Enterprise Risk Management: Practical Implementation Barry Franklin Group Managing Director, Americas Aon Global Risk Consulting November 2007


Page 1: 03 25 franklin

Enterprise Risk Management: Practical Implementation

Barry Franklin, Group Managing Director, Americas

Aon Global Risk Consulting

November 2007

Page 2: 03 25 franklin

Discussion Topics

• Preliminaries

• Defining ERM

• ERM drivers

• Recent survey results

• Defining “Risk”

• Balancing diverse views - consistent framework

• A value-driven approach to ERM

• Implementation challenges

• Case studies

Page 3: 03 25 franklin

What is ERM?

ERM is the process by which companies identify, measure, manage, and disclose all key risks to increase value to primary stakeholders while satisfying other stakeholders.

Page 4: 03 25 franklin

What is ERM?

• Process: A systematic and sustained business process

• Measure: Consistent metrics adopted in an integrated manner across the organization

• Manage: Focused on enabling management decision making and enabling exploitation of business opportunities

• Disclose: Enabler of meaningful and transparent disclosure to key stakeholders

• Holistic: Integrated approach to Financial, Operational, Strategic and Regulatory risks

• Material risks: Analyzing & quantifying the organization's significant risks

• Value: Balanced perspective on uncertainty, managing threats and capturing opportunities

• Stakeholders: Focused on delivering the organization's key stakeholder needs and expectations

Page 5: 03 25 franklin

Related Risk Management Processes

• Enterprise Risk Management (ERM) is often identified with Strategic Risk Management (SRM) or Governance, Risk and Compliance (GRC). Common elements are:

• Process applied consistently across company

• Driven from the top of the organization

• Takes a proactive, forward-looking view

• Considers both risks and rewards

• Integrates risk management into business process

• Assigns clear risk ownership

Page 6: 03 25 franklin

Driving Forces Behind ERM

Corporate Disasters: Enron, WorldCom, Adelphia, Mutual Funds

Industry Initiatives: Treadway Report (US), Turnbull Report (UK), Dey Report (Canada)

Best Practices: Banks, Asset Managers, Energy Firms, Corporations

Regulatory Actions: S.E.C., Sarbanes-Oxley, Basel II

[Diagram: the four forces above converge on Enterprise Risk Management]

Page 7: 03 25 franklin

Executive Research Key Findings

• Most companies are making some progress

• Greater board and CEO involvement

• More awareness across organizations

• Faster adoption outside of North America

• Few companies have progressed to “advanced” level

• Slower progress than originally expected

Page 8: 03 25 franklin

Key Drivers

[Bar chart, share of respondents, 2004 vs 2006 (axis 0% to 80%): Board Request; Regulatory Pressures; Understand Hard to Quantify Risks; Corporate Governance Requirements]

Source: The Conference Board

Page 9: 03 25 franklin

Key Objectives 2006

• Ensure risk considered in decision making 83%

• Avoid surprises 85%

• Integrate risk management into corporate processes 70%

• Align risk exposures & mitigation 65%

• Use risk management as competitive tool 36%

Source: The Conference Board

Page 10: 03 25 franklin

Integration into Business Processes

[Bar chart by region, 2004 vs 2006 (axis 0% to 80%): United States/Canada; UK/Europe; Rest of the World. Values as extracted: 39.8%, 65.9%, 75.0%, 71.2%, 53.8%, 75.0%]

Source: The Conference Board

Page 11: 03 25 franklin

Building the Process

[Bar chart, 2004 vs 2006 (axis 0% to 80%): Common Risk Language; Regular Risk Assessment; Mission Statement; Business Risk Inventory]

Source: The Conference Board

Page 12: 03 25 franklin

Building the Process

[Bar chart, 2004 vs 2006 (axis 0% to 80%): Tolerances; Regular Board Reports; Individual Risk Ownership; Root Cause Analysis]

Source: The Conference Board

Page 13: 03 25 franklin

Risk Management Integration

[Bar chart, 2004 vs 2006 (axis 0% to 70%): Product Pricing; New Product Development; Strategic Planning; Internal Audit]

Source: The Conference Board

Page 14: 03 25 franklin

Greatest Benefits

[Bar chart, 2004 vs 2006 (axis 0% to 80%): Governance; Articulate Risk Taking; Management Consensus; Better Informed Decisions]

Source: The Conference Board

Page 15: 03 25 franklin

Key Risks - Americas

• Damage to reputation

• Business interruption

• Third party liability

• Distribution or supply chain failure

• Market environment

• Regulatory/legislative changes

• Failure to attract or retain staff

• Technology failure

• Failure of disaster recovery plan

• Loss of data

Source: 2007 Aon Global Risk Management Survey

Page 16: 03 25 franklin

Level of Preparedness

[Bar chart of preparedness by risk. Risks as extracted: Damage to Reputation; Business interruption; Third party liability; Distribution or supply chain failure; Market environment; Regulatory/legislative changes; Failure to attract or retain staff; Market risk; Physical damage; Merger/acquisition/restructuring; Failure of disaster recovery plan. Values as extracted: 48%, 70%, 75%, 63%, 35%, 41%, 55%, 56%, 77%, 69%, 65%]

Source: 2007 Aon Global Risk Management Survey

Page 17: 03 25 franklin

Business Activity Priorities

Business Activities | Current Priority Ranking | Priority Ranking – Next 2 Years
Risk identification, quantification and analysis | 1 | 1
Regulatory compliance and reporting | 2 | 3
Loss control / prevention | 3 | 4
Managing risk on an enterprise-wide basis | 4 | 2
Risk communication – internally with management and operations | 5 | 5
Emergency / contingency planning | 6 | 6
Insurance buying | 7 | 9
Risk financing | 8 | 7
Claims management | 9 | 8
Risk communication – externally with business partners | 10 | 10

Source: 2007 Aon Global Risk Management Survey

Page 18: 03 25 franklin

Responding to Changing Risks

[Bar chart. Activities: Identify major risks; Assess probability and impact; Determine limits for insurance. Approaches: External service/advisor; Benchmarking; Quantitative analysis; Management intuition and experience. Values as extracted: 42%, 29%, 19%, 32%, 46%, 22%, 29%, 23%, 11%, 8%]

Source: 2007 Aon Global Risk Management Survey

Page 19: 03 25 franklin

Identification of Major Risks

[Bar chart by region (Asia/Pacific; Europe; The Americas; All). Methods: Other; External service provider/advisor; Business Unit registers or key risk indicator worksheets; Senior management intuition and experience; Board workshops or scenario planning. Values as extracted: 3%, 12%, 5%, 7%, 19%, 23%, 55%, 42%, 45%, 55%, 18%, 32%, 19%, 4%, 7%, 8%, 13%, 5%, 14%, 11%]

Source: 2007 Aon Global Risk Management Survey

Page 20: 03 25 franklin

What is Risk?

• Risk can be defined as the potential harm that may arise from some present process or from some future event.

• In everyday usage, "risk" is often used synonymously with "probability", but in professional risk assessments, risk combines the probability of a negative event occurring with how harmful that event would be.

• Risk can also be viewed as “volatility from expected.” This definition captures both the upside and downside of risk.

Page 21: 03 25 franklin

What is Risk?

Financial

• Includes the fluctuating cost of fuel, interest rates and access to capital

Human Capital

• A growing area of exposure in today’s labor market including employee selection, retention and turnover, absenteeism, compensation and labor relations

Legal / Regulatory

• Incorporates liabilities for employment, defamation and other allegations, including regulatory change and governance requirements

Page 22: 03 25 franklin

What is Risk?

Operational

• Includes day-to-day business challenges across all functional platforms, including the drive for efficiency, optimal use of outsourcing and business continuity

Strategic

• Includes organizational planning, such as the strategic response to changing customer preferences, competition, reputation/brand, innovation, etc.

Technology

• Includes system failure, network liability, internet security and other technology-related risks

Page 23: 03 25 franklin

Public Company – View of ERM

• A strategic mechanism for effective risk identification and containment

• Ensures that business objectives are balanced with:

  • Corporate governance initiatives

  • Risk mitigation initiatives

  • Enhanced and timely business decisions

  • Enhanced profitability

  • Long-term growth

• Goal to maximize shareholder value for the enterprise as a whole

• Greatly influenced by Sarbanes-Oxley and SEC in the U.S.

Page 24: 03 25 franklin

Private Company – View of ERM

• Short Term:

  • Drives structured and disciplined approach to risk management:

    • Provides methodology for measuring business risks

    • Increases awareness of risks and potential risks

• Long Term:

  • Ability to aggregate risks and benefit from enterprise effects

  • Better capital allocation and competitive position

  • More effective strategic and operational planning

  • Ensures execution of the Core Competency

Page 25: 03 25 franklin

Balancing Diverse Interests

[Diagram: Enterprise Goals & Objectives at the centre, with ERM balancing four sets of interests along two axes, Value Creation / Performance versus Financial Strength / Conformance, and External versus Internal]

Returns (external, value creation): Shareholders, Investors, Partners

Growth (internal, performance): Bus. Units, Managers

Capital (external, financial strength): Debtholders, Agencies, Regulators

Governance (internal, conformance): Controls, Compliance

Page 26: 03 25 franklin

COSO – A Starting Point for ERM

The COSO ERM Framework consists of 8 interrelated components and 4 objectives.

Elements of ERM as outlined in the framework:

• Is a process

• Is effected by people

• Is applied in strategy setting

• Is applied across the enterprise

• Is designed to identify potential events

• Manages risks within risk appetite

• Provides “reasonable assurance”

• Supports achievement of key objectives

Source: COSO ERM Framework

Page 27: 03 25 franklin

Using a Value-Driven Approach

Start with a skilled assessment of your business and ERM needs to ensure that the approach and outcomes are well matched to your needs.

ERM outcome - value: Growth, Profitability, Continuity

ERM process: Evaluate Risk Process → Risk Identification & Prioritization → Risk Quantification → Risk Response Solution → Risk Management Implementation

ERM management: Governance, Culture and Disclosure

Page 28: 03 25 franklin

Evaluate Risk Process

Activities | Deliverables
Gather information on current status | Current state risk score card
Develop scorecard ranking current program vs. leading practice | Risk maturity benchmark
Develop future vision for ERM program | Key ERM goals & objectives
Develop gap analysis using scorecard format and identify quick-hits | ERM performance plan
Conduct executive workshop | Alignment on ERM framework / plan

Page 29: 03 25 franklin

Current State Assessment

[Maturity scale, from Risk toward Opportunity: Initial → Established → Uniform → Managed → Optimizing]

Page 30: 03 25 franklin

Current State Assessment

• Risk management is becoming more complex

• Most companies have a wide range of risk management activities underway: ERM, Sarbanes-Oxley, Compliance, Operations, Risk committees

• Unfortunately, many companies lack a coherent vision for risk management

• Senior management and board members often have differing views of what information they would like to see from risk management

• Rating agencies are assessing risk management quality as part of their overall rating process – S&P, Fitch

Page 31: 03 25 franklin

Risk Maturity Benchmarking

Sample Risk Maturity Benchmark

Capabilities assessed: Risk Leadership; Risk Strategy & Policies; People; Partnerships; Processes; Risk Handling. Results assessed: Outcomes; Measures.

Level 5 (= Excellent capability established): Fully embedded in day-to-day business processes and strategies.

Level 4 (= Embedded and improving): Integrated approaches to managing risk are implemented across boundaries.

Level 3 (= Implementation completed in key areas): Formal approaches to managing risk in place and widely implemented.

Level 2 (= Implementation planned): Formal approaches to managing risk in place and partially implemented.

Level 1 (= Awareness/Understanding): Awareness of need but little action.

Stage labels on the chart, from lowest to highest: Risk Aware, Risk Defined, Risk Managed, Risk Enabled.

Page 32: 03 25 franklin

Maturity: Building Risk Capabilities

Systematically Build and Improve Risk Management Capabilities (from Risk toward Opportunity)

Initial: Capabilities are characteristic of individuals, not of the organization

Established: Process established and repeating; reliance on people is reduced

Uniform: Policies, processes and practices defined and formalized across the organization

Managed: Risks measured, managed and aggregated on an enterprise-wide basis

Optimizing: Organization focused on RM as a source of competitive advantage and continuous improvement

Page 33: 03 25 franklin

Risk Identification & Prioritization

Activities | Deliverables
Risk categorization and scoring criteria | Risk hierarchy and criteria
Conduct interviews / surveys | Internal risk identification
Benchmark client’s public risk factors | External risk identification
Consolidation and aggregation of identified risks | Risk register
Conduct risk workshop | Prioritized risk map

Page 34: 03 25 franklin

Calibrate Definitions and Criteria

Risk Categorization and Scoring Criteria

Page 35: 03 25 franklin

Prioritized Risk Map

Page 36: 03 25 franklin

Risk Quantification

Activities | Deliverables
Develop risk scenarios and correlations | Risk scenarios
Modeling key risks | Individual risk quantification and prioritization
Calculate aggregate risk exposures | Aggregate impact of key risk on company’s value and financial performance

Page 37: 03 25 franklin

Risk Quantification / Valuation

Step 1: Develop Risk Scenarios

• Conduct interviews with risk experts

• Develop risk scenarios and associated financial impact

• Gather existing facts / historical data points

Step 2: Develop Baseline Valuation Model

• Build baseline valuation model; project financials consistent with strategic plan

• Adapt model to dynamically accommodate risks/scenarios, value drivers and key metrics

Step 3: Run Model to Quantify Risks

• Shock model for each risk/scenario

• Aggregate risks

• Quantify impact to value and other key metrics

• Provide basis for decision-making

Page 38: 03 25 franklin

Defining Value – One View

ERM Value Propositions:

• Improved resource allocation

• Increased operational efficiency

• Greater transparency of risk

• Possible reduction in earnings volatility

• Optimized capital allocation

• Improved regulatory standing

• Consistent framework for risk

• Enhanced risk reporting

• Improved compliance

• Enhanced risk corporate governance

Supporting descriptions:

• Keeping resources focused on those activities that matter most to the organization

• Common and deep knowledge of critical business and organizational risks

• Structured process to allocate capital based on those businesses that are the most risky to the organization

• Everyone in the organization has the ability to define, treat, and manage risk in a homogeneous fashion

• Provide confidence that risks are being identified and managed in a constructive fashion

Page 39: 03 25 franklin

Defining Value – Alternate View

Risk Adjusted Income Statement

Line | 2008 | 2009 | 2010
REVENUE | | |
Sales | 642,100 | 670,965 | 701,292
Other Operating Revenue | 14,482 | 14,626 | 14,773
Total Revenue | 656,582 | 685,591 | 716,065
OPERATING EXPENSES | | |
Salaries, Wages and Benefits | 310,667 | 323,093 | 336,017
Supplies and Services | 289,850 | 309,593 | 330,750
Total Operating Expenses | 600,517 | 632,686 | 666,767
(LOSS) INCOME FROM OPERATIONS | 56,065 | 52,906 | 49,298
OTHER INCOME (EXPENSE) | | |
Interest and Dividends | 28,419 | 28,704 | 28,991
Current State Risk Exposure | (16,000) | (17,326) | (15,683)
Mitigation Costs | (2,784) | (2,812) | (2,840)
Mitigation Impact on Current State Risk | 14,326 | 16,532 | 12,031
Total Other Income (Expense) | 23,961 | 25,098 | 22,499
NET PRETAX INCOME | 80,026 | 78,003 | 71,796

[Chart: Aggregate Loss Distribution, probability density (0 to 0.07) against loss (0 to 45)]

[Chart: Competing Mitigation Strategies, probability (0% to 20%) against outcome (-6 to 16)]

Page 40: 03 25 franklin

Value-centric ERM framework

ERM Model

Risk Identification: Surveys → All Risks → Key Risks

Risk Quantification: Scenario Development → Individual Risk Quantification & Ranking → Determine Portfolio Effect → Enterprise Risk Exposure (∆Value)

Risk Management: ERM Committee Consensus Meeting → Risk Appetite / Strategy → Risk Management Tactics

Process Key: Risk Identification, Risk Quantification, Risk Management

Page 41: 03 25 franklin

Sample Output (partial data)

Risk Distribution Report

Risk: IT External Attack (Risk #4)

Risk Scenario | Likelihood | Value
Worst Case | 1-in-30 year event | -7.5%
Pessimistic | 1-in-10 year event | -2.4%
Best Estimate | Most Likely | ---
Optimistic | 1-in-15 year event | 0.1%
Best Case | 1-in-50 year event | 0.2%

[Bar chart: Key Risks Ranked by Value Impact of Worst Case Scenario (axis -20.0% to 0.0%), in order: Risk 11, Risk 1, Risk 8, Risk 7, Risk 4, Risk 9, Risk 12, Risk 10, Risk 15, Risk 6, Risk 13, Risk 3, Risk 5, Risk 14, Risk 2]

Page 42: 03 25 franklin

Risk Response Solution

Activities | Deliverables
Determine risk tolerance | Defined risk tolerance
Identify risk response solution options | Risk response solutions
Evaluate and select risk response solution | Risk response business case

Page 43: 03 25 franklin

Risk Appetite - One View

$ in millions. Sources: 2007 budget, metric & threshold input

FY07 Metrics | Defined Goal | FY07E | Impact of $100 million pre-tax losses on metric | Financial Buffer (RBC)
Operating Margin | 40.5% | 40.1% | - 81 bps | $0 (threshold is not expected to be achieved in FY07)
Cash / Months Operating Expense | 12.0 | 8.9 | - 0.11 months | 
Total Debt/CFO | Not Available | 73.6 | +155 bps | Not Available
Free Cash Flow | $1,400 | $1,883 | - $53 million | $750
EPS Growth (from 2006) | 22.5% | 25.0% | - 260 bps | $60

Page 44: 03 25 franklin

Risk Appetite - Alternate View

Enterprise Risk Exposure

Event | Probability (Current State) | Probability (Target for Future State)
5% increase in EPS | 5% | ?
Achieving strategic plan goals | 35% | ?
10% decrease in value | 15% | ?

Is the ERM Committee comfortable with the current state? If not, what do they want it to be? The answers result in tolerance thresholds collectively called Risk Appetite.

[Distribution charts: EPS Growth; Value; Rev Growth; Other]

Page 45: 03 25 franklin

Risk Response Solution

Risk Response Strategies: Terminate, Mitigate, Transfer, Exploit, Tolerate

• Terminate: Exit Risk Area

• Mitigate: Preventative, Corrective, Directive, Detective

• Transfer: Financing Solutions (Insurance, Capital Markets, Contractual Transfer, Hybrid)

• Exploit: Explore the upside of risk by taking new opportunities

• Tolerate: Make a conscious decision to tolerate the risk

Page 46: 03 25 franklin

Evaluating Solutions

[Chart: Total Cost of Risk (vertical axis) against Cumulative Probability (horizontal axis: 0%, 85%, 95%, 99.9%), with a Risk Tolerance line. Two curves, Current Mitigation and Mitigation Option Being Considered; the option shows an Increased Mitigation Cost and an Increase in Likelihood of Meeting Risk Appetite]

Page 47: 03 25 franklin

Evaluating Solutions

Management selects ERM actions that move enterprise risk exposure towards risk appetite, for example:

[Chart: value distributions for Risk Exposure Pre-Mitigation and Risk Exposure Post-Mitigation]
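The quantification steps on Page 37 (develop scenarios, build a baseline valuation model, shock and aggregate), the scenario table for IT External Attack on Page 41, the risk lines of the income statement on Page 39 and the tolerance comparison of Pages 46 and 47 can be carried through end to end. The block below is an added example written for this page; it is not code from the deck or from Aon. Risk #4 carries the scenario table printed on Page 41; everything else is assumed and labelled as such in the code: the two other risks, the baseline value, and the mitigation option (a 50% reduction of Risk #4's loss scenarios for 0.1% of value a year) are constructed, the risks are treated as independent (the deck's correlation step is omitted), and the "most likely" scenario takes the probability the tail scenarios leave over at zero impact.

```python
"""Scenario-based risk quantification and mitigation evaluation (added example)."""
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Scenario:
    name: str
    return_period_years: float  # "1-in-N year event", as on the Page 41 report
    value_impact: float         # fraction of baseline value; negative = loss


@dataclass(frozen=True)
class Risk:
    name: str
    scenarios: Tuple[Scenario, ...]

    def annual_distribution(self) -> List[Tuple[float, float]]:
        """(probability, impact) pairs; the most-likely baseline takes the remainder at zero impact."""
        pairs = [(1.0 / s.return_period_years, s.value_impact) for s in self.scenarios]
        tail = sum(p for p, _ in pairs)
        if tail > 1.0:
            raise ValueError(f"{self.name}: scenario probabilities sum to {tail:.3f} > 1")
        return pairs + [(1.0 - tail, 0.0)]

    def expected_impact(self) -> float:
        return sum(p * v for p, v in self.annual_distribution())

    def sample_year(self, rng: random.Random) -> float:
        """One simulated year; exactly one rng draw, so paired runs reuse the same draws."""
        u, cumulative = rng.random(), 0.0
        for p, v in self.annual_distribution():
            cumulative += p
            if u < cumulative:
                return v
        return 0.0


@dataclass(frozen=True)
class Mitigation:
    risk_name: str
    loss_reduction: float  # fraction by which the risk's loss scenarios shrink
    annual_cost: float     # fraction of baseline value, paid every year


def apply_mitigation(risks: List[Risk], m: Mitigation) -> List[Risk]:
    """New risk set in which the mitigated risk's loss scenarios are scaled down."""
    def shrink(s: Scenario) -> Scenario:
        v = s.value_impact * (1 - m.loss_reduction) if s.value_impact < 0 else s.value_impact
        return Scenario(s.name, s.return_period_years, v)
    return [Risk(r.name, tuple(shrink(s) for s in r.scenarios)) if r.name == m.risk_name else r
            for r in risks]


def aggregate_distribution(risks: List[Risk], trials: int = 20000, seed: int = 7) -> List[float]:
    """Monte Carlo portfolio effect: independent risks summed per simulated year, sorted ascending."""
    rng = random.Random(seed)
    return sorted(sum(r.sample_year(rng) for r in risks) for _ in range(trials))


def probability_within_appetite(samples: List[float], max_loss: float) -> float:
    """Share of simulated years whose aggregate impact is no worse than -max_loss."""
    return sum(1 for x in samples if x >= -max_loss) / len(samples)


def impact_at_cumulative_probability(samples: List[float], level: float) -> float:
    """Aggregate impact that only a (1 - level) share of simulated years fall below."""
    return samples[int((1 - level) * len(samples))]


def risk_adjusted_lines(baseline_value: float, current: List[Risk],
                        mitigated: List[Risk], m: Mitigation) -> Dict[str, float]:
    """The risk lines of the Page 39 income statement as expected annual amounts."""
    exposure = baseline_value * sum(r.expected_impact() for r in current)
    improved = baseline_value * sum(r.expected_impact() for r in mitigated)
    lines = {
        "Current State Risk Exposure": exposure,
        "Mitigation Costs": -baseline_value * m.annual_cost,
        "Mitigation Impact on Current State Risk": improved - exposure,
    }
    lines["Net Risk Effect"] = sum(lines.values())
    return lines


# Risk #4 carries the scenario table printed on Page 41; the other two risks, the
# mitigation option and the baseline value below are constructed for this example.
IT_EXTERNAL_ATTACK = Risk("IT External Attack (Risk #4)", (
    Scenario("Worst Case", 30, -0.075), Scenario("Pessimistic", 10, -0.024),
    Scenario("Optimistic", 15, 0.001), Scenario("Best Case", 50, 0.002)))
LOSS_OF_DATA = Risk("Loss of data (constructed)", (
    Scenario("Worst Case", 20, -0.04), Scenario("Pessimistic", 5, -0.01)))
BUSINESS_INTERRUPTION = Risk("Business interruption (constructed)", (
    Scenario("Worst Case", 25, -0.05), Scenario("Pessimistic", 8, -0.012)))
PORTFOLIO = [IT_EXTERNAL_ATTACK, LOSS_OF_DATA, BUSINESS_INTERRUPTION]
OPTION = Mitigation("IT External Attack (Risk #4)", loss_reduction=0.5, annual_cost=0.001)

if __name__ == "__main__":
    before = aggregate_distribution(PORTFOLIO)
    after = aggregate_distribution(apply_mitigation(PORTFOLIO, OPTION))
    print(f"P(loss <= 5% of value): {probability_within_appetite(before, 0.05):.3f} current, "
          f"{probability_within_appetite(after, 0.05):.3f} with option")
    for k, v in risk_adjusted_lines(100_000, PORTFOLIO, apply_mitigation(PORTFOLIO, OPTION), OPTION).items():
        print(f"{k:42s} {v:10,.0f}")
```

Because `sample_year` consumes exactly one random draw per risk per year, the unmitigated and mitigated runs with the same seed see the same scenario draws, so the option's effect on the tail is read off directly rather than being buried in simulation noise. The three dictionary lines reproduce the structure of the Page 39 statement (exposure, cost of mitigation, and the exposure recovered by it); a positive net effect means the option pays for itself in expectation, while the cumulative-probability comparison answers the Page 46 question of whether it also moves the tail inside the risk appetite.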

Page 48: 03 25 franklin

Risk Management Implementation

Activities | Deliverables
Develop risk response plan | Risk management project plan
Obtain support of risk management leaders | Project governance structure
Develop teams and tools | Resource allocation, communication and training
Implement projects | Program management
Define metrics and implement monitoring tools | Risk platform and scorecards

Page 49: 03 25 franklin

Risk Management Implementation

ERM Multi-Year Project Plan (2007, 2008, 2009)

[Gantt chart of work streams, as extracted:]

Define Risk Strategy

Establish Risk Appetite

Develop Risk Profiling

Develop Cost of Risk Model

Comprehensive Risk Mapping

Risk Modeling

Expanded Risk Assessment

Captive Optimization

Portfolio Risk Modeling

Technology implementation

Global Optimization

Legacy Claim Projects

Evaluate Data Strategy

Legacy Claim Evaluation

Captive Strategy

M & A Process Evaluation

Page 50: 03 25 franklin

ERM Enabling Technologies

Many technologies address risk in general and ERM in particular.

– Use a selection process, as with any tool or technology:

• Analysis: RFI/RFP

• Vendor discussions and “bake-off” with a prototype

• Design: purchase on a trial basis

• Full deployment

Page 51: 03 25 franklin

ERM Dashboard Applications

Page 52: 03 25 franklin

ERM Monitoring and Reporting

Page 53: 03 25 franklin

Drives Accountability

Facilitates “Dashboard” Reporting

Automates Tracking of Key Risk Indicators

Dashboards & Governance

Page 54: 03 25 franklin

Governance, Culture and Disclosure

Key Activities | Client Deliverables
Develop detailed ERM frameworks and governance | Policies, manuals, committees, roles and accountabilities
Develop internal risk communication and awareness program | Rollout of communication and awareness program
Develop external communication strategy | Enhanced communication with rating agencies, equity analysts and regulators
Monitor risk performance against defined metrics | Reporting on KPIs
Develop continuous improvement process | Improvement processes and accountabilities

Page 55: 03 25 franklin

Governance, Culture and Disclosure

ERM Framework and Governance

[Organization chart:]

Board of Directors

Executive Committee: COO, CFO, Chief Risk Officer, CIO, CLO

ERM Function

Divisions A, B, C

Business Units A, B, C

Functional, support and shared services

Internal Audit, Risk Management, Compliance

Page 56: 03 25 franklin

Governance: Partnership is Key

Board: Set Policy; Approve Risk Strategy; Enforce Correction; Provide Tone from the Top

Audit Committee: Establish Policy; Propose Risk Strategy; Measure / Monitor; Report to Board on Key Matters

ERM Working Group*: Monitor; Coordinate; Educate; Facilitate; Benchmark; Report

Business/Functional Risk Owners: Identify Risk; Measure Risk; Prioritize Risk; Manage Risk; Report & Improve

Internal Audit: Provide Assurance; Conduct Risk-Based Audits

Compliance/Ethics: Act as Functional Risk Owner; Manage Legal Risks; Foster an Ethical Environment

*possibly chaired by CRO

Page 57: 03 25 franklin

Governance, Culture and Disclosure

[Sample documents: ERM Project Plan and ERM Manual, prepared for “Client ABC”]

Page 58: 03 25 franklin

External Risk Disclosure Analysis

Annual 10-K reports are a primary risk information source for investors and the public.

• How was this list developed?

• How was the order of the risks determined?

• Were the impacts of these risks quantified?

• How will investors react if an unmentioned risk results in significant loss of market value?

• How does your list compare to your competitors?

Page 59: 03 25 franklin

Comparative Analysis

• A comprehensive ERM program can ensure that the 10-K risk factor list is complete and in appropriate order.

• Review the risks listed in the 10-K report

– Is anything missing?

– Are the risks listed in an order that is representative of their impacts?

– Have these risks been quantified?

How would investors or regulators react if an unmentioned risk results in significant loss of value?

Page 60: 03 25 franklin

Analyzing Competitors’ Disclosures

Regular review of competitors’ risk disclosures is vital to:

• Ensure that your risk disclosure is complete

• Keep tabs on changes in the industry environment

Page 61: 03 25 franklin

Comparing Risk Disclosures

Strategic Review of Annual Reports / Regulatory Filings

[Comparison matrix legend: Green = Declared; Red = Not Declared; Orange = Not Relevant]
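Pages 58 to 61 pose three checks on a 10-K risk factor list: is anything missing that peers declare, are the factors listed in an order that reflects their quantified impacts, and have they all been quantified. The block below is an added example, not code from the deck or from Aon; it applies those checks to constructed filings for three companies, using the Page 61 colour legend for the comparison matrix. The company names, the factor lists (drawn from the Page 15 key-risk list), the "not relevant" marking and the worst-case impacts are all constructed for the example.

```python
"""10-K risk factor disclosure checks (added example with constructed data)."""
from typing import Dict, List, Sequence, Set, Tuple

# Page 61 legend: Green = Declared, Red = Not Declared, Orange = Not Relevant
DECLARED, NOT_DECLARED, NOT_RELEVANT = "Green", "Red", "Orange"


def disclosure_matrix(filings: Dict[str, Sequence[str]],
                      not_relevant: Dict[str, Set[str]]) -> Dict[str, Dict[str, str]]:
    """Colour every risk factor that any company discloses, per company, with the Page 61 legend."""
    universe = sorted({risk for risks in filings.values() for risk in risks})
    matrix: Dict[str, Dict[str, str]] = {}
    for risk in universe:
        row: Dict[str, str] = {}
        for company, risks in filings.items():
            if risk in risks:
                row[company] = DECLARED
            elif risk in not_relevant.get(company, set()):
                row[company] = NOT_RELEVANT
            else:
                row[company] = NOT_DECLARED
        matrix[risk] = row
    return matrix


def disclosure_gaps(matrix: Dict[str, Dict[str, str]], company: str) -> List[str]:
    """Risk factors a peer declares that `company` neither declares nor marks as not relevant."""
    return [risk for risk, row in matrix.items() if row[company] == NOT_DECLARED]


def unquantified(disclosed_order: Sequence[str], worst_case_impact: Dict[str, float]) -> List[str]:
    """Disclosed factors the quantification step has not yet put a value impact on."""
    return [r for r in disclosed_order if r not in worst_case_impact]


def order_inversions(disclosed_order: Sequence[str],
                     worst_case_impact: Dict[str, float]) -> List[Tuple[str, str]]:
    """Pairs (earlier, later) where the later-listed factor has the larger worst-case impact."""
    quantified = [r for r in disclosed_order if r in worst_case_impact]
    return [(a, b) for i, a in enumerate(quantified) for b in quantified[i + 1:]
            if abs(worst_case_impact[b]) > abs(worst_case_impact[a])]


def impact_order(disclosed_order: Sequence[str], worst_case_impact: Dict[str, float]) -> List[str]:
    """The disclosed list re-ordered by worst-case impact, unquantified factors kept last."""
    quantified = sorted((r for r in disclosed_order if r in worst_case_impact),
                        key=lambda r: -abs(worst_case_impact[r]))
    return quantified + unquantified(disclosed_order, worst_case_impact)


# Constructed filings; factor names are taken from the Page 15 key-risk list.
FILINGS = {
    "Our company": ["Regulatory/legislative changes", "Damage to reputation",
                    "Business interruption", "Technology failure"],
    "Peer A": ["Damage to reputation", "Loss of data", "Business interruption",
               "Distribution or supply chain failure"],
    "Peer B": ["Business interruption", "Failure to attract or retain staff",
               "Regulatory/legislative changes", "Loss of data"],
}
NOT_RELEVANT_BY_COMPANY = {"Our company": {"Distribution or supply chain failure"}}
# Constructed worst-case value impacts (fraction of value) from the quantification step.
WORST_CASE_IMPACT = {"Damage to reputation": -0.12, "Business interruption": -0.05,
                     "Regulatory/legislative changes": -0.03, "Loss of data": -0.04}

if __name__ == "__main__":
    matrix = disclosure_matrix(FILINGS, NOT_RELEVANT_BY_COMPANY)
    for risk, row in matrix.items():
        print(f"{risk:40s} " + "  ".join(f"{c}: {colour}" for c, colour in row.items()))
    print("Gaps versus peers:", disclosure_gaps(matrix, "Our company"))
    print("Order inversions:", order_inversions(FILINGS["Our company"], WORST_CASE_IMPACT))
    print("Not yet quantified:", unquantified(FILINGS["Our company"], WORST_CASE_IMPACT))
```

A Red cell is the only colour that demands a decision: either the factor belongs in the next filing or it is consciously marked not relevant, which turns it Orange and keeps it out of the gap list. The inversion check deliberately compares only quantified factors, so an unquantified entry such as "Technology failure" surfaces in its own list rather than silently distorting the order test.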

Page 62: 03 25 franklin

ERM – Commonly Cited Challenges

• Inability to demonstrate immediate, quantifiable return on investment

• Internal competition among business units

• Cultural incompatibility

• Limited technology / tools

• Inadequate senior-level support

Page 63: 03 25 franklin

ERM - Critical Success Factors

• Senior management support

• Clearly defined vision

• Regular and open communication among the team

• Realistic expectations regarding timelines and deliverables

• Sufficient resource allocation for implementation and follow-through

• Linkage to organizational success factors, strategies and processes

Page 64: 03 25 franklin

ERM Potential Benefits

Establish Sustainable Competitive Advantage

• Integrate with business planning and value management processes

• Avoid missing key risks and losing vital opportunities

• Optimize balance between capital preservation and growth/profit-generation

Manage Risk at a Lower Cost

• Minimize risk averse behavior

• Develop cost-effective risk strategies and solutions

• Eliminate redundant or unnecessary risk controls

Improve Business Performance

• Support more informed/proactive risk management decisions aligned with business objectives/strategies

• Link to enterprise performance, measurement and monitoring

• Reduce volatility and prevent surprises

Page 65: 03 25 franklin

ERM Gap Analysis

Phase I: Information Gathering

• Conduct interviews / gather information

• Identify risk universe

• Define and develop cost of risk data

• Conduct gap analysis

Phase II: Setting the Stage

• Develop overall risk management vision

• Create risk management scorecard / gap analysis

• Identify key risk projects / activities needed to achieve risk management excellence

• Understand cost / benefit of potential risk management strategies

Phase III: Executive Support

• Obtain support of risk management leaders

• Present overall objectives and plan to senior management

• Develop teams and tools

Phase IV: Implementation

• Get moving

• Deliver defined projects

• Update progress toward overall vision

• Measure performance

• Create linkage to next steps

• Build feedback loop to ensure continued progress toward goals

Page 66: 03 25 franklin

Risk Management Vision

• Risk management vision transcends the various projects and activities that comprise risk management within an organization

• In order to define risk management vision, the company must resolve a series of key questions:

What are the goals of the company’s risk management efforts?

How does the company define risk management excellence?

What is the current state of risk management?

Where are the gaps?

What are the priorities?

How will success be measured?

• In the end, risk management must deliver measurable impact on the company’s operating performance

Page 67: 03 25 franklin

Key Risk / Performance Indicators

• What are the KRIs?

• How do I get them?

• How often do I get them?

• What do I do with them?

• Foundation understanding of: frequency, source and meaning

Page 68: 03 25 franklin

KRIs - Example

Page 69: 03 25 franklin

Focus on Value

ERM Model

Risk Identification: Surveys → All Risks → Key Risks

Risk Quantification: Scenario Development → Individual Risk Quantification & Ranking → Determine Portfolio Effect → Enterprise Risk Exposure (∆Value)

Risk Management: ERM Committee Consensus Meeting → Risk Appetite / Strategy → Risk Management Tactics

Process Key: Risk Identification, Risk Quantification, Risk Management

Page 70: 03 25 franklin

Case Study #1: Fast Growing Company

• Highly successful, profitable company

• Recent patent litigation surprise created temporary cash and credit crunch

• Audit committee wanted an overview of key risks facing the company

• Risk committee was formed to coordinate the effort

• Team conducted interviews with over 50 executives, supplemented by over 80 surveys

Page 71: 03 25 franklin

Project Objectives

• Has the company identified all its critical risks?

• Does the company have effective controls for managing its critical risks?

• Are the risks greater now than they were 12 - 24 months ago (earnings pressure, continued acquisitions and internal strategic initiatives)?

• Are these risks within acceptable limits?

• Is the right level of information reported to Senior Management and the Board?

Page 72: 03 25 franklin

Project Results

• Provided information to senior management and the Audit Committee

• Developed models for key risks based on potential impact on:

Revenue

EPS

Cash

Reputation

• Examined current and potential risk mitigation opportunities, including risk transfer and self-funding

• Created a framework for more effective decision-making regarding supply chain management, site selection and inventory management

Page 73: 03 25 franklin

Case Study #2: Manufacturing Company

• Company had a well-developed risk management process

• Top risks for each of the businesses were routinely assessed and evaluated

• Due to lack of internal data, limited effort had been made to quantify the potential impact of events

• Recent supply chain problems had highlighted previously unmeasured vulnerabilities

• Project team developed customized risk models for the top five risks of each business unit

Page 74: 03 25 franklin

Project Results

• Delivered working risk models to each business unit

• Risk models were used to develop “underwriting models” for potential risk transfer / mitigation solutions

• Company expanded the use of existing captive insurance company and finite risk insurance arrangements to address key issues

• Event risk maps helped uncover critical decision points that could substantially alter the overall risk exposure

• Changes were made in supply contracts, inventory levels and contingent business interruption coverage as a result of the analysis

Page 75: 03 25 franklin

Case Study #3: Consumer Products

• Fortune 100 consumer products company

• Treasurer and Risk Manager had identified 17 key risks under their charge

• Company wanted to develop a quantitative approach to better evaluate risk decisions

• Solution: Risk modeling project to help evaluate the optimal risk strategy

Page 76: 03 25 franklin

Project Results

• Project focused on the analysis of internal and external risk data

• Creation of individual and portfolio risk models

• Risk mitigation and transfer alternatives were tested using the models, resulting in significant changes

• Company was able to demonstrate the value of additional risk retention and the use of internal funding (via a captive insurance subsidiary)

• Risk finance and mitigation resources were reallocated to optimize the company’s risk management efforts

Page 77: 03 25 franklin

Case Study #4: Hospital

• Medium-sized hospital looking to achieve excellence in health care by surpassing standards set in “The New American Hospital” and the Malcolm Baldrige National Quality Award

• Key objective: conduct a comprehensive risk assessment

• Project involved:

Interviews with key personnel (management, physicians and nurses)

Creation of a risk inventory

Benchmarking of current risk management approaches and quality of care against industry standards and best practices

Evaluation of current risk mitigation methods

Page 78: 03 25 franklin

Hospital ERM Project Results

• Identified and prioritized key enterprise risks

• Recommended improved approaches for risk management

• Opportunities for improvement included:

Implementation of clinical best practices and rapid response teams to reduce cardiac complication rates

Diversification of services to counteract the impact of Medicare reform

Contingency planning around key physicians and sole-source service providers

Improvement of the contract oversight and document retention process to minimize legal liabilities

Page 79: 03 25 franklin

Case Study #5: Capital One

Capital One's stock plummeted by 39%, falling from a $50.60 per share close on July 16 to $30.48 per share by the close of July 17, a drop of roughly $4B in market value.

Capital One signed an "informal memorandum of understanding" with bank regulators. More than a dozen class actions were filed charging the credit card issuer with securities fraud for misleading shareholders about its financial health and its compliance with bank regulations.

July 2002, 8-K filing: the company publicly commits to enhancing its enterprise risk management and internal control environment.

Risk management capabilities designed and implemented across the organization.

Page 80: 03 25 franklin

ERM Process: Enhanced Future State (diagram)

Diagram elements: Line of Business Operations; Risk Metrics; Risk-Adjusted Decision Making; Improved Business Performance; Improved Risk Predictability and Measurement; Integrated into Operational Business Processes

Page 81: 03 25 franklin

Suggestion: Adopt a Pilot Approach

• Start small and grow big

• Select a locale with engaged management and non-complex products or customers

• Establish proof of the ERM concept – quicker benefits

• Accomplish process objectives in a shorter timeframe

• Learn from successes/mistakes to roll out the ERM process across the organization

Page 82: 03 25 franklin

Overview of a Pilot

Perform facilitated session and/or interviews with select internal and external experts to identify and assess risks and risk management processes

Analyze risks for causal factors, effects, and interrelationships

Establish criticality of risk and prioritize; map key risks

Establish risk management options, action plans, etc.

Summarize data of most significant risks

Risk map (figure): key risks plotted by Frequency (vertical axis) against Severity in $ millions (horizontal axis, ranging from <5 to >100M)

Legend: High Impact / Moderate Impact / Low Impact; Partial / Full Mitigation; No / Minimal Mitigation

Risks plotted on the map:

Strategic

S1 – Partnering arrangements

S2 – Changing industry dynamics

Operational

O1 – New initiative integration/success

O2 – Business continuity

O3 – Product quality

O4 – Centralized distribution

O5 – Hazard risk

Human Capital

H1 – Succession planning

H2 – Turnover

H3 – Human capital development

Legal/Regulatory

L1 – Political pressure around drug affordability

Technology

T1 – Intellectual property

T2 – Information security

Financial

F1 – Currency fluctuations

F2 – Commodity prices

Risk profile: Information Technology – Network Security

Definition

• Ability to safeguard proprietary knowledge from a security breach which could damage financials, brand and reputation

• Intentional, coordinated and/or hidden sabotage of systems, software or processes by internal or external parties

Risk Owner(s)

• Chief Technology Officer

• IT Department

• Security

Current Metrics

• Number of viruses per month

• Minutes of downtime per month

• Backup processes double checked weekly

Current State

• Up-to-date Anti-virus and system Firewall protection

• Disaster recovery plans

• Network backup planning

• Software and data backups

• Backup Power Supply

Severity Level

Action Plans – Recommended:

• Intrusion detection and vulnerability detection equipment and software

• Destruction of old hard drives from redundant computers

• Ensure no single point of failure

• Redundant hardware systems

Estimated Investment:

• Additional IT staff personnel

• Purchase of intrusion detection and vulnerability detection equipment

• Continual investment in updating software

Risk Assessment Pilot

Review current company and business objectives/risk management objectives; evaluate current risk management infrastructure and capabilities

Chart (figure): # Departures for 2006, 2007 est., 2008 est. and Target; objective: Reduce voluntary employee departures by 10% by 2008

Pilot timeline: September to November

Page 83: 03 25 franklin

Questions to Consider

• Is ERM adding value for your organization?

• Is the ERM effort stalled or is progress being made?

• Are there parallel risk management efforts that fall outside of the ERM process?

• What can be done to automate portions of the ERM process?

• Are there high impact “drill-down” projects that will deliver ERM value?

• Is ERM sustainable after the project team has moved on to other assignments?

Page 84: 03 25 franklin

Barry Franklin, FCAS, MAAA
Aon Global Risk Consulting

[email protected]

Page 85: 03 25 franklin

Confidentiality

We recognize that our clients’ industries are extremely competitive and maintaining confidentiality is of the utmost importance. Accordingly, Aon takes seriously its obligation to protect the confidentiality of client information.

Similarly, we view our approaches and insights as proprietary and therefore look to our clients to protect Aon interests in our presentations, methodologies, and analytical techniques. Under no circumstances should the material in this report be shared with any third party without the written consent of Aon.

Copyright © 2007 Aon