TRANSCRIPT
Enterprise Risk Management: Practical Implementation
Barry Franklin, Group Managing Director, Americas
Aon Global Risk Consulting
November 2007
Discussion Topics
• Preliminaries
• Defining ERM
• ERM drivers
• Recent survey results
• Defining “Risk”
• Balancing diverse views: consistent framework
• A value-driven approach to ERM
• Implementation challenges
• Case studies
What is ERM?
ERM is the process by which companies identify, measure, manage, and disclose all key risks to increase value to primary stakeholders while satisfying other stakeholders.
• Process: a systematic and sustained business process
• Measure: consistent metrics adopted in an integrated manner across the organization
• Manage: focused on enabling management decision making and enabling exploitation of business opportunities
• Disclose: enabler of meaningful and transparent disclosure to key stakeholders
• Holistic: integrated approach to Financial, Operational, Strategic and Regulatory risks
• Material risks: analyzing and quantifying the organization's significant risks
• Value: balanced perspective on uncertainty, managing threats and capturing opportunities
• Stakeholders: focused on delivering the organization's key stakeholder needs and expectations
Related Risk Management Processes
• Enterprise Risk Management (ERM) is often identified with Strategic Risk Management (SRM) or Governance, Risk and Compliance (GRC). Common elements are:
– Process applied consistently across the company
– Driven from the top of the organization
– Takes a proactive, forward-looking view
– Considers both risks and rewards
– Integrates risk management into business processes
– Assigns clear risk ownership
Driving Forces Behind ERM
• Corporate Disasters: Enron, WorldCom, Adelphia, Mutual Funds
• Industry Initiatives: Treadway Report (US), Turnbull Report (UK), Dey Report (Canada)
• Best Practices: Banks, Asset Managers, Energy Firms, Corporations
• Regulatory Actions: S.E.C., Sarbanes-Oxley, Basel II
All four feed into Enterprise Risk Management.
Executive Research Key Findings
• Most companies are making some progress
• Greater board and CEO involvement
• More awareness across organizations
• Faster adoption outside of North America
• Few companies have progressed to “advanced” level
• Slower progress than originally expected
Key Drivers
(Chart, 2004 vs. 2006, share of respondents citing each driver: Board Request; Regulatory Pressures; Understand Hard to Quantify Risks; Corporate Governance Requirements)
Source: The Conference Board
Key Objectives 2006
• Ensure risk considered in decision making 83%
• Avoid surprises 85%
• Integrate risk management into corporate processes 70%
• Align risk exposures & mitigation 65%
• Use risk management as competitive tool 36%
Source: The Conference Board
Integration into Business Processes
(Chart, 2004 vs. 2006, by region: United States/Canada; UK/Europe; Rest of the World. Plotted values: 39.8%, 65.9%, 75.0%, 71.2%, 53.8%, 75.0%)
Source: The Conference Board
Building the Process
(Chart, 2004 vs. 2006, share of respondents with each element in place: Common Risk Language; Regular Risk Assessment; Mission Statement; Business Risk Inventory)
Source: The Conference Board
Building the Process
(Chart, 2004 vs. 2006, share of respondents with each element in place: Tolerances; Regular Board Reports; Individual Risk Ownership; Root Cause Analysis)
Source: The Conference Board
Risk Management Integration
(Chart, 2004 vs. 2006, share of respondents integrating risk management into: Product Pricing; New Product Development; Strategic Planning; Internal Audit)
Source: The Conference Board
Greatest Benefits
(Chart, 2004 vs. 2006, share of respondents citing each benefit: Governance; Articulate Risk Taking; Management Consensus; Better Informed Decisions)
Source: The Conference Board
Key Risks - Americas
• Damage to reputation
• Business interruption
• Third party liability
• Distribution or supply chain failure
• Market environment
• Regulatory/legislative changes
• Failure to attract or retain staff
• Technology failure
• Failure of disaster recovery plan
• Loss of data
Source: 2007 Aon Global Risk Management Survey
Level of Preparedness
(Chart, percent of respondents reporting preparedness for each risk. Risks shown: Damage to Reputation; Business interruption; Third party liability; Distribution or supply chain failure; Market environment; Regulatory/legislative changes; Failure to attract or retain staff; Market risk; Physical damage; Merger/acquisition/restructuring; Failure of disaster recovery plan. Plotted values: 48%, 70%, 75%, 63%, 35%, 41%, 55%, 56%, 77%, 69%, 65%)
Source: 2007 Aon Global Risk Management Survey
Business Activity Priorities
Business activity: Current Priority Ranking / Priority Ranking – Next 2 years
• Risk identification, quantification and analysis: 1 / 1
• Regulatory compliance and reporting: 2 / 3
• Loss control / prevention: 3 / 4
• Managing risk on an enterprise-wide basis: 4 / 2
• Risk communication – internally with management and operations: 5 / 5
• Emergency / contingency planning: 6 / 6
• Insurance buying: 7 / 9
• Risk financing: 8 / 7
• Claims management: 9 / 8
• Risk communication – externally with business partners: 10 / 10
Source: 2007 Aon Global Risk Management Survey
Responding to Changing Risks
(Chart. Activities: Identify major risks; Assess probability and impact; Determine limits for insurance. Methods: External service/advisor; Benchmarking; Quantitative analysis; Management intuition and experience. Plotted values: 42%, 29%, 19%, 32%, 46%, 22%, 29%, 23%, 11%, 8%)
Source: 2007 Aon Global Risk Management Survey
Identification of Major Risks
(Chart, by region: Asia/Pacific; Europe; The Americas; All. Methods: Other; External service provider/advisor; Business Unit registers or key risk indicator worksheets; Senior management intuition and experience; Board workshops or scenario planning. Plotted values: 3%, 12%, 5%, 7%, 19%, 23%, 55%, 42%, 45%, 55%, 18%, 32%, 19%, 4%, 7%, 8%, 13%, 5%, 14%, 11%)
Source: 2007 Aon Global Risk Management Survey
What is Risk?
• Risk can be defined as the potential harm that may arise from some present process or from some future event.
• In everyday usage, "risk" is often used synonymously with "probability", but in professional risk assessments, risk combines the probability of a negative event occurring with how harmful that event would be.
• Risk can also be viewed as “volatility from expected.” This definition captures both the upside and downside of risk.
What is Risk? Categories of risk:
• Financial: includes the fluctuating cost of fuel, interest rates and access to capital
• Human Capital: a growing area of exposure in today’s labor market, including employee selection, retention and turnover, absenteeism, compensation and labor relations
• Legal / Regulatory: incorporates liabilities for employment, defamation and other allegations, including regulatory change and governance requirements
• Operational: includes day-to-day business challenges across all functional platforms, including the drive for efficiency, optimal use of outsourcing and business continuity
• Strategic: includes organizational planning, such as the strategic response to changing customer preferences, competition, reputation/brand, innovation, etc.
• Technology: includes system failure, network liability, internet security and other technology-related risks
Public Company – View of ERM
• A strategic mechanism for effective risk identification and containment
• Ensures that business objectives are balanced with:
– Corporate governance initiatives
– Risk mitigation initiatives
– Enhanced and timely business decisions
– Enhanced profitability
– Long-term growth
• Goal to maximize shareholder value for the enterprise as a whole
• Greatly influenced by Sarbanes-Oxley and the SEC in the U.S.
Private Company – View of ERM
• Short Term:
– Drives a structured and disciplined approach to risk management
– Provides a methodology for measuring business risks
– Increases awareness of risks and potential risks
• Long Term:
– Ability to aggregate risks and benefit from enterprise effects
– Better capital allocation and competitive position
– More effective strategic and operational planning
– Ensures execution of the Core Competency
Balancing Diverse Interests
(Diagram: Enterprise Goals & Objectives at the centre, with ERM balancing Value Creation / Performance against Financial Strength / Conformance, and External against Internal stakeholders)
• Capital: Debtholders, Agencies, Regulators
• Governance: Controls, Compliance
• Growth: Bus. Units, Managers
• Returns: Shareholders, Investors, Partners
COSO – A Starting Point for ERM
The COSO ERM Framework consists of 8 interrelated components and 4 objectives.
Elements of ERM as outlined in the framework:
• Is a process
• Is effected by people
• Is applied in strategy setting
• Is applied across the enterprise
• Is designed to identify potential events
• Manages risks within risk appetite
• Provides “reasonable assurance”
• Supports achievement of key objectives
Source: COSO ERM Framework
Using a Value-Driven Approach
Start with a skilled assessment of your business and ERM needs to ensure that the approach and outcomes are well matched to your needs.
(Diagram. ERM process: Evaluate Risk Process; Risk Identification & Prioritization; Risk Quantification; Risk Response Solution; Risk Management Implementation. ERM management: Governance, Culture and Disclosure. ERM outcome (value): Growth, Profitability, Continuity)
Evaluate Risk Process
Activities and deliverables:
• Gather information on current status: Current state risk score card
• Develop scorecard ranking current program vs. leading practice: Risk maturity benchmark
• Develop future vision for ERM program: Key ERM goals & objectives
• Develop gap analysis using scorecard format and identify quick-hits: ERM performance plan
• Conduct executive workshop: Alignment on ERM framework / plan
Maturity scale: Initial, Established, Uniform, Managed, Optimizing (moving from Risk toward Opportunity)
Current State Assessment
• Risk management is becoming more complex
• Most companies have a wide range of risk management activities underway: ERM, Sarbanes-Oxley, Compliance, Operations, Risk committees
• Unfortunately, many companies lack a coherent vision for risk management
• Senior management and board members often have differing views of what information they would like to see from risk management
• Rating agencies are assessing risk management quality as part of their overall rating process (S&P, Fitch)
Risk Maturity Benchmarking
Sample Risk Maturity Benchmark
Dimensions assessed: Risk Leadership; Risk Strategy & Policies; People; Partnerships; Processes; Risk Handling; Outcomes. Rows: Results, Measures, Capabilities.
Maturity levels:
• Risk Aware, Level 1 (Awareness / Understanding): awareness of need but little action.
• Risk Defined, Level 2 (Implementation Planned): formal approaches to managing risk in place and partially implemented.
• Risk Defined, Level 3 (Implementation completed in key areas): formal approaches to managing risk in place and widely implemented.
• Risk Managed, Level 4 (Embedded and improving): integrated approaches to managing risk are implemented across boundaries.
• Risk Enabled, Level 5 (Excellent capability established): fully embedded in day-to-day business processes and strategies.
Maturity: Building Risk Capabilities
Systematically build and improve risk management capabilities (moving from Risk toward Opportunity):
• Initial: capabilities are characteristic of individuals, not of the organization
• Established: process established and repeating; reliance on people is reduced
• Uniform: policies, processes and practices defined and formalized across the organization
• Managed: risks measured, managed and aggregated on an enterprise-wide basis
• Optimizing: organization focused on RM as a source of competitive advantage and continuous improvement
Risk Identification & Prioritization
Activities and deliverables:
• Risk categorization and scoring criteria: Risk hierarchy and criteria
• Conduct interviews / surveys: Internal risk identification
• Benchmark client’s public risk factors: External risk identification
• Consolidation and aggregation of identified risks: Risk register
• Conduct risk workshop: Prioritized risk map
Supporting slides: Calibrate Definitions and Criteria; Risk Categorization and Scoring Criteria; Prioritized Risk Map
Risk Quantification
Activities and deliverables:
• Develop risk scenarios and correlations: Risk scenarios
• Modeling key risks: Individual risk quantification and prioritization
• Calculate aggregate risk exposures: Aggregate impact of key risks on the company’s value and financial performance
Risk Quantification / Valuation
Step 1: Develop Risk Scenarios
• Conduct interviews with risk experts
• Develop risk scenarios and associated financial impact
• Gather existing facts / historical data points
Step 2: Develop Baseline Valuation Model
• Build baseline valuation model; project financials consistent with strategic plan
• Adapt model to dynamically accommodate risks/scenarios, value drivers and key metrics
Step 3: Run Model to Quantify Risks
• Shock model for each risk/scenario
• Aggregate risks
• Quantify impact to value and other key metrics
• Provide basis for decision-making
ERM Value Propositions
• Improved resource allocation: keeping resources focused on those activities that matter most to the organization
• Increased operational efficiency
• Greater transparency of risk: common and deep knowledge of critical business and organizational risks
• Possible reduction in earnings volatility
• Optimized capital allocation: structured process to allocate capital based on those businesses that are the most risky to the organization
• Improved regulatory standing
• Consistent framework for risk: everyone in the organization has the ability to define, treat, and manage risk in a homogeneous fashion
• Enhanced risk reporting
• Improved compliance
• Enhanced risk corporate governance: provides confidence that risks are being identified and managed in a constructive fashion
Defining Value – One View
Risk Adjusted Income Statement (2008 / 2009 / 2010)
REVENUE
  Sales: 642,100 / 670,965 / 701,292
  Other Operating Revenue: 14,482 / 14,626 / 14,773
  Total Revenue: 656,582 / 685,591 / 716,065
OPERATING EXPENSES
  Salaries, Wages and Benefits: 310,667 / 323,093 / 336,017
  Supplies and Services: 289,850 / 309,593 / 330,750
  Total Operating Expenses: 600,517 / 632,686 / 666,767
(LOSS) INCOME FROM OPERATIONS: 56,065 / 52,906 / 49,298
OTHER INCOME (EXPENSE)
  Interest and Dividends: 28,419 / 28,704 / 28,991
  Current State Risk Exposure: (16,000) / (17,326) / (15,683)
  Mitigation Costs: (2,784) / (2,812) / (2,840)
  Mitigation Impact on Current State Risk: 14,326 / 16,532 / 12,031
  Total Other Income (Expense): 23,961 / 25,098 / 22,499
NET PRETAX INCOME: 80,026 / 78,003 / 71,796
Defining Value – Alternate View
(Chart: Aggregate Loss Distribution, probability density 0 to 0.07 against loss 0 to 45)
(Chart: Competing Mitigation Strategies, probability 0% to 20% against outcome -6 to 16)
Value-centric ERM framework
ERM Model (∆Value)
Process key: Risk Identification; Risk Quantification; Risk Management
• Risk Identification: Surveys; All Risks; Key Risks
• Risk Quantification: Scenario Development; Individual Risk Quantification & Ranking; Determine Portfolio Effect; Enterprise Risk Exposure (Value)
• Risk Management: ERM Committee Consensus Meeting; Risk Appetite / Strategy; Risk Management Tactics
Sample Output (partial data)
Risk Distribution Report
Risk: IT External Attack (Risk #4)
Risk Scenario: Likelihood / Value
• Worst Case: 1-in-30 year event / -7.5%
• Pessimistic: 1-in-10 year event / -2.4%
• Best Estimate: Most Likely / ---
• Optimistic: 1-in-15 year event / 0.1%
• Best Case: 1-in-50 year event / 0.2%
Key Risks: Rank by Value Impact of Worst Case Scenario (chart, scale -20.0% to 0.0%; risks in chart order: Risk 11, Risk 1, Risk 8, Risk 7, Risk 4, Risk 9, Risk 12, Risk 10, Risk 15, Risk 6, Risk 13, Risk 3, Risk 5, Risk 14, Risk 2)
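As an added example (not part of the original presentation), the scenario table above can be turned into each risk's annual value-impact distribution, ranked by worst case, and convolved across independent risks into the aggregate distribution that the quantification steps (develop scenarios, shock the model, aggregate risks) describe. The Risk #4 figures are those on the slide; Risks #2 and #10, their ids, and the independence assumption are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Scenario:
    name: str
    return_period_years: float  # "1-in-N year event": annual probability is 1/N
    value_impact: float         # fractional change in enterprise value (-0.075 = -7.5%)

    @property
    def annual_probability(self) -> float:
        return 1.0 / self.return_period_years


@dataclass(frozen=True)
class Risk:
    risk_id: int
    name: str
    scenarios: List[Scenario]

    def distribution(self) -> Dict[float, float]:
        """Discrete annual distribution of value impact for this risk."""
        # Scenarios are treated as mutually exclusive annual events; the
        # 'best estimate' outcome (plan achieved, impact 0) takes the residual
        # probability so the distribution sums to one.
        dist: Dict[float, float] = {}
        for s in self.scenarios:
            dist[s.value_impact] = dist.get(s.value_impact, 0.0) + s.annual_probability
        residual = 1.0 - sum(dist.values())
        if residual < 0.0:
            raise ValueError(f"risk {self.risk_id}: scenario likelihoods exceed 100%")
        dist[0.0] = dist.get(0.0, 0.0) + residual
        return dist

    def expected_impact(self) -> float:
        """Probability-weighted annual change in value."""
        return sum(v * p for v, p in self.distribution().items())

    def worst_case(self) -> float:
        """Most negative value impact among the scenarios."""
        return min(s.value_impact for s in self.scenarios)


def rank_by_worst_case(risks: List[Risk]) -> List[int]:
    """Risk ids ordered by worst-case value impact, largest loss first."""
    return [r.risk_id for r in sorted(risks, key=lambda r: r.worst_case())]


def aggregate_distribution(risks: List[Risk]) -> Dict[float, float]:
    """Exact distribution of total value impact across independent risks."""
    # Convolving the per-risk distributions is the 'determine portfolio
    # effect' step: a 10% drop can come from one large event or from several
    # smaller ones landing in the same year.
    total: Dict[float, float] = {0.0: 1.0}
    for risk in risks:
        combined: Dict[float, float] = {}
        for v1, p1 in total.items():
            for v2, p2 in risk.distribution().items():
                v = round(v1 + v2, 9)  # canonical key; avoids float-noise duplicates
                combined[v] = combined.get(v, 0.0) + p1 * p2
        total = combined
    return total


def tail_probability(dist: Dict[float, float], threshold: float) -> float:
    """P(total impact <= threshold), e.g. -0.10 for a 10% or greater decrease
    in value, the event a risk appetite statement sets a tolerance for."""
    return sum(p for v, p in dist.items() if v <= threshold)


def build_sample_risks() -> List[Risk]:
    it_attack = Risk(4, "IT External Attack", [  # figures from the slide
        Scenario("Worst Case", 30, -0.075),
        Scenario("Pessimistic", 10, -0.024),
        Scenario("Optimistic", 15, 0.001),
        Scenario("Best Case", 50, 0.002),
    ])
    supply_chain = Risk(2, "Distribution or supply chain failure", [  # constructed
        Scenario("Worst Case", 20, -0.05),
        Scenario("Pessimistic", 5, -0.01),
    ])
    data_loss = Risk(10, "Loss of data", [  # constructed
        Scenario("Worst Case", 25, -0.03),
    ])
    return [it_attack, supply_chain, data_loss]


if __name__ == "__main__":
    risks = build_sample_risks()
    for r in risks:
        print(f"Risk #{r.risk_id}: worst {r.worst_case():+.1%}, expected {r.expected_impact():+.3%}")
    print("Rank by worst case:", rank_by_worst_case(risks))
    print(f"P(value decrease of 10% or more): "
          f"{tail_probability(aggregate_distribution(risks), -0.10):.2%}")
```

With the constructed inputs the chance of a 10% or greater decrease in value is about 0.31% per year, well under the 15% current-state figure in the risk appetite table later on; swapping in real scenario tables and a dependence model is where the actual work lies.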
Risk Response Solution
Activities and deliverables:
• Determine risk tolerance: Defined risk tolerance
• Identify risk response solution options: Risk response solutions
• Evaluate and select risk response solution: Risk response business case
Risk Appetite - One View
$ in millions. Sources: 2007 budget, metric & threshold input.
Columns on the slide: Metrics; FY07; FY07E; Defined Goal; Impact of $100 million pre-tax losses on metric; Financial Buffer (RBC). The two metric values per row are given in the order extracted; their assignment to the FY07 / FY07E / Defined Goal columns is not recoverable from the transcript.
• Operating Margin: 40.5%, 40.1%; impact -81 bps; financial buffer $0. Threshold is not expected to be achieved in FY07.
• Cash / Months Operating Expense: 12.0, 8.9; impact -0.11 months.
• Total Debt / CFO: Not Available, 73.6; impact +155 bps; financial buffer Not Available.
• Free Cash Flow: $1,400, $1,883; impact -$53 million; financial buffer $750.
• EPS Growth (from 2006): 22.5%, 25.0%; impact -260 bps; financial buffer $60.
Risk Appetite - Alternate View
Enterprise Risk Exposure
Event: Probability (Current State) / Probability (Target for Future State)
• 5% increase in EPS: 5% / ?
• Achieving strategic plan goals: 35% / ?
• 10% decrease in value: 15% / ?
Is the ERM Committee comfortable with the current state? If not, what do they want it to be? The answers result in tolerance thresholds collectively called Risk Appetite.
(Chart dimensions: EPS Growth; Value; Rev Growth; Other)
Risk Response Solution
Risk Response Strategies
• Terminate: exit the risk area
• Mitigate: preventative, corrective, directive, detective controls
• Transfer (financing solutions): insurance, capital markets, contractual transfer, hybrid
• Exploit: explore the upside of risk by taking new opportunities
• Tolerate: make a conscious decision to tolerate the risk
Evaluating Solutions
(Chart: Total Cost of Risk against Cumulative Probability (85%, 95%, 99.9%), comparing Current Mitigation with a Mitigation Option Being Considered against the Risk Tolerance line; the option carries an Increased Mitigation Cost and an Increase in Likelihood of Meeting Risk Appetite)
Management selects ERM actions that move enterprise risk exposure towards risk appetite, for example:
(Chart: distribution of Value, Risk Exposure Pre-Mitigation vs. Risk Exposure Post-Mitigation)
Risk Management Implementation
Activities and deliverables:
• Develop risk response plan: Risk management project plan
• Obtain support of risk management leaders: Project governance structure
• Develop teams and tools: Resource allocation, communication and training
• Implement projects: Program management
• Define metrics and implement monitoring tools: Risk platform and scorecards
Risk Management Implementation
ERM Multi-Year Project Plan (2007 to 2009; the slide shows the timing of each workstream)
• Define Risk Strategy
• Establish Risk Appetite
• Develop Risk Profiling
• Develop Cost of Risk Model
• Comprehensive Risk Mapping
• Risk Modeling / Expanded Risk Assessment
• Captive Optimization / Portfolio Risk Modeling
• Technology implementation
• Global Optimization
• Legacy Claim Projects
• Evaluate Data Strategy
• Legacy Claim Evaluation
• Captive Strategy
• M & A Process Evaluation
ERM Enabling Technologies
There are many technologies related to risk in general and to ERM in particular.
– Use a selection process as with any tool/technology:
• Analysis: RFI/RFP
• Vendor discussions and “bake-off” with a prototype
• Design: purchase on a trial basis
• Full deployment
Dashboards & Governance
ERM Dashboard Applications: ERM Monitoring and Reporting
• Drives accountability
• Facilitates “dashboard” reporting
• Automates tracking of Key Risk Indicators
Governance, Culture and Disclosure
Key activities and client deliverables:
• Develop detailed ERM frameworks and governance: Policies, manuals, committees, roles and accountabilities
• Develop internal risk communication and awareness program: Rollout of communication and awareness program
• Develop external communication strategy: Enhanced communication with rating agencies, equity analysts and regulators
• Monitor risk performance against defined metrics: Reporting on KPIs
• Develop continuous improvement process: Improvement processes and accountabilities
Governance, Culture and Disclosure
ERM Framework and Governance
(Organization chart: Board of Directors; Executive Committee; COO, CFO, Chief Risk Officer, CIO, CLO; ERM Function; Business Units A, B and C; Divisions A, B and C; Functional, support and shared services; Internal Audit, Risk Management, Compliance)
Governance: Partnership is Key
• Board: set policy; approve risk strategy; enforce correction; provide tone from the top
• Audit Committee: establish policy; propose risk strategy; measure / monitor; report to Board on key matters
• ERM Working Group*: monitor; coordinate; educate; facilitate; benchmark; report
• Business/Functional Risk Owners: identify risk; measure risk; prioritize risk; manage risk; report and improve
• Internal Audit: provide assurance; conduct risk-based audits
• Compliance/Ethics: act as functional risk owner; manage legal risks; foster an ethical environment
*possibly chaired by CRO
Governance, Culture and Disclosure
Example deliverables: ERM Project Plan, ERM Manual (sample documents prepared for “Client ABC”)
External Risk Disclosure Analysis
Annual 10-K reports are a primary risk information source for investors and the public.
• How was this list developed?
• How was the order of the risks determined?
• Were the impacts of these risks quantified?
• How will investors react if an unmentioned risk results in significant loss of market value?
• How does your list compare to your competitors’?
Comparative Analysis
• A comprehensive ERM program can ensure that the 10-K risk factor list is complete and in appropriate order.
• Review the risks listed in the 10-K report:
– Is anything missing?
– Are the risks listed in an order that is representative of their impacts?
– Have these risks been quantified?
• How would investors or regulators react if an unmentioned risk results in significant loss of value?
Comparing Risk Disclosures
Analyzing Competitors’ Disclosures
Regular review of competitors’ risk disclosures is vital to:
• Ensure that your risk disclosure is complete
• Keep tabs on changes in the industry environment
(Matrix: Strategic Review of Annual Reports / Regulatory Filings. Legend: Green = Declared; Red = Not Declared; Orange = Not Relevant)
ERM – Commonly Cited Challenges
• Inability to demonstrate immediate, quantifiable return on investment
• Internal competition among business units
• Cultural incompatibility
• Limited technology / tools
• Inadequate senior-level support
ERM - Critical Success Factors
• Senior management support
• Clearly defined vision
• Regular and open communication among the team
• Realistic expectations regarding timelines and deliverables
• Sufficient resource allocation for implementation and follow-through
• Linkage to organizational success factors, strategies and processes
ERM Potential Benefits
Establish Sustainable Competitive Advantage
• Integrate with business planning and value management processes
• Avoid missing key risks and losing vital opportunities
• Optimize balance between capital preservation and growth/profit-generation
Manage Risk at a Lower Cost
• Minimize risk averse behavior
• Develop cost-effective risk strategies and solutions
• Eliminate redundant or unnecessary risk controls
Improve Business Performance
• Support more informed/proactive risk management decisions aligned with business objectives/strategies
• Link to enterprise performance, measurement and monitoring
• Reduce volatility and prevent surprises
ERM Gap Analysis
Phase I: Information Gathering
• Conduct interviews / gather information
• Identify risk universe
• Define and develop cost of risk data
• Conduct gap analysis
Phase II: Setting the Stage
• Develop overall risk management vision
• Create risk management scorecard / gap analysis
• Identify key risk projects / activities needed to achieve risk management excellence
• Understand cost / benefit of potential risk management strategies
Phase III: Executive Support
• Obtain support of risk management leaders
• Present overall objectives and plan to senior management
• Develop teams and tools
Phase IV: Implementation
• Get moving
• Deliver defined projects
• Update progress toward overall vision
• Measure performance
• Create linkage to next steps
• Build feedback loop to ensure continued progress toward goals
Risk Management Vision
• Risk management vision transcends the various projects and activities that comprise risk management within an organization
• In order to define risk management vision, the company must resolve a series of key questions:
– What are the goals of the company’s risk management efforts?
– How does the company define risk management excellence?
– What is the current state of risk management?
– Where are the gaps?
– What are the priorities?
– How will success be measured?
• In the end, risk management must deliver measurable impact on the company’s operating performance
Key Risk / Performance Indicators
• What are the KRIs?
• How do I get them?
• How often do I get them?
• What do I do with them?
• Foundation understanding of: frequency, source and meaning
KRI’s - Example
Focus on Value
(Repeats the value-centric ERM framework diagram shown earlier: Risk Identification, Risk Quantification and Risk Management feeding the ERM Committee Consensus Meeting, Risk Appetite / Strategy and Risk Management Tactics)
Case Study #1: Fast Growing Company
• Highly successful, profitable company
• Recent patent litigation surprise created temporary cash and credit crunch
• Audit committee wanted an overview of key risks facing the company
• Risk committee was formed to coordinate the effort
• Team conducted interviews with over 50 executives, supplemented by over 80 surveys
Project Objectives
• Has the company identified all its critical risks?
• Does the company have effective controls for managing its critical risks?
• Are the risks greater now than they were 12 - 24 months ago (earnings pressure, continued acquisitions and internal strategic initiatives)?
• Are these risks within acceptable limits?
• Is the right level of information reported to Senior Management and the Board?
Project Results
• Provided information to senior management and the Audit Committee
• Developed models for key risks based on potential impact on:
Revenue
EPS
Cash
Reputation
• Examined current and potential risk mitigation opportunities, including risk transfer and self-funding
• Created a framework for more effective decision-making regarding supply chain management, site selection and inventory management
Case Study #2: Manufacturing Company
• Company had a well-developed risk management process
• Top risks for each of the business were routinely assessed and evaluated
• Due to lack of internal data, limited effort had been made to quantify the potential impact of events
• Recent supply chain problems had highlighted previous unmeasured vulnerabilities
• Project team developed customized risk models for the top five risks of each business unit
Project Results
• Delivered working risk models to each business unit
• Risk models were used to develop “underwriting models” for potential risk transfer / mitigation solutions
• Company expanded the use of existing captive insurance company and finite risk insurance arrangements to address key issues
• Event risk maps helped uncover critical decision points that could substantially alter the overall risk exposure
• Changes were made in supply contracts, inventory levels and contingent business interruption coverage as a result of the analysis
Case Study #3: Consumer Products
• Fortune 100 consumer products company
• Treasurer and Risk Manager had identified 17 key risks under their charge
• Company wanted to develop a quantitative approach to better evaluate risk decisions
• Solution: Risk modeling project to help evaluate the optimal risk strategy
Project Results
• Project focused on the analysis of internal and external risk data
• Creation of individual and portfolio risk models
• Risk mitigation and transfer alternatives were tested using the models, resulting in significant changes
• Company was able to demonstrate the value of additional risk retention and the use of internal funding (via a captive insurance subsidiary)
• Risk finance and mitigation resources were reallocated to optimize the company’s risk management efforts
Case Study #4: Hospital
• Medium-sized hospital looking to achieve excellence in health care by surpassing standards set in “The New American Hospital” and the Malcolm Baldrige National Quality Award
• Key objective: conduct a comprehensive risk assessment
• Project involved:
Interviews with key personnel (management, physicians and nurses)
Creation of a risk inventory
Benchmarking of current risk management approaches and quality of care against industry standards and best practices
Evaluation of current risk mitigation methods
Hospital ERM Project Results
• Identified and prioritized key enterprise risks
• Recommended improved approaches for risk management
• Opportunities for improvement included:
Implementation of clinical best practices and rapid response teams to reduce cardiac complication rates
Diversification of services to counteract the impact of Medicare reform
Contingency planning around key physicians and sole-source service providers
Improvement of the contract oversight and document retention process to minimize legal liabilities
Case Study #5: Capital One
Capital One's stock plummeted by 39%, falling from a $50.60 per share close on July 16 to $30.48 per share by the close of July 17; a drop of roughly $4B in market value.
Capital One signed an "informal memorandum of understanding" with bank regulators. More than a dozen class actions were filed charging the credit card issuer with securities fraud for misleading shareholders about its financial health and its compliance with bank regulations.
July 2002, 8K filing: the company publicly commits to enhance its enterprise risk management and internal control environment.
Risk management capabilities designed and implemented across the organization.
ERM Process: Enhanced Future State
(Diagram: the ERM Process spans Line of Business Operations and Risk Metrics and feeds Risk-Adjusted Decision Making; outcomes: Improved Business Performance; Improved Risk Predictability and Measurement; Integrated into Operational Business Processes)
Suggestion: Adopt a Pilot Approach
• Start small and grow big
• Select a locale with engaged management and non-complex products or customers
• Establish proof of the ERM concept – quicker benefits
• Accomplish process objectives in a shorter timeframe
• Learn from successes/mistakes to roll out the ERM process across the organization
Overview of a Pilot
Perform facilitated session and/or interviews with select internal and external experts to identify and assess risks and risk management processes
Analyze risks for causal factors, effects, and interrelationships
Establish criticality of risk and prioritize; map key risks
Establish risk management options, action plans, etc.
Summarize data of most significant risks
(Risk map: Frequency against Severity in $ millions, with severity bands from <5 through >100M. Legend: High Impact; Moderate Impact; Low Impact; Partial / Full Mitigation; No / Minimal Mitigation. Risks plotted: H2, O2, H3, S1, F2, O1, L1, O3, S2, H1, O4, T2, F1, T1, O5)
Risk inventory:
Strategic
• S1 – Partnering arrangements
• S2 – Changing industry dynamics
Operational
• O1 – New initiative integration/success
• O2 – Business continuity
• O3 – Product quality
• O4 – Centralized distribution
• O5 – Hazard risk
Human Capital
• H1 – Succession planning
• H2 – Turnover
• H3 – Human capital development
Legal/Regulatory
• L1 – Political pressure around drug affordability
Technology
• T1 – Intellectual property
• T2 – Information security
Financial
• F1 – Currency fluctuations
• F2 – Commodity prices
Risk Assessment Pilot: sample risk card
Risk: Information Technology – Network Security
Definition:
• Ability to safeguard proprietary knowledge from a security breach which could damage financials, brand and reputation
• Intentional, coordinated and/or hidden sabotage of systems, software or processes by internal or external parties
Risk Owner(s): Chief Technology Officer; IT Department; Security
Current Metrics:
• Number of viruses per month
• Minutes of downtime per month
• Backup processes double checked weekly
Current State: severity level shown on the card
Action Plans
Current:
• Up-to-date anti-virus and system firewall protection
• Disaster recovery plans
• Network backup planning
• Software and data backups
• Backup power supply
Recommended:
• Intrusion detection and vulnerability detection equipment and software
• Destruction of old hard drives from redundant computers
• Ensure no single point of failure
• Redundant hardware systems
Estimated Investment:
• Additional IT staff personnel
• Purchase of intrusion detection and vulnerability detection equipment
• Continual investment in updating software
Review current company and business objectives/risk management objectives; evaluate current risk management infrastructure and capabilities.
KRI example (chart: # Departures for 2006, 2007 est., 2008 est. and Target; chart labels: September, November)
Target: Reduce voluntary employee departures by 10% by 2008
Questions to Consider
• Is ERM adding value for your organization?
• Is the ERM effort stalled or is progress being made?
• Are there parallel risk management efforts that fall outside of the ERM process?
• What can be done to automate portions of the ERM process?
• Are there high impact “drill-down” projects that will deliver ERM value?
• Is ERM sustainable after the project team has moved on to other assignments?
Barry Franklin, FCAS, MAAA, Aon Global Risk Consulting
Confidentiality
We recognize that our clients’ industries are extremely competitive and maintaining confidentiality is of the utmost importance. Accordingly, Aon takes seriously its obligation to protect the confidentiality of client information.
Similarly, we view our approaches and insights as proprietary and therefore look to our clients to protect Aon interests in our presentations, methodologies, and analytical techniques. Under no circumstances should the material in this report be shared with any third party without the written consent of Aon.
Copyright © 2007 Aon