
Enterprise Risk: Overview and A Start Up Experience

NC State ERM Roundtable Series, October 2005. Presenter: Chris Duncan, 404.995.3600, Christopher.A.Duncan@marsh.com.


Presentation Transcript


  1. NC State ERM Roundtable Series, October 2005
  Enterprise Risk: Overview and A Start Up Experience
  Chris Duncan, 404.995.3600, Christopher.A.Duncan@marsh.com

  2. Overview
  • Increasingly, companies are expanding ERM efforts
  • 91% are planning to, or are in the process of, expanding ERM efforts (Conference Board)
  • Driven by the desire to impact shareholder value and to improve governance and communications
  • Delta Air Lines initiated its ERM effort after 9/11 and established a CRO position
  • Chose to focus (initially) on a subjective risk evaluation process rather than a "quant" emphasis
  • Focused on building process and interaction with risk leaders rather than a "centralized" CRO role
  • Management's role in managing risk: resources/infrastructure, mitigation, communication/governance
  • Key to ERM is delivering value that is understood and makes a difference to the bottom line, brand and survivability

  3. Changing Risk Requires New Approach
  "Here is Edward Bear, coming downstairs now, bump, bump, bump, on the back of his head, behind Christopher Robin. It is, as far as he knows, the only way of coming downstairs, but sometimes he feels that there really is another way, if only he could stop bumping for a moment and think of it."
  Opening lines of "Winnie-The-Pooh" by A. A. Milne

  4. Risk Drivers on Value
  From '93 to '98, 10% of the Fortune 1000 lost more than 25% of stockholder value in one month. Strategic and operating risk led the way, while many "big" risks were effectively hedged.
  [Figure: risk drivers grouped into four classes: Strategic, Operational, Financial and Hazard. Drivers shown include Customer Demand Shortfall, Competition, Cost Overruns, Accounting Irregularities, Management Ineffectiveness, Supply Chain Issues, M&A Problems, Products, Pricing, Customer Loss, Macroeconomics, Commodity Prices, Interest Rates, Regulatory, R&D Delays, Lawsuits, Natural Disasters and Supplier. Source: Marsh/Mercer; used with permission.]

  5. Sidebar: Board vs. Management Roles
  • Sarbox and NYSE rules require Boards to have oversight of the effectiveness of the risk management processes
  • Does not mean the Board manages risk
  • Increasingly, rating agencies and institutional investors are asking questions on risk, and on ERM
  • Ultimately, management is challenged to prioritize risk, and to figure out the risk infrastructure, resources, process and communication/governance to ensure the right risks are managed appropriately
  • Does not mean management must eliminate all risks
  • Does mean that appropriate levels of management understand risks, roles and responsibilities
  "One doesn't discover new lands without consenting to lose sight of the shore for a very long time." Andre Gide

  6. Various Levels of Risk Management
  Risk Management occurs on many different levels, each adding value in different ways, and the "sweet spot" varies by company and culture.
  [Figure: three tiers, from the most basic to the most advanced.]
  Compliance & Prevention
  • Protect P&L and balance sheet from surprises
  • Prevent accidents and crises
  • Meet compliance/fiduciary responsibility
  Operating Performance
  • Integration into corporate governance
  • Risk planning in business strategy
  • Achieving traditional risk best practice status
  • Integrating risk approach across functional silos
  Shareholder Value Enhancement
  • Societal focus
  • Brand/reputation risk focus
  • Risk competence as competitive tool

  7. Risk Management Environments
  Functional Risk View
  • Financial: fuel, interest, foreign exchange, insurance/financing
  • Operational: technology, info security, e-business, continuity
  • Audit: revenue, financial controls, process risks, disclosure, fraud
  • Legal: civil, criminal, regulatory, contractual
  • Business/Strategic: brand, reputation, service, alliances, expansion
  • Safety/Security: flight safety, environment, employee safety, security
  Cross Functional & Emerging View of Risks
  Most companies (and Delta) have deep functional risk identification and management; the challenge is addressing cross-functional and forward-looking "horizon" risks.

  8. Not All Risks Are Created Equal
  Management's challenge is figuring out what to focus on, and when...
  [Figure: a matrix plotting Organizational Impact (low to high) against Cost (low to high). Three regions are marked: Company Killers, Customer Impact, Loss of Brand Reputation (highest organizational impact); Safety Net for P&L and Balance Sheet: Risk Financing, Insurance, Projects and Initiatives; and Safety, Claims, Compliance, Administration, labelled as Management's Typical Risk Focus.]
  Risk Management is the allocation of finite resources to infinite risks.

  9. Hazard Risks
  • Hazard & Operational Risks are the "meat and potatoes" of risk management: work comp, property, liability, auto, construction, life & health
  • Historical risk manager focus, insurance "sweet spot"
  • Incremental improvement in underlying risk profile via safety and claims
  • Not typically considered in strategic decisions
  • Insurance focused
  • Focus: optimize as "cost of doing business"

  10. Reputation Risk
  • How brand, company perception and future business potential are impacted by internal and external events and decisions
  • Focuses on internal and external stakeholders
  • Response model driven by perceptions, not facts
  • Globalization of brands
  • "Risk" is defined by external parties and stakeholder reactions and expectations (perceptions), rather than by science (facts)
  • Media/internet, cultures, corporate governance, regulation and non-governmental organizations play a major role
  • Limited role for insurance
  • Focus: pre-emptive strategies, crisis response
  Examples: "Mad Cow", privacy breach, cell radiation, executive compensation, animal testing, crisis management failures, fat ("Oreo & McD")

  11. Societal Risk Issues Blur with Reputation
  Societal risks...
  • Tend to cross cultures and companies
  • Similar to reputation risks in exponential growth potential
  • Externally driven risk factors
  • Targets of societal, self-appointed "representatives": UN, World Bank, WHO, etc.; institutional investors?; cross-cultural "NGOs"
  • Subject to government intervention/regulation
  • Responses establish boundaries of corporate and government behavior via legislation/law and international opinion
  • Borderless society generates new risks and issues for all. Examples: Avian Flu/SARS, AIDS, terrorism, internet attacks, internet special interest groups, international labor migration, IP rights theft, food safety confidence, natural disaster refugees
  • Sarbanes-Oxley is the classic response to a new "risk" that "boundaries" corporate behavior
  • Others: demands for security in air travel, cross-border testing for mad cow, halts on genetically modified foods, acrylamide, "Katrina"?
  • No material insurance role
  • Focus: pre-emptive strategies, crisis response

  12. Limited Window to Influence Brand/Societal Risk
  [Figure: risk issue lifecycle plotted as media/public impact against time, adapted from the risk issue lifecycle in "Strategic Reputation Risk" (Larkin). Stages: Emerging Risk Awareness (explore/plan; the company can still influence and lead), Warning (plan; action/options remain), Rapid Escalation (tipping events; "ride the outcome", no options), and Risk Perception Embedded Irrespective of Facts or Response (no ability to influence outcomes; response driven by media, government regulatory and legislative intervention). The chart marks Avian Flu as the current example ("U R HERE"), with a short time period (days) to restore confidence before media/public perception overwhelms the response; Mad Cow, 9/11 security and Sarbox are given as cases where perception became embedded.]

  13. So Where to From Here?
  • Choose an ERM organizational framework: COSO, New Zealand, Turnbull, or company specific
  • Address governance and communication infrastructure needs
  • Choices are based on culture, politics and leadership endorsement
  • Get started somewhere... it's about progress, not perfection
  • Drive the process first through a limited number of critical issues... then build off the initial value generated
  "The ability to define what may happen in the future and to choose among alternatives lies at the heart of contemporary societies." Peter L. Bernstein, Against the Gods

  14. ERM Infrastructure, Process and Integration
  [Figure: example framework, the Mercer Oliver Wyman ERM Framework (copyright Mercer Oliver Wyman 2005).
  ERM Infrastructure: Vision/Goals; Governance; Oversight Structure; Common Language; Policies; Technology; Tools; Techniques; Tolerance/Appetite.
  ERM Process: Business Goals, Objectives & Strategies; Identify, Assess and Prioritize Business Risks; Analyze Risks and Current Capabilities; Determine Strategies and Design Capabilities; Develop and Execute Action Plans / Establish Metrics; Measure, Monitor and Report; Aggregate Results with Decision Making Processes.
  ERM Integration: Operational Processes; Strategic Planning; Quality Process; Competency Models; Six Sigma; SOX; Product Development; Capital Projects; Merger/Post-Merger; Capital Allocation; Performance Management.
  ERM Culture: Organizational Change Management; Communication; Awareness/Training; Information Sharing; Continuous Improvement.]

  15. COSO ERM Framework
  • ERM is a process to help achieve entity objectives across the framework's categories of objectives
  • Eight interrelated components
  • Applies to activities at all levels of the organization
  Source: Enterprise Risk Management – Integrated Framework. Committee of Sponsoring Organizations of the Treadway Commission, 2004

  16. COSO & MOW Alignment
  [Figure: the Mercer Oliver Wyman (MOW) framework elements aligned against the eight COSO components (copyright Mercer Oliver Wyman 2005).
  COSO components and their elements:
  • Internal Environment: Risk Management Philosophy; Risk Appetite; Board of Directors; Integrity and Ethical Values; Commitment to Competence; Organizational Structure; Assignment of Authority and Responsibility; HR Standards
  • Objective Setting: Strategic Objectives; Related Objectives; Selected Objectives; Risk Appetite; Risk Tolerances
  • Event Identification: Events; Influencing Factors; Methodologies and Techniques; Event Interdependencies; Event Categories; Risks and Opportunities
  • Risk Assessment: Inherent and Residual Risk; Likelihood and Impact; Methodologies and Techniques; Correlation
  • Risk Response: Identify Risk Responses; Evaluate Possible Risk Responses; Select Responses; Portfolio View
  • Control Activities: Integration with Risk Response; Types of Control Activities; General Controls; Application Controls; Entity Specific
  • Information and Communication: Information; Strategic and Integrated Systems; Communication
  • Monitoring: Separate Evaluations; Ongoing Evaluations
  MOW elements aligned to them:
  • ERM Infrastructure & Culture: Vision/Goals; Governance; Policies; Tolerances and Appetite; Language
  • Process: Identify, assess and prioritize enterprise risks; Aggregate results/integrate with decision-making process; Analyze key risks and current capabilities; Measure, monitor and report; Determine strategies and design capabilities; Develop and execute action plans/establish metrics
  • Objectives & Strategies
  • ERM Integration: Strategic Planning; Resource Allocation; Scorecards; Quality Processes
  • ERM Culture and Enabling Activities: Communication; Information; Awareness/Training; Change Management]

  17. Delta: Created Enterprise Risk Council
  [Figure: organization chart of the Enterprise Risk Council (ERC), chaired by the CRO. Standing council members: Safety, Security, Legal, Corporate Audit, Treasury, Controller, Info Security. The ERC covers general/cross-functional risks (enterprise-wide view, coordination and early identification); specific functional risks get a deeper dive within their own areas (Safety, Security, Operational). Related bodies: Corporate Ethics & Compliance, Compliance/Regulatory, 404 Steering Committee, 404 Compliance, Hotline Reporting, others.]

  18. Initiated Risk Mapping
  • Helpful to put risk into buckets to assess "what's at risk, where?"
  • Useful in communicating risk priorities and response to the Board and others
  • Categories vary, but often include: Financial, Operational, Human Capital, Legal, Technology, Security, Political, Ethics/Compliance, others?

  19. Developed Risk Matrix, Common Language
  • Challenge is finding a common means of evaluating various risks in terms of frequency and severity
  • While all risks may eventually be quantified and correlated, we did not have the time or resources to do so
  • Idea was a subjective process first, with quantitative discipline added as ERM evolved
  • Agreed on a Frequency/Likelihood and Severity matrix for rating risk
  • Severity matrix blended financial measurements, reputation risk and compliance risk
  • Built the language bridge across diverse functions like legal, marketing, human resources, technology and finance
  • Severity scale: Low, Medium, High, "Survival Bet"

  20. Risk Mapping
  Risks are captured by category...
  1. Financial
  2. Operational
  3. Compliance
  4. Legal
  5. Security
  6. Human Capital
  7. Technology
  8. Political
  9. Reputation
  ...and evaluated for overall risk, resulting in a risk map. [Figure: example risk map; the entries shown were illustrative, not actual.]
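The matrix and mapping described in slides 19 and 20 are easy to get wrong in practice: a single "survival bet" risk can be averaged away if severity dimensions are blended arithmetically, and a register without consistent scales cannot be ranked at all. The script below is an added example, not the presentation's or Delta's own process. It assumes a four-point likelihood scale (the slide names only the severity labels), blends the three severity dimensions by taking the worst one, and uses assumed score thresholds for escalation tiers; the sample register entries are constructed for illustration.

```python
"""Risk-matrix scoring and risk-map bucketing (added example, not from the deck)."""
from collections import defaultdict
from dataclasses import dataclass

# Ordinal scales. The four severity labels come from the slide; the likelihood
# labels and all numeric weights are assumptions made for this example.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "survival bet": 4}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "likely": 3, "almost certain": 4}
CATEGORIES = ("Financial", "Operational", "Compliance", "Legal", "Security",
              "Human Capital", "Technology", "Political", "Reputation")


@dataclass(frozen=True)
class Risk:
    name: str
    category: str
    likelihood: str
    financial: str      # severity on the financial dimension
    reputation: str     # severity on the reputation dimension
    compliance: str     # severity on the compliance dimension
    owner: str = "unassigned"

    def __post_init__(self):
        # Reject entries that do not use the common language; an unranked
        # risk is worse than a rejected one because it silently drops off the map.
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category}")
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood: {self.likelihood}")
        for dim in (self.financial, self.reputation, self.compliance):
            if dim not in SEVERITY:
                raise ValueError(f"unknown severity: {dim}")


def blended_severity(risk: Risk) -> str:
    """Blend the three severity dimensions by taking the worst one (assumption).

    A maximum rather than an average keeps a 'survival bet' on one dimension
    from being diluted by 'low' ratings on the other two.
    """
    worst = max(SEVERITY[d] for d in (risk.financial, risk.reputation, risk.compliance))
    return next(label for label, value in SEVERITY.items() if value == worst)


def score(risk: Risk) -> int:
    """Likelihood x blended severity on the 4x4 matrix (range 1..16)."""
    return LIKELIHOOD[risk.likelihood] * SEVERITY[blended_severity(risk)]


def tier(risk: Risk) -> str:
    """Escalation bucket. Thresholds are assumptions made for this example."""
    if blended_severity(risk) == "survival bet":
        return "board"          # any survival bet escalates regardless of likelihood
    s = score(risk)
    if s >= 9:
        return "executive"
    if s >= 4:
        return "functional"
    return "monitor"


def ranked(register):
    """Highest score first; ties broken by severity, then name for stable output."""
    return sorted(register,
                  key=lambda r: (-score(r), -SEVERITY[blended_severity(r)], r.name))


def risk_map(register):
    """Group risk names into matrix cells keyed by (likelihood, severity)."""
    cells = defaultdict(list)
    for r in register:
        cells[(r.likelihood, blended_severity(r))].append(r.name)
    return dict(cells)


def by_category(register):
    """Slide-20 style view: risks bucketed by category, ranked within each bucket."""
    groups = defaultdict(list)
    for r in ranked(register):
        groups[r.category].append(r.name)
    return dict(groups)


# Constructed sample register (illustrative entries, not Delta's actual risks).
REGISTER = [
    Risk("Pandemic disrupts flight operations", "Operational", "unlikely",
         financial="survival bet", reputation="medium", compliance="low", owner="COO"),
    Risk("Growing dependence on a single reservation platform", "Technology", "likely",
         financial="high", reputation="high", compliance="low", owner="CIO"),
    Risk("Customer data breach", "Security", "likely",
         financial="medium", reputation="high", compliance="high", owner="CISO"),
    Risk("Fuel price spike", "Financial", "almost certain",
         financial="high", reputation="low", compliance="low", owner="Treasurer"),
    Risk("SOX 404 control deficiency", "Compliance", "unlikely",
         financial="low", reputation="medium", compliance="high", owner="Controller"),
    Risk("Workers' compensation claims trend", "Human Capital", "almost certain",
         financial="low", reputation="low", compliance="low", owner="VP HR"),
]

if __name__ == "__main__":
    for r in ranked(REGISTER):
        print(f"{score(r):2d}  {tier(r):10s} {r.category:14s} {r.name}  ({r.owner})")
```

Note that the pandemic entry ranks below the data breach on raw score (8 vs 9) yet is escalated to the board tier, because the "survival bet" label is treated as a veto on the arithmetic rather than just another weight; that is the behaviour a subjective-first matrix needs if the "company killer" region of slide 8 is to survive the scoring.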

  21. The Result
  • Improved communication and awareness on emerging risk issues
  • Formalized process to get out of the day-to-day risk management trap
  • Platform for discussing risk issues, investments and resource allocation with executive leadership and the Board
  • Identified growing risk areas the company was not addressing aggressively (ex. Delta's shifting technology dependence, SARS/pandemic, others)
  • Combined influence of "risk heads" via the ERC moved the risk agenda forward faster than they could individually
  • Net result: better decision making and resource allocation, fewer surprises
  "However beautiful the strategy, you should occasionally look at the results." Winston Churchill

  22. Key Learnings
  • Focus on initial success to seed the company for future progress
  • Critical success factors in any ERM effort: clear ownership and accountability of risk; realistic expectations of the success of risk control plans; conservative estimates of what risk is left over; priorities on closing the gaps; integration into financial planning and human capital processes; ongoing communications and "governance" processes to continually re-rank risks and identify new ones
  • Culture, process and relationships matter in execution
  ERM is ultimately about changing culture and behavior, driving decision making and measurable results.

  23. In Closing
  • ERM is a matter of future survival in an increasingly complex world
  • Implementation will vary company by company depending on culture, leadership support, and internal and external risk profile
  • Getting started and making headway is more important than getting it perfect
  • ERM won't make all problems go away... the world is full of surprises... but it will help you prepare and respond more effectively, and it will help every company take more intelligent risks
  "A ship in the harbor is safe, but that is not what ships are for..." Admiral Grace Hopper
