The Board’s Role in Enterprise Risk Oversight
Spence Hoole, Priya Cherian Huskins, Jim DeLoach, Doug Solomon
SEC Risk Disclosure Requirements – new rules adopted in December ’09
Renewed Focus on Enterprise Risk Management (ERM)
Board’s Role in ERM Oversight?
What is ERM?
Current State of Risk Oversight Process
Practical Implementation of ERM and Risk Oversight
Case Study: Mid-size, international, SaaS company
Risk Oversight and D&O Insurance
Goals and Takeaways
Role of Directors & Officers
Practical Implementation
Where Are You in the ERM Landscape?
Public or private company?
Highly regulated industry?
Outside Director
Officer - CEO, CFO, COO, CIO, General Counsel, Treasurer, Risk Manager, HR
Status of risk management in your organization
Not yet developed
New and not mature
Defined but still developing
Formalized and mature
Optimized, leading edge, best practice
Board’s Role in Enterprise Risk Oversight
Priya Cherian Huskins, Senior Vice-President and Partner, Woodruff-Sawyer & Co.
Renewed Focus on ERM due to enhanced disclosure rules
July 2009: SEC releases proposed rules
December 2010: New rule finalized
Problem to be solved: SEC’s perspective
Problem created: “Disclosure friendly” process
Disclosure Rule
In addition, disclose the extent of the board’s role in the risk oversight of the registrant, such as how the board administers its oversight function, and the effect that this has on the board’s leadership structure.*
*Regulation S-K Item 407(h)
Disclosure Samples
The Board oversees the management of risk through the complementary functioning of the Finance and Risk Management Committee and the Audit Committee. – AIG (5/2010)
One of the Board’s functions is oversight of risk management at Intel. “Risk” is inherent in business, and the Board seeks to understand and advise on risk in conjunction with the activities of the Board and the Board’s committees. – Intel (4/2010)
Our Board of Directors has overall responsibility for risk oversight with a focus on the more significant risks facing us. During the year, management and the Board of Directors jointly discuss major risks that they feel face our business. Throughout the year, the Board of Directors, and the committees to which it has delegated responsibility, dedicate a portion of their meetings to review and discuss specific risk topics in greater detail. – Realty Income (3/2010)
Board’s Role in ERM Oversight
Board’s Role in ERM Oversight?
Facilitate v. Lead
Intersection between Management ERM effort & Board priorities
Role of Senior Management
Top down buy-in
Implementation
Annual
Current State of Risk Oversight Process and ERM: Finding the Keys to Making It Work
Jim DeLoach, Managing Director, Protiviti Inc.
Board Risk Oversight – Directors Survey
Given the intensive regulatory environment in the United States and other countries as well, risk oversight has become a high priority on the agenda of most board directors
Boards are taking a fresh look at the qualifications of their members, how they operate and their expertise to understand and manage the enterprise’s risks
The “Committee of Sponsoring Organizations of the Treadway Commission (COSO)” commissioned Protiviti to conduct a survey to develop a deeper knowledge of the current state of the risk oversight process and the desired future state
201 directors responded
The results of the survey provide valuable insights into how boards are fulfilling their risk oversight obligations, the maturity of their processes and the key areas offering opportunities for improvement of the risk oversight process
Board Risk Oversight – Six General Themes
There exists an opportunity to improve the robustness of the risk oversight process
A strong majority of respondents agree that boards are not formally executing mature and robust risk oversight processes
There is an overall dissatisfaction in the way risk is considered in the context of the organization’s strategy and there are one or more obstacles inhibiting the risk oversight process
Organizations need to consider the benefits of enhancing risk reporting to the board
There are opportunities to improve the risk appetite dialogue and action plans to address deviations from risk tolerance parameters
Monitoring of the risk management process can be improved
Organizations should consider doing more to enlighten the board of the most significant risk matters
Boards’ self-evaluation of the risk oversight process should be improved
These Results Coincide with the Current State of ERM*
A recent survey noted:
76% communicate key risks on an ad hoc basis
Almost 70% don’t routinely report the entity’s top risks to the board
63% see change in volume and complexity of risks over the last five years
48% must improve KRI reporting to senior executives
Risk management processes are relatively immature and ad hoc
* SOURCE: “2010 Report on the Current State of Enterprise Risk Oversight: 2nd Edition”, North Carolina State University, 2010
The Banking Industry’s Idea of Risk?
Did Anyone See It Coming? What was known before this catastrophe?
From March 2007:*
“Subprime lenders are already getting crushed.”
Dean Baker, co-director of the Center for Economic and Policy Research: “…inventory is 20 percent higher than last year, vacancy rates have soared…”
Center for Responsible Lending: “about 1 in 5 subprime loans written in the past two years will go into default, costing 1.1 million their homes and unleashing a flood of foreclosed homes on the market.”
Mortgage Bankers Association: In 2006, 13.5% of mortgages were subprime, compared to 2.6% in 2000.
At that time, California home prices had risen 209% in the prior 10 years while west coast inflation had risen about 30% (www.fhfa.gov).
* CNNMoney.com, March 1 & 13, 2007
Was Risk Management to Blame?
Risk Management Can:
Monitor / Measure
Risk Management Can’t:
Risk management isn’t blameless, but someone pushes the accelerator – the car doesn’t go on its own….
The Oil Industry’s Idea of Risk?
Did Anyone See It Coming? What was known before this catastrophe?*
From June 2007 – Feb. 2010, OSHA issued 761 “Egregious Willful Citations” for refineries.
A Dec. 2007 internal BP presentation regarding Gulf of Mexico incidents found that a common theme was a failure to follow BP’s own procedures and an unwillingness to stop work when something was wrong.
Prior to the Deepwater Horizon Catastrophe, BP had the two biggest fines ever issued by OSHA and had $67 million in fines in 2009 alone, the highest BP fine level in at least the last five years.
* Wall Street Journal, June 30, 2009, pp. A1, A18
Integration with What Matters is Key – Think About Four Elements
Enterprise Risk Management Framework:
Infrastructure: Policies; Processes; Organization; Reporting; Methodology; Systems & Data
Integration: Key Planning Processes; Business goals, objectives, and strategies
Process: Identify risks; Assess risks; Integrate results; Test and monitor risks; Prioritize risks; Develop action plans
Culture: Become part of the Company’s DNA
Practical Implementation of ERM and Risk Oversight: Enterprise Risk Management Process Example
Doug Solomon, Senior Vice President, General Counsel & Secretary, NetSuite Inc.
Case Study: Mid-size, International, SaaS Company
Board Role-Up: How NetSuite got there
NetSuite: Quick Take
Background: Founded 1998; Publicly traded on NYSE: “N”; Offices in 7 countries
Performance: $180M+ revenue; 1000+ employees; 6,600+ customers, 750+ software companies; Top 10 highest growth ERP solution according to Gartner and IDC; NetSuite runs NetSuite
Recognition: #1 Cloud Business Suite; 5 Star Rating; Top 10 Cloud Companies to Watch; Fastest Growing Top 10 FMS Vendor
Risk Assessment Background
The Gov. Committee Chair requested management to review and report to the Board on the Company’s risk management process. Aligns with new SEC disclosure rule oversight.
GC and CFO led a management effort to inventory, organize, and report on the Company’s risk management processes.
Effort included a review and discussion of risks with a cross-functional team of senior functional area managers PLUS advisory services from Protiviti, a leading risk consulting company.
The following individuals representing key functional areas participated in this risk assessment process:
Risk Assessment Approach
NetSuite’s enterprise risk assessment approach is summarized below in four phases:
Inventory & Document Existing ERM Processes
Inventory existing risks from the following sources:
10-K, SOX, SAS 70
Operations Contingency Planning
Compensation risk & disclosure process
Identify Company’s High Level Risks
Management to:
Review prior identified risks (10-K)
Review generic ERM checklist
Review Company’s strategic plan and assess execution risks
Benchmark against peers
Assess & Prepare Summary of ERM Risks and Mitigation Activity
Review and analyze focus areas (highest level risks)
Prepare summary dashboard
Review with Board of Directors
Recommendations for Future
Gap analysis: Compare current practices with best practices
Prioritize gaps and recommend short term actions
Define long term road map
Summary of Management’s Enterprise Risk Analysis
Management discussed and analyzed the enterprise’s risk management activities, capabilities, and responsibilities related to business risks in four different categories.
Categorization of NetSuite’s Business Risks:
Operational Risk – Operations may be inefficient and ineffective in satisfying customers and achieving the company's quality, cost and time objectives.
Financial Risk – Financial risk may include a broad spectrum of risks including: financial reporting errors, inadequate liquidity management, poor product pricing, customer credit risk, foreign currency management, and financial transactional risks.
Compliance Risk – Company’s processes may not comply with company policies, procedures, or government regulations. Nonconformance can result in quality issues, higher costs, lost revenues, financial penalties, and loss of reputation.
Strategic Risk – The organization may not be utilizing the appropriate organizational strategies in order to compete effectively in the marketplace.
Company Specific Enterprise Risks
Management identified the following high level business risks to the organization as a result of the risk assessment process and evaluated their overall impact to the organization based on significance to the organization and likelihood of occurrence.
Please note that the risks listed below are examples and do not reflect NetSuite specific risks.
Additional Risks To Consider
Economic Conditions (Macro and Industry)
Material Software Defects
Changes in Effective Tax Rates
Key Employees
Security Breach
Changes in Accounting Standards……
Customer Contractual Terms/Liability
Fast Paced Technological Changes
Business Interruption – Temporary Loss of Service
Intellectual Property Protection
Intellectual Property Infringement Claims
Disaster Recovery
Failure to maintain proper internal controls
Government regulation & compliance
Employee or Insider Fraud (IT and Product Security)
Ethical Issues / Side Agreements / Corruption
Foreign Currency Exchange Risk
Reputation Risk – Public Relations
International sales & operations risk
Slow Market Growth
Customer price sensitivity
Reliance on third party technology
New sales has a delayed impact on our financial results (i.e. revenue)
Organizational Performance Measures
Budget & Planning
Note: Protiviti compared the risk assessment results to a standard list of risks for a software company and identified the additional risks stated above.
Risk Map Categorization
[Figure: numbered risks placed in four categories – Financial, Strategic, Operations, Compliance – with a legend of High Impact, Med Impact and Low Impact. Risks shown: 1. Economic Conditions; 4. Material Product Defects; 7. Changes in effective tax rate; 8. Key Employees; 9. Security Breach; 10. Changes in Accounting Standards; 11. Customer Contracts Terms/Liability; 12. Fast Paced Technological Changes; 13. Business Interruption; 14. IP Protection; 15. IP Infringement Claims; 16. Disaster Recovery; 17. Maintenance of Internal Controls; 18. Govt Regulations & Compliance; 19. Employee or Insider Fraud; 20. Ethical Issues / Side Agreements / Corruption; 22. Foreign Currency Risks.]
Top Business Risks – Example
A number of business risks were identified based upon our discussions and analysis. Management prioritized these risks based on their significance and likelihood. In management’s view, the top business risks are as follows:
Risk Map – Example: Consideration of Potential Impact vs. Likelihood/Frequency
[Figure: Risk 1 through Risk 15 plotted on a grid with Significance of Risk on the vertical axis (LOW to HIGH) and Likelihood of Risk on the horizontal axis (LOW to HIGH). Zones: Top Risks (top risk), Significant Business Risks (med risk), Low Risks (low risk). Legend: Operational Risk, Strategic Risk, Compliance Risk, Financial Risk.]
Suggested Next Steps Following Initial ERM Process
Board Level: Discuss board oversight process and determine the role of committees in overseeing the risk management process going forward.
Management Level: Consider appropriate management approach and organizational structure for enterprise risk management.
Management recommendations:
Establish Risk Council
Determine appropriate membership (senior company leaders that will be responsible for managing the ERM process)
Develop charter
Determine meeting frequency
Consider use of internal audit resources for documentation and process management
Continual Periodic Review: continue to periodically review, discuss, and evaluate enterprise risks and communicate results of analysis to the Board
Review board charters and determine if revisions are required based on changes in responsibilities
Eventually, compare with peers and best practices for similar companies
Risk Oversight and D&O Insurance
Priya Cherian Huskins, Senior Vice-President and Partner, Woodruff-Sawyer & Co.
Spence Hoole, Managing Partner, Diversified Insurance Group
The Financial Landscape and D&O Market
Economic Landscape – continued fallout of financial meltdowns, stock options backdating, subprime debacles
Litigation Environment – economic turmoil generally leads to increased D&O claims; however, the overall number of securities class action claims declined in 2010