Enterprise Risk Management
A perspective on implementing an enterprise risk approach
University of Illinois, April 5, 2005



ERM Origins and Rationale

What is risk and risk management?

Company organizational issues

The role of technology

A common language

Statistical modeling and risk experts

Origins

• Risk is defined, operationally, as choice under conditions of uncertainty
• Risk management, as a 1970’s phenomenon, was related to catastrophe planning
• In the 1980’s RM is redefined by the TQM movement
• Early 1990’s ERM emerges from consultancies such as PWC, E&Y and Deloitte

Enterprise Risk Management Defined

“A rigorous approach to identifying, assessing and addressing risks from all sources that threaten the achievement of an organization’s strategic, operational and financial objectives and/or represent an opportunity or competitive advantage.”

Jerry Miccolis, Tillinghast-Towers Perrin

Enterprise Risk Management’s Objective

“Enhancing enterprise value by improving capital efficiency, supporting strategic decision-making and building investor confidence.”

Jerry Miccolis, Tillinghast-Towers Perrin

Risk Categories (first order risks)

Financial: Currency; Interest rate; Credit; Liquidity; Market

Operational: Service quality; Product quality; Info. Systems; Trans. Processing; Company Policy; Fraud; Political; Human Resources; Culture; Systemic/Exogenous

Strategic: Business design; Brand; Competition; Partnerships/Alliances; Reputation; Intellectual Property; Merge/Acquire/Divest.; Market Capitalization


Tools for Enterprise Risk Modeling

Standard statistical models not sufficient

Structural models

System Dynamic simulation

Enterprise Risk Management

• ERM is not a project, but a process that develops within an organization, driven and supported by senior management
• ERM becomes part of the operational culture of the organization with process owners and drivers
• There is not an off-the-shelf ERM product that works for everyone.

ERM begins with the development of a risk strategy that is linked to and supportive of the overall business imperatives of the corporation.


Components of ERM

Understand capacity to bear and propensity to assume risk

Establish a robust, yet scalable, process for risk identification and assessment

Evaluate risk on a portfolio basis, with a keen understanding of natural hedges that might exist among risks

Establish a framework and process that allows for a balancing of risk control activities with risk financing mechanisms within business processes

Risk management silos with conflicting goals cross paths…

Silos: Internal Audit, Risk Mgmt, Treasury, Legal, Info Tech, HR
Risk areas: Operational, Financial, Human Resource, Environment, Technology, Strategic

An enterprise approach..

Silos: Internal Audit, Risk Mgmt, Treasury, Legal, Info Tech, HR
Risk areas: Operational, Financial, Human Resource, Environment, Technology, Strategic
Tied together by: Enterprise Risk Strategy and Methodology

Risk Management Thinking Has Evolved

Old Thinking
• No risk management strategy
• Risk management limited to certain areas
• Risk analysis in silos
• Risks not owned
• Inspect, detect, react
• Correlation among risks not understood

New Thinking
• Risk strategy linked to business strategy
• Risk culture created throughout the enterprise
• Risk management is a continuous, systematic process integrated within the enterprise’s culture
• Risk management responsibilities clearly defined
• Anticipate, manage, optimize and monitor risk
• Risk is quantified, aggregated and studied for interrelationships
• Risk is a key consideration for financial decision making

ERM Examples

Manufacturing
Issue: Need to better understand its business exposures and the potential risks as a result of corporate governance issues.
Process: Developed formal ERM methodology to identify key risks within the organization along with management strategies.
Result: Formal ERM oversight committee formed; RM a critical part of strategic planning process.

Energy
Issue: Needed to better understand its business risks as it faced broad regulatory changes; desire to reinvent itself in the marketplace.
Process: Formal process of risk identification, prioritization and measurement was developed.
Result: Risk management became an integral part of the business decision making process.

Communications and Consulting
Issue: Concern about the business risks faced by its decentralized operations.
Process: After broad evaluation of risk profile, attention was focused on technology risk within each of the major operating companies.
Result: Risks were identified and common technological risks were assessed and addressed at business unit level and aggregated at corporate level.

Financial Consulting
Issue: Concern that financial consulting engagements were not considering operational risks.
Process: Developed formalized process for evaluating risk on a project by project basis.
Result: Risk management process identified; risk owners specified; process documented and consolidated.

ERM Oversight

Board of Directors → CEO → Enterprise Risk Management Committee → Enterprise Risk Manager → Business Units


ERM Oversight

Enterprise Risk Management Committee

Determine RM strategies and goals

Coordinate development of RM program

Evaluate RM infrastructure

Develop/Evaluate identification and measurement methodologies

Identify risk owners and establish accountabilities

Develop and operate RM policy

Risk Analysis Process

A cycle around a central Risk Information Database:

• Identify/Source
• Assess: Measure; Prioritize
• Manage: Diversify; Share; Control; Avoid
• Communicate: Risk Owners; Risk Experts; Management; External
• Anticipate and React: New Hazards; Internal Business Changes; External Influences

The process is followed in the context of the overall risk strategy.

An Initial Risk Profile

Operational Risk: Contract Performance; Trademark Erosion; Customer Satisfaction

Financial Risk: Currency; Credit; Debt Covenants; Accrual Accuracy

HR Risk: Benefits; Key Management Loss; Stock Ownership Program; Succession Planning

Environment Risk: Terrorism; War; Political Stability; Regulatory (Local/National); Public Relations

Technology Risk: Infrastructure Failure; Security; Consistent Strategy; Obsolescence

Strategic Risk: Competition; R&D Resource; Missed Market; Reputation; New Market Entrant; Major Customer(s) Loss

Identification of Key Business Risks – Example

Business Unit | Risk Category | Specific Risk | Likelihood | Severity
All | Business | Regulatory | Medium | Moderate to Major
All | Business | Reputation | Medium | Moderate to Major
All | Financial | Liquidity/capital access | Medium | Moderate
All | Financial | Foreign Exchange | Medium to High | Moderate to Major
All | Market | Interest Rate | Medium to High | Moderate to Major
All | Market | Market Availability for Product | Low | Light to Moderate
All | Operational | Trade Name Erosion | Low | Light to Moderate
All | Operational | Internet Use | Low to Medium | Moderate to Major
All | Operational | Customer Satisfaction | Low to Medium | Light to Moderate
All | Operational | Patent Infringement | Low | Moderate
All | Operational | Information Processing/Technology | Medium | Moderate to Major
All | Operational | Management Fraud | Low | Moderate to Major
All | Operational | Employee Fraud | Low | Moderate
All | Operational | Leadership | Medium | Moderate to Major
All | Operational | M&A | Medium to High | Moderate to Major
All | Operational | Errors and Omissions | Medium to High | Moderate to Major

Risk Map

Natural Risks

N1 Earthquake

N2 Volcanic eruption

N3 Fire/EC – PD & BI

N4 Contingent BI

N5 Adverse weather

Financial Risks

F1 Exchange rate

F2 Insolvency

F3 Interest rate

F4 Strategic investment

F5 Nonpayment

F6 Inconvertibility

F7 Government control

F8 Portfolio default

Employment Risks

E1 Benefits

E2 Normal WC

E3 Catastrophic WC

E4 Fiduciary

E5 Employers liability

Operational Risks

O1 Product tampering

O2 Political trade risk

O3 Key executive

O4 Product piracy

O5 Kidnap and ransom

O6 Information security

O7 Employee dishonesty

O8 Inventory obsolescence

O9 Theft

Liability/Litigation Risks

L1 Business practices (antitrust)

L2 Copyright-patent infringement

L3 Products liability

L4 Contractual risks

L5 Errors and omissions

L6 Employment practices

L7 General liability

L8 Auto liability

L9 Vendors and contractors

L10 Misc. liability

L11 Public network

L12 D&O

[Risk map figure: each coded risk above is plotted by severity (vertical axis, $1M to $250M, low to high) against frequency (horizontal axis, 1 to more than 250 annual events, low to high). Legend: Retained, Partially retained, Transferred.]


Ten key questions to consider…

What is our appetite for risk? (capacity and propensity)

Do we know what our risks are?

Do we know how those risks relate to one another?

Who within our company “owns” those risks?

Can we measure those risks?

Have we evaluated non-traditional risks?

Does everyone at our company understand their role in managing risk?

Is effective risk management linked to performance evaluations?

Is risk considered in all facets of decision making?

Does our company continually look for ways to optimize risk strategy?

ERM – 10 Phase Approach

Phase 1: Identify needs, objectives and ERM champion
Phase 2: Identify managers and key risk constituents
Phase 3: Brainstorm to identify key risks
Phase 4: Prioritize risks identified (qualitative)
Phase 5: Develop risk “short list”
Phase 6: Rate each short-listed risk (Specific Risk | Severity Rating | Likelihood Rating | Manifestation Rating | Overall Rating)
Phase 7: Identify mitigating & aggravating risk factors
Phase 8: Assess current risk management controls (specific risk)
Phase 9: Develop risk map and gap analysis
Phase 10: Design action plans with risk owners

Phase 1 Identify Needs and Objectives

The first phase of the ERM process is to identify the key objectives of the ERM undertaking. This will help to establish timelines, priorities and key responsibilities.

Sample Corporation’s Program:
• To uncover and measure areas of high-potential risks
• Develop and measure risk mitigation processes – specifically focused toward key risks
• To create a risk aware culture by formally bringing risk consideration into strategic decision-making
• To improve capital efficiency by providing an objective basis for allocating resources
• To create an internal risk communication tool for building and supporting shareholder confidence
• To establish a process that will help the company protect results

Phase 1 (continued) Identify ERM Champion(s)

A critical component of this initial phase is to identify the internal “champion” of the ERM project. This “champion” needs to be a senior executive within the organization. In many cases, the “champion” is the CEO, COO, CFO or even the Board of Directors.

Sample’s Program: For our “key” risks, the CEO personally takes the champion’s role in addressing these risks. “If I’m not responsible for the key risks facing this company, then who is?”

For operating level risks, the Presidents assume responsibility or directly assign responsibility.

This initial step is critical to the success of the ERM undertaking.

Phase 2 Identify Managers and Key Risk Constituents

The ERM process should include active participation from the operating executives and from the key operational and strategic managers within the organization.

This group should have knowledge of the business and insight into the business issues that affect the operations. This group will be the core team involved in the risk identification process.

Sample’s Program: Each operating group’s ERM working group consists of the senior manager of the group and the direct reports.

Phase 3 Brainstorm to Identify Key Risks

Process to uncover and prioritize the key risks faced by the organization.

After the risks are captured, the group discusses each risk and clarifies any misunderstandings about what the risk is. Common risks and duplicates are identified and combined. It is important that you listen to your “experts” on the risk areas to help you gauge the risks. No one is an expert on everything.

Sample Program: Brainstorming by the ERM Working Group to identify risks that they feel the company faces. A facilitator assists the group in the identification and prioritization. Some of the general ground rules include:

• Each person can contribute as much as they want
• Everyone should contribute
• No judgments or comments – just capture information
• No risk is too insignificant
• Resources are called upon as needed to clarify and explain nuances

Phase 4 Prioritize Risks Identified (qualitative)

The risk list identified in Phase 3 will be long, and the goal of this phase is to reduce the list so the critical risks surface to the top. This is best accomplished through a multi-voting exercise. Trying to deal with too many risks can bog down your process and cause you to miss achieving your objectives.

Sample Program:
• Each participant receives a specified number of votes, e.g. (n/2)+1 where n equals the number of items – this is a rule of thumb
• Each participant must use all votes
• One vote per risk per participant
• The group eliminates risks not receiving enough votes
• The process is repeated until the list is reduced to only the key risks

Phases 5 and 6 Develop Short List/Quantify Risks

The key risks identified in Phase 4 will now be subject to a quantitative rating methodology that considers the following risk attributes:

• Severity – Refers to the potential financial impact once an event occurs.
• Likelihood – Measures the probability of an event occurring.
• Manifestation – Measures the probable elapsed time from identification of a potential problem to its manifestation, i.e., how long it takes the risk to become a “full grown problem.”
OR
• Recovery – Measures how long it will take to fully recover from the loss.

Phases 5 and 6 (continued) Develop Short List/Quantify Risks

Sample Program: Identify a specific “reasonable, but catastrophic” loss scenario

Identify or assign a risk owner/champion

Severity – determine estimated or expected size of loss (with a loss period of three years or less)

Likelihood – determine the probability that the loss will occur over a period of time, i.e., 50:50 chance of occurrence in the next “X” period of time

Recovery – estimate of the time it will take to recover (fully?) from the loss

Metrics (partial):

(1) Risk Value = Severity times Likelihood

(2) Pure Risk Value = Severity times Likelihood times Recovery

Severity

Severity refers to the potential financial impact once an event occurs. The table below provides an example of ranges of impact on revenue and expense and a score that could be assigned to the risk identified.

Rows: impact on Expense/Liability, from 150% (top row) down to 0 (bottom row). Columns: impact on Revenue/Assets, from 0 (left) to 150% (right).

Expense/Liability 150% | 5 5 5 5 5 5 5 5
                       | 4 4 4 4 4 5 5 5
                       | 3 3 3 4 4 4 5 5
                       | 3 3 3 3 3 4 4 5
                       | 2 2 2 3 3 4 4 5
                       | 2 2 2 2 3 3 4 5
                       | 1 1 2 2 3 3 4 5
Expense/Liability 0    | 0 1 2 2 3 3 4 5
                         Revenue/Assets 0 ............ 150%

Likelihood

Likelihood measures the 50:50 probability of an event occurring. The table below presents an example of how to measure the score and the time horizon to consider.

Score | Description
1 | 1 event per 100+ years
2 | 1 event in 20 – 100 years
3 | 1 event per 5 – 20 years
4 | 1 event per 1 – 5 years
5 | Regularly occurring

Manifestation/Recovery Time

This element measures the probable elapsed time from identification of a potential problem to its manifestation, or the time needed to recover from the loss. The table below provides a sample matrix.

Score | Description
1 | Greater than 3 years
2 | 1 to 3 years
3 | About 1 year
4 | 1 week to several months
5 | 1 week or less

Phase 7 Identify Mitigating/Aggravating Factors

In the business operation there are both mitigating factors and aggravating factors that can have an impact on the severity, likelihood and/or manifestation of the risk. These factors can be either external impacts or internal impacts.

Mitigating factors are those factors that currently limit or reduce the likelihood or consequence of the risk. A mitigating factor could be existing management efforts, education and training, process testing and improvement, government intervention, or being in a monopolistic position.

Aggravating factors are those factors that currently increase or expand the likelihood or consequence of the risk. An aggravating factor could be political factors, prior poor experiences, lack of a plan for action, fast moving industry changes, or the complexity of the situation.

Phase 8 Assess Current Risk Management Controls

Phase 8 of the process is intended to consider the company’s current policies, procedures, management practices, and any other mitigating factors that are in place to manage the identified risks.

Sample Program: Self-assessment by management of the current controls in place to manage the risk, on a scale of 1 (great) to 5 (non-existent). The assessment is a gauge against known peer best practices for managing this type of risk or an assessment of what is reasonably available to manage the risk.

Management Rating

The table below is an example of how a company might evaluate the effectiveness of the controls in place to manage the identified risks.

Score | Description
1 | Best-in-class risk management processes in place
2 | Risk management process would rank in the top 10%
3 | Good risk management process
4 | Risk management process needs improvement
5 | Non-existent risk management processes

Sample Risk Map

[Figure: bubble chart of Risk “A” through Risk “F”. Horizontal axis: Time and Probability Element (If and When), 0 to 15. Vertical axis: Risk Severity (Impact), 0 to 5. Bubble size: effectiveness of management controls.]

Phases 9 and 10 Develop Risk Map, Gap Analysis and Action Plans

Risk Map

The risk map is a graphical representation of the key risks identified. The location of the “bubble” on the map depicts time element and severity. The size of the bubble presents the perceived effectiveness of management controls in place. The smaller the bubble, the better the controls.
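The scoring walk-through from Phases 5 to 9, as an added worked example in Python; it is not code from the presentation or from the University of Illinois. The scales are the ones on the Likelihood, Manifestation/Recovery, Severity and Management Rating slides, and the two metrics are those on the Phases 5 and 6 slide. Everything else is an assumption and is marked as such in the code: the severity matrix is read as eight equal-width bins over 0 to 150%, the month boundaries for “several months” and “about 1 year”, the “if and when” map axis taken as likelihood times recovery, the gap rule that flags any risk rated 4 or 5 on management, and the four sample risks, which are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Severity slide, stored with index 0 = 0% impact and index 7 = 150% impact:
# SEVERITY_MATRIX[expense_bin][revenue_bin].
SEVERITY_MATRIX = [
    [0, 1, 2, 2, 3, 3, 4, 5],
    [1, 1, 2, 2, 3, 3, 4, 5],
    [2, 2, 2, 2, 3, 3, 4, 5],
    [2, 2, 2, 3, 3, 4, 4, 5],
    [3, 3, 3, 3, 3, 4, 4, 5],
    [3, 3, 3, 4, 4, 4, 5, 5],
    [4, 4, 4, 4, 4, 5, 5, 5],
    [5, 5, 5, 5, 5, 5, 5, 5],
]


def _impact_bin(pct: float) -> int:
    # Assumption: eight equal-width bins across 0-150%; anything above 150%
    # lands in the top bin.
    pct = min(max(pct, 0.0), 150.0)
    return min(int(pct / 150.0 * 8), 7)


def severity_score(revenue_impact_pct: float, expense_impact_pct: float) -> int:
    """0-5 severity for a scenario's impact on revenue/assets and on expense/liability."""
    return SEVERITY_MATRIX[_impact_bin(expense_impact_pct)][_impact_bin(revenue_impact_pct)]


def likelihood_score(return_period_years: float) -> int:
    # Likelihood slide: 1 event per 100+ years -> 1 ... regularly occurring -> 5
    for score, floor in ((1, 100), (2, 20), (3, 5), (4, 1)):
        if return_period_years >= floor:
            return score
    return 5


def recovery_score(recovery_months: float) -> int:
    # Manifestation/Recovery slide. The slide gives no exact edge for "several
    # months" or "about 1 year"; 9 and 18 months are assumed here.
    for score, ceiling in ((5, 0.25), (4, 9), (3, 18), (2, 36)):
        if recovery_months <= ceiling:
            return score
    return 1


@dataclass
class RiskRating:
    name: str
    severity: int    # 0-5 from severity_score
    likelihood: int  # 1-5 from likelihood_score
    recovery: int    # 1-5 from recovery_score
    management: int  # Management Rating: 1 best-in-class ... 5 non-existent

    def risk_value(self) -> int:
        """Metric (1): Risk Value = Severity x Likelihood."""
        return self.severity * self.likelihood

    def pure_risk_value(self) -> int:
        """Metric (2): Pure Risk Value = Severity x Likelihood x Recovery."""
        return self.risk_value() * self.recovery

    def map_position(self) -> Tuple[int, int]:
        # Risk map bubble centre: y = severity; x = the "if and when" element,
        # assumed here to be likelihood x recovery (the slide does not define it).
        return (self.likelihood * self.recovery, self.severity)


def rate_risk(name: str, revenue_impact_pct: float, expense_impact_pct: float,
              return_period_years: float, recovery_months: float,
              management: int) -> RiskRating:
    """Score the answers collected for one 'reasonable, but catastrophic' scenario."""
    return RiskRating(name, severity_score(revenue_impact_pct, expense_impact_pct),
                      likelihood_score(return_period_years),
                      recovery_score(recovery_months), management)


def rank_risks(risks: List[RiskRating]) -> List[RiskRating]:
    """Highest pure risk value first; ties go to the weaker controls (higher rating)."""
    return sorted(risks, key=lambda r: (r.pure_risk_value(), r.management), reverse=True)


def gap_analysis(risks: List[RiskRating]) -> List[Tuple[str, int, int]]:
    """Gap Analysis rows (name, inherent risk, management rating) for risks whose
    controls need improvement or are non-existent (rating 4 or 5); that cut-off
    is an assumption."""
    return [(r.name, r.pure_risk_value(), r.management)
            for r in rank_risks(risks) if r.management >= 4]


# Constructed sample answers for four short-listed risks (not data from the talk).
SAMPLE_RISKS = [
    rate_risk("Risk A", 120, 30, return_period_years=3, recovery_months=12, management=4),
    rate_risk("Risk B", 20, 20, return_period_years=0.5, recovery_months=0.1, management=2),
    rate_risk("Risk C", 150, 150, return_period_years=200, recovery_months=48, management=3),
    rate_risk("Risk D", 60, 90, return_period_years=10, recovery_months=24, management=5),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(r.name, r.risk_value(), r.pure_risk_value(), r.map_position())
    print(gap_analysis(SAMPLE_RISKS))
```

Running the module prints the ranked short list and the gap rows; the risk map itself is then a scatter of map_position() with the marker size taken from the management rating, drawn with whatever charting tool the team already uses.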

Risk Dashboard – Gap Analysis

[Figure: for each risk, Inherent Risk (scale 0 to 10) is charted against Management Effectiveness (scale 1 to 5) to show the gap between them.]

Specific Risk Management Action Plan

Template fields, completed for each key risk (e.g. Risk A):
• Risk Description
• How risk relates to business objectives
• Risk Owner
• Aggravating Factors
• Mitigating Factors
• Current Risk Management Strategy and Activities
• Risk Management Action Plan

Enterprise Risk Management
A perspective on implementing an enterprise risk approach

Questions?