Enterprise Risk Management - Spence Hoole
  • If you’re not familiar with NetSuite: NetSuite offers a complete business management solution, all running in the cloud, as a 100% SaaS, subscription-based business. We’ve experienced dramatic growth since our founding in 1998, growing in double digits; we went public in 2007, and we now support over 6,600 customers. We’re on the vanguard of cloud computing as it gains acceptance in the enterprise; just recently we entered the Top 10 financial management / ERP solutions according to Gartner and IDC. A key foundation to NetSuite’s su Our cloud business management solution runs mission-critical applications across finance, CRM and e-commerce for over 6,600 companies: small and medium-size businesses, and divisions of global enterprises.

Enterprise Risk Management - Spence Hoole: Presentation Transcript

  • The Board’s Role in Enterprise Risk Oversight
    Spence Hoole
    Priya Cherian Huskins
    Jim Deloach
    Doug Solomon
  • Overview
    • SEC Risk Disclosure Requirements – new rules adopted in December ’09
    • Renewed Focus on Enterprise Risk Management (ERM)
    • Board’s Role in ERM Oversight?
    • What is ERM?
    • Current State of Risk Oversight Process
    • Practical Implementation of ERM and Risk Oversight
    • Case Study: Mid-size, international, SaaS company
    • Risk Oversight and D&O Insurance
    • Goals and Takeaways
    Role of Directors & Officers
    Practical Implementation
    • Q&A
  • Where Are You in the ERM Landscape?
    • Public or private company?
    • Highly regulated industry?
    • Your Role
    Outside Director
    Officer - CEO, CFO, COO, CIO
    General Counsel, Treasurer, Risk Manager, HR
    • Status of risk management in your organization
    Not yet developed
    New and not mature
    Defined but still developing
    Formalized and mature
    Optimized, leading edge, best practice
  • Board’s Role in Enterprise Risk Oversight
    Priya Cherian Huskins
    Senior Vice-President and Partner
    Woodruff-Sawyer & Co.
  • Renewed Focus on ERM due to enhanced disclosure rules
    • July 2009: SEC releases proposed rules
    • December 2010: New rule finalized
    • Problem to be solved: SEC’s perspective
    • Problem created: “Disclosure friendly” process
    • Process analysis
    • Timing
  • Disclosure Rule
    In addition, disclose the extent of the board’s role in the risk oversight of the registrant, such as how the board administers its oversight function, and the effect that this has on the board’s leadership structure.*
    *Regulation S-K Item 407(h)
  • Disclosure Samples
    The Board oversees the management of risk through the complementary functioning of the Finance and Risk Management Committee and the Audit Committee. –AIG (5/2010)
    One of the Board’s functions is oversight of risk management at Intel. “Risk” is inherent in business, and the Board seeks to understand and advise on risk in conjunction with the activities of the Board and the Board’s committees. –Intel (4/2010)
    Our Board of Directors has overall responsibility for risk oversight with a focus on the more significant risks facing us. During the year, management and the Board of Directors jointly discuss major risks that they feel face our business. Throughout the year, the Board of Directors, and the committees to which it has delegated responsibility, dedicate a portion of their meetings to review and discuss specific risk topics in greater detail. –Realty Income (3/2010)
  • Board’s Role in ERM Oversight
    • Board’s Role in ERM Oversight?
    Facilitate v. Lead
    Intersection between Management ERM effort & Board priorities
    Role of Senior Management
    Top down buy-in
    Implementation
    Annual
  • Current State of Risk Oversight Process and ERM: Finding the Keys to Making It Work
    Jim DeLoach
    Managing Director
    Protiviti Inc.
  • Board Risk Oversight – Directors Survey
    • Given the intensive regulatory environment in the United States and in other countries as well, risk oversight has become a high priority on the agenda of most board directors
    • Boards are taking a fresh look at the qualifications of their members, how they operate, and their expertise to understand and manage the enterprise’s risks
    • The Committee of Sponsoring Organizations of the Treadway Commission (COSO) commissioned Protiviti to conduct a survey to develop a deeper knowledge of the current state of the risk oversight process and the desired future state
    • 201 directors responded
    • The results of the survey provide valuable insights into how boards are fulfilling their risk oversight obligations, the maturity of their processes, and the key areas offering opportunities for improvement of the risk oversight process
  • Board Risk Oversight – Six General Themes
    There exists an opportunity to improve the robustness of the risk oversight process:
    • A strong majority of respondents agree that boards are not formally executing mature and robust risk oversight processes
    • There is an overall dissatisfaction with the way risk is considered in the context of the organization’s strategy, and there are one or more obstacles inhibiting the risk oversight process
    • Organizations need to consider the benefits of enhancing risk reporting to the board
    • There are opportunities to improve the risk appetite dialogue and action plans to address deviations from risk tolerance parameters
    • Monitoring of the risk management process can be improved
    • Organizations should consider doing more to enlighten the board on the most significant risk matters
    • Boards’ self-evaluation of the risk oversight process should be improved
  • These Results Coincide with the Current State of ERM
    A recent survey noted:*
    76% communicate key risks on an ad hoc basis
    Almost 70% don’t routinely report the entity’s top risks to the board
    63% see change in volume and complexity of risks over the last five years
    48% must improve KRI reporting to senior executives
    Risk management processes are relatively immature and ad hoc
    * SOURCE: “2010 Report on the Current State of Enterprise Risk Oversight: 2nd Edition”, North Carolina State University, 2010
  • The Banking Industry’s Idea of Risk?
  • Did Anyone See It Coming?
    What was known before this catastrophe?
    From March 2007:
    *“Subprime lenders are already getting crushed.”
    *Dean Baker, co-director of the Center for Economic and Policy Research: “…inventory is 20 percent higher than last year, vacancy rates have soared…”
    *Center for Responsible Lending: “about 1 in 5 subprime loans written in the past two years will go into default, costing 1.1 million their homes and unleashing a flood of foreclosed homes on the market.”
    *Mortgage Bankers Association: In 2006, 13.5 % of mortgages were subprime, compared to 2.6 % in 2000.
    At that time, California home prices had risen 209% in the prior 10 years while west coast inflation had risen about 30% (www.fhfa.gov).
    * CNNMoney.com, March 1 & 13, 2007
  • Was Risk Management to Blame?
    Risk Management Can:
    • Review
    • Inform
    • Advise
    • Monitor / Measure
    • Control
    • Resign (!)
    Risk Management Can’t:
    • Initiate
    • Decide
    Risk management isn’t blameless, but someone pushes the accelerator – the car doesn’t go on its own.
  • The Oil Industry’s Idea of Risk?
  • Did Anyone See It Coming?
    What was known before this catastrophe?*
    *From June 2007 – Feb. 2010, OSHA issued 761 “Egregious Willful Citations” for refineries.
    *A Dec. 2007 internal BP presentation regarding Gulf of Mexico incidents found that a common theme was a failure to follow BP’s own procedures and an unwillingness to stop work when something was wrong.
    Prior to the Deepwater Horizon Catastrophe, BP had the two biggest fines ever issued by OSHA and had $67 million in fines in 2009 alone, the highest BP fine level in at least the last five years.
    * Wall Street Journal, June 30, 2009 pp. A1, A18
  • Integration with What Matters is Key – Think About Four Elements
    Enterprise Risk Management Framework (diagram), showing the four elements and the items under each:
    Process: Identify risks, Assess risks, Prioritize risks, Develop action plans, Test and monitor risks, Integrate results
    Infrastructure: Policies, Processes, Organization, Reporting, Methodology, Systems & Data
    Integration: Key Planning Processes; Business goals, objectives, and strategies
    Culture: Become part of the Company’s DNA
  • Practical Implementation of ERM and Risk Oversight: Enterprise Risk Management Process Example
    Doug Solomon
    Senior Vice President,
    General Counsel & Secretary
    NetSuite Inc.
  • Lessons Learned
    • Case Study: Mid-size, International, SaaS Company
    Board Role-Up
    How NetSuite got there
  • NetSuite: Quick Take
    Background and Performance
    Founded 1998
    Publicly traded on NYSE: “N”
    Offices in 7 countries
    $180M+ revenue
    1000+ employees
    6,600+ customers, 750+ software companies
    Top 10 highest growth ERP solution according to Gartner and IDC
    NetSuite runs NetSuite
    Recognition
    #1 Cloud Business Suite
    5 Star Rating
    Top 10 Cloud Companies to Watch
    Fastest Growing Top 10 FMS Vendor
  • Risk Assessment Background
    Background: The Governance Committee Chair requested that management review and report to the Board on the Company’s risk management process. This aligns with the new SEC disclosure rule on risk oversight.
    The GC and CFO led a management effort to inventory, organize, and report on the Company’s risk management processes.
    The effort included a review and discussion of risks with a cross-functional team of senior functional area managers, plus advisory services from Protiviti, a leading risk consulting company.
    The following individuals representing key functional areas participated in this risk assessment process:
  • Risk Assessment Approach
    NetSuite’s enterprise risk assessment approach is summarized below as four phases, with the management activities under each:
    Inventory & Document Existing ERM Processes
    • Inventory existing risks from the following sources: 10-K, SOX, SAS 70; Internal Audit; Operations Contingency Planning; Security planning; Compensation risk & disclosure process
    Identify Company’s High Level Risks
    • Review prior identified risks (10-K)
    • Review generic ERM checklist
    • Review Company’s strategic plan and assess execution risks
    Assess & Prepare Summary of ERM Risks and Mitigation Activity
    • Review and analyze focus areas (highest level risks)
    • Prepare summary dashboard
    • Management discussion
    • Review with Board of Directors
    Recommendations for Future
    • Benchmark against peers
    • Gap analysis: Compare current practices with best practices
    • Prioritize gaps and recommend short term actions
    • Define long term road map
  • Summary of Management’s Enterprise Risk Analysis
    Management discussed and analyzed the enterprise’s risk management activities, capabilities, and responsibilities related to business risks in four different categories.
    Categorization of NetSuite’s Business Risks:
    Operational Risk – Operations may be inefficient and ineffective in satisfying customers and achieving the company's quality, cost and time objectives.
    Financial Risk - Financial risk may include a broad spectrum of risks including: financial reporting errors, inadequate liquidity management, poor product pricing, customer credit risk, foreign currency management, and financial transactional risks.
    Compliance Risk – Company’s processes may not comply with company policies, procedures, or government regulations. Nonconformance can result in quality issues, higher costs, lost revenues, financial penalties, and loss of reputation.
    Strategic Risk – The organization may not be utilizing the appropriate organizational strategies in order to compete effectively in the marketplace.
  • Company Specific Enterprise Risks
    Management identified the following high level business risks to the organization as a result of the risk assessment process and evaluated their overall impact on the organization based on significance to the organization and likelihood of occurrence:
    Please note that the risks listed below are examples and do not reflect NetSuite specific risks.
    Economic Conditions (Macro and Industry)
    Material Software Defects
    Changes in Effective Tax Rates
    Key Employees
    Security Breach
    Changes in Accounting Standards
    Customer Contractual Terms/Liability
    Fast Paced Technological Changes
    Business Interruption – Temporary Loss of Service
    Intellectual Property Protection
    Intellectual Property Infringement Claims
    Disaster Recovery
    Failure to maintain proper internal controls
    Government regulation & compliance
    Employee or Insider Fraud (IT and Product Security)
    Ethical Issues / Side Agreements / Corruption
    Foreign Currency Exchange Risk
    Reputation Risk – Public Relations
    International sales & operations risk
    Slow Market Growth
    Customer price sensitivity
    Reliance on third party technology
    New sales have a delayed impact on our financial results (i.e. revenue)
    Additional Risks To Consider
    • Performance Incentives
    • Organizational Performance Measures
    • Organizational Culture
    • Succession Planning
    • Budget & Planning
    • Technological Innovation
    Note: Protiviti compared the risk assessment results to a standard list of risks for a software company and identified the additional risks stated above.
  • Risk Map Categorization
    Risk map (diagram) with four quadrants: Financial, Strategic, Operations, Compliance. Legend: High Impact, Med Impact, Low Impact. Risks plotted, by number:
    7. Changes in effective tax rate
    15. IP Infringement Claims
    12. Fast Paced Technological Changes
    22. Foreign Currency Risks
    20. Ethical Issues / Side Agreements / Corruption
    1. Economic Conditions
    14. IP Protection
    11. Customer Contracts Terms/Liability
    4. Material Product Defects
    18. Govt Regulations & Compliance
    9. Security Breach
    16. Disaster Recovery
    10. Changes in Accounting Standards
    13. Business Interruption
    17. Maintenance of Internal Controls
    19. Employee or Insider Fraud
    8. Key Employees
  • Top Business Risks– Example
    A number of business risks were identified based upon our discussions and analysis. Management prioritized these risks based on their significance and likelihood. In management’s view, the top business risks are as follows:
  • Risk Map – Example: Consideration of Potential Impact vs. Likelihood/Frequency
    Risk map (figure). Vertical axis: Significance of Risk (LOW to HIGH); horizontal axis: Likelihood of Risk (LOW to HIGH). Bands: Top Risk, Med Risk, Low Risk. Significant Business Risks plotted: Risk 1 through Risk 15. Legend: Operational Risk, Strategic Risk, Compliance Risk, Financial Risk.
  • Suggested Next Steps Following Initial ERM Process
    Board Level: Discuss the board oversight process and determine the role of committees in overseeing the risk management process going forward.
    Management Level: Consider the appropriate management approach and organizational structure for enterprise risk management. Management recommendations:
    Establish a Risk Council
    Determine appropriate membership (senior company leaders who will be responsible for managing the ERM process)
    Develop a charter
    Determine meeting frequency
    Consider use of internal audit resources for documentation and process management
    Continual Periodic Review: continue to periodically review, discuss, and evaluate enterprise risks and communicate the results of the analysis to the Board.
    Review board charters and determine whether revisions are required based on changes in responsibilities.
    Eventually, compare with peers and best practices for similar companies.
  • Risk Oversight and D&O Insurance
    Priya Cherian Huskins, Senior Vice-President and Partner, Woodruff-Sawyer & Co.
    Spence Hoole, Managing Partner, Diversified Insurance Group
  • The Financial Landscape and D&O Market
    • Economic Landscape – continued fallout of financial meltdowns, stock options backdating, subprime debacles
    • Litigation Environment – economic turmoil generally leads to increased D&O claims; however, overall number of securities class action claims has declined in 2010
    • Risk Currency - Market Security / Carrier Solvency
    • Importance of DIC A-side Coverage
  • D&O Market and Renewal Outlook – 2011
    • Will the really soft D&O market become even softer?
    • Insurance Carrier stability and solvency concerns
    • Trends in SEC enforcement activity
    • M&A case law development
    • What should the board’s focus be in relation to:
    • Program Structure
    • Limits
    • Coverage Terms and Conditions
  • Q&A