Risk Management vs. Enterprise Risk Management
Kate Lark, Dartmouth College
Paul L. Walker, University of Virginia
Feb 4
Definition of Risk Management
…the process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the adverse effects of accidental losses on that organization at reasonable cost.
George L. Head, 1972
ARM Textbook (Associate in Risk Management)
5 step process in analyzing risk:
1. Identify  2. Assess  3. Evaluate  4. Mitigate  5. Monitor
George L. Head and Stephen Horn II, 1985
RIMS Risk Management Models
Traditional Risk Management, Progressive Risk Management, Strategic Risk Management

Risk Management Models: Traditional
Risk Identification
Loss Control
Claims Analysis

Risk Management Models: Progressive
Alternative Risk Financing
Business Continuity
Total Cost of Risk

Risk Management Models: Strategic
Enterprise-wide Risk Management
Indexing of Risk
Definition of Enterprise Risk Management
…is a process for ensuring the effective identification, assessment, and management of all significant risks to an entity. This includes not only the traditional areas of hazard risk and financial risk, but also operational risk and strategic risk.
ERM software vendor

Enterprise Risk Management Process Steps
1. Identify  2. Assess  3. Evaluate  4. Mitigate  5. Monitor
2005
ERM
Effective support of strategic and business planning
Proactive risk management
Integrated, holistic approach
Concise and consolidated reporting
Continuous risk assessment, reevaluation and

ERM con’t
Risk ownership assigned in management business and evaluation plans
Open communication
Risk management roles and responsibilities clearly defined and communicated
Marsh
Why is ERM Needed?
Risks are becoming more complex
Task is global
More difficult to:
Protect assets
Allocate capital
Manage threats to operations and resources
ERM is more than accidental risks
Risks include…
Operational, Financial, Strategic, Compliance, Reputational

Risk Appetite
is the amount of risk, on a broad level, an entity is willing to accept in pursuit of its mission.
COSO

The goal of good risk management is not to minimize risk, but to achieve the best balance of risk and opportunity.
Dan Borge, “The Book of Risk”
ERM Definition
ERM is a process,
effected by an entity’s board of directors, management and other personnel,
applied in strategy setting and across the enterprise,
designed to identify potential events that may affect the entity, and
manage risks to be within its risk appetite,
to provide reasonable assurance regarding the achievement of entity objectives.
ERM – The Goal
• In short, “the goal of an enterprise-wide risk management initiative is to create, protect, and enhance shareholder value by managing the uncertainties that could influence achieving the organization’s objectives.”
Barton, Shenkir & Walker, Making Enterprise Risk Management Pay
New View of Risk
Old Paradigm -> New Paradigm
• Historically focused -> Strategic
• Ad hoc activity -> Continuous activity
• Accounting, treasury and internal audit -> All of management
• Fragmentation (silo approach) -> Focused and coordinated (holistic)
• Financial risk -> Business risks
• Inspect, detect, react -> Anticipate, prevent, monitor
• Focus on people -> Focus on processes and people
The ERM Process
[Cycle diagram: Set Objectives -> Identify Risks -> Measure and Prioritize Risks -> Act -> Monitor]
[Supporting activities shown in the diagram: Functional Assessments of Risks, Controls, & Objectives with VPs & Management teams; Corporate Risk/Control Objectives assessment session with top 100 Executives; Discussion of results with Management Executive Committee; Annual Audit Opinion and Audit Plan; Risk Mgmt Process Updates; Audit Results; Consulting Projects; Action Plans; Follow-up; DARE Results; Cross Functional Issues Analysis; Board Strategic Planning Session]
Enterprise Risk Management
[Process diagram, stages and their sub-steps:]
Business Vision: Market Share; Respect Individual; Service to Customer; Strive for Excellence
Business Objective: Expansion; Opportunity; Distribution; Customer Service; Retention; Development; Leadership
Risk Framework: Categorize Risk; Standard Framework; Reference
Identify Risk Universe: Survey Stakeholders; Compile Data; Share Data; Schedule Workshop
Risk Workshop: Cross Divisional Discussions; Additional Risk; Prioritize Risk; Evaluate Risk
Control & Action Workshop: Existing Controls; Deficiencies; Action Plan; Responsibility
Monitor, Evaluate, Manage: Action and Timeline; Monitor Progress; Address Gaps; Report Results
ERM Keys
Know and understand risks
Think strategically
Prioritize Key Risks
Strategic Risk: Value Collapse in The Fortune 1000
[Chart: causes of value collapse, % of top 100 stock drops. Causes shown: Demand Shortfall, Competitive, Customer Losses, Pricing Pressure, Wrong Products, Merger Problem, R&D & Other, Regulation, Foreign Economic Issues, Cost Overrun, Accounting Problems, Poor Management, Supply Chain Issues, High Input Prices & Interest. Grouped by category: Strategic 58%, Operational 31%, Financial 6%]
[Chart: Stock Price Growth Index, months after initial drop (0 to 24), S&P 500 (1) vs. Value Collapse 100 (2)]
Source: Mercer Value Growth Database, Mercer analysis.
Note: 1 S&P 500 index is the sum of the S&P indexes corresponding to time period for each of the 100 companies suffering stock drops.
2 Data was not available for all companies for all 24 months after the stock drop (e.g., for stock drops in the last two years). Where data was not available, companies were
The Management Challenge: Four Barriers to Strategy Execution
(per BSC newsletter)
The Vision Barrier: only 5% of the workforce understands the strategy
The People Barrier: only 25% of managers have goals/incentives linked to strategy
The Management Barrier: 85% of executive teams spend less than one hour per month discussing long-term strategy
The Resource Barrier: 60% of organizations don’t link budgets to strategy
9 of 10 companies fail to execute
“What have you done to increase shareholder value this last week?”
ERM at Wal-Mart: The Basic Process…
• Individual Country Specific • Corporate Level
1. Identify Critical Risks -> Business Plan Killers -> Exposures / Threats
2. Define Risk Drivers (causes) -> What & Why of the Risks
3. Prioritize and Select Top 4-6 Risks -> Determine Critical Focus
4. Develop / Implement Action Plans -> Focus Into Action
5. Measure and Link Value Added of Actions to ‘Bottom Line’ -> Analyze, Adjust, Achieve
Product Flow - Action Impact
Impact of mitigation actions is considered on two levels:
1) Actual Product In-Stock Rates (on the shelf)
2) Customer Perception of Wal-Mart’s Product Availability
The metrics measure both reality and perception to provide a balanced view of how well we are mitigating this risk.
[Chart: Actual In-Stock Rate, % Availability (90 to 100), Aug-03 to Dec-03, WM vs. Comp 1, Comp 2, Comp 3; Target 98%]
[Chart: Customer Perception of Availability, Perception % (84 to 96), Aug-03 to Dec-03, WM vs. Comp 1, Comp 2, Comp 3; Target: Top Ranking]
Fictional Data
[Chart: Earnings Variability by Key Factor, scale -0.90 to 1.00; factors: Pension – OPEB, Sales Volume, Prices, Environmental, Fuel Cost, Transmission Congestion, Interest Rates, Plant Availability, GDP; Total (not additive)]
[Chart: Actual Earnings Versus Risk Corrected Earnings, 1980 to 1994; series: Actual Distribution, Risk Correction Distribution, Risk Corrected Revenues, Actual Revenues]
Purpose of ERM at GM
No big surprises
Risks are understood
Exposures are accepted
No big mistakes
Risks identified
Risk management effective
No big missed opportunities
Organization is ready and able to accept greater risks based on risk / reward
Increased certainty of business plan achievement
Does SOX mandate ERM?

SOX Section 302
Discussion of Disclosure Controls and Procedures
“The procedures should capture information that is relevant to an assessment of the need to disclose developments and risks that pertain to the issuer’s business.”

SOX Section 409
Requires rapid disclosure of material events.

SOX Section 404
Mandates companies adopt a “control framework.”
Management must assess themselves using this framework
Management must report
“A Control Framework”
Original COSO (five components)
Control Environment
Risk Assessment
Control Activities
Information & Communication
Monitoring
Public Company Accounting Oversight Board (PCAOB)
Company level controls include management’s risk assessment process.
An ineffective risk assessment function is considered a material weakness
SEC Rules
Management required to certify they have programs and controls to disclose developments and risks pertaining to business.
Audit Committee
The audit committee should understand the corporation’s risk profile and oversee the corporation’s risk assessment and management practices.

The Board
Among the core responsibilities of the board are understanding the issues, forces and risks that define and drive the company’s business.
Board Involvement
“The board should, as a minimum, disclose that there is an ongoing process for identifying, evaluating, and managing the significant risks faced by the company.”
Turnbull Report, 1999
“The Board has reviewed the risk management process and confirms that it complies with the Turnbull Committee Guidance on Internal Control issued in September 1999.”
NYSE Listed Company Manual
303A.07 Audit Committee Additional Requirements:
(D) discuss policies with respect to risk assessment and risk management

303A.07 Audit Committee Additional Requirements: Commentary
While it is the job of the CEO and senior management to assess and manage…risk…the AC must discuss guidelines and policies to govern the process
What about the Board?
SEC MD&A
"ERM is an important tool companies can use to enhance disclosure in MD&A and to run the business more effectively. I think it would be helpful for companies to explain the risk management process and the level of accountability for it."
SEC Commissioner Cynthia Glassman, Compliance Week
ERM and Corporate Governance
[Diagram: ERM at the center, linked to: Board Reporting; Audit Committee Reporting; Risk Champions; Management Accountability; Internal Audit Follow-up; Volume and Frequency of Information; Management Follow-up; Change in Audit Approach; Chief Risk Officer; ERM Committee]
Reporting to the Board of Directors
Top risks identified.
Assessment of top risks.
Control effectiveness (over time).
I will show the committee the risk maps, which identify the top risks for each division, and give them an example of the action plans under development. I will also describe how the monitoring process works, and the manner in which we will link action plans and metrics to shareholder value.
Achievability of Objectives (Source: Canada Post)
[Chart: achievability (scale 1 to 4) for objectives 1 through 11]
Average premium on share price investors are willing to pay for good governance
Japan 20%; U.S. 14%; Germany 13%; France 13%; U.K. 12%; Canada 11%
Data source: McKinsey & Co.; 2002 Global Investor Opinion Survey
Quality of Governance & Returns
Annualized stock returns for a three-year period ending 08.12.03
Well above average +5.4%; Above average +1.7%; Average -0.2%; Below average -6.2%; Well below average -13.3%; S&P 500 -8.8%
Data source: GovernanceMetrics International
The Associated Press
NEW YORK, Jan 7, 2005 — Ten former WorldCom directors will personally pay $18 million to compensate for investor losses from an accounting scandal that caused one of the largest bankruptcies in U.S. history.