1
Enterprise Risk ManagementLessons, Trends & Laws
Paul L. Walker
Feb. 26th, 2004
2
Lessons from the Field
3
ERM Definition
• ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events, that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.– COSO Fall 2003
4
There are knowns, known unknowns, and unknown
unknowns. Author unknown
5
Strategic Risk: Value Collapse in The Fortune 1000
• Studied Fortune 1000 between 1993-98
• Ten percent of the Fortune 1000 lost over 25% of shareholder value within a one-month period. Even after two years, the Value Collapse 100 had not recovered.
• Most of these losses can be attributed to ___________ risk.
6
Strategic Risk: Value Collapse in The Fortune 1000
24
12
76
4
21
2
11
7 76
3 3
0
5
10
15
20
25
% of Top 100
Cost Overrun
Accounting Problems
PoorManage-
ment
Supply Chain Issues
Competi-tive
Merger Problem
Wrong Products
Pricing Pressure
CustomerLosses
R&D &
Other
Demand Shortfall
Regulation
Strategic58%
Operational31%
Finan-cial6%
Foreign Economic
Issues
High Input
Prices & Interest
60
70
80
90
100
110
120
130
140
150
160
0 2 4 6 8 10 12 14 16 18 20 22 24
Sto
ck P
rice
Gro
wth
Ind
ex
Months after Initial Drop
S&P 5001
Value Collapse
1002
Source: Mercer Value Growth Database, Mercer analysis.Note: 1S&P 500 index is the sum of the S&P indexes corresponding to time period for each of the 100 companies. suffering stock drops.2Data was not available for all companies for all 24 months after the stock drop (e.g., for stock drops in the last two years. Where data was not available, companies were excluded from that month for both the 100 companies. index and the S&P 500 index.
7
The ERM Process
Monitor Act Assess Risks
Identify RisksSet Objectives
8
The Management Challenge: Four Barriers to Strategy Execution
Only 5% of the workforce understands
the strategy
The Vision Barrier
The People Barrier
Only 25% of managers have goals/incentives
linked to strategy
The Management Barrier
85% of executive teams spend less than one hour per month discussing long-term strategy
The Resource Barrier
60% of organizations don’t link budgets to strategy
9 of 10 companies
fail to executestrategy
9
10
Enterprise Risk M anagem entEnterprise Risk M anagem ent
BusinessVision
BusinessO bjective
RiskFram ew ork
IdentifyR isk
Universe
RiskW orkshop
Control &Action
W orkshop
M onitorEvaluateM anage
M arket Sha re
R espect Individual
Service to C ustom er
Strive for E xcellen ce
Expans io n O pportunity
Distributio n
C usto mer Service
R etentio n
Develop ment
Leadership
Categorize R isk
Standard Framew ork
R eference
Survey Stakeho lders
C omp ile Data
Share D ata
Schedule W orkshop
C ross Divis io na l
Discussio ns
Add itio nal R isk
Prior it ize R isk
Evaluate R isk
Existing Co ntro ls
D efic ienc ies
Actio n P lan
Respo nsibility
Actio n and T imeline
M o nitor Progress
Address Gaps
R eport R esults
Wal-Mart’s ERM Process
11
Company Perspective
• “I think the point to risk management is not to try and operate your business in a risk-free environment. It’s to tip the scale to your advantage. So it becomes strategic rather than just defensive.”Peter Cox, CFO, United Grain Growers Ltd.
12
Risk Identification TechniquesInternal interviewing and discussion:
• interviews• questionnaires• brainstorming• Self-assessment and other facilitated workshops• SWOT analysis (strengths, weaknesses, opportunities, and threats)
External sources:
• comparison with other organizations• discussion with peers• benchmarking• risk consultants
Tools, diagnostics and processes:
• checklists• flowcharts• scenario analysis• value chain analysis• business process analysis• systems engineering• process mapping
AICPA, Managing Risk in the New Economy, p. 9
13
Business Risk Model TM -- A Common Language
Competitor Sensitivity Shareholder Relations Capital Availability
Catastrophic Loss Sovereign/Political Legal Regulatory Industry Financial Markets
Operations RiskCustomer Satisfaction
Human ResourcesProduct Development
Efficiency Capacity
Performance GapCycle Time
SourcingCommodity Pricing
Obsolescence/ShrinkageCompliance
Business InterruptionProduct/Service Failure
EnvironmentalHealth and Safety
Trademark/Brand Name Erosion
Empowerment RiskLeadershipAuthority
LimitPerformance Incentives
Communications
Financial RiskCurrency
Interest RateLiquidity
Cash Transfer VelocityDerivativeSettlement
Reinvestment/RolloverCredit
CollateralCounterparty
Information Processing/Technology Risk
AccessIntegrity
RelevanceAvailability
Integrity RiskManagement Fraud
Employee FraudIllegal Acts
Unauthorized UseReputation
OperationalPricing
Contract CommitmentMeasurement
AlignmentCompleteness and Accuracy
Regulatory Reporting
FinancialBudget and Planning
Completeness and AccuracyAccounting Information
Financial Reporting EvaluationTaxation
Pension FundInvestment EvaluationRegulatory Reporting
StrategicEnvironmental ScanBusiness Portfolio
ValuationMeasurement
Organization StructureResource Allocation
PlanningLife Cycle
The Economist Intelligence Unit, Managing Business Risk, p. 15
Environment Risk
Process Risk
Information for Decision-Making Risk
14
Risk ManagementAssessing Impact and Likelihood of Occurrence
10
10
Low Likelihood of Occurrence High
MinorDisturbance
Catastrophic
Impact onAchievementof Objectives(Significance)
Adapted From The Economist Intelligence Unit, Managing Business Risk, p. 30 and Deloitte & Touche, Perspectives on Risk, p. 13
Inspect/Correctand
Monitor
Prevent at the
Source
ControlUnnecessary;
Continue to Assess
Monitorand
Investigate
1
4th QuartileLow Impact
Low Likelihood
3rd QuartileLow Impact
High Likelihood
2nd QuartileHigh Impact
Low Likelihood
1st QuartileHigh Impact
High Likelihood
15
??
?
?
?
?
Impact
Frequency
16
E-BusinessRisk Map
1/5/00
Significance High/Low=6 High/Medium=8 High/High=9Organizational Structure IT Infrastructure Pricing AccuracyCommunications - Internal/External Litigation Accounting Controls
High IT Data Integrity Content Accountability System Integration E-business owner Hidden Costs Third Party Communications Credit Risk Hacking Due Diligence Risk
Margin ProtectionCompetitivenessProfitability Measurement
Medium/Low=3 Medium/Medium=5 Medium/High=7
AuthorityRegulatory - State Differences Points of Failure
Medium Code of Conduct Regulatory ResponseComplex Process/Systems
Business Exit Strategy External Data IntegrityResource Allocation - IT & HR
Employee Privacy Intellectual PropertyCustomer Privacy Unauthorized IntermediaryTechnology Contract Terms
Transparent IntermediaryAlliances & CompetitionOrder Fulfillment
Low
Low/Low=1 Low/Medium=2 Low/High=4Qualify Customer Default Strategy
Low Medium High
Likelihood
17
Instructions
1. Please list the key processes within your area of responsibility (e.g., the six to eight major activities performed within your function).
2. For each of these key processes, please list the:
a. risks that could impede the processb. factors that contribute to the riskc. management activities, or controls, that are or should
be in place to mitigate the risk
3. Please list the objectives for your area of responsibility (no more than ten key objectives that if attained would ensure success in your area).
4. Please assess the overall readiness within your area of responsibility to seize opportunities and manage risks.
18
Key Process
KEY PROCESS RISKS:CONTRIBUTING FACTORS:
MANAGEMENT ACTIVITIES:
Consequences:
Experienced Risks:
19
Objectives for Your Area of Responsibility
Please list the objectives for your area of responsibility (no more than ten key objectivesthat if attained would ensure success in your area).
20
Risk ReadinessUse the following categories to assess the overall readiness within your area of responsibility to seize opportunities and manage risks using the scale at the bottom of the page:
Management Environment VL L M H VHe.g., ethical values, HR policies, accountability, trust, proper resources
Risk Assessment VL L M H VHe.g., objectives clear, risks identified, measurement indicators, monitoring of environment
Management Activities VL L M H VHe.g., policies practiced, expectations and scope, decisions by right people, integrated control processes, timely decisions
Information / Communication VL L M H VHe.g., communication processes, relevant information, coordination ofdecisions, plans communicated, information needs reassessed
Monitoring VL L M H VHe.g., performance monitored, assumptions challenged, follow upprocesses, periodic reporting on risk management and control
VL = Very Low L = Low M = Medium H = High VH = Very High
What is your level of concern with respect to the overall ability of your area of responsibility to seize opportunities and manage risks? Please circle the most appropriate response:
21
Making Enterprise Risk Management Pay Off
• Barton, Shenkir and Walker
• Published by the Financial Executive Institute in 2001 and by the Financial Times in 2002
22
Case-Study Companies in FERF Study
Study Company Industry Revenues1 Employees
Chase Manhattan Corp.2 Financial Services $22,982 74,800
Dupont Chemical $26,918 94,000
Microsoft Corp. Technology $19,750 31,575
United Grain Growers, Ltd. Agriculture C$1,832 1,600
Unocal Corp. Energy $6,057 7,550
1Most recent fiscal year in millions of U.S. dollars (except for United Grain Growers which is in millions of Canadian dollars).
2J.P. Morgan Chase & Co. as of December 31, 2000.
23
Main Reasons Involved in ERM
• Shareholder value, shareholder value and shareholder value
• Known unknowns and unknown unknowns:– Number and complexity of risks– Avoid debacles
24
Lessons From Case Study Companies
• No single approach
• Identify risks enterprise-wide– Look for integration, value and consistency
25
More Lessons
• Assess and measure risk- Maps, rankings, lists- Can be quantitative or qualitative
• Driving risk awareness throughout organization
• Risk champions
26Note: All loss amounts are in millions of dollars.
1.10
1.00
0.90
0.80
0.70
0.60
0.50
0.40
0.30
0.20
0.10
0.00$0.00 $6.18
Annual Loss Amount
Prob-abilitythatAnnualLosswillExceedAmountShown
Sample RiskGain/Loss Probability Curve
90% - $0.30
80% - $0.48
70% - $0.68
60% - $1.13
50% - $1.15
40% - $1.50
30% - $1.98
20% - $2.73
10% - $4.28
27
Actual Revenues VersusRisk Corrected Revenues
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
ActualDistribution
RiskCorrection
Distribution
Risk CorrectedRevenues
ActualRevenues
28
Goal of Risk Management at Dupont
Distribution after Risk ManagementInherent
Distribution
Earnings
29
Natural Gas9%
Ethane4%
Cyclohexane5%
Corn2%
Soybeans2%
Anticipated Local Currency Margins
46%
Floating Rate Debt32%
Notional Amount at Risk= $5 billion
Where’s the volatility?
30
The Volatility
• Natural Gas 46%
• Corn 18%
• Interest Rates 20%
• Euro 12%
• JPN Yen 9%
31
Earnings at Risk by Risk Factor
Total DuPont EaR by Risk Category(100% = $35 million)
Commodity Prices
Foreign Exchange
InterestRates
32%51%
17%
0%
5%
10%
15%
20%
25%
30%
35%
Chemicals Precious Metals Natural Gas Agriculture Other Commodities
Commodity Contribution toEaR by Major Commodity
(100% = $16 million)
0%
5%
10%
15%
20%
25%
30%
35%
Euro Yen Mexican Peso Canadian $ Other Currencies
Foreign Exchange Contribution toEaR for Major Currency
(100% = $26 million)
32
Earnings at Risk Hedge Effectiveness Comparisons
-$40
-$30
-$20
-$10
$0
$10
$20
$30
$40
Business Unit 1 Business Unit 2 Business Unit 3 Business Unit 4 Total DuPont DiversificationBenefit
"Natural" Earnings at Risk
With Hedging Earnings at Risk
Earnings at RiskContribution(millions of dollars)
33
Expected Earnings and EaR for Budget Year 2000
$0
$10
$20
$30
$40
$50
$60
$70
Janu
ary
Feb
ruar
y
Mar
ch
Apr
il
May
June
July
Aug
ust
Sep
tem
ber
Oct
ober
Nov
embe
r
Dec
embe
r
Expected Earnings Earnings at Risk
$ MillionsSummary by Month
0%
5%
10%
15%
20%
25%
$545Equals the earnings
Corresponding to the95% CI
$125EaR equals the
difference
$670Equals the expectedOr budgeted earnings
Earnings($ millions)
Distribution or AnnualizedEarnings Outcomes
34
Probability Assessment of Earnings OutcomesIllustration
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
25%
20%
15%
10%
5%
0%$545
Level of earningscorresponding with EaR
$640 $670Expected
or budgeted earnings
Earnings($ millions)
Interpretation: There is a 30% chance thatdue to all risks (although this analysis could beproduced for each risk, or SBU) earnings willfall below $640 million for the year.
Probabilityof a SpecificOutcome
CumulativeProbability
35
Earnings Variability by Key Factor
-0.90 -0.80 -0.70 -0.60 -0.50 -0.40 -0.30 -0.20 -0.10 0.00 0.10 0.20 0.30 0.40 0.50 0.60 0.70 0.80 0.90 1.00
Total (not additive)
Pension – OPEB
Sales Volume
Prices
Environmental
Fuel Cost
Transmission Congestion
Interest Rates
Plant Availability
GDP
(Cents per share)
36
Risk, Quantification and Gap Analysis
37
Weather 1 1 1 1 1 1 1 1 3 1 1 1 1 1 1 1 1 1 20
Basis/Price Risk 1 1 2 1 2 1 1 1 1 1 1 1 1 2 1 1 1 2 22
Foreign Exchange 2 1 2 1 2 1 2 1 1 1 1 1 1 1 1 2 1 2 24
Regulatory Risk CWB, Transportation
1 1 1 1 1 1 1 1 2 2 2 1 1 3 1 2 2 1 25
Inventory 1 1 2 1 1 2 1 2 1 2 1 3 1 1 1 2 1 1 25
Transportation 1 1 1 1 2 2 1 1 2 2 1 1 1 1 2 2 2 1 25
Major Property (e.g., terminals)
1 2 3 1 1 1 1 1 2 1 2 1 2 1 1 1 1 3 26
Credit/Receivables 2 2 2 1 2 2 2 1 1 1 1 1 1 1 2 2 2 2 28
EDP System Failure 1 2 3 1 2 2 1 1 2 1 1 2 2 2 2 1 2 1 29
Leverage (debt/equity) 1 2 2 2 1 2 2 1 2 1 1 1 2 1 1 2 2 3 29
Customer/Supplier/Finance Counterparty
2 2 3 1 1 2 2 2 1 2 1 2 1 1 1 1 2 2 29
Data accuracy 2 2 3 2 1 2 2 1 2 2 1 1 1 1 2 1 3 1 30
Interest Rate 2 2 3 1 2 2 2 1 2 1 2 1 2 1 2 2 1 3 32
Business Interruption 3 3 2 1 1 2 2 2 2 2 1 1 2 1 1 2 1 3 32
Spoilage/Disease 1 1 1 1 3 3 3 2 1 2 2 2 2 1 1 3 1 2 32
Strategic Planning 2 3 2 2 1 1 1 1 2 1 1 3 2 2 2 2 3 2 33
Environmental 3 2 2 2 1 3 2 2 1 2 2 2 2 1 1 2 2 1 33
Process Compliance/Execution
3 2 2 2 1 2 2 1 2 1 1 1 2 1 2 3 3 3 34
38
The Gap (source MMC 2003)
1.0
2.0
3.0
4.0
5.0
6.0
7.0
8.0
9.0
1.0
2.0
3.0
4.0
5.0
6.0
7.0
8.0
9.0Management Effectiveness
Inherent Risk
HighRisk
Moderateto High
Risk
ModerateRisk
Low toModerate
Risk
Low Risk
High ManagementEffectiveness
Moderateto High
ManagementEffectiveness
ModerateManagementEffectiveness
Low toModerate
ManagementEffectiveness
Low ManagementEffectiveness
Compliance
IT Security
Human Resource
Shareholder Relations
Environmental
Business Continuity
Management Succession
Financial Reporting
Counter-Party Settlement
Product Liability
CommunicationHazard
39
“Those who live only by the numbers may find that the computer has simply replaced the oracles to whom people resorted in ancient times for guidance in risk management and decision making.”
Peter Bernstein, Against The Gods: The Remarkable Story of Risk
40
Enterprise Risk Management: Pulling it all Together
• Walker, Shenkir and Barton
• Published by the IIA in 2002
41
Case-Study Companies in IIA Study
1,244,000$193,300RetailingWal-Mart Stores Inc.
6,800$9,200Oil & Gas OperationsUnocal Corp.
386,000$184,600ManufacturingGeneral Motors Corp.
13,800$7,000Electric UtilitiesFirstEnergy Corp.
61,000C$5,900Postal DeliveryCanada Post Corp.
EmployeesRevenues1IndustryCompany
1Most recent fiscal year ending on or before September 30, 2001, in $ millions U.S. (except Canada Post Corp., which is in Canadian dollars).
42
Elements of Effective Risk Management
• C-level support and CAE leadership
• Link to value (the CFO challenge)
• Changes in internal auditing
• Ownership vs. facilitation
• Risk integration
• Risk Infrastructure
• Corporate Governance
43
• I will show the committee the risk maps, which identify the top risks for each division, and give them an example of the action plans under development. I will also describe how the monitoring process works, and the manner in which we will link action plans and metrics to shareholder value. – John Lewis, Chief Audit Executive, Wal-Mart
44
BoardReporting Audit
CommitteeReporting
Risk Champions
ManagementAccountability
Internal AuditFollow-up
Volume and
Frequency of
Information
ManagementFollow-up
Change inAudit Approach
Chief RiskOfficer
ERM
ERM CommitteeERM & Corporate
Governance
45
Functional Assessments of Risks, Controls,
& Objectiveswith VPs &
Management teams
Functional Assessments of Risks, Controls,
& Objectiveswith VPs &
Management teams
Corporate Risk/Control
Objectivesassessment
session with top 100
Executives
Discussion of results
with Management
Executive Committee
Corporate Risk/Control
Objectivesassessment
session with top 100
Executives
Discussion of results
with Management
Executive Committee
AnnualAudit Opinion
andAudit Plan
AnnualAudit Opinion
andAudit Plan
Risk MgmtProcessUpdates
AuditResults
ConsultingProjects
ActionPlans
Follow-up
DAREResults
CrossFunctional
IssuesAnalysis
Board StrategicPlanningSession
Board StrategicPlanningSession
Canada Post’s ERM Process
46
Reporting to the Board of Directors
• Top risks identified.
• Assessment of top risks.
• Most challenging objectives.
• Control effectiveness (over time).
• Outstanding action plans.
47
Ri sk 1
Ri sk 2
Ri sk 3
Ri sk 4
Ri sk 5
Ri sk 6
Ri sk 7
Ri sk 8
Ri sk 9
Ri sk 10
Ri sk 11
Ri sk 12
Ri sk 13
Ri sk 14
Ri sk 15
Ri sk 16
Ri sk 17
Ri sk 18
Low High
48
Corporate Control Effectiveness
1 2 3 4
A1
A2
A3
A4
A5
B1
B2
B3
B4
C1
C2
C3
C4
C5
D1
D2
D3
D4
D5
D6
Purpose
2.5
Commitment
2.2Monitor/Learn
2.4
Capability
2.4
1= Not very effective2= Somewhat effective3= Substantially effective4= Very effective
49
Achievability of Objectives
1
2
3
4
Ach
ieva
bilit
y
1 2 3 4 5 6 7 8 9 10 11
50
FUNCTIONAL RISK ASSESSMENT SUMMARY 2000 / 2001
51
Key Governance Questions Relating to ERM (source MMC 2003)
Reporting
Execution
Strategy
Policy
• Is there a process for assessing risk and capabilities?
• Is Board advising on “mission-critical” risks?
• Is opportunity-seeking behavior balanced with risk-taking?
• Are boundaries and limits adequately defined ?
• Is there a process for reporting risk and performance?
• Does the organization structure support risk reporting?
• Are key risks managed?
• Are capabilities effective?
• Is risk-sensitive culture in place?
52
Trends
53
How would you characterize the status of your ERM framework?
(Tillinghast-Towers Perrin, 2000)
% of Respondents
9%
22%
20%
38%
11%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Complete ERM framework
Partial ERM framework
Planning to implement framework
Investigating concept
No framework and no plans
54
Will ERM help you address this business issue?
% of Respondents Selecting “Yes”
85%
68%
69%
50%
64%
63%
62%
67%
55%
57%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Earnings growth
Revenue growth
Earnings consistency
Technology costs
Return on capital
Regulatory change/compliance
People costs
Expense control/reduction
Product pricing
Capital management/allocation
55
Which of the following risks are included in your internal audit plan?
% Indicating Each Risk
12%
49%
83%
88%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Financial risks
Operational risks
Strategic risks
Other
56
Adoption is wide (Economist and MMC, 2001)
• 33% of Asian companies have adopted some form of ERM
• 34% of North American companies are implementing some form of ERM
• Europeans are ahead in adoption (53%)
57
ERM can improve their P/E ratio and cost of capital
• 84% believe there is a link between ERM and P/E and cost of capital
58
Communicating ERM to investors is beneficial
• More than 50% believe there is something to gain by communicating their ERM efforts to the investment community
59
Non-traditional risks
• Executives report that their most significant risks are not the traditional finance or insurance risks
• These are also among the most poorly managed risks.
60
Risks Should Drive the Audit Committee Agenda
• Risk Oversight– “…making sure that management has instituted
processes to identify, and bring to the board’s attention, the major risks the enterprise faces.”
• Report of the NACD Blue Ribbon Commission
• “Risk Oversight-Board Lessons for Turbulent Times”
61
Based on Management’s Risk Assessment Process
• Audit Committees should focus on:– Accountability for, and
– Effectiveness of• Management’s Risk Assessment Process
• Controls Related to Risks– Source: KPMG’s Audit Committee Institute
62
Audit Committee Involvement (per 2003 proxies of Fortune 100)
0
10
20
30
40
50
60
70
80
90
100
HaveCharter
SomeRisk Mngt
List of BusRisks
Fin RisksOnly
Nothing Disc withIA
Disc withEA
63
Advanced ERM Co’s (PWC’s Global CEO
Survey, 2004)
• Have significantly higher benefits, for example– 74% of advanced co’s report that ERM helps
create value (compared to 39% of nonadvanced)
64
Commitment: ERM as a Priority
• 39% of CEOs agree
• 38% of Boards agree
65
The Laws
66
Laws and Key Documents
• Turnbull and the UK
• Kontrag and Germany
• South Africa and the King Report
• Australia and New Zealand Standard
• Sarbanes-Oxley?
67
Math
• ERM Compliance + Ad hoc procedures = Survival
• ERM Process + Focus on Value + Corporate Governance = SUCCESS
68
Summary: Why Enterprise Risk Management?
1. ______________
2. ______________
3. ______________
69
Company Perspectives
• “Enterprise risk management is a great, great process. I could not say more about it.”Mario Pilozzi, Wal-Mart Canada COO
• “An organization cannot shrink its way to greatness it must grow and one of the keys to successful growth is excellent risk management.”Jacqueline Wagner, GM General Auditor
70
Company Perspectives
• “The approach we have taken in financial risk and business risk is to try to quantify what we can and not necessarily worry that we are unable to capture everything in our measurement.”George Zinn, director of corporate finance, Microsoft Corp.
71
Company Perspectives
• “What we have is a control process now. We don’t have a value creation process. That’s what we’re trying to do.”Susan Stalnecker, Treasurer, DuPont Co.
Questions and Answers
73
“The past seldom obliges by revealing to us when wildness will break out in the future.”
Peter Bernstein
Against the Gods: The Remarkable Story of Risk