Google–Risk Assessment Tools

Risk Assessment Tools

April 1, 2015

Ali-Reza Khaleeli

ERM 603

Honor Code

• I will not lie or cheat in any way on any assignment for this course (including but not limited to the following examples).

• My answers to homework, quizzes, and exams will be my own (except for assignments that explicitly permit collaboration).

• I will not make solutions to homework, quizzes, or exams available to anyone else. This includes both solutions written by me and official or unofficial solutions.

• I will not look up homework or exam answers on the internet.

• I will not engage in any other activities that will dishonestly improve my results or dishonestly improve/hurt the results of others



Likelihood Scale:

Annual Frequency

Rating Descriptor Definition

5 Frequent • Up to once in 6 months or more

4 Likely • Once in 6 months up to once in 5 years

3 Possible • Once in 5 years up to once in 10 years

2 Unlikely • Once in 10 years up to once in 20 years

1 Rare • Once in 20 years or less

Probability

Rating Descriptor Definition

5 Almost Certain • 90% or greater chance of certain occurrence over life of asset or project

4 Likely • 70% up to 90% chance of occurrence over life of asset or project

3 Possible • 40% up to 70% chance of occurrence over life of asset or project

2 Unlikely • 15% up to 40% chance of occurrence over life of asset or project

1 Rare • <15% chance of occurrence over life of asset or project


Impact Scale:

Rating Descriptor Definition

5 Extreme • Financial loss of $55 billion or more

• Considerable damage to global environment

• Unable to conduct daily operations

• No security for all employees and third parties, including customers or vendors

• Persistent negative international media coverage; enormous loss of market share

• Substantial prosecution and fines, litigation including class actions, incarceration of leadership

• Significant injuries or fatalities to employees or third parties

• Mass exodus of senior leaders, culture forever altered

4 Major • Financial loss of $15 billion up to $55 billion

• Considerable damage to local environment

• Extremely limited daily operations functioning

• Security of all employees and third parties threatened, including customers or vendors

• Persistent negative national media coverage; significant loss of market share

• Report to regulator requiring major project for corrective action

• Hospital care required for employees or third parties

• Some senior managers leave, high turnover of experienced staff, not perceived as employer of choice

3 Moderate • Financial loss of $2 billion up to $15 billion

• Sufficient damage to local environment

• Partial daily operations functioning

• Security of all employees and third parties deteriorating, including customers or vendors

• Temporary negative national media coverage

• Report of breach to regulator with immediate correction to be implemented

• Out-patient medical treatment required for employees or third parties

• Widespread staff morale problems, high turnover, shift in culture

2 Minor • Financial loss of $600 million up to $2 billion

• Slight damage to local environment

• Majority of daily operations functioning

• Security of all employees and third parties slightly weakened, including customers or vendors

• Local reputational damage

• Reportable incident to regulator, no follow up

• Minor injuries to employees or third parties

• General staff morale problems and increase in turnover, culture questioned

1 Incidental • Financial loss up to $600 million

• Next to no damage to local environment

• All, but 1 or 2, daily operations functioning

• No breach of security of all employees and third parties, including customers or vendors

• Local media attention quickly alleviated

• Not reportable to regulator

• No injuries to employees or third parties

• Isolated staff dissatisfaction, culture intact


Vulnerability Scale:

Rating Descriptor Definition

5 Very High • Extreme rate of change in industry

• No ability to anticipate events

• No ability to withstand event

• No scenario planning performed

• No internal control capabilities to address risks

• No responses implemented

• No contingency or crisis management plans in place

4 High • High rate of change in industry

• Little ability to anticipate events

• Little ability to withstand event

• Limited scenario planning for key strategic risks performed

• Low internal control capabilities to address risks

• Partial responses implemented or not achieving control objectives

• Some contingency or crisis management plans in place

3 Medium • Modest rate of change in industry

• Selected ability to anticipate events

• Selected ability to withstand event

• Stress testing and sensitivity analysis of scenarios performed

• Medium internal control capabilities to address risks

• Majority of responses implemented and achieving objectives most of the time

• Certain contingency and crisis management plans in place, limited rehearsals

2 Low • Low rate of change in industry

• Strong ability to anticipate events

• Strong ability to withstand event

• Strategic options defined

• Medium to high internal control capabilities to address risks

• All responses implemented and achieving objectives except under extreme conditions

• All contingency and crisis management plans in place, some rehearsals

1 Very Low • Almost no rate of change in industry

• Can anticipate events

• Can fully withstand event

• Real options deployed to maximize strategic flexibility

• High internal control capabilities to address risks

• Redundant response mechanisms in place and regularly tested for critical risks

• All contingency and crisis management plans in place and rehearsed regularly

Speed of Onset Scale:

Rating Descriptor Definition

5 Very High • Very rapid onset, with little to no warning, instantaneous

4 High • Onset occurs within the first week to a month

3 Medium • Onset occurs between 1-6 months

2 Low • Onset occurs between 6-12 months

1 Very Low • Very slow onset, occurs over a year or more


Risk Ratings

L = Likelihood, I = Impact, V = Vulnerability, S = Speed of onset

ID Risk L I V S

1 Competition 3.3 4.3 3.5 3

2 Investment 2.5 3.5 3.7 3

3 Adoption 4 4.5 4.3 5

4 Advertisement 3.5 4.8 4.5 5

5 Operating Margin 3.9 4.5 4.3 3

6 Regulatory 2.8 3.4 3.1 2

7 Proceedings 4.4 2 3.7 4

8 Acquisitions and Investments 4.5 4 3.5 2

9 Brand 1.2 4.8 4.5 5

10 U.S. and Foreign Laws 4.9 3.3 3.6 3

11 Intellectual Property Claims 4.3 3.2 4 3

12 Intellectual Property Rights 3.9 4.1 3.8 4

13 Online Services and Content 4.1 3.2 4.3 3

14 Technology Privacy 4 4.8 4.6 5

15 Manufacturing and Supply Chain 3.9 4 4.5 4

16 Security 4.8 4.8 4.6 5

17 Search Quality 3.4 3.4 2.2 3

18 Interruption or Failure of Systems 4.6 4.7 4.3 5

19 International Operations 4.1 4.1 4.1 4

20 Operating Results 4 3.8 4.7 2

21 Business Strategy Execution 2.5 4.5 2.9 2

22 Personnel 2.5 4.4 2.8 3

23 Internet Access Block 1.5 3.5 4.6 4

24 Ad Block 4.1 3.2 4.6 2

25 Investment Portfolio Value 4 4.8 3.3 4

26 Tax Liabilities 3.8 3.2 3.1 3

27 Stock Trading Price 4.2 3.8 4.1 4

28 Stock Ownership Concentration 2.8 3.3 4.3 4

29 Documents and Law Provisions 1.5 2.8 4.1 1


Risk Map


Ranking Risks by Impact and Speed of Onset, individually:

Risk Impact

ID Risk Rating

4 Advertisement 4.8

9 Brand 4.8

14 Technology Privacy 4.8

16 Security 4.8

25 Investment Portfolio Value 4.8

18 Interruption or Failure of Systems 4.7

3 Adoption 4.5

5 Operating Margin 4.5

21 Business Strategy Execution 4.5

22 Personnel 4.4

1 Competition 4.3

12 Intellectual Property Rights 4.1

19 International Operations 4.1

8 Acquisitions and Investments 4

15 Manufacturing and Supply Chain 4

20 Operating Results 3.8

27 Stock Trading Price 3.8

2 Investment 3.5

23 Internet Access Block 3.5

6 Regulatory 3.4

17 Search Quality 3.4

10 U.S. and Foreign Laws 3.3

28 Stock Ownership Concentration 3.3

11 Intellectual Property Claims 3.2

13 Online Services and Content 3.2

24 Ad Block 3.2

26 Tax Liabilities 3.2

29 Documents and Law Provisions 2.8

7 Proceedings 2

Risk Speed of Onset

ID Risk Rating

3 Adoption 5

4 Advertisement 5

9 Brand 5

14 Technology Privacy 5

16 Security 5

18 Interruption or Failure of Systems 5

7 Proceedings 4

12 Intellectual Property Rights 4

15 Manufacturing and Supply Chain 4

19 International Operations 4

23 Internet Access Block 4

25 Investment Portfolio Value 4

27 Stock Trading Price 4

28 Stock Ownership Concentration 4

1 Competition 3

2 Investment 3

5 Operating Margin 3

10 U.S. and Foreign Laws 3

11 Intellectual Property Claims 3

13 Online Services and Content 3

17 Search Quality 3

22 Personnel 3

26 Tax Liabilities 3

6 Regulatory 2

8 Acquisitions and Investments 2

20 Operating Results 2

21 Business Strategy Execution 2

24 Ad Block 2

29 Documents and Law Provisions 1


Risk Correlations

By seeing these correlations, we are able to better understand the risks and the risk portfolio. In addition, building this interaction map allows us to move away from silos and begin to see and practice enterprise risk management as a collaboration of the company as a whole. This allows us to understand how the different risks relate and how some can be managed together.

A next step, which would need more information, is to use historical data to determine which other risks might correlate, and whether the risks that correlate have been properly managed before or are new risks.

Risk interaction map (column headings: the same 29 risks, in the same order as the rows)

Competition x x x x x x x x x x

Investment x x x x x x x x x x x x x x x

Adoption x x x x x x x x x x x x x

Advertisement x x x x x x x x

Operating Margin x x x x x x x x x x x x

Regulatory x x x x x x

Proceedings x x x x x x x x

Acquisitions and Investments x x x x x x x x x x x x

Brand x x x x x x x x x x x x x x x x x x

U.S. and Foreign Laws x x x x x x x x

Intellectual Property Claims x x x x x x x x x x x x x

Intellectual Property Rights x x x x x x x x x x x x x x x x x

Online Services and Content x x x x x x x x x x x x x x x x

Technology Privacy x x x x x x x x x x x x x x

Manufacturing and Supply Chains x x x x x x x x

Security x x x x x x x x x x x x x x x x

Search Quality x x x x x x x x x x x

Interruption or Failure of Systems x x x x x x x x

International Operations x x x x x x x x x x x x x x x x x x x

Operating Results x x x x x x x x x x x x x x

Business Strategy Execution x x

Personnel x x x x x x x x x

Internet Access Block x x x x x x x x x x x x

Ad Block x x x x x x x

Investment Portfolio Value x x x x x x

Tax Liabilities

Stock Trading Price x x x x x x x x x x x

Stock Ownership Concentration x x

Documents and Law Provisions


MARCI Chart

The MARCI chart allows us to prioritize risks based on risk response. In other words, the MARCI chart allows us to prioritize the risks based on what needs to be done in order to manage each risk.

Velocity and “Clockspeed”

Although speed and velocity are synonyms in general terms, they mean different things in the context of risk management. Velocity is “the time it takes for a risk event to manifest itself, or in other words, the time that elapses between the occurrence of an event and the point at which the company feels its effects” (Curtis and Carey, 7). A risk with high velocity is one that manifests itself immediately, while a risk with slow velocity is one that manifests itself very slowly. By contrast, clockspeed is defined by Marks as the information needed in order to manage risks. In this case, a slow clockspeed risk is one that “is managed over a lengthy period of maturation and is managed effectively through traditional control mechanisms” (Horwath, 26), while a fast clockspeed risk is one where unexpected events occur that require a fast response and may require a different approach than a slow clockspeed risk would. Although similar, velocity is the speed of the event, while clockspeed incorporates both velocity and the type of response needed in order to manage the event.


Quantitative Approaches

Google has proactively identified the potential risk that this particular trend is creating, and now faces the challenge of taking a deeper dive into the most effective way to assess this risk. The document Risk Assessment in Practice suggests a number of quantitative measures that companies should use in their risk assessments, including benchmarking, scenario analysis, deterministic models, and probabilistic models. Given that Google is generally aware of the likelihood and impact of this risk, it must focus on assessing the velocity of the risk in order to develop a decision and action plan for managing this trend. A risk interaction map can first be used to link correlations; a bow tie diagram can then be developed from quantifiable data to illustrate the end events or losses stemming from the consequences associated with the risk. The data used to assess the trend and velocity of this risk is an extremely important factor, and should be derived from both the internal and external environment. Competitor and industry trends data is crucial to assessing the real risk impact and the sensitivity of timing. Analysis of both past and current relationships and partnerships with manufacturers and distributors can provide good insight into the company’s current market share and future financial health. All of the pertinent data then needs to be modeled to look at the consequential impact on a range of different factors, such as share price, research and development funding, marketing budgets, and others.

Risk Tolerance and Appetite Statements 1

Risk Tolerance Statement: The Company is willing to assume no more than a 10% loss to profit margin, but will not accept more than a 5% loss to market share in conjunction with net sales.

In developing this statement, we considered the overall mission and strategic objectives of the company, how it can be implemented throughout the whole organization, and the risk capacity concerning its financial health. In this example, because the risk appetite is moderately high, the risk tolerance had to reflect a compromise of boundaries concerning the company’s financial well-being. This is why the company is willing to assume a higher tolerance on loss of profit, so long as the company continues to deliver on its net sales and does not significantly deviate from its current market share.

Risk Appetite Statement: The Company operates within a moderately high-risk appetite in relation to the declining trend of personal computer usage amongst the general population. The company assumes this appetite with the intent to excel within the highly competitive environment, and strives to continue to be the “first in market” leader, holding majority market share of the industry’s technology, products, and systems. Operating a moderately high appetite will increase our competitiveness in research and development, and cultivation of business agreements with top manufacturers and distributors.

In developing this statement, we considered the overall mission and strategic objectives of the company, the boundaries of acceptable risk tolerance, the effect on the company’s risk profile, its applicability to decision making and action implementation, the company’s risk attitudes, and its relevance towards this specific risk. The company has to assume a moderately high-risk attitude because of the fast-paced nature of its industry, as well as the macro environment. For Google, high-risk endeavors, specifically in the field of research and development, have the ability to turn into highly profitable opportunities.


Risk Appetite and Tolerance Statements 2

Risk Tolerance Statement: The Company is not willing to assume any risk to its reputation, and will therefore enforce a zero tolerance policy to reputation risk.

Risk Appetite Statement: The Company operates with a low risk appetite concerning any decisions and activities which may cause any and all damages to Google’s reputation. The company assumes this appetite with the intent to protect the reputation of the brand, its technology, products, and services, affiliates, employees, and value.

Reputation is a concerning element that affects all of Google’s individual risks, and is mentioned in most of its listed risk factors under Item 1A. Unlike the previous statements, Google cannot afford to enforce a high-risk appetite, nor allow an exposed risk tolerance. Additionally, because reputation risk correlates to each function of the organization’s goals, it is a highly sensitive risk that can have high magnitude adverse effects.

Google should balance risk taking and risk control in a holistic manner. This balance will set clear, concise objectives and parameters, without limiting the company from pursuing profitable opportunities. Both risk taking and risk controls should be set in accordance with the company’s goals, overall culture, and legal and regulatory mandates.


References

Curtis, Patchin, and Mark Carey. “Risk Assessment in Practice.” Deloitte & Touche LLP. Oct 2012. The Committee of Sponsoring Organizations of the Treadway Commission.

Rittenberg, Larry, and Frank Martens. “Understanding and Communicating Risk Appetite.” The Committee of Sponsoring Organizations of the Treadway Commission. Jan 2012.

Crowe Horwath. “Risk Appetite and Tolerance Guidance Paper.” Institute of Risk Management.

United States Securities and Exchange Commission. Form 10-K. Google Inc.

Marks, Norman. “Do You Realize How Fast You Need to Respond to Risk? What Does This Mean?” Sustainable Business Forum. N.p., 16 Mar. 2012.