Valuendo ERM in an Extended Environment (March 2007)

Generic presentation on ERM: enterprise risk management

Published in: Business, Economy & Finance

  1. ERM: Enterprise Risk Management in an extended enterprise
     Friday March 16th 2007
     Mr. Marc Vael, Managing Director, Valuendo
     © 2007 Valuendo. All rights reserved. INFORMATION CLASSIFICATION = PUBLIC

     Introduction
     • Marc Vael
     • Managing Director Valuendo (“value & do”) since July 2001
     • Education
       – Master Applied Economics (UAntwerp)
       – Master Information Management (UHasselt)
       – Master+ Applied Economics & ICT (KUL)
     • Core Services
       – Enterprise Risk Management
       – IT Governance
       – Information Security Management
       – Data Privacy & Protection
       – Business Continuity / Disaster Recovery
       – Crisis Management
       – IT Audit & Compliance
     • Certifications
       – CISA / CISM / CISSP / ITIL Service Manager
  2. Why is “risk” a key business issue?
     Risk is now seen as an issue that affects all parts of the business and influences business success and failure . . .
     [Diagram; surviving labels: Risk, Risks, External Forces, Business Risk Profile, Board, Executive, Competition, Business Process, Business Units, Market Cap, Regulation, Performance, Alliances/Partners, Suppliers, Efficiency and Cost-Based Improvement]
     . . . consequently, risk management is increasingly the focus of the Board and executive management, and is proactive versus reactive

     What is Enterprise Risk Management?
     Valuendo’s View:
       – Enterprise Risk Management (ERM) is an organization-wide approach to the identification, assessment, communication and management of all relevant risks in a cost-effective manner.
     What are potential benefits?
       – Improves decision making within the company
       – Allows the broadening of 404 efforts (financial – operational)
       – Increases accountability
       – Provides clarity on key organizational risks
       – Greater confidence from compliance activities
       – Supports organizational strategy
       – Risk-Based Key Performance Measurement
       – Improves controls efficiency
       – Improves identification of opportunities and threats
       – Established pro-active management
       – Effective allocation and use of resources
       – Improves incident management and reduction in loss and the cost of risk, including insurance premiums
       – Improves stakeholder confidence
     ERM is a dynamic process which is focused on protecting an organization’s value.
  3. What are the ERM priorities?

     A risk management framework is an essential part of beginning to meet today’s challenges
     ERM is not a “One-Size-Fits-All” approach. The key is to determine the degree of maturity that is right for your organisation.

     Maturity levels: BASIC (Remain in Compliance), MATURE (A Management Process), ADVANCED (A Strategic Tool)

     Framework Element: Risk Governance
       – Basic: A central risk management policy to support external requirements
       – Mature: A risk management structure with clear accountabilities to support risk management objectives
       – Advanced: Risk management accountability integrated with performance management
     Framework Element: Risk Assessment
       – Basic: Annual risk assessment with limited analysis and interpretation
       – Mature: Frequent risk assessment in line with normal management reporting and including analysis
       – Advanced: Risk and control activities embedded in business processes
     Framework Element: Risk Quantification and Aggregation
       – Basic: Quantification of selected risks
       – Mature: Quantification of operational risk; advanced quantification of selected risks
       – Advanced: Entity-wide aggregation across all risk areas
     Framework Element: Risk Monitoring and Reporting
       – Basic: Business risk reporting designed to support external requirements
       – Mature: Extensive reporting to the board and audit committee on current risk levels and future risk issues
       – Advanced: Alignment of all risk reporting to provide a comprehensive single view of risk
     Framework Element: Risk and Control Optimization
       – Basic: Fewer surprises through management of key risks
       – Mature: Greater stakeholder confidence and improved risk mitigation approaches
       – Advanced: Risk-adjusted approaches, performance evaluation, and capital allocation
  4. Example of Risk Ranking Criteria

     Risk Consequence (Level, Description, Ranking Criteria)
     • 1 Insignificant
       – <€5 million impact on profitability
       – No impact on market share
       – No impact on reputation
     • 2 Minor
       – €5 million to €10 million impact on profitability
       – Consequences can be absorbed under normal operating conditions
       – Potential impact on market share
       – Potential impact on reputation
     • 3 Moderate
       – >€25 million to €50 million impact on profitability
       – There is some impact on market share
       – There is some impact on reputation
     • 4 Major
       – >€50 million to €100 million impact on profitability
       – Market share will be affected in the short term
       – Reputation is affected in the short term
     • 5 Catastrophic
       – >€100 million impact on profitability
       – Serious diminution in reputation
       – Sustained loss of market share

     Likelihood of Risk Occurrence (Level, Description, Ranking Criteria)
     • 1 Exceptional: Event may only occur in exceptional circumstances
     • 2 Unlikely: Event could occur in rare circumstances
     • 3 Possible: Event could occur at some time
     • 4 Likely: Event could occur in most circumstances
     • 5 Almost certain: Event is expected to occur in most circumstances

     Risk Categories
     [Figure: Sample Risks (Random Plotting). Risks plotted by Risk Consequence (Insignificant, Minor, Moderate, Major, Catastrophic) against Likelihood of Risk Occurrence (Exceptional, Unlikely, Possible, Likely, Almost certain). Key: Produce Performance and Quality Risks; Regulatory and Compliance Risks; Reputation Risks; Growth and Strategic Risks; Operating Risks; Top Ten Risks]
     Top 10 Risks
       1. 3j Loss of building, together with key staff or technology infrastructure
       2. 1c Adverse changes in law and government affecting the company’s business model
       3. 5a Loss of market share or revenue through competition or regulation
       4. 5b Introduction of competing products and technologies by other companies
       5. 5c Inability to attract and retain key employees
       6. 1b Failure to develop global management and information systems
       7. 4d Exposure to litigation related to the company’s products/services
       8. 3h Deficient products/services provided resulting in loss of reputation
       9. 4a Inability to react to changes in overseas legal, economic, or regulatory environment
       10. 3i Increased pricing pressure from competitors and/or customers
  5. Controllable vs. Uncontrollable Risks
     [Figure: Sample Risks (Random Plotting). The same Top 10 Risks as on the Risk Categories slide, plotted by Risk Consequence (Insignificant, Minor, Moderate, Major, Catastrophic) against Likelihood of Risk Occurrence (Remote, Unlikely, Possible, Likely, Almost certain)]
     Key:
     • Uncontrollable (Management cannot prevent risk occurrence; it can only detect risk occurrence and manage risk consequence)
     • Controllable (Management can prevent risk occurrence)
     • Combination of controllable and uncontrollable
     • Top Ten Risks

     Unique vs. Ongoing Risks
     [Figure: Sample Risks (Random Plotting). The same Top 10 Risks, plotted on the same Risk Consequence and Likelihood of Risk Occurrence axes]
     Key:
     • Unique Risks: One time event nature of risk that impacts operating earnings over a limited time frame that may reoccur.
     • Ongoing Risks: Iterative trend nature of risk. Economic, market, and regulatory conditions that impact operating earnings over an indefinite time frame.
     • Top Ten Risks
  6. Assessment of Actions to Manage Risks (sample risk)
     Risk #1: 5c Inability to attract and retain key employees (Operating Risks, People)
     • Mitigating Actions
       – Actions to prevent risk occurrence
         - Quarterly analysis of turnover metrics
         - Company-wide career development program for top performers
         - Attractive compensation package
       – Actions to respond to risk occurrence
         - Exit interviews with employees
         - Renegotiation with employee
       – Actions to manage risk consequence
         - Succession planning
     • Recommendations: Consider introducing flexible working hours
     • Assessment of current actions (0 - 5): 3
     • Risk Owners: Business Unit Heads; Chief HR Officer
     • Risk Monitor: CEO

     Key to assessment of current actions to manage risks:
     (0) Exceed Requirement – The risk management processes have been over-engineered for the level of risk involved.
     (1) Meet Requirement – The risk management processes are appropriate for the level of risk identified.
     (2) Need Strengthening (Minor) – Minor improvements in the risk management processes are necessary to reach “meet requirement.”
     (3) Need Strengthening (Important) – Risk management processes need to be strengthened in important ways to reach “meet requirement.”
     (4) Need Strengthening (Critical) – Risk management processes are clearly deficient in critical ways.
     (5) Unestablished – Risk management processes have not yet been established. This will most likely be the situation in the case of a new business initiative.

     Prioritization of Potential Areas for Improvement
     The prioritization below factors the impact on cost, speed, and quality—and improving process performance
     [Figure: numbered improvement areas plotted by LEVEL OF EFFORT against IMPACT ON RISK MITIGATION OR OPTIMIZATION; quadrants: Don’t do’s, Must do’s, Don’t care’s, Quick wins]
  7. An assessment can help highlight the risk strategy, process, and activities for your organization
     [Figure (example): Risk Maturity Continuum. Scale 1 to 5 across Basic (Remain in Compliance), Mature (A Management Process) and Advanced (A Strategic Tool), with markers for Today, Target and Industry Benchmark; rows: Risk Governance, Risk Assessment, Risk Quantification & Aggregation, Risk Monitoring & Reporting, Risk and Control Optimization]
     An assessment yields a tailored implementation approach, including:
       – A road map for implementing potential ERM improvements
       – A clear articulation of the desired degree of ERM maturity for your business

     There are some barriers to improving Enterprise Risk Management
     BARRIERS
     • Risk management is not connected to corporate strategy
     • Leadership from the top is lacking
     • Risk management is positioned as compliance
     • Risk management is seen as a backroom exercise
     • Risk is being managed in silos
     • The focus is on risk assessment alone—no integrated framework is in place
     • Past mistakes are overlooked—no corporate learning from previous risk events
     • There is no clear road map for improvement
     • Soft issues of behavior and attitude are ignored—focus on policy, quantification, etc.
     • The scope of change management required is underestimated
     Addressing these can help improve your ability to manage risks in a coordinated, cost-effective manner
  8. Conclusion
     ERM is a dynamic process which is focused on protecting an organization’s value.

     Contact information
     Mr. Marc Vael, CISA, CISM, CISSP, ITIL
     Managing Director
     Valuendo
     Kriebrugstraat 33
     1760 Roosdaal
     Belgium
     T: +32 5 433 61 93
     M: +32 473 99 30 31
     M: mvael@valuendo.com