ILTA 06: Developing and Selling an Enterprise Risk Management Approach, by Dave Cunningham, Aug 2006 (Presentation Transcript)
Developing and Selling an Enterprise Risk Management Approach
Presented by: Dave Cunningham, Managing Director, Baker Robbins & Company, 713-840-0510, firstname.lastname@example.org
Topics: Enterprise Risk Management
1. Defined
2. Trends and Issues
3. Applied to Law Firms
4. Technology
5. Value
6. Program Development
1. ERM Defined
ERM is a management approach focused on maximizing shareholder value and ensuring business continuity by creating a single view of internal and external risks and an executive-level strategy to deal with those risks.
Risk Management Categories
Risk can be analyzed in these categories (risk types, internal and external):
- Strategic: economic, market
- Operational: technical
Understanding Risk Management
- RM is about managing risks, not eliminating them.
- Risks are both positive and negative, involving gains and losses.
- Risk management's overall goal is building and maintaining stakeholder confidence: the key to organizational resilience.
2. ERM Trends and Issues
- Compliance requirements
- Role of the Chief Risk Officer
- European influences (data protection, ethical walls, anti-cartel, anti-money laundering, external investments)
- Technology dependency: as a business tool and as a risk management tool
- Convergence of performance and risk management
3. ERM Applied to Law Firms
"It doesn't take a visionary to see that an enterprise view of risk is right for law firms. We are 20 years behind the big accounting firms. It's just a matter of how fast we move forward."
- General Counsel of an AmLaw 20 law firm
ERM Applied to Law Firms
"Law firms should, in theory, be good in managing risks across the firm because the people we are dealing with are those who are most affected."
"We are coming off of a difficult loss cycle. Firms are now being much more active in managing risks."
- Managing Director of Aon
Areas of a Firm Addressing Risk (example)
The slide maps each risk area to the firm groups responsible for it. Areas shown:
- Conflicts & Ethics
- Litigation & Subpoena Matters
- Insurance
- Employment & Personnel Matters (including employment / worker's compensation)
- Data Privacy, Security Matters
- Partnership Elections
- Other Insurance
- Marketing & Communications (website, branding, copyright, reviewing marketing materials, etc.)
- Firm Manuals and Guidance
- Partnership (governance, departures, disputes)
- Professional Development
- Information Retention
- Vendor Contracts (applicable departments: IT, Finance, HR, M/C, etc.)
- Audit
- Firm Investments
Groups named as responsible: Conflicts & Ethics and Securities Transaction Committees, Litigation Attorneys, Managing Attorney's Office, Professional Indemnity / Professional Insurance Committee, Information Services and Records Department, Executive Group (and delegates), Outside Counsel, Outside Consultants, Finance Department, HR, IT, Professional Personnel and Admin, Policy Committee, Pension Committee, Steering Group, Marketing/Communications Department, Professional Development Department, IR Project Team, Audit Committee, Investment Committee, and all practice groups and departments.
Risk Exposure
1. Clients
2. Employees
3. Operations
What keeps General Counsels awake at night?
4. ERM and Technology
IT is not only a source of risk; it also provides management with tools to implement a risk framework.
Technology: Source of Risk
- Continuity
- Integrity
- Accessibility
- Privacy
Technology: Mitigating Risks
- System fault tolerance
- Physical and electronic security
- Performance modeling
- Intranet / communications
Technology: Mitigating Risks (Firm Business Processes)
- Conflicts and ethical walls
- Billing
- Business intelligence and reporting
- Records (e-mail, paper and document) management
- Team-based folders and workspaces
- Knowledge management and expertise identification
- Client relationship management
- Enterprise resource planning
- Self-service
- Litigation support management
Technology: Risk Management Tool (example)
The slide shows an operational-loss model: internal loss data and external data feed an Enterprise Risk Assessor (mapping, adjusted for internal control); loss frequency and loss severity are combined by Panjer recursion into an aggregate loss distribution, from which Expected Loss, Unexpected Loss and Required Capital are read. Loss event categories:
1. Damage to physical assets
2. Business disruption and system failures
3. Execution, delivery and process management
4. Employment practices and workplace safety
5. Clients, products and business practice
6. Internal fraud
7. External fraud
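As an added worked example (not from the deck or its vendor tool), the Panjer recursion step of that loss model: a Poisson event frequency is assumed, the severity pmf below is a constructed lattice distribution, and the 99.9% quantile is an assumed confidence level for the capital point.

```python
import math

# Constructed single-loss severity pmf on a unit lattice (e.g. one unit = $10k):
# SEVERITY[k] = P(a single loss event costs k units). Illustrative numbers only.
SEVERITY = [0.0, 0.5, 0.3, 0.2]


def panjer_poisson(lam, severity, n_max):
    """Aggregate (e.g. annual) loss pmf g[0..n_max] for Poisson(lam) event counts.

    Panjer recursion, Poisson case (a = 0, b = lam):
        g[0] = exp(-lam * (1 - f[0]))
        g[n] = (lam / n) * sum_{j=1..min(n,m)} j * f[j] * g[n-j]
    """
    m = len(severity) - 1
    g = [math.exp(-lam * (1.0 - severity[0]))]
    for n in range(1, n_max + 1):
        acc = 0.0
        for j in range(1, min(n, m) + 1):
            acc += j * severity[j] * g[n - j]
        g.append(lam / n * acc)
    return g


def expected_loss(g):
    """Mean of the aggregate-loss pmf, in lattice units (equals lam * E[severity])."""
    return sum(k * p for k, p in enumerate(g))


def loss_quantile(g, q):
    """Smallest k with P(aggregate loss <= k) >= q: the VaR-style point of the tail."""
    cum = 0.0
    for k, p in enumerate(g):
        cum += p
        if cum >= q:
            return k
    return len(g) - 1  # pmf was truncated too early; raise n_max


def unexpected_loss(g, q):
    """Quantile minus expected loss; the tail amount usually used to size required capital."""
    return loss_quantile(g, q) - expected_loss(g)


if __name__ == "__main__":
    g = panjer_poisson(lam=2.0, severity=SEVERITY, n_max=200)
    print(f"expected loss   = {expected_loss(g):.3f} units")
    print(f"99.9% quantile  = {loss_quantile(g, 0.999)} units")
    print(f"unexpected loss = {unexpected_loss(g, 0.999):.3f} units")
```

With the constructed inputs the expected loss is 2.0 * 1.7 = 3.4 units, which the recursion reproduces exactly; the unexpected loss is what the model holds capital against.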
ERM Dashboard (example)
IT Management Dashboard (example)
5. ERM Business Impact
Gartner research shows that 60% of large enterprises without best practice risk management implemented consistently across the enterprise will significantly under-perform their peers.
Aon: Impact on insurable losses has not been measured. ERM helps you look better to the insurance company and establishes a sense of awareness.
ERM Business Impact - IT Perspective
- Awareness of existing risks
- Mitigation of IT risks
- Necessary component of: service level agreements; business continuity planning; project charters / business cases
- Reduction of surprises
- A seat with firm management on business issues
6. Program Development
Two tracks:
- IT (Performance and) Risk Management
- Enterprise Risk Management
IT Performance and Risk Management
- IT processes
- IT service levels
- IT key performance indicators
- Roles and responsibilities related to risk: change and configuration management; quality assurance; data architecture and integrity; security and privacy; content management initiatives
ERM Program Development: Initial Steps
Context:
- Consider current actions and how they may or may not be aligned with the desired culture of risk
- Establish a baseline
Identify:
- Identify existing risk-related responsibilities
- Identify existing gaps in risk management
- Decide roles and responsibilities
- Determine maturity of the existing situation
Maturity Assessment Model
Maturity Assessment: Risk Process Ratings
Maturity Assessment: Business Processes
Maturity Assessment: IT Processes (1 of 4)
Maturity Assessment: IT Processes (2 of 4)
ERM Standards and Influences
- ERM: COSO ERM Framework; AS/NZS 4360:2004
- Compliance: Sarbanes-Oxley; Basel II; ISO
- Standards with risk aspects: IT Infrastructure Library (ITIL); Project Management Institute PMBOK
Conclusion: Next Steps
- Review how risk is considered and managed in IT projects
- Have initial conversations in your firm about risks
- Determine your own role in enterprise risk
- Perform an assessment of risk areas and understand the implications
Questions and Comments?