Enterprise Risk Management Tools & Techniques January 12, 2011

1. Enterprise Risk ManagementTools & TechniquesJanuary 12, 2011 Cathy Taylor, ADP Emerissa Babin, OPG Michelle Reid, TSSA

2. Today’s Objectives • Share • Enable

3. Agenda • Establish context • Risk identification • Risk analysis and evaluation • Risk treatment • Monitoring and review • Communication and reporting

4. Establish Context • Define environment within which risk will be managed • Ensures risk management approach is appropriate • Considerations include: • Public or private • Publicly traded or nonprofit • Organizational structure • Tone at the top • Organizational culture • How are decisions made?

5. Establish Context President & CEO Corporate Risk Management (CRM) Organization • Oversight of Strategic, Financial, Operational & Transactional Risks • Risk Reports to Board Committees • Risks to Business Plan Objectives (BURSA) • MD&A Risk Management , AIF Risk Factors

6. BOARD / EXECUTIVE Set Policy Support & Set the Tone RISK MANAGEMENT TEAM Set Risk Appetite ALL DEPARTMENTS Risk Ownership (identification, assessment, treatment, monitoring & reporting) Build RM Capability, Process & Tools Monitor & report program Monitor Risk Reporting Set Assurance Agenda Framework Advice, Coaching & Support Performance Management Assure Stakeholders Define ERM & Governance Expectations Establish Context

7. Establish Context

8. Risk Identification • Gather and document risks that could impact achievement of objectives • Common techniques include: • Surveys • Workshops • Management interviews • Environment scans • SWOT analysis • Results of audits

9. Risk Identification

10. Risk Identification

11. Significant RISKS & OPPORTUNITIES impacting achievement of initiatives Corporate Objectives/ Priorities Risk Mitigation & Opportunity Optimization Activities Key Initiatives to Achieve Objectives Targets KPI’s KRI’s + inform Assess & Report Performance Against Targets Significant RISKS & OPPORTUNITIES impacting achievement of objectives shape Risk Identification

12. Risk Identification

13. Risk Analysis and Evaluation • Understand the risk, its causes, the likelihood of occurrence, potential impact, and the organization’s appetite and/or tolerance for the risk • Common tools include: • Root cause analysis • Risk assessment criteria • Risk appetite matrix • Risk tolerance

14. Risk Analysis and Evaluation Risk Statements: • Important to express a risk in such a way that it can be effectively understood and addressed • Components • Event, Cause & Effect • Example: • Financial loss due to default by Clients in funding of processed payroll. • Inability to obtain adequate (quality/quantity) expat labour supply due to negative perceptions about project location results in increased construction costs • Bad Risk Statements: • Budget cuts • Company delays all IT investments • Fires

15. Risk Analysis and Evaluation Quantitative assessment • Probability • Improbable (<10%) • Unlikely (10% - 30%) • Possible (30% - 70%) • Likely (70% - 90%) • Probable (>90%) • Financial Impact • Minimal (<$5M) • Minor ($5M - $50M) • Notable ($50M - $200M) • Substantial ($200M - $500M) • Major (>$500M)

16. Risk Analysis and Evaluation Qualitative Assessment • Manageability • The degree to which the outcome of a risk is controllable through the risk treatment/mitigation actions. • Stakeholder Sensitivity • The extent of the reaction of external stakeholders (public, shareholder, regulator, etc.) to the risk or how tolerant the stakeholders are of the risk; and • What their expectations are for managing the risk. • Urgency • The promptness needed to implement mitigation for a risk in order for it to be effective. This criterion refers to how pressing the need is for mitigation as opposed to the imminence of the risk itself.

17. Risk Analysis and Evaluation

18. Risk Analysis and Evaluation

19. Risk Analysis and Evaluation

20. Risk Analysis and Evaluation

21. Break Please be back in 10 minutes

22. Risk Treatment • Select and implement options to modify risk • Typical risk treatment concepts include: • Avoid risk (cancel product line, sell business unit) • Transfer risk (out-source function or enter contract to transfer risk) • Control risk (change process, training, etc) • Fund risk (insurance)

23. Risk Treatment

24. TOO MUCH CONTROL so: A - removing procedure B - reduce insurance costs/increase insurance deductible RISK MATRIX E L M H H H Risk 1 (Inherent) D L M M H H B C L L M H H X A LIKELIHOOD RATING B L L M M H Risk 1 (Residual) A L L M M H 1 2 3 4 5 SEVERITY RATING Risk Treatment

25. Risk Treatment

26. Risk Treatment

27. Monitor and Review • Periodic monitoring of risk treatment plans and influence on risks • Ensure treatment plans exist • Ensure they are effective • Obtain additional info for further assessment • Identify emerging risks • Most common tool or technique is audit

28. Monitor and Review

29. RISK MATRIX E L M H H H D L M M H H C L L M H H B L L M M H A L L M M H 1 2 3 4 5 SEVERITY RATING Monitor and Review Risk based Audit program – which risk to audit? Risk 2 (Inherent) Risk 1 (Inherent) Risk 1 (Residual) LIKELIHOOD RATING Risk 2 (Residual)

30. Communication and Reporting • Create awareness, facilitate understanding, foster adoption / engagement • Governance or legislative requirements

31. Communication and Reporting

32. Communication and Reporting

33. Questions?

34. Announcements • CE Certificates • RIMS ERM Centre of Excellence • New RIMS logo • Curling bonspeil – February 8, 2011 • One-day Conference – March 9, 2011 • Volunteer

35. Thank you!