Taking Enterprise Risk from Theoretical to Practical

Video & Presentation: http://www.proformative.com/resources/video-presentation-taking-enterprise-risk-theoretical-practical

Risk management has always been an integral part of business. But over the last two decades, a host of corporate scandals, security threats, recessions and a myriad of other crises have pushed risk management to the forefront of business strategy. Organizations are striving to manage and monitor risks more effectively, but many companies can't seem to get beyond the theory and practically implement an effective ERM program. Join JetBlue Airways and Granite Consulting Group as they discuss practical ways of implementing ERM and how JetBlue evolved their risk program and created a strategically focused risk evaluation process setting the direction for future risk mitigation and operational improvement. Attendees will learn to go beyond linear "top 10" surveys and to incorporate practical and actionable strategies to implement an effective ERM program.

Speakers:
Michael Bechara, CPA, CRMA, Managing Director, Granite Consulting Group Inc.
Luis Fernandes, CPA, Director of Corporate Audit, JetBlue Airways

Presentation delivered at CFO Dimensions 2013 - http://www.cfodimensions.com
Track: Governance, Risk, Compliance | Session: 4

Published in: Business, Economy & Finance
  • The next myth describes the old problem of Analysis Paralysis that seems to take over when performing risk assessments. Go through myth. We have to remember that the point is not to have a process … but to generate actionable results. Go through reality.
  • First let's talk about what most people have traditionally done with survey data. Most of us have simply tallied up the votes and appointed a winner. 95% of people rated Risk A as being most dangerous so… It's obviously the most dangerous risk. We need to mitigate this right away. The reason that so many people have confined themselves to this type of analysis is that it's very difficult to manually identify other relationships in the data. Those other relationships are the deeper ones that give us the most value.
  • This slide shows two approaches side by side: the bottoms up risk universe and the top down business risk approach. Without going into exhaustive detail we can see the symbiosis between the two methods. Explain chart. Joe and I have discussed often how they both can work together to create some really powerful results.
  • We have some additional depth in the mitigation area on this slide. Some of the more critical decisions you're going to have to make are…
  • To drive home this point a little more I have a very short case study I’d like to walk you through
  • Later in their risk assessment development the company adopted a more business based risk approach
  • Again in this example we see that there were risks from the bottom of the list that were very relevant to one of the company’s critical objectives. In this example we also see the concept of risk patterns in play as there are 3 distinct risks that make up the risk pattern threatening this objective.
  • Finally, to wrap up, back to our little story about JC. Rome fell in 476 AD. The western world entered the Dark Ages. Perhaps this is sort of where we are today with everyone being frustrated by risk assessment.
  • But there is hope. As people and companies become more developed and sophisticated when it comes to risk assessment perhaps we will enter an age of enlightenment. Perhaps many will let go of some of the myths in risk assessment and use better approaches and technologies to face some of the hard realities that we all have to deal with.
  • Taking Enterprise Risk from Theoretical to Practical

    1. Crossing the Rubicon – Taking Enterprise Risk from Theoretical to Practical (© 2013)
       Luis Fernandes, jetBlue Airways, Director of Internal Audit
       Mike Bechara, Granite Consulting Grp., Managing Director
    2. Words of Wisdom
       “In theory there is no difference between theory and practice. In practice there is”
    3. Theory vs. Reality
       Development has stagnated due to misconceptions about implementation
    4. What We Will Learn Today
       • Reconcile theories to realities
       • Tips & techniques
       • Ways to leverage the ERM output
    5. ERM in Theory….(The COSO Definition)
       1. Enterprise risk management is a process,
       2. Effected by an entity’s board of directors, management and other personnel,
       3. Applied in strategy setting and across the enterprise
       4. Designed to identify potential events that may affect the entity,
       5. Manage risk to be within its risk appetite,
       6. Provide reasonable assurance regarding the achievement of entity objectives.
    6. ERM in Reality….(Your Average Company)
       1. Enterprise risk management is an opaque process,
       2. Effected by Driven by the head of internal audit with updates to an entity’s board of directors, management and other personnel,
       3. Applied in Divorced from strategy setting and across the enterprise corporate office based
       4. Designed to identify potential events that may affect the entity, with focus on what has already happened or one or two current “hot” topics
       5. Manage risk to be within its risk appetite (amorphous term)
       6. Provide reasonable assurance regarding the achievement of entity objectives which are often excluded from the discussion
    7. Theory 1: ERM is a Process
       Misinterpretation
       • If we have an ongoing process that’s good enough!
       • Because if we keep studying reports and data ..that’s the same as actually addressing the risks
       Reality
       • Risk assessment is a prophecy of the future
       • You will never identify or predict all risks….If you could you would be a zillionaire!
       • The tale of the Conservative Engineer
       Tips & Techniques
       • Facilitate the best assessment and reevaluate periodically
       • Build risk discussions into business/financial reviews
    8. Theory 2: Effected by Mgt., Board & Others
       Misinterpretation
       • Divorcing risk from the business
       • “Don’t call us we’ll call you!”
       • This is a highly complex process that is irrelevant for most people
       Reality
       • Risks are only relevant when viewed through the prism of objectives
       • We need to understand what we are trying to achieve to identify what is relevant
       Tips & Techniques
       • No one will understand the risks better than those that face them every day
       • Evaluate your risks as they relate to your company’s objectives
    9. Tips & Techniques: People
       • Where does risk information come from?
       • Accounting Data
       • Quality Data
       • Industry Studies
       • People
    10. Tips & Techniques: People
       • Aren't they too subjective and unreliable?
       • They face the risks every day & understand them very well
       • People have the ability to make predictions based on future plans
       • Historical data analysis assumes the future will look like the past—things don’t happen the same way twice
    11. Theory 3: Applied in Strategy Setting
       Misinterpretation
       • Cataloging all risks
       • False hope of “Total Information Awareness”
       • A Risk Universe is only a start
       Reality
       • We are all adults here
       • Bad things will happen and we won’t care about most of them
       • Key is to focus on what matters
       Tips & Techniques
       • Use a top down business risk approach to complement the bottoms up risk universe approach
       • Concentrate on events that disrupt critical goals & strategy
    12. Tips and Techniques: Use Multiple Analyses
       A business risk approach complements and strengthens the risk universe by linking risks to objectives to present a more complete risk picture
       Risk Universe
       • Interview/survey management
       • Identify risks by functional area
       • Linearly rank risks by likelihood and impact
       • Mitigate the top vote getters
       Business Risk Based
       • Understand company objectives/strategy
       • Interview/survey management
       • Use analytical tools to identify the key risk patterns linked to each objective
       • Mitigate the risks associated with the top objectives
    13. Theory 4: Events That May Affect the Entity
       Misinterpretation
       • We only have to assess one risk at a time
       • The highest ranked risk is the most “dangerous”
       Reality
       • Simple rankings are a start but are inadequate by themselves
       • Negative events are caused by multiple risk factors
       • Managing risk requires us to understand the effect of individual risks manifesting themselves simultaneously
       Tips & Techniques
       • How do the risks interrelate to one another?
       • How are risks influenced by priorities?
       • Would certain risks combine to form an ever greater threat?
    14. Tips & Techniques: Interrelated Risks
       • Lack of Accounting Experience
       • Poor Communication
       • Excessive Overtime
       • Aggressive Marketing Programs
       • System Implementations
    15. Tips & Techniques: Interrelated Risks
       Combination of:
       1. Aggressive Marketing Programs
       2. Excessive Overtime
       3. Poor Communication
       • Lack of Accounting Experience
       • System Implementations
    16. Theory 5: Manage Risk Within Appetite
       Misinterpretation
       • Risk is mitigated….It’s Miller time!
       • Once we mitigate risks beyond a certain level we’re done!
       Reality
       • Risks are like zombies..they rise again if not monitored
       • Mitigating risk is an ongoing effort that takes time but pays big dividends
       Tips & Techniques
       • Get Internal Audit involved
       • Monitor risks over time
       • Just monitoring risks will have a positive effect
    17. Tips & Strategies
       Risk Monitoring Decisions
       • When is a risk mitigated?
       • How often do we check back?
       • What should we check?
    18. Theory 6: Linked to Objectives
       Misinterpretation
       • The voting is over! Let’s mitigate the “Top 10 risks” and all will be well!
       • Classic cart before the horse thinking
       Reality
       • Companies do not exist to manage risks, they exist to achieve objectives
       • Would we come home and say, “Honey I forgot to get the bread from the supermarket…. but I didn’t get into an accident!”
       Tips & Techniques
       • When allocating resources for mitigation prioritize objectives…not risks
       • Begin allocating resources towards mitigating the risks associated with the most important objectives
    19. Before: The Traditional Analysis
       A Major Airline
       • Engaged in a typical risk assessment process
       • Identified 31 risks
       • Ranked according to Likelihood, Impact and Degree of Control
       • Typical approach would be to mitigate starting at the top
       • Proceed as much as cost/benefit dictates
       • No links to business strategy or objectives
       • No relating of risks to one another to form risk patterns
       [Table with columns Rank, Risk Title and Risk Description, listing ranks 1 to 31 with placeholder text only]
    20. After: Business Based Analysis
       Business Based Approach
       • Surveyed the Executive Team on their views of company objectives and risks
       • Do you believe the company will achieve Objective 1?
       • How serious do you believe each risk to be?
       • Risks are linked to business objectives
       • Risks are grouped into the risk patterns that are most relevant for each objective
    21. After: Business Based Analysis
       • Risks 21 and 23 were again from the bottom of the list!
       • A new risk that threatens this objective was identified through the survey process
       • Objective was directly tied to leadership
    22. What Uses Does the ERM Output Have?
       Many, but here is one example……
    23. Practical Uses of ERM Data
       External: Enhancing Enterprise Value
    24. How ERM Can Enhance Enterprise Value
       [Diagram labels: Value, CFO, Influence]
       • Your Company is constantly being valued by investors, lenders, rating agencies, acquisition partners, etc.
       • Many say the CFO’s #1 job is to guard and enhance enterprise value
       • To do this we have to understand how outsiders determine value
       • A quick walk down finance memory lane……
    25. Three Valuation Approaches
       Determination of Value
       • Asset
       • Market
       • Income
    26. Why is the ROR a Big Deal?
       Low ROR Equals A High Valuation
       Determination of required rate of return is a key driver of enterprise value!
       • Main driver of valuation is the rate of return required by investors to invest in your firm
       • Aka: Discount rate
    27. How is the ROR Calculated?
       • Common Methods of Calculating ROR
         – Modified CAPM = Rf + B(RPm) + RPs + RPu
         – Build Up Method = Rf + RPm + RPs + RPu
       Rf = Risk Free, RPm = Equity Premium, RPs = Size Premium, RPu = Company Premium
    28. What Exactly Is RPu?
       • What is RPu?
         – The analyst’s judgment regarding risks specific to your company
         – If he/she deems you risky it will raise the ROR and lower value
         – Can also be negative, lowering ROR and raising value
       No objective source for RPu. It is subjective and based on analyst judgment
    29. How Does RPu Tie to ERM?
       Company Risk Premium (ERM)
       • Management
       • Competition
       • Litigation
       • Customers
       • Suppliers
       • Strategy
    30. But How Do I Tell the ERM Story?
       • Explain the present but focus on the future!
       • Explain how risks are being managed & monitored
       • Describe how objectives will be achieved
       • Ensure they understand that ERM is a management tool not a one time project
       • Lengthy explanations of “history”
       • Presenting risks outside the context of objectives
       • Indicating your risk program as overly scientific or precise
         • i.e. Risk A = 3.43256
       • Lengthy discussions of survey techniques or risk rating systems
       • Specific terms like velocity, risk appetite
    31. Recap: What We Learned
       Theories vs. Realities in successfully implementing an ERM program
       No. | Theory | Practical Application
       1 | ERM is a process | Build a good process and move forward
       2 | Effected by the Board, Mgt. and other personnel | Risks should be sourced from and be a part of the business
       3 | Applied in strategy setting | Risks to the Enterprise are not all risks
       4 | Events that may affect the entity | Risks combine to form patterns
       5 | Manage risk within appetite | Appetite setting is not a one time event
       6 | Linked to objectives | Mitigate risks in the context of objectives
    32. What We Learned
       Managing Risks down can reduce the ROR
       As a result Enterprise Value can increase
    33. Contact Information
       Michael Bechara, CPA, CFE, CRMA
       Managing Director
       845.363.6610 Office • 845.282.3899 Cell • 845.230.8739 Fax
       mbechara@consultgranite.com • www.consultgranite.com
       Granite Consulting Group Inc.
       1511 Route 22, Suite 322 • Brewster, NY 10509
    34. Thank You!
       Crossing the Rubicon – Taking Enterprise Risk from Theoretical to Practical
    35. Thank You Sponsors!
       PLATINUM, GOLD, SILVER, DIAMOND