65. ERM Gap Analysis: Phase I, Phase II, Phase III, Phase IV. Information Gathering...
66. Risk Management Vision. Risk management vision transcends the various projects and activities that comprise risk mana...
67. Key Risk / Performance Indicators. What are the KRIs? How do I get them? How often do I get them? What do I do with the...
68. KRIs - Example
69. Focus on Value. Risk Management ...
70. Case Study #1: Fast Growing Company. Highly successful, profitable company. Recent patent litigation surprise created temp...
71. Project Objectives. Has the company identified all its critical risks? Does the company have effective controls for mana...
72. Project Results. Provided information to senior management and the Audit Committee. Developed models for key risks ...
73. Case Study #2: Manufacturing Company. Company had a well-developed risk management process. Top risks for each of the bus...
74. Project Results. Delivered working risk models to each business unit. Risk models were used to develop “underwriting model...
75. Case Study #3: Consumer Products. Fortune 100 consumer products company. Treasurer and Risk Manager had identified 17 key ...
76. Project Results. Project focused on the analysis of internal and external risk data. Creation of individual and portfolio...
77. Case Study #4: Hospital. Medium-sized hospital looking to achieve excellence in health care by surpassing standards ...
78. Hospital ERM Project Results. Identified and prioritized key enterprise risks. Recommended improved approaches for risk ma...
79. Case Study #5: Capital One. Capital One signed an "informal memorandum of understanding" w...
80. ERM Process: Enhanced Future State. Integrated into Operational Business Processes ...
81. Suggestion: Adopt a Pilot Approach. Start small and grow big. Select a locale with engaged management and non-complex pr...
82. Overview of a Pilot. Review current company and ... Severity ...
83. Questions to Consider. Is ERM adding value for your organization? Is the ERM effort stalled or is progress being made? A...
84. Barry Franklin, FCAS, MAAA, Aon Global Risk Consulting, 312.381.3920, barry_franklin@ars.aon.com
85. Confidentiality. We recognize that our clients’ industries are extremely competitive and maintaining confidentiality is of th...
1. Enterprise Risk Management: Practical Implementation. Barry Franklin, Group Managing Director, Americas, Aon Global Risk Consulting. November 2007
2. Discussion Topics
   Preliminaries: defining ERM; ERM drivers; recent survey results; defining “Risk”; balancing diverse views - consistent framework
   A value-driven approach to ERM
   Implementation challenges
   Case studies
3. What is ERM? ERM is the process by which companies identify, measure, manage, and disclose all key risks to increase value to primary stakeholders while satisfying other stakeholders.
4. What is ERM?
   Process: a systematic and sustained business process
   Measure: consistent metrics adopted in an integrated manner across the organization
   Manage: focused on enabling management decision making and enabling exploitation of business opportunities
   Disclose: enabler of meaningful and transparent disclosure to key stakeholders
   Holistic: integrated approach to Financial, Operational, Strategic and Regulatory risks
   Material risks: analyzing and quantifying the organization’s significant risks
   Value: balanced perspective on uncertainty, managing threats and capturing opportunities
   Stakeholders: focused on delivering the organization’s key stakeholder needs and expectations
5. Related Risk Management Processes. Enterprise Risk Management (ERM) is often identified with Strategic Risk Management (SRM) or Governance, Risk and Compliance (GRC). Common elements are:
   • Process applied consistently across company
   • Driven from the top of the organization
   • Takes a proactive, forward-looking view
   • Considers both risks and rewards
   • Integrates risk management into business process
   • Assigns clear risk ownership
6. Driving Forces Behind ERM (diagram)
   Corporate disasters: Enron, WorldCom, Adelphia
   Industry: banks, mutual funds, asset managers, energy firms, corporations
   Regulatory actions: S.E.C., Sarbanes-Oxley, Basel II
   Best practices initiatives: Treadway Report (US), Turnbull Report (UK), Dey Report (Canada)
   All four feed into Enterprise Risk Management
7. Executive Research Key Findings
   • Most companies are making some progress
   • Greater board and CEO involvement
   • More awareness across organizations
   • Faster adoption outside of North America
   • Few companies have progressed to “advanced” level
   • Slower progress than originally expected
8. Key Drivers (bar chart, 2004 vs. 2006, 0-80%): Corporate Governance Requirements; Understand Hard to Quantify Risks; Regulatory Pressures; Board Request. Source: The Conference Board
9. Key Objectives 2006
   • Ensure risk considered in decision making: 83%
   • Avoid surprises: 85%
   • Integrate risk management into corporate processes: 70%
   • Align risk exposures & mitigation: 65%
   • Use risk management as competitive tool: 36%
   Source: The Conference Board
10. Integration into Business Processes (bar chart, 2004 vs. 2006; the two percentages shown for each region): Rest of the World 75.0% and 75.0%; UK/Europe 53.8% and 65.9%; United States/Canada 71.2% and 39.8%. Source: The Conference Board
11. Building the Process (bar chart, 2004 vs. 2006, 0-80%): Business Risk Inventory; Mission Statement; Regular Risk Assessment; Common Risk Language. Source: The Conference Board
12. Building the Process (bar chart, 2004 vs. 2006, 0-80%): Root Cause Analysis; Individual Risk Ownership; Regular Board Reports; Tolerances. Source: The Conference Board
13. Risk Management Integration (bar chart, 2004 vs. 2006, 0-70%): Internal Audit; Strategic Planning; New Product Development; Product Pricing. Source: The Conference Board
14. Greatest Benefits (bar chart, 2004 vs. 2006, 0-80%): Better Informed Decisions; Management Consensus; Articulate Risk Taking; Governance. Source: The Conference Board
15. Key Risks - Americas
   • Damage to reputation
   • Business interruption
   • Third party liability
   • Distribution or supply chain failure
   • Market environment
   • Regulatory/legislative changes
   • Failure to attract or retain staff
   • Technology failure
   • Failure of disaster recovery plan
   • Loss of data
   Source: 2007 Aon Global Risk Management Survey
16. Level of Preparedness (% with written plan in place or have undertaken a formal review of this risk)
   Damage to reputation: 48%
   Business interruption: 70%
   Third party liability: 75%
   Distribution or supply chain failure: 63%
   Market environment: 35%
   Regulatory/legislative changes: 41%
   Failure to attract or retain staff: 55%
   Market risk: 56%
   Physical damage: 77%
   Merger/acquisition/restructuring: 69%
   Failure of disaster recovery plan: 65%
   Source: 2007 Aon Global Risk Management Survey
17. Business Activity Priorities (priority ranking: current / next 2 years)
   Risk identification, quantification and analysis: 1 / 1
   Regulatory compliance and reporting: 2 / 3
   Loss control / prevention: 3 / 4
   Managing risk on an enterprise-wide basis: 4 / 2
   Risk communication – internally with management and operations: 5 / 5
   Emergency / contingency planning: 6 / 6
   Insurance buying: 7 / 9
   Risk financing: 8 / 7
   Claims management: 9 / 8
   Risk communication – externally with business partners: 10 / 10
   Source: 2007 Aon Global Risk Management Survey
18. Responding to Changing Risks (stacked bar chart): share of respondents relying on external service/advisor, benchmarking, quantitative analysis, and management intuition and experience for each of three activities: identify major risks; assess probability and impact; determine limits for insurance. Source: 2007 Aon Global Risk Management Survey
19. Identification of Major Risks (stacked bar chart by region: All, The Americas, Europe, Asia/Pacific): board workshops or scenario planning; senior management intuition and experience; business unit registers or key risk indicator worksheets; external service provider/advisor; other. Source: 2007 Aon Global Risk Management Survey
20. What is Risk?
   • Risk can be defined as the potential harm that may arise from some present process or from some future event.
   • In everyday usage, "risk" is often used synonymously with "probability", but in professional risk assessments, risk combines the probability of a negative event occurring with how harmful that event would be.
   • Risk can also be viewed as “volatility from expected.” This definition captures both the upside and downside of risk.
21. What is Risk?
   Financial: includes the fluctuating cost of fuel, interest rates and access to capital
   Human Capital: a growing area of exposure in today’s labor market including employee selection, retention and turnover, absenteeism, compensation and labor relations
   Legal / Regulatory: incorporates liabilities for employment, defamation and other allegations, including regulatory change and governance requirements
22. What is Risk?
   Operational: includes day-to-day business challenges across all functional platforms, including the drive for efficiency, optimal use of outsourcing and business continuity
   Strategic: includes organizational planning, such as the strategic response to changing customer preferences, competition, reputation/brand, innovation, etc.
   Technology: includes system failure, network liability, internet
23. Public Company – View of ERM
   • A strategic mechanism for effective risk identification and containment
   • Ensures that business objectives are balanced with: corporate governance initiatives; risk mitigation initiatives; enhanced and timely business decisions; enhanced profitability; long-term growth
   • Goal to maximize shareholder value for the enterprise as a whole
   • Greatly influenced by Sarbanes-Oxley and SEC in the U.S.
24. Private Company – View of ERM
   • Short term: drives a structured and disciplined approach to risk management; provides methodology for measuring business risks; increases awareness of risks and potential risks
   • Long term: ability to aggregate risks and benefit from enterprise effects; better capital allocation and competitive position; more effective strategic and operational planning; ensures execution of the core competency
25. Balancing Diverse Interests (diagram). ERM goals and objectives sit between value creation and conformance. Value creation: performance (growth, returns) for business units, managers, shareholders, investors and partners. Conformance: governance (controls, compliance) and capital (financial strength) for debtholders, agencies and regulators. Both have internal and external stakeholders.
26. COSO – A Starting Point for ERM. The COSO ERM Framework consists of 8 interrelated components and 4 objectives. Elements of ERM as outlined in the framework:
   • Is a process
   • Is effected by people
   • Is applied in strategy setting
   • Is applied across the enterprise
   • Is designed to identify potential events
   • Manages risks within risk appetite
   • Provides “reasonable assurance”
   • Supports achievement of key objectives
   Source: COSO ERM Framework
27. Using a Value-Driven Approach. Start with a skilled assessment of your business and ERM needs to ensure that the approach and outcomes are well matched to your needs. (Diagram) ERM process cycle: Evaluate Risk Process → Risk Identification & Prioritization → Risk Quantification → Risk Response Solution → Risk Management Implementation → Governance, Culture and Disclosure. ERM outcome - value: growth, profitability, continuity.
28. Evaluate Risk Process (activities → deliverables)
   Gather information on current status → Current state risk score card
   Develop scorecard ranking current program vs. leading practice → Risk maturity benchmark
   Develop future vision for ERM program → Key ERM goals & objectives
   Develop gap analysis using scorecard format and identify quick-hits → ERM performance plan
   Conduct executive workshop → Alignment on ERM framework / plan
29. Current State Assessment (maturity scale, from risk to opportunity): Initial → Established → Uniform → Managed → Optimizing
30. Current State Assessment
   • Risk management is becoming more complex
   • Most companies have a wide range of risk management activities underway: ERM, Sarbanes-Oxley, compliance, operations, risk committees
   • Unfortunately, many companies lack a coherent vision for risk management
   • Senior management and board members often have differing views of what information they would like to see from risk management
   • Rating agencies are assessing risk management quality as part of their overall rating process – S&P, Fitch
31. Risk Maturity Benchmarking (sample risk maturity benchmark matrix)
   Capabilities assessed: risk leadership & policies, risk strategy, people, partnerships, processes, risk handling. Results assessed: outcomes, measures.
   Level 1, Risk Aware (awareness / understanding): awareness of need but little action.
   Level 2 (implementation planned): formal approaches to managing risk in place and partially implemented.
   Level 3, Risk Defined (implementation completed in key areas): formal approaches to managing risk in place and widely implemented.
   Level 4, Risk Managed (embedded and improving): integrated approaches to managing risk implemented across boundaries.
   Level 5, Risk Enabled (excellent capability established): fully embedded in day-to-day business processes and strategies.
   Example questions: Do senior managers support and promote risk management? Do the organisation’s processes incorporate effective risk management?
32. Maturity: Building Risk Capabilities. Systematically build and improve risk management capabilities (from risk to opportunity):
   Initial: capabilities are characteristic of individuals, not of the organization
   Established: process capabilities are repeating; reliance on people is reduced
   Uniform: policies, processes and practices defined and formalized across the organization
   Managed: risks measured, managed and aggregated on an enterprise-wide basis
   Optimizing: organization focused on RM as a source of competitive advantage and continuous improvement
33. Risk Identification & Prioritization (activities → deliverables)
   Risk categorization and scoring criteria → Risk hierarchy and criteria
   Conduct interviews / surveys → Internal risk identification
   Benchmark client’s public risk factors → External risk identification
   Consolidation and aggregation of identified risks → Risk register
   Conduct risk workshop → Prioritized risk map
34. Calibrate Definitions and Criteria: risk categorization and scoring criteria (example table)
35. Prioritized Risk Map (example chart)
36. Risk Quantification (activities → deliverables)
   Develop risk scenarios and correlations → Risk scenarios
   Modeling key risks → Individual risk quantification and prioritization
   Calculate aggregate risk exposures → Aggregate impact of key risks on company’s value and financial performance
37. Risk Quantification / Valuation
   Step 1, Develop Risk Scenarios: conduct interviews with risk experts; develop risk scenarios and associated financial impact; gather existing facts / historical data points
   Step 2, Develop Baseline Valuation Model: build baseline valuation model; project financials consistent with strategic plan; adapt model to dynamically accommodate risks/scenarios, value drivers and key metrics
   Step 3, Run Model to Quantify Risks: aggregate risks; shock model for each risk/scenario; quantify impact to value and other key metrics; provide basis for decision-making
38. Defining Value – One View. ERM value propositions: improved resource allocation; enhanced corporate governance; increased operational efficiency; greater transparency of risk; possible reduction in earnings volatility; optimized capital allocation; improved regulatory standing; enhanced risk reporting; consistent framework for risk; improved compliance. Expanded on the slide as: keeping resources focused on those activities that matter most to the organization; common and deep knowledge of critical business and organizational risks; a structured process to allocate capital based on those businesses that are the most risky to the organization; everyone in the organization has the ability to define, treat, and manage risk in a homogeneous fashion; confidence that risks are being identified and managed in a constructive fashion.
39. Defining Value – Alternate View: Risk Adjusted Income Statement (figures as shown on the slide; columns 2008 / 2009 / 2010)
   REVENUE
   Sales: 642,100 / 670,965 / 701,292
   Other Operating Revenue: 14,482 / 14,626 / 14,773
   Total Revenue: 656,582 / 685,591 / 716,065
   OPERATING EXPENSES
   Salaries, Wages and Benefits: 310,667 / 323,093 / 336,017
   Supplies and Services: 289,850 / 309,593 / 330,750
   Total Operating Expenses: 600,517 / 632,686 / 666,767
   (LOSS) INCOME FROM OPERATIONS: 56,065 / 52,906 / 49,298
   OTHER INCOME (EXPENSE)
   Interest and Dividends: 28,419 / 28,704 / 28,991
   Current State Risk Exposure: (16,000) / (17,326) / (15,683)
   Mitigation Costs: (2,784) / (2,812) / (2,840)
   Mitigation Impact on Current State Risk: 14,326 / 16,532 / 12,031
   Total Other Income (Expense): 23,961 / 25,098 / 22,499
   NET PRETAX INCOME: 80,026 / 78,003 / 71,796
   Accompanying charts: Aggregate Loss Distribution; Competing Mitigation Strategies.
40. Value-centric ERM framework (diagram). Risk identification (surveys, consensus meeting): all risks → key risks. Individual risk quantification & ranking → ERM model → enterprise risk exposure (∆Value). ERM Committee: risk appetite, determine portfolio effect, scenario development → risk management strategy and tactics. Key on the diagram distinguishes risk quantification steps from risk management steps.
41. Sample Output (partial data): Risk Distribution Report. Risk: IT External Attack (Risk #4)
   Risk scenario / likelihood / value impact:
   Worst case: 1-in-30 year event: -7.5%
   Pessimistic: 1-in-10 year event: -2.4%
   Most likely: best estimate: ---
   Optimistic: 1-in-15 year event: 0.1%
   Best case: 1-in-50 year event: 0.2%
   Accompanying chart: key risks ranked by value impact of worst case scenario (Risk 11, 1, 8, 7, 4, 9, 12, 10, 15, 6, 13, 3, 5, 14, 2; axis 0% to -20%).
42. Risk Response Solution (activities → deliverables)
   Determine risk tolerance → Defined risk tolerance
   Identify risk response solution options → Risk response solutions
   Evaluate and select risk response solution → Risk response business case
43. Risk Appetite - One View ($ in millions; columns: FY07E / defined goal / impact of $100 million pre-tax losses on metric / financial buffer (RBC))
   EPS Growth (from 2006): 25.0% / 22.5% / -260 bps / $60
   Free Cash Flow: $1,883 / $1,400 / -$53 million / $750
   Operating Margin: 40.1% / 40.5% / -81 bps / $0
   Cash / Months Operating Expense: 8.9 / 12.0 / -0.11 months / threshold is not expected to be achieved in FY07
   Total Debt/CFO: 73.6 / Not Available / +155 bps / Not Available
   Sources: 2007 budget, metric & threshold input
44. Risk Appetite - Alternate View (enterprise risk exposure: value event / current state probability / target for future state)
   Rev Growth: 10% decrease in value / 15% / ?
   Achieving strategic plan goals / 35% / ?
   EPS Growth: 5% increase in EPS / 5% / ?
   Other
   Is the ERM Committee comfortable with the current state? If not, what do they want it to be? The answers result in tolerance thresholds collectively called Risk Appetite.
45. Risk Response Solution: risk response strategies
   Terminate: exit risk area
   Mitigate: preventative, corrective, directive and detective controls
   Transfer: financing solutions – insurance, capital markets, contractual transfer, hybrid
   Exploit: explore the upside of risk by taking new opportunities
   Tolerate: make a conscious decision to tolerate the risk
46. Evaluating Solutions (chart: total cost of risk against cumulative probability, 0% to 99.9%). Marked on the chart: current mitigation at 85%; risk tolerance at 95%; the mitigation option being considered; the increased mitigation cost and the increase in likelihood of meeting risk appetite it buys.
47. Evaluating Solutions. Management selects ERM actions that move enterprise risk exposure towards risk appetite, for example (chart): value distribution of risk exposure pre-mitigation vs. post-mitigation.
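Slides 36 to 47 describe a procedure (scenario register per key risk, aggregation into an enterprise value distribution, a risk appetite stated as a probability threshold, and a pre- vs. post-mitigation comparison) without showing the mechanics. The block below is an added example written for this page, not the presenter's or Aon's model: a small Monte Carlo that carries the procedure through in Python. Every risk, scenario likelihood, impact figure and mitigation cost in it is constructed for illustration (the IT-attack scenarios reuse the return periods and percentages from slide 41 only as a template), risks are assumed independent (the slides' correlation step is not modelled), and each risk is assumed to produce at most one scenario per year.

```python
"""Added example: Monte Carlo aggregation of key-risk scenarios into a
distribution of annual change in enterprise value, and a check of a
mitigation option against a stated risk appetite. All figures are
constructed; risks are assumed independent, one scenario per risk per year."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    label: str
    annual_probability: float   # a "1-in-30 year event" is 1 / 30
    impact_pct: float           # change in enterprise value vs. plan, in percent


@dataclass(frozen=True)
class Risk:
    name: str
    scenarios: tuple            # explicit scenarios; the remainder is "most likely"


def residual_probability(risk):
    """Probability of the on-plan outcome, i.e. that no listed scenario occurs."""
    total = sum(s.annual_probability for s in risk.scenarios)
    if total > 1.0:
        raise ValueError(f"{risk.name}: scenario probabilities sum to {total:.3f} > 1")
    return 1.0 - total


def _cutoffs(risk):
    """Outcomes ordered worst to best with cumulative probabilities. With this
    ordering, one uniform draw per risk-year maps a mitigated risk to an outcome
    that is never worse than the unmitigated one for the same draw."""
    outcomes = list(risk.scenarios) + [Scenario("most likely", residual_probability(risk), 0.0)]
    outcomes.sort(key=lambda s: s.impact_pct)
    table, acc = [], 0.0
    for s in outcomes:
        acc += s.annual_probability
        table.append((acc, s.impact_pct))
    return table


def simulate_value_impacts(risks, years=20000, seed=7):
    """Simulated aggregate impact on value (percent) for each of `years` years."""
    rng = random.Random(seed)
    tables = [_cutoffs(r) for r in risks]
    samples = []
    for _ in range(years):
        total = 0.0
        for table in tables:
            u = rng.random()
            for cum, impact in table:
                if u < cum:
                    total += impact
                    break
            else:                       # guards against float rounding at cum ~ 1.0
                total += table[-1][1]
        samples.append(total)
    return samples


def probability_of_drop(samples, threshold_pct):
    """Share of simulated years whose aggregate impact is at or below threshold."""
    return sum(1 for x in samples if x <= threshold_pct) / len(samples)


def loss_at_return_period(samples, years):
    """Aggregate impact exceeded on the downside about once every `years` years."""
    ordered = sorted(samples)
    idx = max(0, math.ceil(len(ordered) / years) - 1)
    return ordered[min(idx, len(ordered) - 1)]


def mitigate(risk, likelihood_factor=1.0, impact_factor=1.0):
    """Risk after a mitigation that scales adverse scenarios' likelihood and/or
    severity; favourable (upside) scenarios are left unchanged."""
    new = []
    for s in risk.scenarios:
        if s.impact_pct < 0:
            new.append(Scenario(s.label, s.annual_probability * likelihood_factor,
                                s.impact_pct * impact_factor))
        else:
            new.append(s)
    return Risk(risk.name, tuple(new))


def rank_by_worst_case(risks):
    """Key risks ordered by worst-case value impact, as on the slide-41 chart."""
    return [r.name for r in sorted(risks, key=lambda r: min(s.impact_pct for s in r.scenarios))]


def evaluate_option(risks, option_risks, appetite_threshold_pct, appetite_probability,
                    mitigation_cost_pct, years=20000, seed=7):
    """Current state vs. a mitigation option against a risk appetite such as
    'at most a 5 % chance of losing 10 % or more of value in a year'.
    The same seed is used for both runs so the comparison is like for like."""
    p_now = probability_of_drop(simulate_value_impacts(risks, years, seed), appetite_threshold_pct)
    p_opt = probability_of_drop(simulate_value_impacts(option_risks, years, seed), appetite_threshold_pct)
    return {"p_current": p_now, "p_option": p_opt,
            "meets_appetite": p_opt <= appetite_probability,
            "mitigation_cost_pct": mitigation_cost_pct}


# Constructed key-risk register (illustrative figures only, not client data).
IT_ATTACK = Risk("IT external attack", (
    Scenario("worst case", 1 / 30, -7.5), Scenario("pessimistic", 1 / 10, -2.4),
    Scenario("optimistic", 1 / 15, 0.1), Scenario("best case", 1 / 50, 0.2)))
SUPPLY_CHAIN = Risk("Supply chain failure", (
    Scenario("worst case", 1 / 25, -6.0), Scenario("pessimistic", 1 / 8, -1.5)))
INTERRUPTION = Risk("Business interruption", (
    Scenario("worst case", 1 / 40, -12.0), Scenario("pessimistic", 1 / 12, -3.0)))
KEY_RISKS = [IT_ATTACK, SUPPLY_CHAIN, INTERRUPTION]
# Option under consideration (assumed): halve the likelihood of adverse IT-attack
# scenarios and cut their severity by 40 %, at a cost of 0.3 % of value per year.
OPTION_RISKS = [mitigate(IT_ATTACK, 0.5, 0.6), SUPPLY_CHAIN, INTERRUPTION]

if __name__ == "__main__":
    base = simulate_value_impacts(KEY_RISKS)
    print("Ranking by worst case:", rank_by_worst_case(KEY_RISKS))
    print("1-in-30 year aggregate impact: %.1f%%" % loss_at_return_period(base, 30))
    print(evaluate_option(KEY_RISKS, OPTION_RISKS, -10.0, 0.05, 0.3))
```

The ordering inside `_cutoffs` is the design point worth noting: because every risk consumes exactly one uniform per simulated year and outcomes are laid out from worst to best, the pre- and post-mitigation runs are driven by identical draws, so a mitigation that only shrinks adverse likelihoods or severities can never make a simulated year worse, and the difference in `p_current` vs. `p_option` is attributable to the option rather than to sampling noise. The `meets_appetite` flag together with `mitigation_cost_pct` is the raw material for the slide-46 trade-off of likelihood of meeting risk appetite against total cost of risk.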
48. Risk Management Implementation (activities → deliverables)
   Develop risk response plan → Risk management project plan
   Obtain support of risk management leaders → Project governance structure
   Develop teams and tools → Resource allocation, communication and training
   Implement projects → Program management
   Define metrics and implement monitoring tools → Risk platform and scorecards
49. Risk Management Implementation: ERM multi-year project plan, 2007 to 2009 (Gantt chart). Workstreams shown: define risk strategy; develop cost of risk model; establish risk appetite; evaluate data strategy; develop risk profiling; M&A process evaluation; comprehensive risk mapping; risk modeling; captive optimization; legacy claim projects; legacy claim evaluation; technology implementation; expanded risk assessment; portfolio risk modeling; global optimization; captive strategy.
50. ERM Enabling Technologies. There are a lot of technologies related to risk in general and ERM. Use a selection process as with any tool/technology:
   • Analysis: RFI/RFP
   • Vendor discussions and “bake-off” with prototype
   • Design: purchase on trial basis
   • Full deployment
51. ERM Dashboard Applications (screenshots)
52. ERM Monitoring and Reporting (screenshots)
53. Dashboards & Governance: drives accountability; facilitates “dashboard” reporting; automates tracking of key risk indicators
54. Governance, Culture and Disclosure (key activities → client deliverables)
   Develop detailed ERM frameworks and governance → Policies, manuals, committees, roles and accountabilities
   Develop internal risk communication and awareness program → Rollout of communication and awareness program
   Develop external communication strategy → Enhanced communication with rating agencies, equity analysts and regulators
   Monitor risk performance against defined metrics → Reporting on KPIs
   Develop continuous improvement process → Improvement processes and accountabilities
55. Governance, Culture and Disclosure: ERM framework and governance (organization chart). Board of Directors → Executive Committee → Chief Risk Officer (alongside COO, CFO, CIO, CLO) → ERM function, working with business units A, B and C, divisions A, B and C, functional, business support and shared services, and with Risk Management, Internal Audit and Compliance.
56. Governance: Partnership is Key
   Board: set policy; approve risk strategy; enforce correction; provide tone from the top
   Audit Committee: establish policy; propose risk strategy; measure / monitor; report to board on key matters
   ERM Working Group (possibly chaired by CRO): monitor; facilitate; coordinate; benchmark; educate; report
   Internal Audit: provide assurance; conduct risk-based audits
   Business/Functional Risk Owners: identify risk; measure risk; prioritize risk; manage risk; report & improve
   Compliance/Ethics: act as functional risk owner; manage legal risks; foster an ethical environment
57. Governance, Culture and Disclosure: sample deliverables (screenshots), e.g. an ERM project plan and ERM manual for “Client ABC”
  58. 58. External Risk Disclosure AnalysisAnnual 10-K reports are a primary riskinformation source for investors and the public.• How was this list developed?• How was the order of the risks determined?• Were the impacts of these risks quantified?• How will investors react if an unmentioned risk results in significant loss of market value?• How does your list compare to your competitors?
  59. 59. Comparative Analysis• A comprehensive ERM program can ensure that the10-K risk factor list is complete and in appropriate order.• Review the risks listed in the 10-K report – Is anything missing? – Are the risks listed in an order that is representative of their impacts? – Have these risks been quantified?How would investors or regulators react if an unmentioned risk results in significant loss of value?
  60. 60. Analyzing Competitors’ DisclosuresRegular review of competitors’ risk disclosures is vital to:• Ensure that your risk disclosure is complete• Keep tabs on changes in the industry environment
  61. 61. Comparing Risk DisclosuresDescriptionConsumer demand and acceptance of servicesoffered by usOur ability to achieve and maintain acceptablecost levelsFare levelsActions by competitorsRegulatory matters StrategicGeneral economic conditions Review ofCommodity prices Annual Reports /Changing business strategies RegulatorySingle aircraft type FilingsChanges to and costs of security procedures Green = DeclaredCost and availability of aircraft insurance Red = Not DeclaredTerrorist attack Orange = Not RelevantInternational hostilitiesAbility to continue as a going concernAbility to operate pursuant to the terms of theDIP FinancingAbility to obtain a federal loan guarantee from theATSB
62. ERM – Commonly Cited Challenges
• Inability to demonstrate immediate, quantifiable return on investment
• Internal competition among business units
• Cultural incompatibility
• Limited technology / tools
• Inadequate senior-level support

63. ERM – Critical Success Factors
• Senior management support
• Clearly defined vision
• Regular and open communication among the team
• Realistic expectations regarding timelines and deliverables
• Sufficient resource allocation for implementation and follow-through
• Linkage to organizational success factors, strategies and processes

64. ERM Potential Benefits

Establish Sustainable Competitive Advantage
• Integrate with business planning and value management processes
• Avoid missing key risks and losing vital opportunities
• Optimize balance between capital preservation and growth/profit generation

Manage Risk at a Lower Cost
• Minimize risk-averse behavior
• Develop cost-effective risk strategies and solutions
• Eliminate redundant or unnecessary risk controls

Improve Business Performance
• Support more informed/proactive risk management decisions aligned with business objectives/strategies
• Link to enterprise performance, measurement and monitoring
• Reduce volatility and prevent surprises

65. ERM Gap Analysis

Phase I – Information Gathering
• Conduct interviews / gather information
• Identify risk universe
• Define and develop cost of risk data
• Conduct gap analysis
• Identify key risk projects / activities needed to achieve risk management excellence
• Understand cost / benefit of potential risk management strategies

Phase II – Setting the Stage
• Develop overall risk management vision
• Create risk management objectives and scorecard / gap analysis
• Develop teams and tools

Phase III – Executive Support
• Obtain support of risk management leaders
• Present overall vision and plan to senior management
• Create linkage to next steps
• Get moving

Phase IV – Implementation
• Deliver defined projects
• Update progress toward overall vision
• Measure performance
• Build feedback loop to ensure continued progress toward goals

66. Risk Management Vision
• Risk management vision transcends the various projects and activities that comprise risk management within an organization
• In order to define risk management vision, the company must resolve a series of key questions:
  – What are the goals of the company's risk management efforts?
  – How does the company define risk management excellence?
  – What is the current state of risk management?
  – Where are the gaps?
  – What are the priorities?
  – How will success be measured?
• In the end, risk management must deliver measurable impact on the company's operating performance

67. Key Risk / Performance Indicators
• What are the KRIs?
• How do I get them?
• How often do I get them?
• What do I do with them?
• Foundation understanding of: frequency, source and meaning

68. KRIs – Example

69. Focus on Value

[Diagram] Risk Identification & Ranking Process (surveys, ERM Committee consensus meeting) → Individual Risk Quantification → Enterprise Risk Exposure Model: All Risks → Key Risks (ΔValue) → Value, incorporating the portfolio effect and scenario development. Outputs feed Risk Appetite, Strategy and Risk Management Tactics. Key: Risk Quantification / Risk Management.
70. Case Study #1: Fast Growing Company
• Highly successful, profitable company
• Recent patent litigation surprise created temporary cash and credit crunch
• Audit committee wanted an overview of key risks facing the company
• Risk committee was formed to coordinate the effort
• Team conducted interviews with over 50 executives, supplemented by over 80 surveys

71. Project Objectives
• Has the company identified all its critical risks?
• Does the company have effective controls for managing its critical risks?
• Are the risks greater now than they were 12 - 24 months ago (earnings pressure, continued acquisitions and internal strategic initiatives)?
• Are these risks within acceptable limits?
• Is the right level of information reported to Senior Management and the Board?

72. Project Results
• Provided information to senior management and the Audit Committee
• Developed models for key risks based on potential impact on:
  – Revenue
  – EPS
  – Cash
  – Reputation
• Examined current and potential risk mitigation opportunities, including risk transfer and self-funding
• Created a framework for more effective decision-making regarding supply chain management, site selection and inventory management

73. Case Study #2: Manufacturing Company
• Company had a well-developed risk management process
• Top risks for each of the businesses were routinely assessed and evaluated
• Due to lack of internal data, limited effort had been made to quantify the potential impact of events
• Recent supply chain problems had highlighted previously unmeasured vulnerabilities
• Project team developed customized risk models for the top five risks of each business unit

74. Project Results
• Delivered working risk models to each business unit
• Risk models were used to develop "underwriting models" for potential risk transfer / mitigation solutions
• Company expanded the use of its existing captive insurance company and finite risk insurance arrangements to address key issues
• Event risk maps helped uncover critical decision points that could substantially alter the overall risk exposure
• Changes were made in supply contracts, inventory levels and contingent business interruption coverage as a result of the analysis

75. Case Study #3: Consumer Products
• Fortune 100 consumer products company
• Treasurer and Risk Manager had identified 17 key risks under their charge
• Company wanted to develop a quantitative approach to better evaluate risk decisions
• Solution: Risk modeling project to help evaluate the optimal risk strategy

76. Project Results
• Project focused on the analysis of internal and external risk data
• Creation of individual and portfolio risk models
• Risk mitigation and transfer alternatives were tested using the models, resulting in significant changes
• Company was able to demonstrate the value of additional risk retention and the use of internal funding (via a captive insurance subsidiary)
• Risk finance and mitigation resources were reallocated to optimize the company's risk management efforts

77. Case Study #4: Hospital
• Medium-sized hospital looking to achieve excellence in health care by surpassing standards set in "The New American Hospital" and the Malcolm Baldrige National Quality Award
• Key objective: conduct a comprehensive risk assessment
• Project involved:
  – Interviews with key personnel (management, physicians and nurses)
  – Creation of a risk inventory
  – Benchmarking of current risk management approaches and quality of care against industry standards and best practices
  – Evaluation of current risk mitigation methods

78. Hospital ERM Project Results
• Identified and prioritized key enterprise risks
• Recommended improved approaches for risk management
• Opportunities for improvement included:
  – Implementation of clinical best practices and rapid response teams to reduce cardiac complication rates
  – Diversification of services to counteract the impact of Medicare reform
  – Contingency planning around key physicians and sole-source service providers
  – Improvement of the contract oversight and document retention process to minimize legal liabilities

79. Case Study #5: Capital One

[Timeline]
• Capital One signed an "informal memorandum of understanding" with bank regulators.
• Capital One's stock plummeted by 39%, falling from a $50.60 per share close on July 16 to $30.48 per share by the close of July 17; a drop of roughly $4B in market value.
• More than a dozen class actions were filed charging the credit card issuer with securities fraud for misleading shareholders about its financial health and its compliance with bank regulations.
• July 2002, 8-K filing: the company publicly commits to enhance its enterprise risk management and internal control environment.
• Risk management capabilities designed and implemented across the organization.

80. ERM Process: Enhanced Future State

[Diagram] Line of Business Operations ↔ ERM Process ↔ Risk Metrics, with ERM integrated into operational business processes, giving improved risk predictability and measurement, risk-adjusted decision making and improved business performance.

81. Suggestion: Adopt a Pilot Approach
• Start small and grow big
• Select a locale with engaged management and non-complex products or customers
• Establish proof of the ERM concept – quicker benefits
• Accomplish process objectives in a shorter timeframe
• Learn from successes/mistakes to roll out the ERM process across the organization
82. Overview of a Pilot

Pilot steps (September to November):
• Review current company and business objectives / risk management objectives; evaluate current risk management infrastructure and capabilities
• Perform facilitated session and/or interviews with select internal and external experts to identify and assess risks and risk management processes
• Summarize data on the most significant risks
• Establish criticality of risk and prioritize; map key risks
• Analyze risks for causal factors, effects, and interrelationships
• Establish risk management options, action plans, etc.

Risk map (Severity in $ millions: 1, 2, 5, 10, 50, >100M, against Frequency: <5, 10, 25, 50, 75). Legend: High Impact, Moderate Impact, Low Impact; Partial / Full Mitigation, No / Minimal Mitigation.
• Strategic: S1 – Partnering arrangements; S2 – Changing industry dynamics
• Operational: O1 – New initiative integration/success; O2 – Business continuity; O3 – Product quality; O4 – Centralized distribution; O5 – Hazard risk
• Human Capital: H1 – Succession planning; H2 – Turnover; H3 – Human capital development
• Legal/Regulatory: L1 – Political pressure around drug affordability
• Technology: T1 – Intellectual property; T2 – Information security
• Financial: F1 – Currency fluctuations; F2 – Commodity prices

Risk Assessment Pilot – sample risk profile: Information Technology – Network Security

Risk Definition
• Ability to safeguard proprietary knowledge from a security breach which could damage financials, brand and reputation
• Intentional, coordinated and/or hidden sabotage of systems, software or processes by internal or external parties

Current Metrics
• Number of viruses per month
• Minutes of downtime per month
• Backup processes double checked weekly

Risk Owner(s)
• Chief Technology Officer
• IT Department
• Security

Action Plans – Current State
• Up-to-date anti-virus and system firewall protection
• Disaster recovery plans
• Software and data backups
• Destruction of old hard drives from redundant computers

Action Plans – Recommended
• Intrusion detection and vulnerability detection equipment and software
• Network backup planning
• Ensure no single point of failure
• Backup power supply
• Redundant hardware systems

Estimated Investment
• Additional IT staff personnel
• Purchase of intrusion detection and vulnerability detection equipment
• Continual investment in updating software

Sample KPI chart: Reduce voluntary employee departures by 10% by 2008 (# Departures: 2006, 2007 est., 2008 target est.)
83. Questions to Consider
• Is ERM adding value for your organization?
• Is the ERM effort stalled or is progress being made?
• Are there parallel risk management efforts that fall outside of the ERM process?
• What can be done to automate portions of the ERM process?
• Are there high impact "drill-down" projects that will deliver ERM value?
• Is ERM sustainable after the project team has moved on to other assignments?

84. Contact

Barry Franklin, FCAS, MAAA
Aon Global Risk Consulting
312.381.3920
barry_franklin@ars.aon.com

85. Confidentiality

We recognize that our clients' industries are extremely competitive and maintaining confidentiality is of the utmost importance. Accordingly, Aon takes seriously its obligation to protect the confidentiality of client information.

Similarly, we view our approaches and insights as proprietary and therefore look to our clients to protect Aon interests in our presentations, methodologies, and analytical techniques. Under no circumstances should the material in this report be shared with any third party without the written consent of Aon.

Copyright © 2007 Aon