
Enterprise Risk Management

Enterprise Risk Management. A perspective on implementing an enterprise risk approach University of Illinois April 5, 2005. ERM Origins and Rationale. What is risk and risk management? Company organizational issues The role of technology A common language

arleen

Presentation Transcript


  1. Enterprise Risk Management A perspective on implementing an enterprise risk approach University of Illinois April 5, 2005

  2. ERM Origins and Rationale • What is risk and risk management? • Company organizational issues • The role of technology • A common language • Statistical modeling and risk experts

  3. Origins • Risk is defined, operationally, as choice under conditions of uncertainty • Risk management, as a 1970’s phenomenon, was related to catastrophe planning • In the 1980’s RM is redefined by the TQM movement • Early 1990’s ERM emerges from consultancies such as PWC, E&Y and Deloitte

  4. Enterprise Risk Management Defined • “A rigorous approach to identifying, assessing and addressing risks from all sources that threaten the achievement of an organization’s strategic, operational and financial objectives and/or represent an opportunity or competitive advantage.” Jerry Miccolis, Tillinghast-Towers Perrin

  5. Enterprise Risk Management’s Objective • “Enhancing enterprise value by improving capital efficiency, supporting strategic decision-making and building investor confidence” Jerry Miccolis, Tillinghast-Towers Perrin

  6. Risk Categories (first order risks)

  7. Tools for Enterprise Risk Modeling • Standard statistical models not sufficient • Structural models • System Dynamic simulation

  8. Enterprise Risk Management • ERM is not a project, but a process that develops within an organization, driven and supported by senior management • ERM becomes part of the operational culture of the organization with process owners and drivers • There is not an off-the-shelf ERM product that works for everyone. • ERM begins with the development of a risk strategy that is linked to and supportive of the overall business imperatives of the corporation.

  9. Components of ERM • Understand capacity to bear and propensity to assume risk • Establish a robust, yet scalable, process for risk identification and assessment • Evaluate risk on a portfolio basis, with a keen understanding of natural hedges that might exist among risks • Establish a framework and process that allows for a balancing of risk control activities with risk financing mechanisms within business processes

  10. Risk management silos with conflicting goals cross paths… [diagram labels: Internal Audit Operational Risk Mgmt Financial Treasury Human Resource Legal Environment Info Tech Technology HR Strategic]

  11. An enterprise approach… [diagram labels: Internal Audit Operational Risk Mgmt Financial Treasury Human Resource Legal Environment Info Tech Technology HR Strategic; Enterprise Risk Strategy and Methodology]

  12. Risk Management Thinking Has Evolved • Old Thinking: No risk management strategy; Risk management limited to certain areas; Risk analysis in silos; Risks not owned; Inspect, detect, react; Correlation among risks not understood • New Strategy: Risk strategy linked to business strategy; Risk culture created throughout the enterprise; Risk management is a continuous, systematic process integrated within the enterprise’s culture; Risk management responsibilities clearly defined; Anticipate, manage, optimize and monitor risk; Risk is quantified, aggregated and studied for interrelationships; Risk is a key consideration for financial decision making

  13. ERM Examples

  14. ERM Oversight • Board of Directors • CEO • Enterprise Risk Management Committee • Enterprise Risk Manager • Business Unit (×5)

  15. ERM Oversight: Enterprise Risk Management Committee • Determine RM strategies and goals • Coordinate development of RM program • Evaluate RM infrastructure • Develop/Evaluate identification and measurement methodologies • Identify risk owners and establish accountabilities • Develop and operate RM policy

  16. Risk Analysis Process • Assess: Identify/Source, Measure, Prioritize • Anticipate and React: New Hazards, Internal Business Changes, External Influences • Manage: Diversify, Share, Control, Avoid • Communicate: Risk Owners, Risk Experts, Management, External • Risk Information Database • The process is followed in the context of the overall risk strategy.

  17. An Initial Risk Profile • Operational Risk: Contract Performance, Trademark Erosion, Customer Satisfaction • Financial Risk: Currency, Credit, Debt Covenants, Accrual Accuracy • HR Risk: Benefits, Key Management Loss, Stock Ownership Program, Succession Planning • Environment Risk: Terrorism, War, Political Stability, Regulatory (Local/Nat’l), Public Relations • Technology Risk: Infrastructure Failure, Security, Consistent Strategy, Obsolescence • Strategic Risk: Competition, R&D Resource, Missed Market, Reputation, New Market Entrant, Major Customer(s) Loss

  18. Identification of Key Business Risks- Example

  19. Risk Map [figure: risks plotted as coded points; legend: Retained, Partially retained, Transferred; vertical axis: SEVERITY, Low to High, $1M to $250M; horizontal axis: FREQUENCY (annual events), Low to High, 1 to >250]

  20. Ten key questions to consider… • What is our appetite for risk? (capacity and propensity) • Do we know what our risks are? • Do we know how those risks relate to one another? • Who within our company “owns” those risks? • Can we measure those risks? • Have we evaluated non-traditional risks? • Does everyone at our company understand their role in managing risk? • Is effective risk management linked to performance evaluations? • Is risk considered in all facets of decision making? • Does our company continually look for ways to optimize risk strategy?

  21. ERM – 10 Phase Approach • Phase 1: Identify needs, objectives and ERM champion • Phase 2: Identify managers and key risk constituents • Phase 3: Brainstorm to identify key risks • Phase 4: Prioritize risks identified (qualitative) • Phase 5: Develop risk “short list” • Phase 6: [rating table with columns Specific Risk, Severity Rating, Likelihood Rating, Manifestation Rating, Overall Rating; rows 1., 2., 3.] • Phase 7: Identify mitigating & aggravating risk factors • Phase 8: Assess current risk management controls (specific risk) • Phases 9 and 10: Develop risk map and gap analysis; Design action plans with risk owners

  22. Phase 1: Identify Needs and Objectives The first phase of the ERM process is to identify the key objectives of the ERM undertaking. This will help to establish timelines, priorities and key responsibilities. Sample Corporation’s Program: • To uncover and measure areas of high-potential risks • Develop and measure risk mitigation processes – specifically focused toward key risks • To create a risk aware culture by formally bringing risk consideration into strategic decision-making • To improve capital efficiency by providing an objective basis for allocating resources • To create an internal risk communication tool for building and supporting shareholder confidence • To establish a process that will help the company protect results

  23. Phase 1 (continued) Identify ERM Champion(s) A critical component of this initial phase is to identify the internal “champion” of the ERM project. This “champion” needs to be a senior executive within the organization. In many cases, the “champion” is the CEO, COO, CFO or even the Board of Directors. Sample’s Program: For our “key” risks, the CEO personally takes the champion’s role in addressing these risks. “If I’m not responsible for the key risks facing this company, then who is?” For operating level risks, the Presidents assume responsibility or directly assign responsibility. This initial step is critical to the success of the ERM undertaking.

  24. Phase 2: Identify Managers and Key Risk Constituents The ERM process should include active participation from the operational executive manager’s identification and the key operational and strategic managers within the organization. This group should have knowledge of the business and insight into the business issues that affect the operations. This group will be the core team involved in the risk identification process. Sample’s Program: Each operating group’s ERM working group consists of the senior manager of the group and the direct reports.

  25. Phase 3: Brainstorm to Identify Key Risks • Process to uncover and prioritize the key risks faced by the organization. • After the risks are captured, the group discusses each risk and clarifies any misunderstandings about what the risk is. Common risks and duplicates are identified and combined. It is important that you listen to your “experts” on the risk areas to help you gauge the risks. No one is an expert on everything. • Sample Program • Brainstorming by the ERM Working Group to identify risks that they feel the company faces. A facilitator assists the group in the identification and prioritization. Some of the general ground rules include: • Each person can contribute as much as they want • Everyone should contribute • No judgments or comments – just capture information • No risk is too insignificant • Resources are called upon as needed to clarify and explain nuances

  26. Phase 4: Prioritize Risks Identified (qualitative) • The risk list identified in Phase 3 will be long, and the goal of this phase is to reduce the list so the critical risks surface to the top. This is best accomplished through a multi-voting exercise. Trying to deal with too many risks can bog down your process and cause you to miss achieving your objectives. • Sample Program: • Each participant will receive a specified number of votes, i.e., (n/2)+1 where n equals the number of items – this is a rule of thumb • Each participant must use all votes • One vote per risk per participant • The group eliminates risks not receiving enough votes • The process is repeated until the list is reduced to only the key risks

  27. Phases 5 and 6: Develop Short List/Quantify Risks • The key risks identified in Phase 4 will now be subject to a quantitative rating methodology that considers the following risk attributes: • Severity – Refers to the potential financial impact once an event occurs. • Likelihood – Measures the probability of an event occurring. • Manifestation – Measures the probable elapsed time from identification of a potential problem to its manifestation, i.e., how long it takes the risk to become a “full grown problem.” • OR • Recovery – Measures how long it will take to fully recover from the loss.

  28. Phases 5 and 6 (continued): Develop Short List/Quantify Risks Sample Program • Identify a specific “reasonable, but catastrophic” loss scenario • Identify or assign a risk owner/champion • Severity – determine estimated or expected size of loss (with a loss period of three years or less) • Likelihood – determine the probability that the loss will occur over a period of time, i.e., 50:50 chance of occurrence in the next “X” period of time • Recovery – estimate of the time it will take to recover (fully?) from the loss • Metrics (partial): (1) Risk Value = Severity times Likelihood (2) Pure Risk Value = Severity times Likelihood times Recovery

  29. Severity Severity refers to the potential financial impact once an event occurs. The table below provides an example of ranges of impact on revenue and expense and a score that could be assigned to the risk identified. [figure axes: Expense/Liability, 0 to 150%; Revenue/Assets, 0 to 150%]

  30. Likelihood Likelihood measures the 50:50 probability of an event occurring. The table below presents an example of how to measure the score and time horizon to consider.

  31. Manifestation/Recovery Time This element measures the probable elapsed time from identification of a potential problem to its manifestation. The table below provides a sample matrix.

  32. Phase 7: Identify Mitigating/Aggravating Factors In the business operation there are both mitigating factors and aggravating factors that can have an impact on the severity, likelihood and/or manifestation of the risk. These factors can be either external impacts or internal impacts. Mitigating factors are those factors that currently limit or reduce the likelihood or consequence of the risk. A mitigating factor could be existing management efforts, education and training, process testing and improvement, government intervention, or being in a monopolistic position. Aggravating factors are those factors that currently increase or expand the likelihood or consequence of the risk. An aggravating factor could be political factors, prior poor experiences, lack of a plan for action, fast moving industry changes, or the complexity of the situation.

  33. Phase 8: Assess Current Risk Management Controls Phase 8 of the process is intended to consider the company’s current policies, procedures, management practices, and any other mitigating factors that are in place to manage the identified risks. Sample Program: Self-assessment by management of the current controls in place to manage the claim on a scale of 1 (great) to 5 (non-existent). The assessment is a gauge against known peer best practices for managing this type of risk or an assessment of what is reasonably available to manage the risk.

  34. Management Rating The table below is an example of how a company might evaluate the effectiveness of the controls in place to manage the identified risks.

  35. Phases 9 and 10: Develop Risk Map, Gap Analysis and Action Plans Risk Map The risk map is a graphical representation of the key risks identified. The location of the “bubble” on the map depicts time element and severity. The size of the bubble presents the perceived effectiveness of management controls in place. The smaller the bubble, the better the controls.

  36. Risk Dashboard – Gap Analysis [chart axes: Management Effectiveness, Inherent Risk]

  37. Specific Risk Management Action Plan Risk A

  38. Enterprise Risk Management A perspective on implementing an enterprise risk approach Questions????
