
Enterprise risk-management1973


Published in: Business, Economy & Finance

  1. Enterprise Risk Management. Walter Gangl, Director, Society of Corporate Secretaries and Governance Professionals; Former Deputy General Counsel and Corporate Secretary, Armstrong World Industries. R.R. Donnelley – SEC Hot Topics 2008, September 24, 2008.
  2. Serious failings have led to demands for enhanced board oversight of risk:
     • Sarbanes-Oxley: calls for enterprise-wide documentation and testing of controls over financial reporting risk.
     • NYSE amendments to listing standards: require the Audit Committee to discuss with internal and external auditors how the company handles risks and the steps taken to monitor and control exposure to such risks.
     • SEC: now mandates disclosure of risks in periodic ’34 Act reports. Commissioner Cynthia Glassman urges public companies to use information gleaned from ERM to enhance disclosure in management’s discussion and analysis.
     • Boards of Directors: a 2005 McKinsey survey of 1000 board members indicated that 76% would like to spend more time on risk.
     Source: The Executive Board – Treasury Leadership Roundtable, “Organizing for Enterprise Risk Management”, dated 18 August 2005.
  3. COSO – Enterprise Risk Management Framework
     • COSO (the “Committee Of Sponsoring Organizations” of the Treadway Commission) is the “father” of SOX 404’s internal controls evaluation.
     • COSO’s ERM “Framework” provides an organizational scope, emphasis, and program to broaden risk management, create an enterprise-wide awareness and emphasis, and integrate the risk management process into corporate strategy.
     • IT’S THE BIBLE: Go to: and click on “Resources” to download.
  4. Key Definitions
     • Risk: any event or circumstance which could impact the achievement of business objectives.
     • Risk Assessment: the process of identifying and evaluating the magnitude and likelihood of risks to the achievement of business plans.
     • Inherent Risk: exposure to a risk that is intrinsic to the business in the current environment, before considering the risk mitigation and control activities that have been designed and implemented to address a given risk.
     • Mitigation: the process of reducing the likelihood and/or impact of a risk.
     • Residual Risk: exposure to a risk remaining after considering the effect of mitigation through risk management and control activities.
     • Risk Management: the composite of the processes of Risk Assessment and Risk Monitoring.
  5. ERM Defined: “… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” Source: COSO, Enterprise Risk Management – Integrated Framework, 2004.
  6. Why?
     • Risk Assessment is necessary to comply with SEC disclosures in ’33 and ’34 Act reports.
     • Rating agencies are beginning to take Risk Management into consideration on credit ratings, so it will affect companies’ cost of capital.
     • Also, for Board oversight purposes: they want to know the Company has good Risk Management processes, and to check what management sees as the major risks and how they plan to deal with them.
  7. Risk Prioritization Using a Risk Matrix (figure)
     Axes: Probability of Occurrence (over the five-year business plan) against Severity of Impact.
     Probability bands: Almost Certain (>90%); Probable (>50%); Possible (15-50%); Unlikely (less than 15%); Rare (less than 2%).
     Impact bands: Massive (risk to human life or over $20 million); Major (>$2 million to $20 million); Moderate ($250,000 to $2 million); Minor (up to $250,000).
     Impact levels tie to disclosure standards.
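As an added worked example (not code from the deck or its presenters), the Python script below implements the prioritization the matrix describes: it maps a probability over the plan horizon to the five likelihood bands and a dollar impact (or a risk to human life) to the four impact bands, scores each cell, and then applies the slide 4 definitions of inherent and residual risk to a small register so the most serious risks come out first. Only the band boundaries come from the slide; the `Risk` class, the cell-score rule (likelihood rank times impact rank), the `SAMPLE_REGISTER` entries and their mitigation effects are constructed assumptions.

```python
"""Risk prioritization with a likelihood x impact matrix.

Added example, not code from the deck. Likelihood and impact bands come from
slide 7 and the inherent/residual definitions from slide 4; the Risk class, the
cell-score rule and the sample register are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Likelihood bands (probability over the five-year business plan), least to most
# likely, so list index + 1 is the band's rank (1..5).
LIKELIHOOD_BANDS = ["Rare", "Unlikely", "Possible", "Probable", "Almost Certain"]
# Impact bands, least to most severe; index + 1 is the rank (1..4).
IMPACT_BANDS = ["Minor", "Moderate", "Major", "Massive"]


def likelihood_band(probability: float) -> str:
    """Map a probability in [0, 1] to the deck's likelihood band."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError(f"probability out of range: {probability}")
    if probability > 0.90:
        return "Almost Certain"   # > 90%
    if probability > 0.50:
        return "Probable"         # > 50%
    if probability >= 0.15:
        return "Possible"         # 15% to 50% (exactly 50% assumed Possible)
    if probability >= 0.02:
        return "Unlikely"         # less than 15%
    return "Rare"                 # less than 2%


def impact_band(dollars: float, risk_to_life: bool = False) -> str:
    """Map a financial impact (and a human-safety flag) to the deck's impact band."""
    if dollars < 0:
        raise ValueError(f"impact must be non-negative: {dollars}")
    if risk_to_life or dollars > 20_000_000:
        return "Massive"          # risk to human life or over $20 million
    if dollars > 2_000_000:
        return "Major"            # over $2 million, up to $20 million
    if dollars > 250_000:
        return "Moderate"         # $250,000 to $2 million (exactly $250,000 assumed Minor)
    return "Minor"                # up to $250,000


def matrix_score(probability: float, dollars: float, risk_to_life: bool = False) -> int:
    """Cell score = likelihood rank (1-5) x impact rank (1-4); 20 is the worst cell.
    The product is a constructed scoring rule, not one stated on the slide."""
    l_rank = LIKELIHOOD_BANDS.index(likelihood_band(probability)) + 1
    i_rank = IMPACT_BANDS.index(impact_band(dollars, risk_to_life)) + 1
    return l_rank * i_rank


@dataclass
class Risk:
    """One register entry. probability/impact_dollars are inherent (before
    mitigation); residual_* values are what remains after controls, or None
    if a control does not change that dimension."""
    name: str
    probability: float
    impact_dollars: float
    risk_to_life: bool = False
    residual_probability: Optional[float] = None
    residual_impact_dollars: Optional[float] = None

    def residual_values(self) -> Tuple[float, float]:
        p = self.probability if self.residual_probability is None else self.residual_probability
        d = self.impact_dollars if self.residual_impact_dollars is None else self.residual_impact_dollars
        return p, d

    def inherent_score(self) -> int:
        return matrix_score(self.probability, self.impact_dollars, self.risk_to_life)

    def residual_score(self) -> int:
        p, d = self.residual_values()
        return matrix_score(p, d, self.risk_to_life)   # controls never remove the safety flag here


def prioritize(register: List[Risk], residual: bool = False) -> List[Tuple[str, int, int]]:
    """Order the register most-serious-first (slide 11). By default the inherent
    score drives the order, since prioritization precedes mitigation in the deck's
    process; residual=True orders by what remains after controls, the figure the
    deck has management report to the Board as the residual risk level."""
    score = (lambda r: r.residual_score()) if residual else (lambda r: r.inherent_score())
    ranked = sorted(register, key=lambda r: (-score(r), r.name))
    return [(r.name, r.inherent_score(), r.residual_score()) for r in ranked]


def risk_map(register: List[Risk], residual: bool = True) -> Dict[Tuple[str, str], List[str]]:
    """Group risk names by (likelihood band, impact band) cell: the matrix as data."""
    cells: Dict[Tuple[str, str], List[str]] = {}
    for r in register:
        p, d = r.residual_values() if residual else (r.probability, r.impact_dollars)
        cells.setdefault((likelihood_band(p), impact_band(d, r.risk_to_life)), []).append(r.name)
    return cells


# Constructed sample register: names echo the categories on slide 8, but every
# probability, dollar figure and mitigation effect is illustrative.
SAMPLE_REGISTER = [
    Risk("Legacy product liability claims", 0.95, 25_000_000),            # no mitigation credited
    Risk("Workplace safety incident", 0.60, 500_000, risk_to_life=True,
         residual_probability=0.10),                                       # controls cut likelihood
    Risk("Currency volatility", 0.95, 1_000_000, residual_impact_dollars=200_000),      # hedging
    Risk("Hurricane damage to a plant", 0.30, 15_000_000, residual_impact_dollars=1_500_000),  # insurance
    Risk("Supplier problems", 0.20, 100_000),
]

if __name__ == "__main__":
    for name, inherent, residual in prioritize(SAMPLE_REGISTER, residual=True):
        print(f"{name:34} inherent={inherent:2d} residual={residual:2d}")
    for cell, names in sorted(risk_map(SAMPLE_REGISTER).items()):
        print(cell, names)
```

The two boundary choices are assumptions the slide does not settle: exactly 50% is placed in Possible and exactly $250,000 in Minor. Running the script with the sample register shows why both orderings are worth keeping: hurricane damage outranks currency volatility once insurance is credited, but not before, and the safety risk stays in the Massive column after mitigation because the controls reduce how often it happens, not what it costs.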
  8. Identify risks relevant to your particular business & strategy (figure; example risk categories):
     • Disaster Recovery Risks
     • Legal Compliance Risks (Product Liability, EH&S, Employment Practices, Antitrust)
     • Internal Control (SOX 404), Accounting & Reporting Risks
     • Culture (Tone at the Top) Risks
     • Hurricane, Natural Gas Price, Terrorist Attack, Supplier Problems, etc.
     • Currency Volatility, Political Risk, Trade Restrictions
     • Workplace Safety, Product Quality and Safety
     • Reliance on Big Box Customers, Competitor Strategies
     • Asbestos
     • Strategy
  9. ERM vs Compliance Risk Assessment: “Compliance Risk Assessment” is just one component of an enterprise-wide Risk Assessment. In an infelicitous use of nomenclature, many parties conflate the ERM term “Risk Assessment” with compliance risks alone… avoid that confusion.
  10. NOTE: Strategic risks cause most harm to shareholder value.
  11. Risk Management Process
     • Identify matters that create risk to achieving your business plans.
     • Evaluate the risks by determining their likelihood and impact.
     • Prioritize risks, starting with those with the most serious potential impact.
     • Mitigate risks, starting with the most serious, through improved controls, processes or procedures, or other action.
     • Monitor risks to determine whether mitigation is effective.
     • Report risks to management and the Board. At least annually, management should report to the Board about: Risk Management Processes; Major Risks; Mitigation of Major Risks; Residual Risk levels.
  12. Management’s Role: Management's role is to guide and review ERM efforts, consider whether the residual risks are acceptable, and approve plans to mitigate serious risks. Business units (and functional units such as EH&S, HR, Treasury) must explain their risk analysis in a way that allows management to test, accept and share it with other operations and the Board of Directors. Management’s report to the Board is structured within the context of these five points:
     • Company processes to identify matters that create risk to achieving our business plans,
     • processes to assess the likelihood and impact of such risks in order to prioritize them,
     • the Company’s major risks and how it defines “major”,
     • who is responsible for mitigation and monitoring of those major risks, and
     • the mitigation of major risks, and our view of the resulting residual risk.
  13. Board’s Role: The Board's role is to oversee the ERM process, monitor how risks are evaluated, prioritized and mitigated, review the Company's assessment and mitigation plans for serious risks, and improve or reshape management's decisions. In the end, they should:
     • Advise whether they are comfortable with the Company’s processes to identify and assess risks.
     • Advise whether they agree with our identification, assessment and mitigation measures.
     • Advise whether they view the ERM processes as effective.
     • Advise whether they are comfortable with the level of residual risk accepted by management.
     • Make any suggestions or recommendations they have relative to the ERM processes, including identification, assessment and mitigation plans.
  14. Who’s Responsible on the Board? That’s up to the Board to decide: the whole Board… or a committee. Whatever works best. Despite what you read in the press, the Audit Committee is NOT required to oversee ERM. NYSE rules only require the Audit Committee to monitor risks to financial reporting. And some companies have saddled Audit Committees with this additional duty. What’s the better arrangement? The Board’s basic duties are to advise management and monitor performance. When dealing with strategy and other fundamental matters, the whole Board should be involved – bringing their diverse backgrounds and experiences to the process. Risk Management is tied to, and is the flip side of, strategy. IMHO, risk oversight generally belongs under the Board as a whole.
  15. What’s This About Standard & Poor’s Evaluating Our Risk Management? Following a 2007 announcement about ERM ratings, S&P announced in May 2008 that it will begin an analysis of ERM implementation by companies in Q3 2008. S&P takes the expansive view of ERM outlined above. They expect companies to have a coherent, systematic risk management approach. They will discount a “crammed-together collection of longstanding and disparate practices.” S&P will initially look at a company’s risk-management culture and strategic risk management. (Remember the importance of strategic risk.)
  16. What’s This About Standard & Poor’s Evaluating Our Risk Management? (continued) Within a year, S&P expects all companies will have had at least an initial ERM discussion. A subsequent S&P benchmarking process will form the basis of a new S&P ERM scoring system, which they intend to use to help identify situations that might require rating actions. Bottom line: companies need to get to work on ERM. How well they do on ERM will affect their access to capital markets and borrowing costs.
  17. What Needs to Be Done? Lots. A recent survey of approximately 600 major companies showed that 30% have not even taken the first steps in ERM. 27% were “beginning” to implement it. 15% responded “Don’t know.” Only 24% claimed to have progressed to Intermediate (20%) or Advanced (4%) implementation. Source: KPMG.
  18. What’s the Objective of ERM? S&P wants to see that a company’s risk identification, assessment, controls, monitoring and reporting are beyond basic levels. They should at least become an integrated management process. Ideally, S&P wants to see ERM become a strategic tool for the company, helping to set strategy, identify markets, guide product development, allocate capital budgets, and become a part of its analytical framework.
  19. ERM: The Sunoco Experience. September 24, 2008. Ken Somes.
  20. Sunoco, Inc.
     • Founded in 1886
     • 2007 Revenue = $45 billion
     • As of 6/30/08: $4.8 billion in market cap; about 14,200 employees
     • Five Business Lines: 340 MMB/yr. refining production; 5 billion gal./yr. retail fuel sales; 5 billion lbs/yr. chemical merchant sales; Logistics MLP (NYSE:SXL) owned 43% by Sunoco, Inc.; 4.2 MM tons/yr. coke production
     Capital Employed, MM$, 6/30/08 (chart): Refining & Supply 1,215; Chemicals 975; Retail Marketing 620; Coke 490; Logistics 500; Corp. 440
  21. Sunoco Operations (map). Legend: Refineries, Chemical Plants, Coke Plants, Terminal, Retail Marketing, Western Pipeline System, Eastern Pipeline System. Locations shown: Philadelphia, Marcus Hook Refinery, Tulsa, Jewell, Indiana Harbor, Haverhill, Neal, Toledo, Frankford, Marcus Hook Polypropylene, La Porte, Nederland, Bayport, Eagle Point.
  22. Background/History of ERM Program
     • Initiated in 2004: Audit Committee of the Board
     • ERM Manager position established: initial inventory of risks
     • Program continues to evolve: learning/improving as we go; external influences, e.g. rating agencies
  23. ERM Organization (org chart): Audit Committee of the Board; Chief Financial Officer; VP Investor Relations & Strategic Planning; ERM Manager; ERM Steering Committee (quarterly).
  24. ERM Risk Identification & Follow-Up (flow chart). ERM coordinates, tracks and reports the status of risks to the Enterprise Risk Management Steering Committee.
     • Identify and classify risk: Strategic, Financial, Operational, Organizational, Legal/Political, Market
     • Risk rank: Likelihood and Consequence (business impact)
     • Identify risk owner
     • Risk owner develops response plan
     • Determine appropriate report-out forum. Examples: Chairman's Health, Environment & Safety Committee; Operations Committee; Financial Information Committee; Management Control Committee; Audit Committee
     • Risk owner reports to forum
  25. Key Components of Risk Review Report:
     • Likelihood and potential impact of risk
     • Historical perspective
     • How risk is currently managed: key responsibilities/structure in place; controls/policies/reviews, etc.
     • Monitoring & reporting: what is measured/tracked (leading & lagging)
     • Opportunities to strengthen the plan: who is doing what and by when
  26. Example Risk: Projected Retirements
     • Percent retirement-eligible within 5 yrs
     • Classified: Organizational Risk
     • Risk Owner: SVP of Human Resources; SVPs of Business Units
     • Forums for report: Executive Human Resource Development Committee; full Board of Directors
  27. Example Risk: Projected Retirements (continued)
     • Historical perspective: demographics compiled and analyzed; industry/business units/departments experience
     • How currently managed: HR Development Committees; succession plans/development/external hiring
     • Opportunities to strengthen: identified critical positions/disciplines at risk; selective adjustments to compensation package
     • Monitoring & reporting: personnel changes/succession plans/hiring; projected versus actual experience
  28. Lessons Learned
     • Support from the top
     • Benchmark/learn from others
     • Tailor ERM to company culture
     • Build off processes already in place
     • Simpler is better
     • Get started, then learn/adjust
     • Continuing evolution
  29. AW Enterprise Risk Management Process. Ellen Wolf, Senior Vice President and Chief Financial Officer. September 2008.
  30. Who We Are: We are the largest investor-owned water and wastewater service provider in the United States.
     • We serve a broad national footprint with a strong local presence
     • We lead the industry in water quality, testing and research
     • We provide services to over 15 million people in more than 1,600 communities in 32 states and in Ontario, Canada
     • We employ nearly 7,000 dedicated and active employees and maintain ongoing community support and corporate responsibility
     • We treat and deliver over one billion gallons of water daily
  31. Where We Are (map; legend: Utility Only, O&M Only, Both). We manage more than 350 individual water systems across the country. Every day we operate and manage:
     • 45,000 miles of distribution and collection mains
     And more than:
     • 80 surface water treatment plants
     • 600 groundwater treatment plants
     • 1,000 groundwater wells
     • 40 wastewater treatment plants
  32. ENTERPRISE RISK MANAGEMENT – Pre 2003: decentralized approach. The figure shows the many separate parties involved: Directors of Loss Control, Finance, Risk Management, Frenkel, Legal, Human Resources Department, Operations, Engineers, Water Quality, Information Technology, Travelers, American Water Works Association, Risk & Insurance Management Society, InfraGuard, Media, Internet.
  33. ENTERPRISE RISK MANAGEMENT – Pre IPO
     • The RWE Risk Management Process was implemented at American Water immediately after RWE’s purchase of the Company.
     • Key attributes:
       - Risk Management Committees of senior executives at subsidiary and corporate level.
       - Risks and Opportunities Management (ROM) toolkit, which offers a structured approach to the identification and evaluation of risk.
       - The Risk Summary, signed by the CEO, Key Risk reports and Risk Map are updated and submitted to RWE on a quarterly basis.
  34. ENTERPRISE RISK MANAGEMENT – Pre IPO (continued)
     • Goals of the RWE process: identify and report to senior management at RWE risks which may have a material financial impact on RWE business plans.
     • Process: RMC committees at subsidiary level identify risks, mitigation activities and potential financial impact. Risks are aggregated and reviewed at each higher organizational level until the final report is prepared for the RWE board.
     • Risk Management Committees (RMC): Corporate, Regional and Business Unit.
       - Corporate EMC includes SVP & CFO, CEO, COO, VP Audit, SVP Legal, Regional Presidents, Regional Risk Representatives.
       - Regional and Business Unit RMC includes its Presidents, VP Finance, VP Legal, VP Service & Delivery, VP Human Resources.
  35. ENTERPRISE RISK MANAGEMENT – Pre IPO (continued)
     • The ROM includes a risk register identifying all risks. Risks which are valued at greater than 20% of net operating income and have a greater than 1% probability of occurrence are designated as Key Risks. The ROM includes:
       - Reports prepared for each Key Risk, which include cause analysis, severity evaluation, control and mitigation strategy, and monitoring and reporting by a Risk Owner.
       - A Risk Summary, built from the information generated in the Key Risk reports, which prioritizes risks for the Company.
       - A Risk Map, which is a simple visual representation of the relative importance of Key Risks to achieving business objectives. The view of risk is achieved by plotting Key Risks in terms of their probability and impact on the “heat” map.
  36. ENTERPRISE RISK MANAGEMENT – POST IPO
     • An American Water (AW) framework to manage risk: to create awareness regarding risk so Management has full knowledge of the risks and rewards related to AW’s business objectives (Operational, Financial, Regulatory).
     • Addresses the risk management needs of various stakeholders: AW Management; AW Board (Audit Committee); rating agencies; investment firms; external auditors; Securities and Exchange Commission (SEC); regulators.
  37. Risk Assessment Process Information Flow (flow chart): the risk identification and mitigation process feeding the AW Board of Directors, Audit Committee. Fraud risk management is integrated throughout (see following slide).
     • Sources shown on the chart: Commercial Development (CD); Capital Investment Management Committee (CIMC); Operational Risk Management (ORM); Operational Risk Assessment (Insurance, etc.); Labor Relations; Environment Audits; OSHA; Sarbanes-Oxley; Business Performance Reviews; Quarterly Disclosure Committee Meetings; significant company initiatives (various owners); Other.
     • Operations Risk Assessment Meeting attendees*: EVP Eastern Division; EVP Western Division; VP Operations Services; AWE President; SVP Sales/Business Development.
     • Regulatory (Compliance with Laws & Regulations) Risk Assessment Meeting attendees*: SVP Legal & General Counsel; SVP Human Resources; SVP Communications/Ext. Affairs; VP & Counsel Regulatory Programs.
     • Finance Risk Assessment Meeting attendees*: VP & Controller; VP Planning & Reporting; VP & Treasurer; SEC Counsel.
     • Senior Risk Management Meeting, held prior to the Audit Committee meeting: Chief Executive Officer; President – AW Services; President – Reg. Operations; Chief Financial Officer; VP Internal Audit (Coordinator).
     * Frequency of meetings is every 6 months, and before the Audit Committee meeting as necessary.
  38. Fraud Risk Management Process
     • AW Code of Ethics: annual communication; employees asked to read and certify; part of new employee orientation; periodic training; posted on the AW intranet.
     • AW Management Oversight Controls: AW Policies and Practices (i.e. Delegation of Authority), posted on the AW intranet, part of new employee orientation, owned and monitored by each applicable Senior Functional Executive; Internal Audit reviews of various functions, states, etc. throughout the year.
     • AW Ethics Hotline: a third-party provider receives calls regarding potential violations of the AW Code of Ethics and immediately reports calls to designated AW Senior Management.
     • AW Compliance Officer: manages reported Code of Ethics violations, investigations and reporting to Senior Management; promotes proactive communications regarding the AW Code of Ethics through various company communication channels.
     • AW Ethics Committee: a committee of senior AW executives that governs/monitors the Code of Ethics, hotline calls, investigations, disciplinary actions, communications regarding the Code of Ethics, and reporting to the Board of Directors, Audit Committee.
     • AW Board of Directors, Audit Committee: quarterly, reviews Code of Ethics violations, investigations and disciplinary actions.
  39. Senior Risk Management Meetings
     • Meet quarterly before the Audit Committee meeting; also meet on an ad-hoc basis as business conditions warrant.
     • Establish Enterprise Risk Management (ERM) strategy: establish ERM subgroups, i.e. Operations, Finance, and Regulatory; ensure compliance with and effectiveness of the ERM strategy; set Delegation of Authority (DOA) limits, which are key to who is empowered for specific types of decision making.
     • Review, approve, and monitor significant company initiatives, i.e. major cross-divisional IT projects; major business process and organizational changes.
     • Establish corporate investment criteria: risk/return threshold.
     • Review all information (including 10-Q and 10-K) prior to Audit Committee reporting.
     • Review, approve, and monitor significant financing and company capital structure.
     ERM Subgroups – Operations, Finance and Regulatory: the mandate is to identify, monitor, and mitigate risk, and to report and discuss risk assessments at Senior Risk Management meetings.
  40. ENTERPRISE RISK MANAGEMENT – FUTURE
     • Continuous improvement: new risks and mitigation efforts identified continuously; mitigation efforts for known risks continue to be monitored; strong senior management support up through the Board of Directors.
     • Continuous change to adapt to the evolving risk environment.