Enterprise Risk Management (ERM) - PowerPoint PPT Presentation

Provided by: StateofO
Slides: 38

Transcript and Presenter's Notes

Title: Enterprise Risk Management (ERM)


1
Enterprise Risk Management (ERM)
  • Presented at: "Managing Risk: Mission Possible"
  • Terri Sahli, Risk Manager
  • State of Oregon
  • October 23, 2006

2
Topics
  • ERM Definitions
  • Traditional Risk Management v. ERM
  • ERM Objectives & Benefits
  • ERM Framework & Process
  • ERM Risk Identification
  • Interdependencies & Systems Thinking
  • ERM Tools, Techniques, Strategies
  • ERM Implementation
  • Q&A

3
ERM Definitions
  • A disciplined approach aligning strategy,
    processes, people, technology and knowledge to
    manage uncertainties as the enterprise creates
    value. (KPMG)
  • The identification and assessment of collective
    risks that affect value, and the formulation and
    implementation of a company wide strategy to
    maximize that value. (AON)

4
ERM Definitions
  • The effort to find an integrated optimal way of
    managing risk by balancing financing techniques
    with organizational practices and processes.
    (Marsh)
  • EWRM is a structured and disciplined approach:
    it aligns strategy, processes, people, technology
    and knowledge with the purpose of evaluating and
    managing the uncertainties the enterprise faces
    as it creates value. (Arthur Andersen 2000)

5
ERM Definitions
  • Enterprise risk management is a process, effected
    by an entity's board of directors, management and
    other personnel, applied in strategy setting and
    across the enterprise, designed to identify
    potential events that may affect the entity, and
    manage risk to be within its risk appetite, to
    provide reasonable assurance regarding the
    achievement of entity objectives. (COSO)

6
ERM Definitions
  • ERM is a disciplined and integrated approach that
    supports the alignment of strategy, process,
    people, and technology and allows corporations to
    identify, prioritize and effectively manage their
    critical risk. By understanding all risks in an
    integrated framework, companies can execute
    proper strategies to successfully achieve their
    objectives and to meet their performance goals.
    (Unidentified) (Sahli's favorite)

7
Characteristics of Traditional RM
  • Limited strategic scope or influence
  • Narrowly focused
  • Negative
  • Reactive
  • No systematic understanding of correlation and
    interdependencies among risks
  • Fragmented

8
Characteristics of Traditional RM
  • Risk mitigation and risk financing siloed
  • Inconsistent risk reporting
  • Infrequent, ad hoc risk assessment
  • Ambiguous ownership of some types of risk; lack
    of role definition
  • Closed communication
  • Functionally driven
  • Cost based

9
Characteristics of ERM
  • Supports strategy and planning
  • Broadly focused
  • Positive
  • Proactive
  • Correlation and interdependencies analyzed and
    understood
  • Integrated
  • Risk mitigation and risk financing coordinated

10
Characteristics of ERM
  • Concise, consolidated reporting
  • Continuous risk assessment, evaluation and
    management
  • Assigned ownership with accountability; defined
    roles and responsibilities
  • Open communication
  • Process driven
  • Value based

11
Traditional RM
  • In a decentralized environment, responsibility
    for managing various risks may be assigned to the
    business or functional area with the perceived
    exposure.
      • Insurable risk: Risk Management
      • Interest rate risk: Treasurer
      • Litigation management risk: Department of Justice

12
Traditional RM
  • Traditional risk management efforts tend to focus
    on measurable risks while ill-defined or
    ambiguous strategic or operational risks, such as
    brand or reputation, may be acknowledged but
    ignored.
  • How do you measure loss of reputation?

13
ERM: Tear Down Those Walls
  • ERM is an approach that requires the tearing down
    of walls between the management of strategic,
    operational, financial and hazard risks, and
    adoption of a single, comprehensive risk
    oversight structure.

14
ERM: Integrated
  • ERM is a holistic, integrated approach that
    requires systems thinking and an understanding of
    the interrelationship among component parts of a
    system.

15
ERM: Tear Down Those Walls
  • ERM helps break down the risk silos
      • Within the state
      • Within your agency
      • Within your program
  • Common language and common tools are essential to
    begin the non-siloed discussion

16
Why ERM? Why Now?
  • Perception that Enron, WorldCom, Global Crossing
    would not have happened had risks been more
    transparent.
  • Need for risk transparency
  • Performance pressures
  • Better use of capital (taxpayer dollars)
  • ERM tool development advancing rapidly
  • Competitive advantage

17
ERM Objectives
  • Better use of taxpayer dollars
  • Competitive advantage: preferred place to live
    and work
  • Reduced budget volatility
  • Lower cost of risk transfer
  • Risks explicitly considered in decision making
  • Avoid surprises and predictable failures
  • Align risk exposures and mitigation programs
  • Institute more rigorous risk measurement
  • Integrate ERM into the strategic planning process

18
ERM Benefits
  • Increased management confidence
  • Improved risk transparency
  • Risk appetite and risk tolerance are aligned with
    strategy
  • Improved risk v. reward quantifications and
    performance measurements
  • Competitive advantage
  • Risk priced transactions
  • Improved resource allocation
  • Optimized costs and efficiencies
  • Reduced earnings volatility
  • Early notification of risk patterns
  • Ability to anticipate and communicate
    uncertainties

19
ERM Framework
  • Mission & Vision Statement
  • Objectives & Strategies
  • Organizational Structure
  • Roles & Responsibilities
  • Policies & Procedures
  • Tools & Techniques
  • Common language
  • Overlays existing framework
  • Integrated into, not isolated from, the
    organization

20
ERM Process = RM Process
  • Risk identification
  • Risk analysis
  • Formulation of risk management strategies and
    solutions
  • Implementation of strategies and solutions
  • Measure, monitor, and report
  • Integration
  • The process is the same. We are simply expanding
    the risks we identify and analyze.

21
Risk Identification - Traditional
  • Will focus on insurable risks
      • Employees
      • Buildings
      • Vehicles
      • Third parties (general public)

22
Risk Identification - ERM
  • Will focus on systemic risks (systems thinking)
      • Hazard/insurable risks
      • Operational risks
      • Financial risks
      • Strategic risks
  • What could go wrong?

23
Risk Identification - ERM
  • Systems Thinking
  • Operational risks, arising out of your daily
    operations
      • supply chain, human resources, IT security,
        culture, weather, regulation
  • Financial risks, arising around the use of money
      • credit risk, interest rate risk, cash-flow/budget
        management, economic upturns/downturns
  • Strategic risks, arising out of business/policy
    decisions
      • reorganization decisions, customer/constituency
        base changes, changes in service offerings

24
ERM Risks
  • Your turn: let's identify
      • Operational risks
      • Financial risks
      • Strategic risks
      • Others

25
ERM: Systems Thinking
  • ERM is a holistic, integrated approach that
    requires systems thinking and an understanding of
    the interrelationship among component parts of a
    system
  • Consider the interdependencies
  • Upstream and downstream risks

26
Unintended Consequences
  • At the core of siloed risk management is the lack
    of correlation of risks (interdependencies and
    interrelationships) and concomitantly, a failure
    to effectively and efficiently integrate risk
    management strategies.

27
Unintended Consequences
  • Intense focus on a single objective or risk
  • Failure to consider corollary risks
  • Failure to consider interdependency risks
  • Unintended consequences (the big oops)

28
Interdependencies of Risk
  • Hazard: theft of laptop with unsecured
    confidential bank account information
  • Operational: employees not trained in
    information security practices (password
    protection)
  • Financial: bank accounts drained of millions of
    dollars before accounts can be identified and
    frozen
  • Strategic: loss of vendors; can't pay bills

29
ERM Tools & Techniques
  • Tools and techniques will vary by entity and must
    be compatible with the entity's risk
  • Tools & techniques
      • Key risk indicators
      • Individual self-assessments or facilitated group
        assessments
      • Scenario analysis
      • Risk mapping using frequency and severity
      • Statistical analysis/probabilistic modeling

30
Risk Maps: A Tool
  • [Risk map chart: individual risks plotted as points,
    with Frequency on the horizontal axis and Severity
    on the vertical axis]

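The risk map on this slide and the laptop-theft chain on slide 28 can be worked through in code. The following is an added example, not part of the State of Oregon presentation: it scores a small constructed risk register on 1-to-5 frequency and severity scales, places each risk in a quadrant of the map, and then re-scores each risk using the worst severity reachable through its downstream interdependencies. The scales, the register entries, and the pairing of quadrants with the strategies on slide 31 (retain, reduce, transfer, avoid) are assumptions made for illustration, not figures from the presentation.

```python
"""Frequency/severity risk map with downstream interdependencies (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Risk:
    risk_id: str
    category: str                 # hazard, operational, financial or strategic
    description: str
    frequency: int                # 1 (rare) .. 5 (frequent); assumed scale
    severity: int                 # 1 (negligible) .. 5 (catastrophic); assumed scale
    downstream: List[str] = field(default_factory=list)  # ids this risk can trigger


# Constructed register modelled on the chain in slide 28; values are illustrative.
REGISTER: Dict[str, Risk] = {r.risk_id: r for r in [
    Risk("H1", "hazard", "theft of laptop holding unsecured bank account data", 3, 2, ["F1"]),
    Risk("O1", "operational", "employees not trained in password protection", 4, 1, ["H1"]),
    Risk("F1", "financial", "accounts drained before they can be frozen", 1, 5, ["S1"]),
    Risk("S1", "strategic", "vendors lost because bills cannot be paid", 1, 4),
    Risk("H2", "hazard", "minor vehicle damage in the motor pool", 5, 1),
]}


def score(risk: Risk) -> int:
    """Siloed view: frequency times severity of the risk on its own."""
    return risk.frequency * risk.severity


def quadrant(frequency: int, severity: int, threshold: int = 3) -> str:
    """Map a point on the frequency/severity chart to a strategy from slide 31.
    The pairing (assumed here) follows the usual textbook convention."""
    high_f = frequency >= threshold
    high_s = severity >= threshold
    if high_f and high_s:
        return "avoid"        # frequent and catastrophic: stop the activity
    if high_s:
        return "transfer"     # rare but catastrophic: insure or contract away
    if high_f:
        return "reduce"       # frequent but minor: loss control
    return "retain"           # rare and minor: accept and budget for it


def chained_severity(register: Dict[str, Risk], risk_id: str) -> int:
    """Worst severity reachable by following downstream links (cycle-safe DFS)."""
    worst, seen, stack = 0, set(), [risk_id]
    while stack:
        rid = stack.pop()
        if rid in seen:
            continue
        seen.add(rid)
        risk = register[rid]
        worst = max(worst, risk.severity)
        stack.extend(risk.downstream)
    return worst


def chained_score(register: Dict[str, Risk], risk_id: str) -> int:
    """Systems-thinking view: own frequency times worst downstream severity."""
    return register[risk_id].frequency * chained_severity(register, risk_id)


def rank(register: Dict[str, Risk], chained: bool = False) -> List[str]:
    """Risk ids ordered from highest to lowest score (ties broken by id)."""
    def key(rid: str) -> int:
        return chained_score(register, rid) if chained else score(register[rid])
    return sorted(register, key=lambda rid: (-key(rid), rid))


def risk_map(register: Dict[str, Risk], chained: bool = False) -> List[Tuple]:
    """Rows of (id, category, frequency, severity, score, strategy) for the map."""
    rows = []
    for rid in rank(register, chained):
        r = register[rid]
        sev = chained_severity(register, rid) if chained else r.severity
        rows.append((rid, r.category, r.frequency, sev, r.frequency * sev,
                     quadrant(r.frequency, sev)))
    return rows


if __name__ == "__main__":
    for label, chained in (("siloed view", False), ("with interdependencies", True)):
        print(f"--- {label} ---")
        for row in risk_map(REGISTER, chained):
            print("{:3} {:<12} f={} s={} score={:2} -> {}".format(*row))
```

In the siloed view the laptop theft (H1) and the training gap (O1) look like low-severity nuisances to be reduced; once their downstream links are followed, both inherit the financial risk's severity of 5 and move to the avoid quadrant at the top of the ranking, which is the point of slides 25 through 28 in numbers.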
31
Risk Strategies
  • Accept
  • Retain
  • Reduce
  • Transfer
  • Acquire/exploit
  • Share
  • Reject
  • Eliminate
  • Avoid

32
ERM Implementation
  • Barriers to successful implementation
      • Lack of quantification of soft risks
      • Lack of framework and strategic plan
      • "Just another audit" or "flavor of the day"
      • Lack of visibility and support from leadership
      • Project v. process view

33
ERM Implementation
  • Barriers to successful implementation
      • Competing priorities
      • Lack of needed processes and appropriate
        measurements
      • Lack of consensus on benefits
      • Insufficient resources (people and technology)
      • Organizational resistance to change

34
ERM Implementation
  • Factors for successful implementation
      • Leadership and executive sponsorship
      • Establishment of a vision
      • Phased work plan with realistic goals and time
        frames
      • Dedicated cross-functional teams
      • Managed expectations
      • Quick, early, visible wins
      • Integration into all planning

35
Who is implementing ERM?
  • Financial services sector
      • Insurance and banking
  • Energy sector
      • Utilities, energy & gas
  • Others
  • Public sector

36
Conclusion
  • ERM is traditional risk management
      • on steroids
  • ERM can begin within a single agency
      • not the entire entity
  • ERM can be FUN
      • as well as hard work
  • ERM is Mission Possible

37
Enterprise Risk Management
  • Questions?
  • Thank You!