Taking Enterprise Risk from Theoretical to Practical
 

Video & Presentation: http://www.proformative.com/resources/video-presentation-taking-enterprise-risk-theoretical-practical

Risk management has always been an integral part of business. But over the last two decades, a host of corporate scandals, security threats, recessions and a myriad of other crises have pushed risk management to the forefront of business strategy. Organizations are striving to manage and monitor risks more effectively, but many companies can't seem to get beyond the theory and practically implement an effective ERM program. Join JetBlue Airways and Granite Consulting Group as they discuss practical ways of implementing ERM and how JetBlue evolved their risk program and created a strategically focused risk evaluation process setting the direction for future risk mitigation and operational improvement. Attendees will learn to go beyond linear "top 10" surveys and to incorporate practical and actionable strategies to implement an effective ERM program.

Speakers:
Michael Bechara, CPA, CRMA, Managing Director, Granite Consulting Group Inc.
Luis Fernandes, CPA, Director of Corporate Audit, JetBlue Airways

Presentation delivered at CFO Dimensions 2013 - http://www.cfodimensions.com
Track: Governance, Risk, Compliance | Session: 4

  • The next myth describes the old problem of Analysis Paralysis that seems to take over when performing risk assessments. Go through myth. We have to remember that the point is not to have a process… but to generate actionable results. Go through reality.
  • First let's talk about what most people have traditionally done with survey data. Most of us have simply tallied up the votes and appointed a winner. 95% of people rated Risk A as being most dangerous so… it's obviously the most dangerous risk. We need to mitigate this right away. The reason that so many people have confined themselves to this type of analysis is that it's very difficult to manually identify other relationships in the data. Those other relationships are the deeper ones that give us the most value.
  • This slide shows two approaches side by side: the bottoms up risk universe and the top down business risk approach. Without going into exhaustive detail we can see the symbiosis between the two methods. Explain chart. Joe and I have discussed often how they both can work together to create some really powerful results.
  • We have some additional depth in the mitigation area on this slide. Some of the more critical decisions you're going to have to make are…
  • To drive home this point a little more I have a very short case study I’d like to walk you through
  • Later in their risk assessment development the company adopted a more business based risk approach
  • Again in this example we see that there were risks from the bottom of the list that were very relevant to one of the company’s critical objectives. In this example we also see the concept of risk patterns in play, as there are 3 distinct risks that make up the risk pattern threatening this objective.
  • Finally, to wrap up, back to our little story about JC. Rome fell in 476 AD. The western world entered the Dark Ages. Perhaps this is sort of where we are today, with everyone being frustrated by risk assessment.
  • But there is hope. As people and companies become more developed and sophisticated when it comes to risk assessment, perhaps we will enter an age of enlightenment. Perhaps many will let go of some of the myths in risk assessment and use better approaches and technologies to face some of the hard realities that we all have to deal with.

Taking Enterprise Risk from Theoretical to Practical: Presentation Transcript

  • Slide 1 (© 2013): Crossing the Rubicon – Taking Enterprise Risk from Theoretical to Practical. Luis Fernandes, Director of Internal Audit, jetBlue Airways; Mike Bechara, Managing Director, Granite Consulting Grp.
  • Slide 2: Words of Wisdom. “In theory there is no difference between theory and practice. In practice there is”
  • Slide 3: Theory vs. Reality. Development has stagnated due to misconceptions about implementation.
  • Slide 4: What We Will Learn Today
    • Reconcile theories to realities
    • Tips & techniques
    • Ways to leverage the ERM output
  • Slide 5: ERM in Theory… (The COSO Definition)
    1. Enterprise risk management is a process,
    2. Effected by an entity’s board of directors, management and other personnel,
    3. Applied in strategy setting and across the enterprise,
    4. Designed to identify potential events that may affect the entity,
    5. Manage risk to be within its risk appetite,
    6. Provide reasonable assurance regarding the achievement of entity objectives.
  • Slide 6: ERM in Reality… (Your Average Company)
    1. Enterprise risk management is an opaque process,
    2. Effected by Driven by the head of internal audit with updates to an entity’s board of directors, management and other personnel,
    3. Applied in Divorced from strategy setting and across the enterprise corporate office based
    4. Designed to identify potential events that may affect the entity, with focus on what has already happened or one or two current “hot” topics
    5. Manage risk to be within its risk appetite (amorphous term)
    6. Provide reasonable assurance regarding the achievement of entity objectives which are often excluded from the discussion
  • Slide 7: Theory 1: ERM is a Process
    • Misinterpretation
      • If we have an ongoing process that’s good enough!
      • Because if we keep studying reports and data… that’s the same as actually addressing the risks
    • Reality
      • Risk assessment is a prophecy of the future
      • You will never identify or predict all risks… If you could you would be a zillionaire!
      • The tale of the Conservative Engineer
    • Tips & Techniques
      • Facilitate the best assessment and reevaluate periodically
      • Build risk discussions into business/financial reviews
  • Slide 8: Theory 2: Effected by Mgt., Board & Others
    • Misinterpretation
      • Divorcing risk from the business
      • “Don’t call us, we’ll call you!”
      • This is a highly complex process that is irrelevant for most people
    • Reality
      • Risks are only relevant when viewed through the prism of objectives
      • We need to understand what we are trying to achieve to identify what is relevant
    • Tips & Techniques
      • No one will understand the risks better than those that face them every day
      • Evaluate your risks as they relate to your company’s objectives
  • Slide 9: Tips & Techniques: People
    • Where does risk information come from?
      • Accounting Data
      • Quality Data
      • Industry Studies
      • People
  • Slide 10: Tips & Techniques: People
    • Aren't they too subjective and unreliable?
      • They face the risks every day & understand them very well
      • People have the ability to make predictions based on future plans
      • Historical data analysis assumes the future will look like the past; things don’t happen the same way twice
  • Slide 11: Theory 3: Applied in Strategy Setting
    • Misinterpretation
      • Cataloging all risks
      • False hope of “Total Information Awareness”
      • A Risk Universe is only a start
    • Reality
      • We are all adults here
      • Bad things will happen and we won't care about most of them
      • Key is to focus on what matters
    • Tips & Techniques
      • Use a top down business risk approach to complement the bottoms up risk universe approach
      • Concentrate on events that disrupt critical goals & strategy
  • Slide 12: Tips and Techniques: Use Multiple Analyses. A business risk approach complements and strengthens the risk universe by linking risks to objectives to present a more complete risk picture.
    • Risk Universe
      • Interview/survey management
      • Identify risks by functional area
      • Linearly rank risks by likelihood and impact
      • Mitigate the top vote getters
    • Business Risk Based
      • Understand company objectives/strategy
      • Interview/survey management
      • Use analytical tools to identify the key risk patterns linked to each objective
      • Mitigate the risks associated with the top objectives
  • Slide 13: Theory 4: Events That May Affect the Entity
    • Misinterpretation
      • We only have to assess one risk at a time
      • The highest ranked risk is the most “dangerous”
    • Reality
      • Simple rankings are a start but are inadequate by themselves
      • Negative events are caused by multiple risk factors
      • Managing risk requires us to understand the effect of individual risks manifesting themselves simultaneously
    • Tips & Techniques
      • How do the risks interrelate to one another?
      • How are risks influenced by priorities?
      • Would certain risks combine to form an ever greater threat?
  • Slide 14: Tips & Techniques: Interrelated Risks
    • Lack of Accounting Experience
    • Poor Communication
    • Excessive Overtime
    • Aggressive Marketing Programs
    • System Implementations
  • Slide 15: Tips & Techniques: Interrelated Risks
    • Combination of:
      1. Aggressive Marketing Programs
      2. Excessive Overtime
      3. Poor Communication
    • Lack of Accounting Experience
    • System Implementations
  • Slide 16: Theory 5: Manage Risk Within Appetite
    • Misinterpretation
      • Risk is mitigated… It's Miller time!
      • Once we mitigate risks beyond a certain level we’re done!
    • Reality
      • Risks are like zombies… they rise again if not monitored
      • Mitigating risk is an ongoing effort that takes time but pays big dividends
    • Tips & Techniques
      • Get Internal Audit involved
      • Monitor risks over time
      • Just monitoring risks will have a positive effect
  • Slide 17: Tips & Strategies: Risk Monitoring Decisions
    • When is a risk mitigated?
    • How often do we check back?
    • What should we check?
  • Slide 18: Theory 6: Linked to Objectives
    • Misinterpretation
      • The voting is over! Let’s mitigate the “Top 10 risks” and all will be well!
      • Classic cart before the horse thinking
    • Reality
      • Companies do not exist to manage risks; they exist to achieve objectives
      • Would we come home and say, “Honey, I forgot to get the bread from the supermarket… but I didn’t get into an accident!”
    • Tips & Techniques
      • When allocating resources for mitigation, prioritize objectives… not risks
      • Begin allocating resources towards mitigating the risks associated with the most important objectives
  • Slide 19: Before: The Traditional Analysis. A Major Airline
    • Engaged in a typical risk assessment process
    • Identified 31 risks
    • Ranked according to Likelihood, Impact and Degree of Control
    • Typical approach would be to mitigate starting at the top
    • Proceed as much as cost/benefit dictates
    • No links to business strategy or objectives
    • No relation of risks to one another to form risk patterns
    • (Table on slide: columns "Rank" and "Risk Title", ranks 1 to 31, each row titled "Risk Description")
  • Slide 20: After: Business Based Analysis. Business Based Approach
    • Surveyed the Executive Team on their views of company objectives and risks
      • Do you believe the company will achieve Objective 1?
      • How serious do you believe each risk to be?
    • Risks are linked to business objectives
    • Risks are grouped into the risk patterns that are most relevant for each objective
  • Slide 21: After: Business Based Analysis
    • Risks 21 and 23 were again from the bottom of the list!
    • A new risk that threatens this objective was identified through the survey process
    • Objective was directly tied to leadership
  • Slide 22: What Uses Does the ERM Output Have? Many, but here is one example…
  • Slide 23: Practical Uses of ERM Data. External: Enhancing Enterprise Value
  • Slide 24: How ERM Can Enhance Enterprise Value (diagram labels: Value, CFO Influence)
    • Your company is constantly being valued by investors, lenders, rating agencies, acquisition partners, etc.
    • Many say the CFO’s #1 job is to guard and enhance enterprise value
    • To do this we have to understand how outsiders determine value
    • A quick walk down finance memory lane…
  • Slide 25: Three Valuation Approaches. Determination of Value: Asset, Market, Income
  • Slide 26: Why is the ROR a Big Deal? Low ROR Equals A High Valuation. Determination of required rate of return is a key driver of enterprise value!
    • Main driver of valuation is the rate of return required by investors to invest in your firm
    • Aka: Discount rate
  • Slide 27: How is the ROR Calculated?
    • Common Methods of Calculating ROR
      • Modified CAPM = Rf + B(RPm) + RPs + RPu
      • Build Up Method = Rf + RPm + RPs + RPu
    • Rf = Risk Free; RPm = Equity Premium; RPs = Size Premium; RPu = Company Premium
  • Slide 28: What Exactly Is RPu?
    • What is RPu?
      • The analyst’s judgment regarding risks specific to your company
      • If he/she deems you risky it will raise the ROR and lower value
      • Can also be negative, lowering ROR and raising value
    • No objective source for RPu. It is subjective and based on analyst judgment
  • Slide 29: How Does RPu Tie to ERM? Company Risk Premium (ERM): Management, Competition, Litigation, Customers, Suppliers, Strategy
  • Slide 30: But How Do I Tell the ERM Story?
    • Explain the present but focus on the future!
    • Explain how risks are being managed & monitored
    • Describe how objectives will be achieved
    • Ensure they understand that ERM is a management tool, not a one time project
    • Lengthy explanations of “history”
    • Presenting risks outside the context of objectives
    • Indicating your risk program as overly scientific or precise
      • i.e. Risk A = 3.43256
    • Lengthy discussions of survey techniques or risk rating systems
    • Specific terms like velocity, risk appetite
  • Slide 31: Recap: What We Learned. Theories vs. Realities in successfully implementing an ERM program
    1. Theory: ERM is a process. Practical Application: Build a good process and move forward
    2. Theory: Effected by the Board, Mgt. and other personnel. Practical Application: Risks should be sourced from and be a part of the business
    3. Theory: Applied in strategy setting. Practical Application: Risks to the Enterprise are not all risks
    4. Theory: Events that may affect the entity. Practical Application: Risks combine to form patterns
    5. Theory: Manage risk within appetite. Practical Application: Appetite setting is not a one time event
    6. Theory: Linked to objectives. Practical Application: Mitigate risks in the context of objectives
  • Slide 32: What We Learned. Managing risks down can reduce the ROR. As a result, Enterprise Value can increase.
  • Slide 33: Contact Information. Michael Bechara, CPA, CFE, CRMA, Managing Director, Granite Consulting Group Inc. 845.363.6610 Office • 845.282.3899 Cell • 845.230.8739 Fax • mbechara@consultgranite.com • www.consultgranite.com • 1511 Route 22, Suite 322, Brewster, NY 10509
  • Slide 34: Thank You! Crossing the Rubicon – Taking Enterprise Risk from Theoretical to Practical
  • Slide 35: Thank You Sponsors! PLATINUM, GOLD, SILVER, DIAMOND