Enterprise Risk Management - Spence Hoole


Speaker notes:
  • If you’re not familiar with NetSuite: NetSuite offers a complete business management solution, all running in the cloud – a 100% SaaS, subscription-based business. We’ve experienced dramatic growth since our founding in 1998 – growing in double digits; we went public in 2007, and we now support over 6,600 customers. We’re on the vanguard of cloud computing as it gains acceptance in the enterprise – just recently we entered the Top 10 financial management / ERP solutions according to Gartner and IDC. A key foundation to NetSuite’s su Our cloud business management solution runs mission-critical applications across finance, CRM and ecommerce for over 6,600 companies – small and medium-size businesses, and divisions of global enterprises.

1. The Board’s Role in Enterprise Risk Oversight
    Spence Hoole
    Priya Cherian Huskins
    Jim DeLoach
    Doug Solomon
2. Overview
    • SEC Risk Disclosure Requirements – new rules adopted in December ’09
    • Renewed Focus on Enterprise Risk Management (ERM)
    • Board’s Role in ERM Oversight?
    • What is ERM?
    • Current State of Risk Oversight Process
    • Practical Implementation of ERM and Risk Oversight
    • Case Study: Mid-size, international, SaaS company
    • Risk Oversight and D&O Insurance
    • Goals and Takeaways
      Role of Directors & Officers
      Practical Implementation
    • Q&A
3. Where Are You in the ERM Landscape?
    • Public or private company?
    • Highly regulated industry?
    • Your role
      Outside Director
      Officer – CEO, CFO, COO, CIO
      General Counsel, Treasurer, Risk Manager, HR
    • Status of risk management in your organization
      Not yet developed
      New and not mature
      Defined but still developing
      Formalized and mature
      Optimized, leading edge, best practice
4. Board’s Role in Enterprise Risk Oversight
    Priya Cherian Huskins
    Senior Vice-President and Partner
    Woodruff-Sawyer & Co.
5. Renewed Focus on ERM due to enhanced disclosure rules
    • July 2009: SEC releases proposed rules
    • December 2010: New rule finalized
    • Problem to be solved: SEC’s perspective
    • Problem created: “Disclosure friendly” process
    • Process analysis
    • Timing

6. Disclosure Rule
    In addition, disclose the extent of the board’s role in the risk oversight of the registrant, such as how the board administers its oversight function, and the effect that this has on the board’s leadership structure.*
    *Regulation S-K Item 407(h)
7. Disclosure Samples
    • “The Board oversees the management of risk through the complementary functioning of the Finance and Risk Management Committee and the Audit Committee.” – AIG (5/2010)
    • “One of the Board’s functions is oversight of risk management at Intel. ‘Risk’ is inherent in business, and the Board seeks to understand and advise on risk in conjunction with the activities of the Board and the Board’s committees.” – Intel (4/2010)
    • “Our Board of Directors has overall responsibility for risk oversight with a focus on the more significant risks facing us. During the year, management and the Board of Directors jointly discuss major risks that they feel face our business. Throughout the year, the Board of Directors, and the committees to which it has delegated responsibility, dedicate a portion of their meetings to review and discuss specific risk topics in greater detail.” – Realty Income (3/2010)
8. Board’s Role in ERM Oversight
    • Board’s Role in ERM Oversight?
      Facilitate v. Lead
      Intersection between Management ERM effort & Board priorities
      Role of Senior Management
      Top down buy-in
      Implementation
      Annual
9. Current State of Risk Oversight Process and ERM: Finding the Keys to Making It Work
    Jim DeLoach
    Managing Director
    Protiviti Inc.
10. Board Risk Oversight – Directors Survey
    • Given the intensive regulatory environment in the United States and other countries as well, risk oversight has become a high priority on the agenda of most board directors
    • Boards are taking a fresh look at the qualifications of their members, how they operate and their expertise to understand and manage the enterprise’s risks
    • The Committee of Sponsoring Organizations of the Treadway Commission (COSO) commissioned Protiviti to conduct a survey to develop a deeper knowledge of the current state of the risk oversight process and the desired future state
    • 201 directors responded
    • The results of the survey provide valuable insights into how boards are fulfilling their risk oversight obligations, the maturity of their processes and the key areas offering opportunities for improvement of the risk oversight process

11. Board Risk Oversight – Six General Themes
    • There exists an opportunity to improve the robustness of the risk oversight process
      A strong majority of respondents agree that boards are not formally executing mature and robust risk oversight processes
      There is an overall dissatisfaction with the way risk is considered in the context of the organization’s strategy, and there are one or more obstacles inhibiting the risk oversight process
    • Organizations need to consider the benefits of enhancing risk reporting to the board
    • There are opportunities to improve the risk appetite dialogue and action plans to address deviations from risk tolerance parameters
    • Monitoring of the risk management process can be improved
    • Organizations should consider doing more to enlighten the board on the most significant risk matters
    • Boards’ self-evaluation of the risk oversight process should be improved
12. These Results Coincide with the Current State of ERM
    A recent survey* noted:
    • 76% communicate key risks on an ad hoc basis
    • Almost 70% don’t routinely report the entity’s top risks to the board
    • 63% see change in volume and complexity of risks over the last five years
    • 48% must improve KRI reporting to senior executives
    • Risk management processes are relatively immature and ad hoc
    * Source: “2010 Report on the Current State of Enterprise Risk Oversight: 2nd Edition”, North Carolina State University, 2010
13. The Banking Industry’s Idea of Risk?
14. Did Anyone See It Coming?
    What was known before this catastrophe?
    From March 2007:*
    • “Subprime lenders are already getting crushed.”
    • Dean Baker, co-director of the Center for Economic and Policy Research: “…inventory is 20 percent higher than last year, vacancy rates have soared…”
    • Center for Responsible Lending: “about 1 in 5 subprime loans written in the past two years will go into default, costing 1.1 million their homes and unleashing a flood of foreclosed homes on the market.”
    • Mortgage Bankers Association: In 2006, 13.5% of mortgages were subprime, compared to 2.6% in 2000.
    At that time, California home prices had risen 209% in the prior 10 years while west coast inflation had risen about 30% (www.fhfa.gov).
    * CNNMoney.com, March 1 & 13, 2007
15. Was Risk Management to Blame?
    Risk Management Can:
    • Review
    • Inform
    • Advise
    • Monitor / Measure
    • Control
    • Resign (!)
    Risk Management Can’t:
    • Initiate
    • Decide
    Risk management isn’t blameless, but someone pushes the accelerator – the car doesn’t go on its own….
16. The Oil Industry’s Idea of Risk?
17. Did Anyone See It Coming?
    What was known before this catastrophe?*
    • From June 2007 – Feb. 2010, OSHA issued 761 “Egregious Willful Citations” for refineries.
    • A Dec. 2007 internal BP presentation regarding Gulf of Mexico incidents found that a common theme was a failure to follow BP’s own procedures and an unwillingness to stop work when something was wrong.
    • Prior to the Deepwater Horizon catastrophe, BP had the two biggest fines ever issued by OSHA and had $67 million in fines in 2009 alone, the highest BP fine level in at least the last five years.
    * Wall Street Journal, June 30, 2009, pp. A1, A18
18. Integration with What Matters is Key – Think About Four Elements
    Enterprise Risk Management Framework (diagram):
    • Infrastructure: Policies, Processes, Organization, Reporting, Methodology, Systems & Data
    • Process: Identify risks, Assess risks, Prioritize risks, Develop action plans, Test and monitor risks
    • Integration: Key Planning Processes, Integrate results, Business goals, objectives and strategies
    • Culture: Become part of the Company’s DNA
19. Practical Implementation of ERM and Risk Oversight: Enterprise Risk Management Process Example
    Doug Solomon
    Senior Vice President, General Counsel & Secretary
    NetSuite Inc.
20. Lessons Learned
    • Case Study: Mid-size, International, SaaS Company
      Board Role-Up
      How NetSuite got there
21. NetSuite: Quick Take
    Background / Performance
    • Founded 1998
    • Publicly traded on NYSE: “N”
    • Offices in 7 countries
    • $180M+ revenue
    • 1000+ employees
    • 6,600+ customers, 750+ software companies
    • Top 10 highest growth ERP solution according to Gartner and IDC
    • NetSuite runs NetSuite
    Recognition
    • #1 Cloud Business Suite
    • 5 Star Rating
    • Top 10 Cloud Companies to Watch
    • Fastest Growing Top 10 FMS Vendor
22. Risk Assessment Background
    • Background: The Gov. Committee Chair requested management to review and report to the Board on the Company’s risk management process. Aligns with the new SEC disclosure rule on risk oversight.
    • GC and CFO led a management effort to inventory, organize, and report on the Company’s risk management processes.
    • Effort included a review and discussion of risks with a cross-functional team of senior functional area managers PLUS advisory services from Protiviti, a leading risk consulting company.
    • The following individuals representing key functional areas participated in this risk assessment process:
23. Risk Assessment Approach
    NetSuite’s enterprise risk assessment approach is summarized below:
    Phases: (1) Inventory & Document Existing ERM Processes; (2) Identify Company’s High Level Risks; (3) Assess & Prepare Summary of ERM Risks and Mitigation Activity; (4) Recommendations for Future
    Management to:
    • Review prior identified risks (10-K)
    • Review generic ERM checklist
    • Review Company’s strategic plan and assess execution risks
    • Benchmark against peers
    • Gap analysis: Compare current practices with best practices
    • Prioritize gaps and recommend short term actions
    • Define long term road map
    • Inventory existing risks from the following sources:
      10-K, SOX, SAS 70
      Internal Audit
      Operations Contingency Planning
      Security planning
      Compensation risk & disclosure process
    • Review and analyze focus areas (highest level risks)
    • Prepare summary dashboard
    • Management discussion
    • Review with Board of Directors

24. Summary of Management’s Enterprise Risk Analysis
    Management discussed and analyzed the enterprise’s risk management activities, capabilities, and responsibilities related to business risks in four different categories.
    Categorization of NetSuite’s Business Risks:
    • Operational Risk – Operations may be inefficient and ineffective in satisfying customers and achieving the company’s quality, cost and time objectives.
    • Financial Risk – Financial risk may include a broad spectrum of risks including: financial reporting errors, inadequate liquidity management, poor product pricing, customer credit risk, foreign currency management, and financial transactional risks.
    • Compliance Risk – Company’s processes may not comply with company policies, procedures, or government regulations. Nonconformance can result in quality issues, higher costs, lost revenues, financial penalties, and loss of reputation.
    • Strategic Risk – The organization may not be utilizing the appropriate organizational strategies in order to compete effectively in the marketplace.
25. Company Specific Enterprise Risks
    Management identified the following high level business risks to the organization as a result of the risk assessment process and evaluated their overall impact to the organization based on significance to the organization and likelihood of occurrence:
    Please note that the risks listed below are examples and do not reflect NetSuite specific risks.
    • Economic Conditions (Macro and Industry)
    • Material Software Defects
    • Changes in Effective Tax Rates
    • Key Employees
    • Security Breach
    • Changes in Accounting Standards……
    • Customer Contractual Terms/Liability
    • Fast Paced Technological Changes
    • Business Interruption – Temporary Loss of Service
    • Intellectual Property Protection
    • Intellectual Property Infringement Claims
    • Disaster Recovery
    • Failure to maintain proper internal controls
    • Government regulation & compliance
    • Employee or Insider Fraud (IT and Product Security)
    • Ethical Issues / Side Agreements / Corruption
    • Foreign Currency Exchange Risk
    • Reputation Risk – Public Relations
    • International sales & operations risk
    • Slow Market Growth
    • Customer price sensitivity
    • Reliance on third party technology
    • New sales have a delayed impact on our financial results (i.e. revenue)
    Additional Risks To Consider
    • Performance Incentives
    • Organizational Performance Measures
    • Organizational Culture
    • Succession Planning
    • Budget & Planning
    • Technological Innovation
    Note: Protiviti compared the risk assessment results to a standard list of risks for a software company and identified the additional risks stated above.
26. Risk Map Categorization
    Risk map (diagram) with four quadrants: Financial, Strategic, Operations, Compliance. Legend: High Impact, Med Impact, Low Impact. Risks plotted:
    • 1. Economic Conditions
    • 4. Material Product Defects
    • 7. Changes in effective tax rate
    • 8. Key Employees
    • 9. Security Breach
    • 10. Changes in Accounting Standards
    • 11. Customer Contracts Terms/Liability
    • 12. Fast Paced Technological Changes
    • 13. Business Interruption
    • 14. IP Protection
    • 15. IP Infringement Claims
    • 16. Disaster Recovery
    • 17. Maintenance of Internal Controls
    • 18. Govt Regulations & Compliance
    • 19. Employee or Insider Fraud
    • 20. Ethical Issues / Side Agreements / Corruption
    • 22. Foreign Currency Risks
27. Top Business Risks – Example
    A number of business risks were identified based upon our discussions and analysis. Management prioritized these risks based on their significance and likelihood. In management’s view, the top business risks are as follows:
28. Risk Map – Example: Consideration of Potential Impact vs. Likelihood/Frequency
    Risk map (diagram): Significance of Risk (LOW to HIGH) plotted against Likelihood of Risk (LOW to HIGH), divided into Top Risk, Med Risk and Low Risk bands. Risk 1 through Risk 15 are plotted and grouped as Top Risks, Significant Business Risks and Low Risks. Legend: Operational Risk, Strategic Risk, Compliance Risk, Financial Risk.
29. Suggested Next Steps Following Initial ERM Process
    • Board Level: Discuss the board oversight process and determine the role of committees in overseeing the risk management process going forward.
    • Management Level: Consider the appropriate management approach and organizational structure for enterprise risk management. Management recommendations:
      Establish Risk Council
        Determine appropriate membership (senior company leaders that will be responsible for managing the ERM process)
        Develop charter
        Determine meeting frequency
      Consider use of internal audit resources for documentation and process management.
    • Continual Periodic Review: continue to periodically review, discuss, and evaluate enterprise risks and communicate results of the analysis to the Board.
      Review board charters and determine if revisions are required based on changes in responsibilities
      Eventually, compare with peers and best practices for similar companies
30. Risk Oversight and D&O Insurance
    Priya Cherian Huskins, Senior Vice-President and Partner, Woodruff-Sawyer & Co.
    Spence Hoole, Managing Partner, Diversified Insurance Group
31. The Financial Landscape and D&O Market
    • Economic Landscape – continued fallout of financial meltdowns, stock options backdating, subprime debacles
    • Litigation Environment – economic turmoil generally leads to increased D&O claims; however, the overall number of securities class action claims declined in 2010
    • Risk Currency – Market Security / Carrier Solvency
    • Importance of DIC A-side Coverage
32. D&O Market and Renewal Outlook – 2011
    • Will the really soft D&O market become even softer?
    • Insurance carrier stability and solvency concerns
    • Trends in SEC enforcement activity
    • M&A case law development
    • What should the board’s focus be in relation to:
      Program Structure
      Limits
      Coverage Terms and Conditions
33. Q&A