
Enterprise-Wide Risk Management

Top 10 Things Everyone should know about Enterprise Risk Management

Grant Thornton

Contents

#1 What is Enterprise Risk Management?
#2 The Value Proposition: Why do this?
#3 ERM Best Practices - International
#4 An Example of ERM Methodology
#5 Identify Risks
#6 Analyze Risks
#7 Evaluate Risks
#8 ERM Organization
#9 Where is the industry today?
#10 Best Practices and Lessons Learned

#1 - What is Enterprise Risk Management?

Taken from "COSO - ERM Integrated Framework"

Enterprise Risk Management:
- Takes an entity-level portfolio view of risk
- Is a process, ongoing and flowing through an entity
- Is effected by people at every level of the organization
- Is applied in strategy setting
- Is designed to identify potential events that, if they occur, will affect the entity
- Is designed to help an organization manage risk within its risk appetite
- Provides reasonable assurance to an entity's management and board of directors as to accomplishment of business objectives

#2 - The Value Proposition: Why do this?

Taken from "COSO - ERM Integrated Framework"

- Develops a strategic, firm-wide approach to risk management and mitigation using all the available tools: derivatives, insurance, internal controls and strategic action
- Focuses management attention on the truly important risks: risks with potential to significantly impact earnings or even endanger firm survival
- Integrates risk management into critical decision-making processes, such as strategic planning, to ensure a link between risk-adjusted performance measurement tools (e.g. Economic Capital, RAROC) and strategic decision-making (i.e. budget planning, capex, M&A)
- Identifies the risks inherent in current strategy and business model before the competition does, to provide sustainable competitive advantage

The Value Proposition for Public Companies: Why do this?

- Lowers cost of capital by reducing cash flow volatility and increases confidence of delivering financial outcomes
- Determines the risk appetite of the firm in the context of investor expectations and financial resources, and communicates this effectively to all shareholders (i.e. Board, investors, analysts, rating agencies)

#3 - ERM - Best Practices - International

Australia/New Zealand:  AS/NZS 4360 and HB436
Canada:                 CoCo
UK:                     Combined Code
South Africa:           King I and II
Banking - Worldwide:    Basel I and II
India:                  Clause 49

COSO-ERM Framework
Taken from "COSO - ERM Integrated Framework"

Objective categories: Strategic, Operations, Reporting, Compliance

Components: Internal Environment; Objective Setting; Event Identification; Risk Assessment; Risk Response; Control Activities; Information & Communication; Monitoring

Comparison to COSO (internal control framework):
- 4 objective categories vs. 3 (strategy is added)
- Reporting is more robust
- Internal environment replaces control environment
- Risk identification is more robust
- Separate section for risk response

COSO ERM Process Flow

Internal Environment: Risk Management Philosophy; Risk Culture; Board of Directors; Integrity and Ethical Values; Commitment to Competence; Management's Philosophy and Operating Style; Risk Appetite; Organizational Structure; Assignment of Authority and Responsibility; Human Resource Policies and Practices

Objective Setting: Strategic Objectives; Related Objectives; Selected Objectives; Risk Appetite; Risk Tolerance

Event Identification: Events; Factors Influencing Strategy and Objectives; Methodologies and Techniques; Event Interdependencies; Event Categories; Risks and Opportunities

Risk Assessment: Inherent and Residual Risk; Likelihood and Impact; Methodologies and Techniques; Correlation

Risk Response: Identify Risk Responses; Evaluate Possible Risk Responses; Select Responses; Portfolio View

Control Activities: Integration with Risk Response; Types of Control Activities; General Controls; Application Controls; Entity Specific

Information & Communication: Information; Strategic and Integrated Systems; Communication

Monitoring: Separate Evaluations; Ongoing Evaluations

Internal Environment
Taken from "COSO - ERM Integrated Framework"

- Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur
- Establishes the entity's risk culture
- Considers all other aspects of how the organization's actions may affect its risk culture

Objective Setting
Taken from "COSO - ERM Integrated Framework"

- Is applied when management considers risk strategy in the setting of objectives
- Forms the risk appetite of the entity: a high-level view of how much risk management and the board are willing to accept
- Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite

Event Identification
Taken from "COSO - ERM Integrated Framework"

- Differentiates risks and opportunities
- Events that may have a negative impact represent risks
- Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting

Event Identification (continued)
Taken from "COSO - ERM Integrated Framework"

- Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives
- Addresses how internal and external factors combine and interact to influence the risk profile

Risk Assessment
Taken from "COSO - ERM Integrated Framework"

- Allows an entity to understand the extent to which potential events might impact objectives
- Assesses risks from two perspectives: likelihood and impact
- Is used to assess risks and is normally also used to measure the related objectives

Risk Assessment (continued)
Taken from "COSO - ERM Integrated Framework"

- Employs a combination of both qualitative and quantitative risk assessment methodologies
- Relates time horizons to objective horizons
- Assesses risk on both an inherent and a residual basis

Risk Response
Taken from "COSO - ERM Integrated Framework"

- Identifies and evaluates possible responses to risk
- Evaluates options in relation to the entity's risk appetite, the cost vs. benefit of potential risk responses, and the degree to which a response will reduce impact and/or likelihood
- Selects and executes the response based on evaluation of the portfolio of risks and responses

Control Activities
Taken from "COSO - ERM Integrated Framework"

- Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out
- Occur throughout the organization, at all levels and in all functions
- Include application and general information technology controls

Information & Communication
Taken from "COSO - ERM Integrated Framework"

- Management identifies, captures and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities
- Communication occurs in a broader sense, flowing down, across and up the organization

Monitoring
Taken from "COSO - ERM Integrated Framework"

Effectiveness of the other ERM components is monitored through:
- Ongoing monitoring activities
- Separate evaluations
- A combination of the two

Relationship to Internal Control Integrated Framework

- Expands and elaborates on elements of internal control as set out in COSO's control framework
- Includes objective setting as a separate component. Objectives are a prerequisite for internal control
- Expands the control framework's Financial Reporting and Risk Assessment

#4 - An Example of ERM Methodology

The methodology runs through six phases. For each phase the slide lists the methodology steps, the techniques, the supporting technology and the deliverables.

1. Gain understanding of business model and establish context
   Methodology: Company strategy & objectives; control environment; ERM overall plan; understand internal risk capabilities; vision/mission of the company; establish risk appetite/tolerances; discuss different risk treatment strategies
   Techniques: Discussion; review documents; facilitated workshops
   Technology: Voting technology; compliance software
   Deliverables: Strategy linked to risk appetite; overall ERM plan by year; report on existing risk capabilities; risk appetite statement/tolerances established; risk management charter/committee; establish common business language

2. Identify risks
   Methodology: Identify/interview risk process owners; identify risk universe/terms; identify key risk events; link risks to strategy; identify processes/sub-processes; link risks to processes/sub-processes
   Techniques: Questionnaires; CSA; FCSA; brainstorming
   Technology: Voting technology; risk repository software; templates
   Deliverables: Risk questionnaire; list of people to interview; risk universe/terms; processes/sub-processes; risks linked to processes; risks linked to strategy

3. Analyze risks
   Methodology: Significance of risks; likelihood (inherent); likelihood (residual); roll-up of risks; prioritized summary; report
   Techniques: Scatter graph; heat map; charts; communications; CSA
   Technology: Scenario modeling software
   Deliverables: Prioritized risk report with and without mitigation

4. Evaluate risks
   Methodology: Compare against risk tolerances; assess different treatment options
   Techniques: Cost vs. benefit analysis (avoid, accept, mitigate, outsource); CSA; external experts (e.g., actuaries)

5. Treat risks
   Methodology: Decide optimal option; assign responsibility; ensure resources available; bridge risk capability gaps; treat risks; analyze & evaluate residual risks; report
   Techniques: CSA
   Deliverables: Risk report post-treatment

6. Monitor risks
   Methodology: Risk monitoring; internal audit assurance (see separate flow)
   Techniques: Dashboards
   Technology: Monitoring software; extraction software; audit workpaper software
   Deliverables: Report on ongoing risk monitoring; key metrics; tie into performance management system

Gain Understanding: Relating Vision, Mission, Strategic/Business Objectives and Appetite

Vision: To help drive advancement of education
Mission: To improve the mathematics skills of elementary & secondary students, regardless of curriculum & teaching styles

Strategic Objectives
A. Enhance shareholder value: Consistently grow operating earnings (currently at 25%)
B. Market share objective: Penetrate both top 1000 school districts + 40% of next tier 1500 school districts
C. Reputation objective: Be recognized by educators and institutions as significant contributor to education in U.S.
D. People objective: Achieve ranking as one of top 50 companies to work for
E. Integrity objective: Always act with integrity when dealing with employees, customers, vendors or other parties

Strategy
- Expand customer base: retail channels
- Expand product line: reading-based product
- Foreign languages: penetrate international markets

Risk Appetite
- Accepts consumption of capital for need and information technology projects
- Will not accept impairment of reputation through significant quality defects
- Will not accept any deaths from internal accidents

Related Objectives
- Install customer service (reporting) information system
- Ensure quality assurance process
- Ensure internal accident rate is reduced by 10% (compliance)

Measure
C. Be recognized by educators and institutions as significant contributor to education in U.S.
D. Ensure accident rate is reduced by 10%

Target
C. Ensure quality assurance process is 99% defect free
D. Ensure accident rate is reduced by 10%

Tolerances (Acceptable Range)
C. Willing to accept up to 3% deviation
D. Willing to accept no deviation

(The slide lays these rows out as a matrix keyed by objective letter A-E; only the cells listed above are recoverable.)

Identify Risks: Risk Universe

Business Risk Model Definitions - Example (* marks the five risks carried through the examples that follow)

External Risks
1. Industry*
2. Economy
3. Political change
4. Competitor
5. Consumer preference

Internal Risks - Strategic Risks
6. Market share
7. Reputation
8. Brand equity*
9. Strategic focus
10. Investor confidence

Process Risks - Operations Risks
11. Customer satisfaction
12. Product failure*
13. Supply chain
14. Sourcing
15. Supplier concentration
16. Outsourcing
17. Production cycle
18. Catastrophic loss
19. Process execution

Process Risks - Compliance Risks
20. Policies and procedures
21. Environmental
22. Contract
23. Legal and regulatory*

Process Risks - People Risks
24. Human resources
25. Health and safety*
26. Authority
27. Integrity
28. Leadership/empowerment
29. Communications
30. Culture
31. Performance incentive
32. Knowledge capital

Treasury Risks
33. Cash flow/liquidity
34. Capital availability
35. Interest rate
36. Foreign exchange

Credit Risks
37. Credit capacity
38. Credit concentration
39. Credit default

Financial Risks
40. Accounting
41. Budgeting
42. Taxation

Operational Risks
43. Pricing
44. Performance measurement
45. Portfolio

Technological Risks
46. Systems infrastructure
47. Systems access
48. Systems availability
49. Data integrity
50. Data relevance

#5 - Identify Risks: Risk Universe Terms

Business Risk Model Definitions - Example

External Risks
1. Industry: Changes in the education or technology industries may require alteration in the Company's business model and potentially threaten long-term viability

Internal Risks (Strategic Risks)
8. Brand equity: Failure to establish and maintain brand awareness, positioning, and strength may impair the Company's ability to execute strategic growth objectives

Process Risks (Operations Risks)
12. Product failure: Failure of a product to operate as intended may result in higher than acceptable returns or warranty claims, lack of repeat business and damage to brand equity

Process Risks (Compliance Risks)
23. Legal and regulatory: Failure to comply with federal, state or local regulations may result in fees, penalties, criminal or civil claims, or damage to the Company's reputation

Process Risks (People Risks)
25. Health and safety: Failure to protect the health and safety of employees and third parties on Company property may result in claims, fees, low morale, or reduced productivity

(The other categories on the slide - Treasury, Credit, Financial, Operational and Technological Risks - carry no defined terms in this example.)

Identify Risks: Linking of Risks to Strategic Objectives

The slide is a matrix. Columns are the strategic objectives: Earnings Growth, Market Share, Reputation, People, Integrity. Rows are the risks: 1. Industry, 2. Economy, 3. Political change, 4. Competitor, 5. Consumer preference, 6. Market share, 7. Reputation, 8. Brand equity, 9. Strategic focus, 10. Investor confidence, 11. Customer satisfaction, 12. Product failure, 13. Supply chain, 14. Sourcing, 15. Supplier concentration, 16. Outsourcing, 17. Production cycle, 18. Catastrophic loss. An X in a cell links a risk to the objective it affects; the individual X placements did not survive extraction.

Identify Risks: Link Risks to Business Processes

ABC Company processes and sub-processes (rows of the matrix):
- Finance (Process): M&A (Sub Process)
- General Counsel (Process): Environmental (Sub Process)
- Administration (Process): HR (Sub Process)
- Risk Management (Process): Insurance (Sub Process); Strategic Planning (Sub Process)
- Operations (Process): Production (Sub Process); Quality Assurance (Sub Process)
- Customer Service (Process): Distribution / Warranty & Repairs (Sub Process)
- New Product Development (Process): Research (Sub Process)

Risks (columns of the matrix): Industry; Brand Equity; Product Failure; Legal & Regulatory; Health & Safety

An X in a cell links a risk to the process it runs through; the individual X placements did not survive extraction.

#6 - Analyze Risks
Assessment of Risks for Impact and Likelihood of Occurrence

Scale for Impact:
1 Not Significant: Neither a strategic nor a financial impact
3 Slightly Significant: Relatively minor strategic and/or financial impact (one week's earnings), e.g., minor legal issues
5 Moderately Significant: Noticeable challenges to achieving strategic objectives and/or financial targets (one month's earnings), e.g., serious breach of regulations with investigating authorities
7 Significant: Difficult to achieve strategic objectives (possibly requiring a strategic change) and/or material financial impact (one quarter's earnings), e.g., major breach of regulation/major litigation
9 Highly Significant: Strategic objectives cannot be achieved, resulting in significant financial impact (one year's earnings) and questions about future viability, e.g., significant prosecution and fines, very significant litigation including class action lawsuits

Scale for Likelihood (assess likelihood with and without mitigation):
1 Never: Will not occur in the specified time period (<5%)
3 Unlikely: Not likely to occur in the specified time period (<25%)
5 Possible: May occur in the specified time period (<50%)
7 Likely: More likely than not to occur in the specified time period (>50%)
9 Definitely: Already occurring or almost certainly will occur in the specified time period (>90%)

#7 - Evaluate Risks: Risk Appetite/Tolerance

Scale for Tolerance:
- Very Low Tolerance: Management is not willing to accept more than a nominal level of risk. Adverse risks are intolerable whatever benefits the activity will bring, and risk reduction measures are essential whatever their cost.
- Moderate Tolerance: Management will accept a moderate level of risk. Costs and benefits are taken into account and opportunities balanced against potential adverse consequences.
- Extremely High Tolerance: Management will accept an extremely high level of risk. Positive or negative risks are negligible or so small that no risk treatment measures are needed.

Evaluate Risks: Evaluate Risks Against Risk Tolerances

1. Industry - Impact 6.6, Likelihood 4.0, Tolerance Moderate
   Analysis: Industry changes would have moderate to high impact as the Company's product may have to undergo significant changes. Technological changes are inherent in the industry, hence ABC Company's likelihood and tolerance are both moderate.

8. Brand Equity - Impact 7.4, Likelihood 4.0, Tolerance Low
   Analysis: Protecting ABC Company's brand is paramount for future growth and success; hence high impact and low tolerance. High quality assurance and ongoing R&D result in low likelihood.

12. Product Failure - Impact 7.8, Likelihood 3.8, Tolerance Low
   Analysis: High quality products and performance are very important to ABC Company; hence high impact and low tolerance. The Company's strong quality control helps keep likelihood low (good audit candidate).

23. Legal & Regulatory - Impact 6.6, Likelihood 3.4, Tolerance Low
   Analysis: Changes in laws and regulations could have a moderately high impact on the Company. As these changes are infrequent, ABC Company is successful in managing these changes to a low tolerance level.

25. Health & Safety - Impact 6.4, Likelihood 3.2, Tolerance Low
   Analysis: Considering the high value placed on employees, the Company has a low tolerance for health & safety risks, which could have a moderate impact. The Company has an effective health & safety program, which has helped the likelihood of this risk remain low.

Impact vs. Probability

                    Low probability          High probability
High impact         Medium Risk: Share       High Risk: Mitigate & Control
Low impact          Low Risk: Accept         Medium Risk: Control

Example: Call Center Risk Assessment

High impact, low probability (Medium Risk): Loss of phones; Loss of computers
High impact, high probability (High Risk): Credit risk; Customer has a long wait; Customer can't get through; Customer can't get answers
Low impact, low probability (Low Risk): Fraud; Lost transactions; Employee morale
Low impact, high probability (Medium Risk): Entry errors; Equipment obsolescence; Repeat calls for same problem

Treat Risks

Decision factors:
- Risk impact to Company (High) relative to tolerance: Far Exceeds / Exceeds / Consistent
- Management believes it can: Effectively Manage / Not Manage
- Risk to Company strategy: Core / Not Core

Choices: Avoid; Transfer; Reduce; Accept

Monitor Risks: Risk Monitoring / Internal Audit Program

Columns: Impact | Likelihood | Impact x Likelihood | Likelihood with mitigation | Tolerance. (The fourth column's heading did not survive extraction; the label is inferred from the "with and without mitigation" likelihood scale above.)

Industry: 6.6 | 4.0 | 26.40 | 4.0 | Moderate
  Audit program: Review business controls over the strategy setting process. Ensure S, W, O, T have considered the impact of industry/technology changes.

Product Failure: 7.8 | 3.8 | 29.64 | 2.8 | Low
  Audit program: Review controls over quality control and analyze customer returns. Review controls over New Product Development.

Brand Equity: 7.4 | 4.0 | 29.60 | 2.8 | Low
  Audit program: Review business controls over the quality assurance process & ongoing R&D levels KPI.

Legal & Regulatory: 6.6 | 3.4 | 22.44 | 3.4 | Low
  Audit program: Discuss pending regulatory changes with general counsel.

Health & Safety: 6.4 | 3.2 | 20.48 | 2.8 | Low
  Audit program: Reconfirm that controls are good in this area; analyze reports of safety issues.

Processes named on the slide (the cells tying each process to a row did not survive extraction): Strategy; Mergers & Acquisitions; Production; Quality Assurance; Customer Service; NPD; Distribution / warranty & repairs; General counsel; HR
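The scoring that the Analyze, Evaluate and Monitor slides describe (impact and likelihood on the 1-9 scales, score = impact x likelihood, likelihood assessed with and without mitigation, comparison against a tolerance level, heat-map placement) as a small risk register in Python. This is an added example, not code from the deck or from Grant Thornton. The scale boundaries, the heat-map labels and the five sample risks with their values come from the slides; the cut-off for "High" on the heat map, the numeric ceilings attached to each tolerance level, the factor separating "Exceeds" from "Far Exceeds", and the audit-candidate rule are assumptions made for this example.

```python
"""Risk register scoring on the deck's 1-9 impact and likelihood scales.

Added example, not the deck's own code.  The scale boundaries and the five
sample risks are taken from the slides; the heat-map cut-off, the tolerance
ceilings, the "Far Exceeds" factor and the audit-candidate rule are assumptions.
"""
from dataclasses import dataclass


def likelihood_score(probability: float) -> int:
    """Map a probability of occurrence in the assessment period to the deck's
    likelihood scale: 1 Never (<5%), 3 Unlikely (<25%), 5 Possible (<50%),
    7 Likely (>50%), 9 Definitely (>90%)."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must lie between 0 and 1")
    if probability < 0.05:
        return 1
    if probability < 0.25:
        return 3
    if probability < 0.50:
        return 5
    if probability <= 0.90:
        return 7
    return 9


# Assumption: anything above the scale midpoint counts as "High" on the heat map.
HIGH_CUTOFF = 5.0


def heat_map_cell(impact: float, likelihood: float) -> tuple:
    """Place a risk in the deck's impact-vs-probability grid and return
    (rating, response) with the labels the grid uses."""
    high_impact = impact > HIGH_CUTOFF
    high_probability = likelihood > HIGH_CUTOFF
    if high_impact and high_probability:
        return ("High Risk", "Mitigate & Control")
    if high_impact:
        return ("Medium Risk", "Share")
    if high_probability:
        return ("Medium Risk", "Control")
    return ("Low Risk", "Accept")


# Assumption: the largest impact x likelihood score each tolerance level accepts.
TOLERANCE_CEILING = {"Very Low": 10.0, "Low": 25.0, "Moderate": 40.0,
                     "High": 60.0, "Extremely High": 81.0}
FAR_EXCEEDS_FACTOR = 1.5  # assumption: 50% over the ceiling is "Far Exceeds"


@dataclass
class Risk:
    number: int
    name: str
    impact: float
    likelihood: float           # inherent, i.e. without mitigation
    residual_likelihood: float  # with existing mitigation in place
    tolerance: str

    def inherent_score(self) -> float:
        return round(self.impact * self.likelihood, 2)

    def residual_score(self) -> float:
        return round(self.impact * self.residual_likelihood, 2)

    def versus_tolerance(self, score: float) -> str:
        """The deck's three bands: Consistent / Exceeds / Far Exceeds."""
        ceiling = TOLERANCE_CEILING[self.tolerance]
        if score <= ceiling:
            return "Consistent"
        if score <= ceiling * FAR_EXCEEDS_FACTOR:
            return "Exceeds"
        return "Far Exceeds"


# The five starred risks of the deck's worked example (values from the slides).
REGISTER = [
    Risk(1, "Industry", 6.6, 4.0, 4.0, "Moderate"),
    Risk(8, "Brand Equity", 7.4, 4.0, 2.8, "Low"),
    Risk(12, "Product Failure", 7.8, 3.8, 2.8, "Low"),
    Risk(23, "Legal & Regulatory", 6.6, 3.4, 3.4, "Low"),
    Risk(25, "Health & Safety", 6.4, 3.2, 2.8, "Low"),
]


def prioritized_report(register=REGISTER) -> list:
    """Prioritized summary: highest inherent score first, with both scores,
    the tolerance verdicts and the residual heat-map placement."""
    rows = []
    for r in sorted(register, key=lambda x: x.inherent_score(), reverse=True):
        rows.append({
            "number": r.number, "name": r.name,
            "inherent": r.inherent_score(), "residual": r.residual_score(),
            "inherent_vs_tolerance": r.versus_tolerance(r.inherent_score()),
            "residual_vs_tolerance": r.versus_tolerance(r.residual_score()),
            "heat_map": heat_map_cell(r.impact, r.residual_likelihood),
        })
    return rows


def audit_candidates(register=REGISTER) -> list:
    """Assumption: a risk is an internal-audit candidate when only its existing
    controls keep it within tolerance (inherent score exceeds the ceiling, the
    residual score does not), since assurance over those controls is what holds
    the residual likelihood down."""
    return [r.name for r in register
            if r.versus_tolerance(r.inherent_score()) != "Consistent"
            and r.versus_tolerance(r.residual_score()) == "Consistent"]


if __name__ == "__main__":
    for row in prioritized_report():
        print(row)
    print("audit candidates:", audit_candidates())
```

Run as a script it prints the prioritized report with the deck's own scores (26.40, 29.64, 29.60, 22.44, 20.48) and then the audit candidates. Under the assumed ceilings the rule picks Brand Equity and Product Failure: both exceed the Low ceiling on an inherent basis and fall inside it only once mitigation is counted, which is the reasoning the evaluate slide gives for calling Product Failure a good audit candidate.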


Key Concepts in ERM Framework

- Sustainability
- Interconnectivity
- Transparency

#8 - ERM Organization
Taken from IIA presentation "Applying COSO - ERM Integrated Framework"

Vice President and Chief Risk Officer
- Insurance Risk Manager
- ERM Director
  - ERM Manager
    - Staff
  - ERM Manager
    - Staff
- Corporate Credit Risk Manager
- FES Commodity Risk Mg. Director
  - Staff

Enterprise Risk Management Best Practices for Internal Audit's Role

Core Internal Audit Roles in Regard to ERM:
- Giving assurance on the risk management processes
- Giving assurance that risks are correctly evaluated
- Evaluating the reporting of key risks
- Reviewing the management of key risks

Legitimate Internal Audit Roles with Safeguards:
- Facilitating identification and evaluation of risks
- Coaching management in responding to risks
- Coordinating ERM activities
- Consolidated reporting on risks
- Maintaining and developing the ERM framework
- Championing establishment of ERM
- Developing RM strategy for board approval

Roles Internal Audit Should Not Undertake:
- Setting the risk appetite
- Imposing risk management processes
- Management assurance on risks
- Taking decisions on risk responses
- Implementing risk responses on management's behalf
- Accountability for risk management

Basic, Midpoint and Advanced ERM

Basic Elements of ERM: Identification, Infrastructure, and Process
- Determine risk treatment strategies
- Establish a business risk inventory
- Align BU risks with objectives
- Create common language for risks, control activities and monitoring efforts
- Communicate expectations for risk taking to senior managers

Midpoint Elements of ERM: Identification, Infrastructure, and Process
- All the basic elements
- Quantify key risks to the best extent possible
- Identify key metrics to report on risk
- Create risk policy and procedure manual
- Analyze risks' root cause and impact
- Integrate effects of risk types

Advanced ERM: Integration with Corporate Practices
- All basic and midpoint elements
- Strategic planning
- Annual budget process
- Stakeholder communications
- Management scorecards
- Remuneration

Where is the Industry Today?

- Pre-2003: no external drivers for ERM
- Regulatory compliance for public companies is changing that

#9 - Where is the Industry Today?

Stats from a Mercer Oliver Wyman survey on ERM:
- 90% of companies are getting ready to implement ERM
- Only 11% have completed the implementation
- 35% have formally trained executives and business line managers to assess the probability of various types of risk
- 55% don't have a member of senior management with explicit responsibility to manage risk

#10 - Best Practices and Lessons Learned

- Establish an ERM framework including a Risk Management Committee and Charter
- Identify a risk champion and make sure he/she has active support from the CEO
- Understand that ERM is a journey and not a project
- Provide a holistic definition of business risk
- Include consultants but do not let them drive ERM
- Don't underestimate the impact of existing culture
- Don't undersell ERM as a business risk assessment
- Don't implement ERM as a part-time job
- Don't bite off more than you can initially chew: you need to show tangible benefits all along

Real Life Experiences
