tools &techniques for effective risk management v3.0
DESCRIPTION
Risk Management - Why it has failed to deliver, over and over againTRANSCRIPT
Tools and Techniques for Effective Risk Management
From a Management Consultant’s Toolbox
Chetan Gautam, PMP, MBAPresident, Globe 1, [email protected]: 215-262-0557 F: 1-(888) 749-8519
2
Outline & Objectives
Outline Traditional risk view & its flaws Emerging external and internal risk requirements Current state of Risk Management Enterprise Risk Management (ERM) definition & context Walk-through of ERM process, tools, tips and techniques Challenges What can we do now and where do we start?
Globe 1, Inc. Proprietary
3
What is the Traditional View of Risk?
Globe 1, Inc. Proprietary
Risk - A possibility that an event will occur and adversely affect the achievement of objectives.
Risk is almost always associated with a potential loss of something, for instance, financial loss due to bad investments, lawsuits, etc.
4
What’s Wrong with Traditional RM Looks at the downside of Risk (losses) Doesn’t exploit the benefits of technology advancements Fails to address & adjust to meet emerging requirements It is tactical & doesn’t look at the big picture (inward-looking) Allows division of risk management in departmental silos Doesn’t force alignment with business strategy Allows selective risk management without oversight
“We are a finance company, we only want to do market related risk management”
Globe 1, Inc. Proprietary
We the Finance
Guys
We the Marketing
Guys
5
Build confidence in investment community and stakeholders
Increased expectations /requirements for improved corporate governance of risk
Organizations such as RIMS &PMI are promoting risk management at multiple levels
External Requirements/Pressures
Changing regulatory environment in face of global financial crisis
Rating agencies, such as S&P, evaluate companies on Risk Management
Increased expectations by shareholders for effective risk management
Globe 1, Inc. Proprietary
6
Specific External Requirements The SEC requires companies to describe risks
that may have a material impact on future financial performance
The AICPA produced analysis recommends that reporting of risks be improved to include a discussion of all risks/opportunities that
(1) are current, (2) are of serious concern, (3) have an impact on earnings or cash flow, (4) are specific or unique, and (5) have been identified and considered by management
A committee of five major professional accounting associations (COSO) published an integrated framework for enterprise risk management Globe 1, Inc. Proprietary
7
Internal Requirements
Align Risk Appetite and Strategy Minimize operational surprises &
losses Seize Opportunities
Globe 1, Inc. Proprietary
Rationalize capital needs and allocation Need to investigate interdependent risks Provide integrated responses to multiple risks Increased expectations /requirements for
improved corporate governance of risk Need to address technology integration and
dependence
8
Current State of Risk Management at Fortune 100 36% of directors surveyed did
not have a full understanding of company’s risks
Directors claimed that they approached risks on case-by-case basis
Only 54% claimed to have clearly defined risk tolerance levels
Only 47.6% of boards rank their key risks
Only 42.3% have formal practices and policies in place to address reputation risk
(Source: The Conference Board, “The Role of U.S. Corporate Boards in ERM”, Brancato, C. K. , et. al.)
Globe 1, Inc. Proprietary
9
Risk Management at Fortune 100
Only 11% of companies has a well-defined role of Chief Risk Officer who would report to the Board on Risk Issues
71.8% of directors believe they have the right risk metrics and methodology in making strategic decisions
Globe 1, Inc. Proprietary
Only at 25% of non-financial companies the board considers all major risks including strategic risks (versus 54.5% of financial companies)
Only 16.1% companies report having a separate and distinct risk committee for more than 2 years, versus 3.5% in the non-financial area.
(Source: The Conference Board, “The Role of U.S. Corporate Boards in ERM”, Brancato, C. K. , et. al.)
10
Why RM is still ineffective?(Despite these pressures?)
Missing structure & champions (Where is the CRM?)
Missing Integrated RM Methodology Few RM tools available & integration is
difficult Little or no focus on RM education Inconsistent understanding &
application of RM practices
Globe 1, Inc. Proprietary
11
Welcome to Enterprise Risk Management (ERM) – New Age RM
Enterprise Risk
Management
• Has interdependencies with other processes
• Has a well defined structure
• Is implemented enterprise-wide & draws participation from other management disciplines
• Promotes Risk Aware Culture
Strategic
Management
Project Management
Globe 1, Inc. Proprietary
12
What is Enterprise Risk Management
Risk management is a process, effected by senior management and other personnel of an entity, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Source: Derived from the ERM Framework DRAFT, Published by Committee of Sponsoring Organizations of the Treadway Commission, www.erm.coso.org
Globe 1, Inc. Proprietary
13
Enterprise RM is a Process
ERM is not one event or
circumstance, but a series of actions
that permeate
an entity's
activities (Source: COSO ERM
Framework)
Enterprise Risk
Management:
Globe 1, Inc. Proprietary
14
TIP: What Makes a Process Successful?
Must haves•Must be well-understood by the people who execute it•Must be consistently applied and iterative•Must be implementable•Must be auditable and controllable •Must have an owner & an executive champion
Should haves
•Should be documented•Should be scalable and incremental•Should be measurable
Globe 1, Inc. Proprietary
15
Enterprise Risk Management Process
1. Environment
Scanning
2. Strategic Alignment
Globe 1, Inc. Proprietary
Communication
Control & Monitoring
16
ERM - Structure
Globe 1, Inc. Proprietary
Board
CRM CEO
RMEC
FRM
FRS
The Board is responsible for providing oversight and direction to ERM
Chief Executive Office is ultimately responsible for ERM.Chief Risk Manager is responsible for reporting risks to the Board and managing the ERM programRisk Management Executive Committee reviews risk assessments & provides recommendations, while also working as the authority for resolving escalated issues. It is composed of Risk Officers (S/VPs) representing all BUsFunctional-Area Risk Manager is responsible for one or more Functional Areas or Risk Categories on the Risk Universe. FRM also chairs
Functional-Area Risk Sub-Committee is responsible for conducting risk management tasks for their assigned functional areas. It consists of SMEs from multiple areas such as Operations , IT, PMO, Legal, Business Architecture & Audit
Globe 1, Inc. Proprietary 17
18
ERM - Structure
CRM – Chief Risk Manager Responsible for reporting risks to the board and managing
the risk management program ERRB – Executive Risk Review Board
Responsible for reviewing risk assessments and approving/suggesting action
FRM – Functional Risk Manager Responsible for a Functional Area or (multiple) risk
categories on the Risk Universe Reports to CRM and ERRB
FRMT – Functional Risk Management Team Responsible for assisting FRM in Functional Risk
Management Globe 1, Inc. Proprietary
Environment Scanning
Globe 1, Inc. Proprietary 19
Regulatory Body/Commissions
Rating
Agency
Govt.
Organization
Units
Area
Industry
CompetitorsConsumers
Region/Country
OffshorePartners/Vendors
World
International Clients
International Investments
20
Environment Factors
External Factors
•Social, Legal & Regulatory trends•Political climate•Competition•International & domestic markets•Fluctuations in demand•Terrorist & criminal activities•International health issues•Weather & Natural Calamities•Pandemic Flue
Internal Factors
•Staff capabilities & skills•Staff availability•Capacity•Systems & technology•Procedures & processes•Communication•Effectiveness•Leadership effectiveness•Risk appetite
Globe 1, Inc. Proprietary
21
Environment Scanning
Purpose Capture current and previously known issues
Key Activities Create/update a Risk Universe that identifies:
▪ Risk Categories/Sources within an Environment▪ Common Risks & Descriptions (to get started)▪ Align Risks with Business Units/Functional Areas
Identify Stakeholders (create a structure) Create a Glossary
When Annual
Techniques Interviews/Workshops with SMEs/Stakeholders Analysis of business plans, industry & markets
Tools/Artifacts Expert Knowledge, Operating Manuals, Policies &
Procedures, Compliance Handbooks, Business Rules, etc.
Globe 1, Inc. Proprietary
23
Strategic Alignment
Purpose Align Risk Management with organization’s strategic direction
Key Activities Analysis of organization’s Threats & Opportunities (TOs) at
multiple levels Create/update Risk Universe with new Risks & Risk
Categories discovered during the process Map KPIs, Goals & Objectives to Risks in the Risk Universe
When During annual strategy setting
Technique Strategic Audits
Tools Balance Score Card, SWOT, SFAS, PEST etc.
Globe 1, Inc. Proprietary
25
External Factor Analysis Summary (EFAS)
Globe 1, Inc. Proprietary
External FactorsWeight Rating
Weighted Score Comments
1 2 3 4 5
1.00
Opportunities
Threats
Total Weighted Score
Notes: 1. List opportunities and threats (5–10 each) in column 1. 2. Weight each factor from 1.0 (Most Important) to 0.0 (Not Important) in Column 2 based on that factor’s probable impact on the company’s strategic position. The total weights must sum to 1.00. 3. Rate each factor from 5 (Outstanding) to 1 (Poor) in Column 3 based on the company’s response to that factor. 4. Multiply each factor’s weight times its rating to obtain each factor’s weighted score in Column 4. 5. Use Column 5 (comments) for rationale used for each factor. 6. Add the weighted scores to obtain the total weighted score for the company in Column 4. This tells how well the company is responding to the strategic factors in its external environment. A weighted score of 3.0 means average performance.Source: T. L. Wheelen and J. D. Hunger, “External Strategic Factors Analysis Summary (EFAS).” Copyright © 1991 by Wheelen and Hunger Associates. Reprinted by permission.
26Globe 1, Inc. Proprietary
External FactorsWeight Rating
Weighted Score Comments
1.00
Opportunities• Economic integration of
European Community• Demographics favor quality
appliances• Economic development of Asia• Opening of Eastern Europe• Trend to “Super Stores”
Threats• Increasing government regulations
• Strong U.S. competition• Whirlpool and Electrolux strong
globally• New product advances• Japanese appliance companies
Total Scores
.20
.10
.05
.05
.10
.10
.10
.15
.05
.10
4
5
122
443
12
.80
.50
.05
.10
.20
.40
.40
.45
.05
.20
Acquisition of Hoover
Maytag quality
Low Maytag presenceWill take timeMaytag weak in this
channel
Well positionedWell positionedHoover weak globally
QuestionableOnly Asian presence is
Australia
3.15
1 2 3 4 5
External Factor Analysis Summary (EFAS)
27
Internal Factor Analysis Summary (IFAS)
Globe 1, Inc. Proprietary
Internal Factors Weight RatingWeighted Score Comments
1 2 3 4 5
1.00
Strengths
Weaknesses
Total Weighted Score
Notes: 1. List opportunities and threats (5–10 each) in column 1. 2. Weight each factor from 1.0 (Most Important) to 0.0 (Not Important) in Column 2 based on that factor’s probable impact on the company’s strategic position. The total weights must sum to 1.00. 3. Rate each factor from 5 (Outstanding) to 1 (Poor) in Column 3 based on the company’s response to that factor. 4. Multiply each factor’s weight times its rating to obtain each factor’s weighted score in Column 4. 5. Use Column 5 (comments) for rationale used for each factor. 6. Add the weighted scores to obtain the total weighted score for the company in Column 4. This tells how well the company is responding to the strategic factors in its external environment A weighted score of 3.0 means average performance..
Source: T. L. Wheelen and J. D. Hunger, “External Strategic Factors Analysis Summary (EFAS).” Copyright © 1991 by Wheelen and Hunger Associates. Reprinted by permission.
28
Internal Factor Analysis Summary (IFAS)
Globe 1, Inc. Proprietary
Internal Factors Weight RatingWeighted Score Comments
1 2 3 4 5
1.00
Strengths• Quality Maytag culture• Experienced top management• Vertical integration• Employee relations• Hoover’s international orientation
Weaknesses• Process-oriented R&D• Distribution channels
• Financial position• Global positioning
• Manufacturing facilities
Total Weighted Score
Quality key to successKnow appliancesDedicated factoriesGood, but deterioratingHoover name in cleaners
Slow on new productsSuperstores replacing
small dealersHigh debt loadHoover weak outside the
United Kingdom and Australia
Investing now
3.05
.15
.05
.10
.05
.15
.05
.05
.15
.20
.05
54433
22
22
4
.75
.20
.40
.15
.45
.10
.10
.30
.40
.20
29
Strategic Factor Analysis Summary (SFAS)
Globe 1, Inc. Proprietary
Strategic Factors
(Select the most important opportunities/threats from EFAS, Table 3.4 and the most important strengths and weaknesses from IFAS, Table 4.2)
S1 Quality Maytag culture (S)
S3 Hoover’s international orientation (S)
W3 Financial position (W)
W4 Global positioning (W)
O1 Economic integration of
European Community (O)
O2 Demographics favor quality (O)
O5 Trend to super stores (O + T)
T3 Whirlpool and Electrolux (T)
T5 Japanese appliance companies (T)
Total Score
Weight RatingWeighted Score Comments
1.00
Notes: 1. List each of the factors developed in your IFAS and EFAS tables in Column 1. 2. Weight each factor from 1.0 (Most Important) to 0.0 (Not Important) in Column 2 based on that factor’s probable impact on the company’s strategic position. The total weights must sum to 1.00. 3. Rate each factor from 5 (Outstanding) to 1 (Poor) in Column 3 based on the company’s response to that factor. 4. Multiply each factor’s weight times its rating to obtain each factor’s weighted score in Column 4. 5. For duration in Column 5, check appropriate column (short term—less than 1 year; intermediate—1 to 3 years; long term—over 3 years.) 6. Use Column 6 (comments) for rationale used for each factor. A weighted score of 3.0 means average performance.Source: T. L. Wheelen and J. D. Hunger, “Strategic Factors Analysis Summary (SFAS).” Copyright © 1997 by Wheelen and Hunger Associates. Reprinted by permission.
SH
OR
T
INT
ER
ME
DIA
TE
LO
NG
Duration
3.05
.10
.10
.10
.15
.10
.10
.10
.15
.10
Quality key to success
Name recognition
High debt
Only in N.A., U.K., and Australia
Acquisition of Hoover
Maytag quality
Weak in this channel
Dominate industry
Asian presence
5
3
2
2
4
5
2
3
2
.50
.30
.20
.30
.40
.50
.20
.45
.20
X
X
X
X
X
X
X
X
X
30
Event Identification
Purpose Identify & Assess Risk Event (Triggers/Situations)
Key Activities Identify Risk Events and map them to the Risks in the Risk Universe Create/Update “Risk Profiles” for departments, projects, initiatives
When At least annually if not quarterly, or on as needed basis
Techniques Facilitated Meetings and/or Guided Surveys Analysis of Business Processes and IT systems Analysis of External & Internal environments Analysis of marketing plan, business plans, and lessons learned
Tools/Artifacts Business Process Models, Systems Architecture Diagrams,
Subscription to Event Alerts (policy/form /requirement changes)
Globe 1, Inc. Proprietary
31
Risk Assessment
Purpose Prioritize and Report Organization’s Risk Events
Key Activities Create/Update Risk Profile with:
▪ Impact analysis results & assignment of a Impact/Severity level to each Risk Event
▪ Identify the Proximity of each Risk Event▪ Identify the Likelihood of each Risk Event▪ Assign Adequacy of Response rating to each Risk Event
Calculate Risk Priority/Rating When
Immediately following Risk Identification Techniques
Analysis of Decision Trees, Probability Trees, Expected Monetary Value, NPV, Payback Period, Probabilities, Forecasting, What-if-Analysis, etc.
Using Financial data, probability data, historical data/logs, risk-assessment
guidelines & worksheets (internally agreed)Globe 1, Inc. Proprietary
32
Globe 1, Inc. Proprietary
33
Risk Response Planning
Purpose To prepare a well planned response to Risk Events when and if they occur
Key Activities Define business’s Risk Appetite Define Risk Response Strategies (Reduction, Removal, Transfer,
Acceptance) Document Flow Charts , Define Roles and Responsibilities Define Policies and Procedures Define Residual Risk
When At least annually if not quarterly, or on as needed basis
Techniques WBS, Scheduling, policy definition, flow-charting, consensus-development,
cost-benefit justification Using
Project management tools, process flow tools, organization charts, quantitative management methods (probability distributions, forecasting)
Globe 1, Inc. Proprietary
35
Where to Start then?
Start where you are Do at least the basic stuff (develop a
basic framework and artifacts) Practice it, promote it within you
group and then sell it to other groups Build a manual or excel based
system Include Risk Reporting in status
meetings (promotes risk culture)Globe 1, Inc. Proprietary
Globe 1, Inc. Proprietary 36
Thanks
Tools & Techniques for Effective Risk Management
Q & A
Chetan Gautam, PMP, MBAPresident, Globe 1, Inc.
P: 215-262-0557 F: 1-(888) 749-8519