValue DriversCulture & Behavior© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI26

GRC: Lessons Learned and Leading PracticesLessons LearnedSTRATEGIC• Strong tone from the top: It is very importantthat the leadership team has a good understandingof the vision – the challenge, the objectives, etc.• Start transformation process with riskassessment processes: Although much of thestreamlining may be testing and monitoring, manychallenges originate with the risk assessmentprocesses.• Be aggressive, but prudent: Many projects getbogged down in documentation and bureaucracy.Only do what your stakeholders require.DISCRETE• Include all stakeholders: Ensure all keyinternal stakeholders are considered in the effort,and any minimum requirements (reportedinformation) set out.FUNDAMENTAL• Establish a clear change management plan:Keep the cultural shift required front of mind (i.e., tomove from the mentality of managing in silos tosharing or converging risk/compliance informationacross the enterprise).• Don’t let a tool drive the transformationprocess: Many companies have allowedautomation to drive rules, formats, roles andresponsibilities, and this has led to lessstreamlining.STRATEGICEstablishingrequirements andidentifying convergenceopportunitiesDISCRETEIdentifying core activities andimprovements that will remaindiscrete based on regulations,stakeholders, etc.FUNDAMENTALFoundational elements such as, data,tools and system, that can be sharedacross functions for a consistent &integrated processLeading PracticesSTRATEGIC• Establishing guiding principles: For example,what is important to achieve convergence? (e.g.,align to strategic objectives, clear accountabilities).This will help to keep the program on track as it isrolled out, sustain it for the long-term and facilitatebuy-in from stakeholder.• Establish a common taxonomy andlanguage of risk management, complianceand control: For example, self-identified issuesstandards, governance and management reportingstandards. This enables a holistic vision andcomprehensive emerging risk identification.DISCRETE• Don’t stop at IA only: There may need to beother organizational changes or process changesmade outside of the IA areas to really facilitate thetransformation (e.g., enterprise risk managementprogram).FUNDAMENTAL• Integrated risk and controls informationunder a single technology platform:Enhances the consistency and quality of informationfor reporting and proactive risk analysis (e.g., for theidentification of emerging risks).• Global 24/7 team testing controls: A globalteam that provides ‘round-the-clock’ testing ofcontrols to enhance efficiency and meet tightdeadlines.© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI27

Trends in RiskManagement

Emerging Ideas in Risk GovernanceWhat Went Wrong?Weaknesses Identified• Failure of some BODs and senior managers toestablish, measure and adhere to a level of riskacceptable to the firm• Compensation programs that conflicted with thecontrol objectives of the firm• Inadequate and often fragmented technologicalinfrastructures that hindered effective riskidentification and measurement• Institutional arrangements that conferred statusand influence on risk takers at the expense ofindependent risk managers and control personnel© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI29

Risk Management Trends in Turbulent Times12345Enterprise-wide assuranceGRC Capabilities• Developing a clear structure within the organization thatfacilitates the governance and management of risk andcomplianceRisk culture• The organization’s culture facilitates and embraces the sharing ofrisk informationIdentifying, focusing and responding to the right risks• Identifying and responding to the most significant risks• Focusing attention on areas needing mitigation or optimizationRight level of controls (control portfolio optimization)• The right level of controls executed by the right people with theright information from the right systemValue added risk and compliance processes• Structuring the risk and compliance activities to obtain morevalue and be more cost effective• Reducing redundancy and costs and increase efficiencyTrend• Rationalization of risk monitoring functions• Increased definition and allocation ofresponsibility and accountability• Understanding risk culture and its impact ona risk management program• Single view of risk• Using scenario analysis to focus on emergingrisks• Leveraging automated controls andcontinuous auditing• Understanding risk appetite and thresholds• Increased use of automated ERP/GRCapplications• Derive value from investment in governance,risk management and compliance space© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI30

Emerging Ideas in Risk GovernanceRecent DevelopmentsEnvironmental InfluencesCurrent Trends:• Board Risk Committees (Financial Services)• Risk Reports to Entire Board• Executive Compensation Policies• Government Involvement• Board Approves Risk AppetiteU.S. Regulatory/Legislative/Guidance:• Dodd – Frank Wall Street Reform and ConsumerProtection Act• SEC Proxy and Disclosure Statement Rule• NACD GuidelinesInternational Regulation:• Basel III• FSA Focus• Solvency II• Corporate Governance Statements – e.g., South AfricaKing Report III• U.K. Corporate Governance CodeGlobal Risk Governance “Hot Spots”© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI31

Critical EvaluationRisk Management Pain PointsGuiding Principles Drive Culture Changes, ERM Implementation and DecisionmakingRisk CultureTopics What we are hearing from the industry? What changes are being considered?ERM OrganizationStructureSenior Managementand Board MembersRisk Tolerance andAppetiteOperational RiskEconomic CapitalModelScenario Analysis andTestingReporting andSystemsRisk management is often perceived as compliance exerciserather than a business issueImportant factor in ERM and a contributor to the recenteconomic problems – absence of risk committees, lack ofindependent risk functionUnbalanced focus on profits vs. risk management. Lack of riskmanagement expertise at senior levelHigh level definition. Not operationalized at business level. Notclearly communicated and not enforced on a real-time basisRemains a weak spot in ERM with simplistic assumptionsEffective usage of EC is lagging behind. Not fully utilized indecision making and capital allocationLack focus on interdependency of risks. Emphasis on historicalevents, reactive, not forward looking. Shocks and stresses tooweakReports with multiple views of the same risk, not available on atimely basis. Inadequate IT systems and processesRisk management will be a strategic function. Integration of riskfunction and business is criticalAssess the roles of CROs and business owners. Establish riskcommittees and governance to address various issues such asroles and responsibilities, independence and interdependency ofrisksExecutive team must demonstrate leadership in ERM (tone at thetop), to embed risk management into the company’s culture andoperationsClearly defined and better communicated. Executable andenforced. Linkage to economic capital modelingStrengthen ORM with other interdependent risks. Moresophisticated scenario testing and better linkage to economiccapitalClearly understand model limitations. Greater forward-lookingview. Embed EC into decision making and performancemanagementKey focus will be on risk interdependencies, especially in theoperational risk area. Greater consideration of more severescenarios and stress testing. Enhancements through dedicateddata collection, both internal and externalEnhance discipline of single view of risk. Improve effectivenessthrough common Governance, Risk and Compliance platform© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI32

ERM and Internal Audit

Internal Audit’s Role in ERMCore internal audit rolesin regard to ERMLegitimate internal auditroles with safeguardsSource: IIA UK and IrelandRoles internal auditshould not undertake© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI34

ERM Program Review (Audit)An ERM program review (or audit) by Internal Audit can provide a structured evaluation of the designand effectiveness of the company’s ERM program—leading to assurances over various aspects ofthe company’s management of enterprise-wide risks. Help the organization answer the questions:• Are identified enterprise risks and defined tolerances comprehensive and have they been establishedconsistently within risk appetite?• Have risk management processes been designed effectively so that unexpected deviations from riskappetite and tolerances can be identified in time for management to take corrective actions (key riskindicators)?• Are implemented risk management processes operating as designed and are monitoring mechanisms inplace and utilized?© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI35

Evolution of Skills for Internal AuditsSource: Risk & InsuranceManagement Society, Inc.Core Competency SkillsInterpersonal Skills:LeadershipMotivatorNegotiationsConsensus BuilderTeam BuilderAccountingEconomicsFinanceLegalComplianceHuman ResourcesAuditBusiness SkillsPersonal Skills:MotivatedInnovativeExperiencedCommunicationConsultativeManagementInformation TechnologyMarketingOperationsStatisticsSecuritySafetyConceptual SkillsPlanningOrganizingDecision MakingManagement ProcessEthical JudgmentOrganizational ArchitectStrategic ThinkingTechnical SkillsRisk Management ProcessRisk AnalysisRisk ControlRisk FinancingEnterprise Risk ManagementProject ManagementInsurance KnowledgeVendor RelationsERMIS and Claims Management© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI36

Specific Actions Internal Audit Can ConsiderHelp management produce assurance reports, scorecards, dashboards, etc.Confirm whether KRIs are being used by management to monitor key risksIs risk management embedded in key processes such as budgeting / forecasting, PMO, capitalallocation, mergers & acquisitions, incentive / bonus plans, etc?Review risk documentation against overarching risk appetite for consistency with 10K, rating agencypresentations, regulatory filings, etc.Assess “auditability” of enterprise risk documentation and designed mitigation and monitoringmechanismsResearch and benchmark risk management practices against leading practices (frameworks) in theindustry and as set out in emerging regulatory requirements such as Solvency IIAssess measurability of risk appetiteAssess relationship of risk appetite to company objectivesProvide opinion on adequacy of risk definitions© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI37

Specific Actions Internal Audit Can Consider (continued)Review drivers of key risks to ensure management understands triggers and has appropriatemonitoring processes – Are they proactive / anticipatory?Provide assurance that proposed risk management techniques completely and consistently addressthe defined risks and risk driversReview planned or intended risk responses and provide input on the practicality of the actions andhow likely the actions are to produce intended resultsConduct preimplementation reviews of large scale projects or programs; helping management focuson proactively addressing common post implementation audit findingsAssess whether an effective post-mortem is conducted following risk events to improve riskmanagement processes© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI38

KPMG’s ERM Thought LeadershipThe Business Case for a Risk Executive: Leading Efforts to Avoid Surprises, Maneuver throughChallenges, and Add Value. Discusses the benefits, challenges and leading practicerequirements for establishing an effective risk executive given the current economicenvironment.Placing Value on Enterprise Risk Management. Outlines approaches that could provide a focusto both justifying the ERM program and improving program performance.Understanding and Articulating Risk AppetiteThis white paper offers an approach for developing an effective risk appetite statement andidentifying the main characteristics of a well-defined risk appetite. (July 2009)Many Enterprise Risk Management Programs Lack Fundamentals, According to KPMG’s Surveyof Internal Auditors and Boards. KPMG’s News Release that surveyed participants from 2008NACD conference and 2008 International IIA Conference on the status of their risk managementprograms and practices.© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI39

Presenters’ contact detailsKreg WeigandKPMG LLP612-305-5581kweigand@kpmg.comwww.kpmg.com© 2011 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network ofindependent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks ofKPMG International. 45469CHI40