Taking Enterprise Risk from Theoretical to Practical
DESCRIPTION
Video & Presentation: http://www.proformative.com/resources/video-presentation-taking-enterprise-risk-theoretical-practical

Risk management has always been an integral part of business. But over the last two decades, a host of corporate scandals, security threats, recessions and a myriad of other crises have pushed risk management to the forefront of business strategy. Organizations are striving to manage and monitor risks more effectively, but many companies can't seem to get beyond the theory and practically implement an effective ERM program.

Join JetBlue Airways and Granite Consulting Group as they discuss practical ways of implementing ERM and how JetBlue evolved their risk program and created a strategically focused risk evaluation process setting the direction for future risk mitigation and operational improvement. Attendees will learn to go beyond linear "top 10" surveys and to incorporate practical and actionable strategies to implement an effective ERM program.

Speakers:
Michael Bechara, CPA, CRMA, Managing Director, Granite Consulting Group Inc.
Luis Fernandes, CPA, Director of Corporate Audit, JetBlue Airways

Presentation delivered at CFO Dimensions 2013 - http://www.cfodimensions.com
Track: Governance, Risk, Compliance | Session: 4

TRANSCRIPT
![Page 1: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/1.jpg)
1© 2013 Ask, Share, Learn
www.proformative.com
#CFOD13
Crossing the Rubicon – Taking Enterprise Risk from Theoretical to Practical
Luis Fernandes, Director of Internal Audit, jetBlue Airways
Mike Bechara, Managing Director, Granite Consulting Grp.
![Page 2: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/2.jpg)
Words of Wisdom
“In theory there is no difference between theory and practice. In practice there is”
![Page 3: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/3.jpg)
Theory vs. Reality
Significant ERM development over time but…
Development has stagnated due to misconceptions about implementation
![Page 4: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/4.jpg)
What We Will Learn Today
Reconcile theories to realities
Tips & techniques
Ways to leverage the ERM output
![Page 5: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/5.jpg)
ERM in Theory… (The COSO Definition)
1. Enterprise risk management is a process,
2. Effected by an entity’s board of directors, management and other personnel,
3. Applied in strategy setting and across the enterprise,
4. Designed to identify potential events that may affect the entity,
5. Manage risk to be within its risk appetite,
6. Provide reasonable assurance regarding the achievement of entity objectives.
![Page 6: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/6.jpg)
ERM in Reality… (Your Average Company)
1. Enterprise risk management is an opaque process,
2. ~~Effected by~~ Driven by the head of internal audit with updates to an entity’s board of directors, management and other personnel,
3. ~~Applied in~~ Divorced from strategy setting and ~~across the enterprise~~ corporate office based,
4. Designed to identify potential events that may affect the entity, with focus on what has already happened or one or two current “hot” topics,
5. Manage risk to be within its risk appetite (amorphous term),
6. Provide reasonable assurance regarding the achievement of entity objectives, which are often excluded from the discussion.
![Page 7: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/7.jpg)
Theory 1: ERM is a Process
Misinterpretation
• If we have an ongoing process that’s good enough!
• Because if we keep studying reports and data… that’s the same as actually addressing the risks
Reality
• Risk assessment is a prophecy of the future
• You will never identify or predict all risks… If you could you would be a zillionaire!
• The tale of the Conservative Engineer
Tips & Techniques
• Facilitate the best assessment and reevaluate periodically
• Build risk discussions into business/financial reviews
![Page 8: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/8.jpg)
Theory 2: Effected by Mgt., Board & Others
Misinterpretation
• Divorcing risk from the business
• “Don’t call us we’ll call you!”
• This is a highly complex process that is irrelevant for most people
Reality
• Risks are only relevant when viewed through the prism of objectives
• We need to understand what we are trying to achieve to identify what is relevant
Tips & Techniques
• No one will understand the risks better than those that face them every day
• Evaluate your risks as they relate to your company’s objectives
![Page 9: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/9.jpg)
Tips & Techniques: People
• Where does risk information come from?
• Accounting Data
• Quality Data
• Industry Studies
• People
![Page 10: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/10.jpg)
Tips & Techniques: People
• Aren't they too subjective and unreliable?
• They face the risks every day & understand them very well
• People have the ability to make predictions based on future plans
• Historical data analysis assumes the future will look like the past—things don’t happen the same way twice
![Page 11: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/11.jpg)
Theory 3: Applied in Strategy Setting
Misinterpretation
• Cataloging all risks
• False hope of “Total Information Awareness”
• A Risk Universe is only a start
Reality
• We are all adults here
• Bad things will happen and we won't care about most of them
• Key is to focus on what matters
Tips & Techniques
• Use a top-down business risk approach to complement the bottom-up risk universe approach
• Concentrate on events that disrupt critical goals & strategy
![Page 12: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/12.jpg)
Tips and Techniques: Use Multiple Analyses
A business risk approach complements and strengthens the risk universe by linking risks to objectives to present a more complete risk picture
Risk Universe
• Interview/survey management
• Identify risks by functional area
• Linearly rank risks by likelihood and impact
• Mitigate the top vote getters
Business Risk Based
• Understand company objectives/strategy
• Interview/survey management
• Use analytical tools to identify the key risk patterns linked to each objective
• Mitigate the risks associated with the top objectives
![Page 13: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/13.jpg)
Theory 4: Events That May Affect the Entity
Misinterpretation
• We only have to assess one risk at a time
• The highest ranked risk is the most “dangerous”
Reality
• Simple rankings are a start but are inadequate by themselves
• Negative events are caused by multiple risk factors
• Managing risk requires us to understand the effect of individual risks manifesting themselves simultaneously
Tips & Techniques
• How do the risks interrelate to one another?
• How are risks influenced by priorities?
• Would certain risks combine to form an ever greater threat?
![Page 14: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/14.jpg)
Tips & Techniques: Interrelated Risks
Lack of Accounting Experience
Poor Communication
Excessive Overtime
Aggressive Marketing Programs
System Implementations
![Page 15: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/15.jpg)
Tips & Techniques: Interrelated Risks
Combination of:
1. Aggressive Marketing Programs
2. Excessive Overtime
3. Poor Communication
Lack of Accounting Experience
System Implementations
![Page 16: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/16.jpg)
Theory 5: Manage Risk Within Appetite
Misinterpretation
• Risk is mitigated… It's Miller time!
• Once we mitigate risks beyond a certain level we’re done!
Reality
• Risks are like zombies… they rise again if not monitored
• Mitigating risk is an ongoing effort that takes time but pays big dividends
Tips & Techniques
• Get Internal Audit involved
• Monitor risks over time
• Just monitoring risks will have a positive effect
![Page 17: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/17.jpg)
Tips & Strategies
Risk Monitoring Decisions
• When is a risk mitigated?
• How often do we check back?
• What should we check?
![Page 18: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/18.jpg)
Theory 6: Linked to Objectives
Misinterpretation
• The voting is over! Let’s mitigate the “Top 10 risks” and all will be well!
• Classic cart-before-the-horse thinking
Reality
• Companies do not exist to manage risks; they exist to achieve objectives
• Would we come home and say, “Honey I forgot to get the bread from the supermarket… but I didn’t get into an accident!”
Tips & Techniques
• When allocating resources for mitigation, prioritize objectives… not risks
• Begin allocating resources towards mitigating the risks associated with the most important objectives
![Page 19: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/19.jpg)
Before: The Traditional Analysis
A Major Airline
• Engaged in a typical risk assessment process
• Identified 31 risks
• Ranked according to Likelihood, Impact and Degree of Control
• Typical approach would be to mitigate starting at the top
• Proceed as much as cost/benefit dictates
• No links to business strategy or objectives
• No relating of risks to one another to form risk patterns
[Table: the 31 risks listed by rank (columns: Rank, Risk Title, Risk Description); individual entries are not shown]
![Page 20: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/20.jpg)
After: Business Based Analysis
Business Based Approach
• Surveyed the Executive Team on their views of company objectives and risks
• Do you believe the company will achieve Objective 1?
• How serious do you believe each risk to be?
• Risks are linked to business objectives
• Risks are grouped into the risk patterns that are most relevant for each objective
![Page 21: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/21.jpg)
After: Business Based Analysis
• Risks 21 and 23 were again from the bottom of the list!
• A new risk that threatens this objective was identified through the survey process
• Objective was directly tied to leadership
![Page 22: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/22.jpg)
What Uses Does the ERM Output Have?
Many, but here is one example…
![Page 23: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/23.jpg)
Practical Uses of ERM Data
External: Enhancing Enterprise Value
![Page 24: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/24.jpg)
How ERM Can Enhance Enterprise Value
Value
CFO
Influence
Your Company is constantly being valued by investors, lenders, rating agencies, acquisition partners, etc.
Many say the CFO’s #1 job is to guard and enhance enterprise value
To do this we have to understand how outsiders determine value
A quick walk down finance memory lane…
![Page 25: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/25.jpg)
Three Valuation Approaches
Determination of Value
Asset
Market
Income
![Page 26: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/26.jpg)
Why is the ROR a Big Deal?
Low ROR Equals A High Valuation
Determination of required rate of return is a key driver of enterprise value!
Main driver of valuation is the rate of return required by investors to invest in your firm
Aka: Discount rate
![Page 27: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/27.jpg)
How is the ROR Calculated?
• Common Methods of Calculating ROR
– Modified CAPM = Rf + B(RPm) + RPs + RPu
– Build Up Method = Rf + RPm + RPs + RPu
Where: Rf = Risk Free, RPm = Equity Premium, RPs = Size Premium, RPu = Company Premium
![Page 28: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/28.jpg)
What Exactly Is RPu?
• What is RPu?
– The analyst’s judgment regarding risks specific to your company
– If he/she deems you risky it will raise the ROR and lower value
– Can also be negative, lowering ROR and raising value
No objective source for RPu. It is subjective and based on analyst judgment
![Page 29: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/29.jpg)
How Does RPu Tie to ERM?
Company Risk Premium (ERM)
Management
Competition
Litigation
Customers
Suppliers
Strategy
![Page 30: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/30.jpg)
But How Do I Tell the ERM Story?
• Explain the present but focus on the future!
• Explain how risks are being managed & monitored
• Describe how objectives will be achieved
• Ensure they understand that ERM is a management tool not a one time project
• Lengthy explanations of “history”
• Presenting risks outside the context of objectives
• Indicating your risk program as overly scientific or precise
• i.e. Risk A = 3.43256
• Lengthy discussions of survey techniques or risk rating systems
• Specific terms like velocity, risk appetite
![Page 31: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/31.jpg)
Recap: What We Learned
Theories vs. Realities in successfully implementing an ERM program

| No. | Theory | Practical Application |
|---|---|---|
| 1 | ERM is a process | Build a good process and move forward |
| 2 | Effected by the Board, Mgt. and other personnel | Risks should be sourced from and be a part of the business |
| 3 | Applied in strategy setting | Risks to the Enterprise are not all risks |
| 4 | Events that may affect the entity | Risks combine to form patterns |
| 5 | Manage risk within appetite | Appetite setting is not a one time event |
| 6 | Linked to objectives | Mitigate risks in the context of objectives |
![Page 32: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/32.jpg)
What We Learned
As a result Enterprise Value can increase
Managing Risks down can reduce the ROR
![Page 33: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/33.jpg)
Contact Information
Michael Bechara, CPA, CFE, CRMA
Managing Director
845.363.6610 Office • 845.282.3899 Cell • 845.230.8739 Fax
[email protected] • www.consultgranite.com
Granite Consulting Group Inc.
1511 Route 22, Suite 322 • Brewster, NY 10509
![Page 34: Taking Enterprise Risk from Theoretical to Practical](https://reader036.vdocuments.us/reader036/viewer/2022070318/5570d96fd8b42afb678b4864/html5/thumbnails/34.jpg)
Thank You!
Crossing the Rubicon – Taking Enterprise Risk from Theoretical to Practical