This document discusses developing an enterprise risk management program. It defines ERM and outlines key components of an ERM program including risk identification, assessment, prioritization and monitoring tools. Technology plays an important role in both mitigating risks and providing tools to implement an ERM framework. Implementing best practices in ERM can help businesses improve performance and reduce unexpected losses. The document provides examples of how to develop an ERM program, assess maturity levels, and identify risks.

1. Developing and Selling an
Enterprise Risk Management Approach
Presented by:
Dave Cunningham, Managing Director
Baker Robbins & Company
713-840-0510
dcunningham@brco.com

2. Topics
Enterprise Risk Management
1. Defined
2. Trends and Issues
3. Applied to Law Firms
4. Technology
5. Value
6. Program Development

3. 1. ERM Defined
ERM is a management approach focused on maximizing
shareholder value and ensuring business continuity by
creating a single view of internal and external risks and
an executive-level strategy to deal with those risks.

4. Risk Management Categories
Risk can be analyzed in these categories:
Risk Types Internal External
Strategic
Economic
Market
Operational
Technical

5. ERM Processes

6. Understanding Risk Management
RM is about managing risks, not eliminating them.
Risks are both positive and negative, involving gains and losses.
Risk management’s overall goal is building and maintaining
stakeholder confidence: the key to organizational resilience.

7. 2. ERM Trends and Issues
Compliance Requirements
Role of Chief Risk Officer
European Influences (Data Protection, Ethical Walls, Anti-
Cartel, Anti-Money Laundering, External Investments)
Technology
Dependency as business tool
Risk management tool
Convergence of Performance and Risk Management

8. 3. ERM Applied to Law Firms
“It doesn’t take a visionary to see that an
enterprise view of risk is right for law firms. We
are 20 years behind the big accounting firms. It’s
just a matter of how fast we move forward.”
- General Counsel of AmLaw 20 law firm

9. ERM Applied to Law Firms
“Law firms should, in theory, be good in managing
risks across the firm because the people we are
dealing with are those who are most affected.”
“We are coming off of a difficult loss cycle. Firm are
now being much more active in managing risks.”
- Managing Director of Aon

10. Areas of a Firm Addressing Risk (Example)
CONFLICTS & ETHICS LITIGATION & SUBPOENA INSURANCE
Conflicts & Ethics and Securities MATTERS
Transaction Committees Litigation Attorneys Professional Indemnity
Information Services and Records Managing Attorney’s Office Professional Insurance Committee
Department Outside Counsel Executive Group
Outside Counsel Finance Department
EMPLOYMENT & DATA PRIVACY, SECURITY Employment/Worker’s
PERSONNEL MATTERS MATTERS Compensation
Professional Personnel and Admin HR Finance Department Administrative HR
Outside Counsel IT Finance Department
Professional Personnel and Admin HR
PARTNERSHIP ELECTIONS Other Insurance
Policy Committee MARKETING & COMMUNICATIONS Finance Department
Executive Group (Website, Branding, Copyright, Reviewing Executive Group
Finance Department Marketing Materials, etc.)
IT Marketing/Communications Department FIRM MANUALS AND GUIDANCE
Executive Group (and delegates)
PARTNERSHIP ELECTIONS PROFESSIONAL DEVELOPMENT Applicable Practice Groups & Departments
Professional Development Department
(Governance, Departures, Disputes)
Professional Personnel
Executive Group INFORMATION RETENTION
Policy Committee IR Project Team
VENDOR CONTRACTS
Pension Committee Steering Group
Applicable Departments (IT, Finance, HR,
Finance Department M/C, etc.) Outside Consultants
Professional Personnel All Practice Groups and Departments
Outside Counsel AUDIT
Audit Committee FIRM INVESTMENTS
Finance Department Investment Committee

11. Risk Exposure
1. Clients
2. Employees
3. Operations
What keeps General Counsels awake at night?

12. 4. ERM and Technology
IT is not only a source of risk;
it provides management with tools
to implement a risk framework.

13. Technology: Source of Risk
Continuity
Integrity
Accessibility
Privacy

14. Technology: Mitigating Risks
System Fault Tolerance
Physical and Electronic Security
Performance Modeling
Intranet / Communications

15. Technology: Mitigating Risks
Firm Business Processes
Conflicts and Ethical Walls
Billing
Business intelligence and reporting
Records (e-mail, paper and document) management
Team-based folders and workspaces
Knowledge management and expertise identification
Client relationship management
Enterprise resource planning
Self-Service
Litigation Support Management

16. Technology: Risk Management Tool (example)
Expected Loss Unexpected Loss
Internal
Loss Data
Severity
Enterprise Panjer Required
Risk Assessor Recursion Capital
Mapping
Frequency
External
Data
Adjust for Internal Control 1. Damage to physical assets
2. Business disruption and system failures
3. Execution, delivery and process management
4. Employment practices and workplace safety
5. Clients, products and business practice
6. Internal fraud
7. External fraud

17. ERM Dashboard (example)

18. IT Management Dashboard (example)

19. 5. ERM Business Impact
Gartner research shows that 60% of large enterprises without
best practice risk management implemented consistently
across the enterprise will significantly under-perform their
peers.
Aon: Impact on insurable losses has not been measured.
ERM helps you look better to the insurance company and
establish a sense of awareness.

20. ERM Business Impact – IT Perspective
Awareness of existing risks
Mitigation of IT risks
Necessary component of:
Service level agreements
Business continuity planning
Project charters / business cases
Reduction of surprises
A seat with firm management on business issues

21. 6. Program Development
Two Tracks
IT (Performance and) Risk Management
Enterprise Risk Management

22. IT Performance and Risk Management
IT Processes
IT Service Levels
IT Key Performance Indicators
Roles and Responsibilities related to risk:
Change and configuration management
Quality assurance
Data architecture and integrity
Security and privacy
Content management initiatives

23. ERM Program Development
Initial Steps
Context
Consider current actions and how they may or may not be
aligned with desired culture of risk
Establish a baseline
Identify
Identify existing risk-related responsibilities
Identify existing gaps in risk management
Decide roles and responsibilities
Determine maturity of the existing situation

24. Maturity Assessment Model

25. Maturity Assessment: Risk Process Ratings

26. Maturity Assessment: Business Processes

27. Maturity Assessment: IT Processes (1 of 4)

28. Maturity Assessment: IT Processes (2 of 4)

29. ERM Standards and Influences
ERM
COSO ERM Framework
AS NZS 4360: 2004
Compliance
Sarbanes-Oxley
Basel II
ISO
Standards with risk aspects:
IT Infrastructure Library (ITIL)
Project Management Institute PMBOK

30. Risk Identification Example
Risk Types Internal External
Strategic
Economic
Market
Operational
Technical
Continuity
Access Management
Integrity
Privacy

31. Risk Prioritization

32. Conclusion
Next Steps
Review how risk is considered and managed in IT projects
Have initial conversations in your firm about risks
Determine your own role in enterprise risk
Perform an assessment of risk areas and understand the
implications
Questions and Comments?