Companies often pursue business opportunities that arise from the risks they take in implementing their business strategy. The COSO ERM risk management framework, updated in 2017, outlines the key pillars of an effective risk management program. The framework is designed to help organizations manage uncertainty, establish effective risk management plans whenever they intend to implement new business and strategic plans, and manage risks effectively during the regular course of their business. The updated COSO ERM Framework consists of a set of principles organized into five interrelated components: Governance and Culture; Strategy and Objective-Setting; Performance; Review and Revision; and Information, Communication and Reporting.
Collectively, these five components assist companies in several important activities:
- Implementing an effective Tone at the Top;
- Establishing oversight responsibilities for the enterprise's risk management activities;
- Defining a Risk Appetite aligned with business and strategic objectives;
- Prioritizing risks by severity and selecting appropriate risk response plans;
- Reviewing the performance of the business entities responsible for each risk response plan, assessing the performance of the framework's components over time and/or in light of significant business events, and determining whether any revisions are needed; and
- Continuously obtaining and sharing the necessary information (both internal and external), from junior staff to senior management as well as across the business and operational functions within the organization.
By adopting an integrated risk management program, organizations are able to address several types of risk using one common language, and so allocate appropriate resources for the management and oversight of not only standard operational or strategic risks, but also fraud risks, financial integrity and compliance risks (e.g., SOX), data privacy and information security risks, legal risks and many others.
Enterprise Risk Management
The financial services sector in Israel operates in a complex regulatory environment, with multi-dimensional requirements for Enterprise Risk Management ("ERM") outlined by the Bank of Israel, the Capital Market, Insurance and Savings Authority, and the Israel Securities Authority. This complex web of regulatory oversight and enforcement requires financial institutions to regularly disclose risks, risk management strategy, risk ownership and risk response mechanisms across a wide range of risk areas, including operational risk, credit risk, interest rate and liquidity market risks, counterparty risk, insurance risks, investment risks, technology and IT risks, cyber risks, conduct risks, strategic risks, compliance and regulatory risks, as well as macroeconomic risks.
As a result, financial institutions have developed a hybrid approach to ERM, combining risk analysis with capital planning and an Internal Capital Adequacy Assessment Process ("ICAAP" for banking institutions, and "ORSA" for insurance companies), followed by in-depth analysis of leverage ratios, LCR liquidity ratios, and stress testing of scenarios, as well as risk management models (e.g., VaR, and the IRB credit-risk parameters PD, LGD and EAD). Finally, the above processes are consolidated into the relevant policies and procedures.
- Design comprehensive Enterprise Risk Management Frameworks, including risk surveys, policy documents, Risk Appetite policies, and more;
- Assist companies with the implementation of IT systems designed for ERM or ERM-related purposes (e.g., GRC – Governance, Risk & Compliance), in accordance with international best practice such as "COSO" and "COBIT";
- Assist publicly-listed companies in developing and implementing processes and controls designed for compliance with SOX requirements, the Goshen Committee resolutions, and IT General Controls ("ITGC") standards;
- Advise financial institutions on credit risk management and market and liquidity risks, as well as on the development and validation of financial risk models in accordance with the model risk management and validation principles issued by the OCC and the Bank of Israel;
- Assist companies in adopting international regulations that mandate risk management, such as Basel and Solvency, or the Internal Capital Adequacy Assessment Process (ICAAP);
- Design KRIs (Key Risk Indicators) for early identification of risks, in accordance with the organization's strategic business plans;
- Identify and analyze emerging risks using stress scenarios and effective reporting;
- Conduct Risks – risks directly related to an organization's behavior towards its customers, such as lack of transparency regarding products and services, irresponsible lending, and market abuse;
- Climate and environmental risks – assist companies with managing both Physical risks and Transition risks (i.e., risks arising from evolving regulatory opinions and policies towards climate and environmental risks);
- Draw on expertise in both risk management and strategic consulting to formulate appropriate crisis readiness programs based on stress scenarios (multi-variable / inverse scenarios), as well as robust plans for recovering from crisis events using agile business processes and controls, informed by root-cause analysis and lessons learned;
- Conduct Enterprise Resilience Assessments combined with integrated dynamic risk analysis (e.g., "Risk Radar"), and assist companies with implementing effective BCPs ("Business Continuity Plans") and DRPs ("Disaster Recovery Plans").