Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
governance, risk
and compliance
May 2014
Conclusion ................................................................. 15
Introduction
Insights on governance, risk and compliance — Expecting more from risk management | 1
Risk, uncertainty and business
performance
Never before have we seen such rapid changes in how and where Understanding uncertainty means challenging our basic assumptions
companies do business than in the past 10 years: and envisioning new ways to view the world, but uncertainty is
where risk starts and where levers to performance improvement
The volatility of global business environments and markets has
can be found. REPM incorporates changes to risk management that
increased dramatically; it is unparalleled in scope and impact.
relies on direct links to ongoing performance metrics to increase
The velocity of change has never been greater. Personal and our ability to react quickly, before the die is cast. It also focuses on
business life are already moving fast and are constantly accelerating. the shift to value creation, creating an offensive front that helps us
stay ahead based on insights about uncertainty and how to manage
We are now in a world where visibility to all we do, our information,
it to our advantage.
communications, operations, investments, and actions is very high.
It can be a benefit or a curse and requires new levels of responsibility By embedding risk management into business processes,
and capabilities to manage effectively. organizations can create a REPM program that becomes insights-
and value-driven. Organizations then have greater visibility into the
However, while volatility, velocity and visibility are rapidly
health of the business, and better information to support strategic
increasing, the ability to recognize and manage the uncertainties
decision-making. They also have an approach that highlights upside
embedded in these challenges is not growing and being applied at
as well as downside risks, enabling organizations to assess and act
the same pace. This represents both a grave threat to companies
upon opportunities rather than having them pass by unnoticed.
and a very significant set of opportunities lost.
2 | Insights on governance, risk and compliance — Expecting more from risk management
REPM — the connection between business performance and value creation
Risk enabled
performance
Business management
performance
Leading practices
Expanded focus • Expanded considerations to emerging risks
• Directly links key risks to performance drivers
Risk insight • Enhanced risk analysis using data analytics
Shifting focus from reporting
The focus for risk management components that we break apart ranges of outcomes and identify
leverage to change them.
In order to fully appreciate why a new paradigm in risk management
So the big question for companies is: how much is it worth to
is important, we need to focus in on the real issue — uncertainty.
understand and reduce that uncertainty? Phrased another way,
When we consider any set of business outcomes, whether strategic,
what if you could increase the predictability of your business
financial or operational, we understand that there is no sure bet.
outcomes? And, importantly, how can you move those outcomes to
Regardless of what aspect of business we discuss, there remains
capturing more and more of the upside part of that uncertainty?
a cloud of uncertainty around the final outcomes. This cloud is
composed of both potentially positive and negative possibilities. This is the new paradigm — moving away from the status quo or
informational and compliance-focused risk management to a
Uncertainty becomes risk when it is calibrated against our vested
new level, which is directly linked to performance, based on
interests, that is, how much do we stand to gain or lose, and what
harnessing uncertainty.
are the variables that affect those possible outcome ranges. It may
seem like a fine point, but it is in consideration of the uncertainty
Insights on governance, risk and compliance — Expecting more from risk management | 3
Identifying risks that incrementally contribute to volatility in drivers and outcome metrics
Supplier/product
quality issues
A Through association of performance
Likelihood
Supplier resiliency/
production outages B
Non-compliance
with customs
regulations
C
Supply chain efficacy example
Target Profit
Labor
arbitrage
Outsourcing
High level D Uncertainty management activities are designed and value impacts are quantified
action steps E Management activities are implemented and tracked relative to performance metrics
4 | Insights on governance, risk and compliance — Expecting more from risk management
Rhythm of the
business
So where do you start?
Well, first let us consider the challenge. If you want REPM to
become intrinsic to your business, then you need to think about
how business is accomplished.
6 | Insights on governance, risk and compliance — Expecting more from risk management
There are several key business processes, and structural and At the business level planning/budgeting level, an example is:
functional components that make up this rhythm of the business, E. Revised business planning pro-formas which expand analysis
working together to deliver business value creation. Within these on types and levels of risk represented by business investments.
components of the business, we see four basic business process This will begin to create an “equal-footing” basis for a risk-
suites, which represent logical groupings from a business perspective: adjusted approach to investment and capital allocation.
1. Strategic oversight and planning — board and executive
management level activities At the operational execution level, examples include:
F. Inclusion of formal and specific risk tolerances, limits and
2. Business level planning/budgeting — management translation
thresholds as performance metrics in operational reviews.
of strategies into business plans and allocation of capital
Tied to business planning and based on the risk appetite,
3. Operational execution — value creating implementation of these tolerances provides indicators for ensuring alignment
plans and strategies of operational activities with desired risk exposures and yields
4. Monitoring and compliance — audit and compliance activities improved results predictability.
G. Re-evaluated risk and operational process linkages to better
isolate potential for cascading incidents: outsized catastrophic
We believe that risk-enabling a business, introducing key insights
operational events are often the results of a series of cascading
in a practical way, can be accelerated by addressing these logical
smaller breakdowns. Focusing on the operational uncertainties
groupings of management processes, for example.
across processes and spanning multiple controls can diminish
At the strategic oversight and planning level, there are several the potential for “runaway” events.
opportunities to begin the process of risk-enabling the organization:
A. Enhance risk governance structure, roles and responsibilities — And finally, at the control and compliance monitoring and
bringing clarity on expectations and oversight of risk assurance level you could include:
exposures. This redefinition is focused on driving performance H. Comprehensive alignment of functional monitoring processes
versus primarily reviewing key risks, and includes ties to with risk profile — inventory and comparison of functional
delegation of authority and performance management. risk monitoring activities relative to a detailed analysis of the
B. Develop a practical and “working” risk appetite — setting the company risk profile can highlight redundancies, overlaps and
tone and direction on how risk is integrated into leadership coverage gaps. This potentially cuts cost and increases risk
considerations, and how much and what type of risks are monitoring effectiveness.
required and/or acceptable for business. This approach focuses
on a clear view of how risk appetite is used in capital allocation
and related guidelines for investment and operations.
C. Identify emerging risks associated with strategic plans —
modifying processes to identify and address emergent variables
and uncertainties that can impact business aspirations. The
focus here is less about predicting specific issues, as it is about
learning how to recognize new emerging ones in advance.
D. Quantify the performance ranges within the business plan that
are tied to risk uncertainties — understanding the value of the
uncertainties will drive focused efforts to reduce them, leading
to more reliably predictable results. This requires the business
to fully understand the drivers of performance first, making
some form of driver analysis a prerequisite.
Insights on governance, risk and compliance — Expecting more from risk management | 7
REPM framework applied
Case study: REPM framework applied to electric utility capital allocation planning
8 | Insights on governance, risk and compliance — Expecting more from risk management
A program for
developing
risk-enabled
performance
management
We believe the beginning is understanding the nature and impact deal of the benefit of effective risk management is in leveraging
of uncertainties that are (or have the potential to) dramatically or building capabilities to capture upside opportunities; for this
impacting business results and strategic plans, and then using that reason, it is important to establish a foundation for driving risk
awareness to improve decision-making. We see this breaking out in management activities.
three parts:
EY suggests using a basis that considers a fuller range of
1. Determining what key uncertainties you are facing, relative to performance issues, namely growth, optimization and protection
your business results of the business. The success of any business is tied to how well
2. Aligning your company’s risk profile with your risk appetite these three are done, the specific balance among them being based
(based on your strategies and goals) on the company’s risk appetite.
Grow Protect
1 Determining key uncertainties and potential impacts
10 | Insights on governance, risk and compliance — Expecting more from risk management
2 Aligning your risk profile with your risk appetite
3 Embedding risk-enabled decision-making into the
rhythm of the business
Insights on governance, risk and compliance — Expecting more from risk management | 11
Plan of attack We believe that a logical approach to risk-enabling a company
should also consider the dimensions of:
Moving an organization toward a risk-enabled 1. Organizational risk-enablement — broad entity-wide approach
orientation takes time, and the first question 2. Business process suite focus — enhancements tied to specific
is “what is the right approach to begin?” processes and groups of processes
To answer that question we come back to the rhythm of the business. 3. Specific business issues — discrete business challenges
We previously suggested that the key management processes by impacting performance, operations, etc.
which companies operate could be broken into four “suites”:
Within this breakdown, companies can readily target near-term
• Strategic oversight and governance value in addressing specific business challenges, mid-term value in
• Business level planning/budgeting process changes, and longer term value through culture-impacting
enterprise level changes. As with any change management efforts
• Operational execution (which enhancing risk management is), it is critical to provide an
• Monitoring and compliance end-state vision and objectives, while at the same time delivering
near-term value added.
12 | Insights on governance, risk and compliance — Expecting more from risk management
REPM can be readily applied on three key dimensions, depending upon company specific
needs, operational model and capabilities
Board and
board committee 1. Organizational risk enablement
meeting Strategic oversight Risk line of sight and governance
and planning from board to operations and monitoring
Executive-level
strategic planning
Monthly/quarterly
performance
reviews 3. Specific business issues
Operational execution Risk insight application to
key business issues
Continuous
performance
management and
reporting
Monitoring
Continuous
compliance and and compliance
risk assurance
activities
Insights on governance, risk and compliance — Expecting more from risk management | 13
Risk-enabled decision-making and
business processes provide a stronger
link to the profit and loss and balance
sheet, connecting risk insights to both
value protection and creation in a
much more tangible way.
Conclusion
EY believes that the key to success of that change lies in: This is the future of risk management, and more importantly, a better
pathway to improved business performance and competitiveness in a
• Rethinking the view of risk to be more along the lines of understanding changing business world.
the uncertainties that drive variability of business results
Does your company view risk management as a key component in managing business performance?
Is there continuity of understanding in the risks associated with your plans and objectives, which carries through from
strategic planning to capital allocation and operational execution?
In addition to protecting your business, is your risk management providing direct benefit to your growth efforts as well?
Is risk management integrated into the “rhythm” of your business processes, versus a later lens or add-on?
Is your risk management connected to your P&L, cash flow and other critical metrics?
Do you know what your risk appetite really is, and more importantly, how it can be used to inform management
decision-making?
Are you using quantitative analytics as effectively as you could be to manage risks to the business?
Do you have a good sense of where and how uncertainty is embedded in your plans and activities?
Does leadership have a clear view of the company’s risk profile across the breadth of its operations?
If one of these questions has been answered with ”no,” it is time for you to take action as soon as possible.
Insights on governance, risk and compliance — Expecting more from risk management | 15
Want to learn more?
Insights on governance, risk and compliance is an ongoing series of
thought leadership reports focused on IT and other business risks
and the many related challenges and opportunities. These timely
and topical publications are designed to help you understand the
issues and provide you with valuable insights about our perspective.
Under cyber attack: EY’s Global Information Beating cybercrime: Security Program Getting value out of your lines of defense:
Security Survey 2013. Management from the board’s perspective. a pragmatic approach to establishing and
www.ey.com/giss2013 www.ey.com/spm optimizing your LOD model.
www.ey.com/lod
Centralized operations: the future of operating Privacy trends 2014: privacy protection in the Turning risk into results: how leading companies
models for Risk, Control and Compliance functions. age of technology. use risk management to fuel better performance.
www.ey.com/centralops www.ey.com/privacy2014 www.ey.com/risk
16 | Insights on governance, risk and compliance — Expecting more from risk management
At EY, we have an integrated perspective on all aspects of
organizational risk. We are the market leaders in internal
audit and financial risk and controls, and we continue to
expand our capabilities in other areas of risk, including
governance, risk and compliance as well as enterprise
risk management.
We innovate in areas such as risk consulting, risk analytics
and risk technologies to stay ahead of our competition. We
draw on in-depth industry leading technical and IT-related
risk management knowledge to deliver IT controls services
focused on the design, implementation and rationalization
of controls that potentially reduce the risks in our client’s
applications, infrastructure and data. Information security is
a key area of focus where EY is an acknowledged leader in
the current landscape of mobile technology, social media
and cloud computing.
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax,
About EY’s Advisory Services
transaction and advisory services. The insights Improving business performance while managing risk is an increasingly complex business
and quality services we deliver help build challenge. Whether your focus is on broad business transformation or more specifically
trust and confidence in the capital markets on achieving growth, optimizing or protecting your business, having the right advisors on
and in economies the world over. We develop your side can make all the difference. Our 30,000 advisory professionals form one of the
outstanding leaders who team to deliver on our
broadest global advisory networks of any professional organization, delivering seasoned
promises to all of our stakeholders. In so doing,
we play a critical role in building a better working multidisciplinary teams that work with our clients to deliver a powerful and exceptional
world for our people, for our clients and for our client service. We use proven, integrated methodologies to help you solve your most
communities. challenging business problems, deliver a strong performance in complex market conditions
and build sustainable stakeholder confidence for the longer term. We understand that
EY refers to the global organization, and may you need services that are adapted to your industry issues, so we bring our broad sector
refer to one or more, of the member firms of experience and deep subject matter knowledge to bear in a proactive and objective way.
Ernst & Young Global Limited, each of which is
Above all, we are committed to measuring the gains and identifying where your strategy
a separate legal entity. Ernst & Young Global
Limited, a UK company limited by guarantee, and change initiatives are delivering the value your business needs.
does not provide services to clients. For more
information about our organization, please visit To find out more about how our Risk Advisory services could help your organization, speak
ey.com. to your local EY professional or a member of our global team, go to: ey.com/advisory.
This material has been prepared for general informational Jay Layman +1 312 879 5071 jay.layman@ey.com
purposes only and is not intended to be relied upon as accounting,
tax, or other professional advice. Please refer to your advisors for EMEIA
specific advice.
Jonathan Blackmore +44 20 795 11616 jblackmore@uk.ey.com
ey.com/GRCinsights Asia-Pacific
Japan