About This Presentation
Title:

Enterprise

Description:

Calls for enterprise-wide documentation and testing of controls over ... use of nomenclature, many parties conflate the ERM term 'Risk Assessment' with ... – PowerPoint PPT presentation

Slides: 41
Provided by: financ

Transcript and Presenter's Notes

1
Enterprise Risk Management

Walter Gangl, Director, Society of Corporate Secretaries and Governance Professionals
Former Deputy General Counsel and Corporate Secretary, Armstrong World Industries and R.R. Donnelley
SEC Hot Topics 2008, September 24, 2008
2
Serious failings have led to demands for enhanced board oversight of Risk
  • Sarbanes-Oxley
    • Calls for enterprise-wide documentation and testing of controls over financial reporting risk.
  • NYSE amendments to listing standards
    • Require the Audit Committee to discuss with internal and external auditors how the company handles risks and the steps taken to monitor and control exposure to such risks.
  • SEC
    • Now mandates disclosure of risks in periodic '34 Act reports. Commissioner Cynthia Glassman urges public companies to use information gleaned from ERM to enhance disclosure in management's discussion and analysis.
  • Boards of Directors
    • A 2005 McKinsey survey of 1,000 board members indicated that 76% would like to spend more time on risk. (Source: The Executive Board, Treasury Leadership Roundtable, "Organizing for Enterprise Risk Management", dated 18 August 2005.)

3
COSO Enterprise Risk Management Framework
  • COSO (Committee of Sponsoring Organizations of the Treadway Commission) is the father of the SOX 404 Internal Controls evaluation.
  • COSO's ERM Framework provides an organizational scope, emphasis, and program to broaden risk management, create an enterprise-wide awareness and emphasis, and integrate the risk management process into corporate strategy.
  • IT'S THE BIBLE. Go to www.coso.org and click on Resources to download.

4
Key Definitions
  • Risk
  • Any event or circumstance which could impact the
    achievement of business objectives.
  • Risk Assessment
  • The process of identifying and evaluating the
    magnitude and likelihood of risks to achievement
    of business plans.
  • Inherent Risk
  • Exposure to a risk that is intrinsic to the
    business in the current environment before the
    consideration of risk mitigation and control
    activities that have been designed and
    implemented to address a given risk.
  • Mitigation
  • The process of reducing the likelihood and/or
    impact of a risk.
  • Residual Risk
  • Exposure to a risk remaining after considering
    the effect of mitigation through risk management
    and control activities.
  • Risk Management
  • The Composite of the processes of Risk Assessment
    and Risk Monitoring

5
ERM Defined
  • a process, effected by an entity's board of
    directors, management and other personnel,
    applied in strategy setting and across the
    enterprise, designed to identify potential events
    that may affect the entity, and manage risks to
    be within its risk appetite, to provide
    reasonable assurance regarding the achievement of
    entity objectives.
  • Source COSO Enterprise Risk Management
    Integrated Framework. 2004. COSO

6
Why?
  • Risk Assessment is necessary to comply with SEC disclosures in '33 and '34 Act reports.
  • Rating Agencies are beginning to take Risk Management into consideration on credit ratings, so it will affect companies' cost of capital.
  • Also, for Board oversight purposes. They want to know the Company has good Risk Management processes, and to check what management sees as the major risks and how they plan to deal with them.

7
Risk Prioritization Using a Risk Matrix (figure: impact levels tie to disclosure standards)
8
Identify risks relevant to your particular business strategy (risk universe diagram; categories shown)
  • STRATEGY
  • Enterprise Risks: Hurricane, Natural Gas Price, Terrorist Attack, Supplier Problems, etc.
  • Disaster Recovery Risks
  • ASBESTOS
  • Currency Volatility, Political Risk, Trade Restrictions
  • Internal Control (SOX 404) / Accounting & Reporting Risks
  • Legal Compliance Risks (Product Liability, EHS, Employment Practices, Antitrust)
  • Culture (Tone at the Top) Risks
  • Workplace Safety, Product Quality and Safety
  • Reliance on Big Box Customers, Competitor Strategies
9
ERM vs. Compliance Risk Assessment
  • Compliance Risk Assessment is just one component of an Enterprise-wide Risk Assessment. In an infelicitous use of nomenclature, many parties conflate the ERM term "Risk Assessment" with Compliance risks alone; avoid that confusion.

10
NOTE: Strategic Risks cause most harm to shareholder value
11
Risk Management Process
  • Identify matters that create risk to achieving your business plans.
  • Evaluate the risks by determining their likelihood and impact.
  • Prioritize risks - start with those with the most serious potential impact.
  • Mitigate risks, starting with the most serious, through improved controls, processes or procedures, or other action.
  • Monitor risks to assess whether mitigation is effective.
  • Report risks to management and the board.
  • At least annually, management should report to the Board about:
    • Risk Management Processes
    • Major Risks
    • Mitigation of Major Risks
    • Residual Risk levels

12
Management's Role
  • Management's role is to guide and review ERM efforts, consider whether the residual risks are acceptable, and approve plans to mitigate serious risks.
  • Business units (and functional units such as EHS, HR, Treasury) must explain their risk analysis in a way that allows management to test it, accept it and share it with other operations and the Board of Directors.
  • Management's report to the Board is structured within the context of these five points:
    • Company processes to identify matters that create risk to achieving our business plans,
    • Processes to assess the likelihood and impact of such risks in order to prioritize them,
    • The Company's major risks and how it defines "major",
    • Who is responsible for mitigation and monitoring of those major risks, and
    • The mitigation of major risks, and our view of the resulting residual risk.

13
Board's Role
  • The Board's role is to oversee the ERM process, monitor how risks are evaluated, prioritized and mitigated, review the Company's assessment and mitigation plans for serious risks, and improve or reshape management's decisions.
  • In the end, they should:
    • Advise whether they are comfortable with the Company's processes to identify and assess risks.
    • Advise whether they agree with our identification, assessment and mitigation measures.
    • Advise whether they view the ERM processes as effective.
    • Advise whether they are comfortable with the level of residual risk accepted by management.
    • Make any suggestions or recommendations they have relative to the ERM processes, including identification, assessment and mitigation plans.

14
Who's Responsible on the Board?
  • That's up to the Board to decide.
  • The whole Board ... or a committee. Whatever works best.
  • Despite what you read in the press, the Audit Committee is NOT required to oversee ERM. NYSE rules only require the Audit Committee to monitor risks to financial reporting. And some companies have saddled Audit Committees with this additional duty.
  • What's the better arrangement? The Board's basic duties are to advise management and monitor performance. When dealing with strategy and other fundamental matters, the whole Board should be involved, bringing their diverse backgrounds and experiences to the process.
  • Risk Management is tied to, and is the flip side of, strategy. IMHO, Risk oversight generally belongs under the Board as a whole.

15
What's this About Standard & Poor's Evaluation of Our Risk Management?
  • Following a 2007 announcement about ERM ratings, S&P announced in May 2008 that it will begin an analysis of ERM implementation by companies in Q3 2008.
  • S&P takes the expansive view of ERM outlined above. They expect companies to have a coherent, systematic risk management approach. They will discount a crammed-together collection of longstanding and disparate practices.
  • S&P will initially look at a company's risk-management culture and strategic risk management. (Remember the importance of strategic risk.)

16
What's this About Standard & Poor's Evaluation of Our Risk Management?
  • Within a year, S&P expects all companies will have had at least an initial ERM discussion.
  • A subsequent S&P benchmarking process will form the basis of a new S&P ERM scoring system that they intend to use to help identify situations that might require rating actions.
  • Bottom Line: Companies need to get to work on ERM. How well they do on ERM will affect their access to capital markets and borrowing costs.

17
What Needs to Be Done?
  • Lots.
  • A recent survey of approximately 600 major companies showed that 30% have not even taken the first steps in ERM.
  • 27% were beginning to implement it.
  • 15% responded "Don't know".
  • Only 24% claimed to have progressed to Intermediate (20%) or Advanced (4%) implementation.
  • Source: KPMG

18
What's the Objective of ERM?
  • S&P wants to see that a company's Risk identification, assessment, controls, monitoring and reporting are beyond basic levels. They should at least become an integrated management process.
  • Ideally, S&P wants to see ERM become a strategic tool for the company, helping to set strategy, identify markets, guide product development, allocate capital budgets, and become a part of its analytical framework.

19
ERM: The Sunoco Experience
Ken Somes
September 24, 2008

20
Sunoco, Inc.
  • Founded in 1886
  • 2007 Revenue: $45 billion
  • As of 6/30/08:
    • $4.8 billion in market cap
    • About 14,200 employees
  • Five Business Lines:
    • 340 MMB / yr. refining production
    • 5 billion gal. / yr. retail fuel sales
    • 5 billion lbs / yr. chemical merchant sales
    • Logistics MLP (NYSE: SXL), owned 43% by Sunoco, Inc.
    • 4.2 MM tons / yr. coke production

Capital Employed, $MM, 6/30/08:
  • Corp.: 440
  • Coke: 490
  • Refining & Supply: 1,215
  • Logistics: 500
  • Retail Marketing: 620
  • Chemicals: 975
21
Sunoco Operations (map)
22
Background/History of ERM Program
  • Initiated in 2004
  • Audit Committee of the Board
  • ERM Manager Position Established
  • Initial inventory of risks
  • Program Continues to Evolve
    • Learning/improving as we go
    • External influences, e.g. Rating Agencies

23
ERM Organization (org chart; boxes shown)
  • Audit Committee of the Board
  • Chief Financial Officer
  • ERM Steering Committee (Quarterly)
  • VP Investor Relations & Strategic Planning
  • ERM Manager
24
ERM Risk Identification & Follow-Up (flowchart; labels recovered from the diagram)
  • Risk classifications: Financial, Organizational, Operational, Legal/Political, Market, Strategic
  • Parties shown: Audit Committee; Enterprise Risk Management; Steering Committee; Risk Owner; Appropriate Forum
  • Steps shown: Identify and Classify Risk; ERM Coordinates, Tracks & Reports Status of Risks; Identify Risk Owner; Risk Rank (Likelihood, Consequence / business impact); Determine Risk Owner; Develops Response Plan; Report Out; Risk Owner Reports to Forum
  • Examples of forums:
    • Chairman's Health, Environment & Safety Committee
    • Operations Committee
    • Financial Information Committee
    • Management Control Committee
25
Key Components of Risk Review Report
  • Likelihood and Potential Impact of Risk
  • Historical Perspective
  • How Risk is Currently Managed
    • Key responsibilities/structure in place
    • Controls/policies/reviews, etc.
  • Monitoring & Reporting
    • What is measured/tracked (leading & lagging)
  • Opportunities to Strengthen the Plan
    • Who is doing what and by when

26
Example Risk: Projected Retirements
  • Percent Retirement Eligible Within 5 yrs
  • Classified: Organizational Risk
  • Risk Owner: SVP of Human Resources; SVPs of Business Units
  • Forums for Report:
    • Executive Human Resource Development Committee
    • Full Board of Directors

27
Example Risk: Projected Retirements
  • Historical Perspective
    • Demographics compiled and analyzed
    • Industry/business units/departments experience
  • How Currently Managed
    • HR Development Committees
    • Succession plans/development/external hiring
  • Opportunities to Strengthen
    • Identified critical positions/disciplines at risk
    • Selective adjustments to compensation package
  • Monitoring & Reporting
    • Personnel changes/succession plans/hiring
    • Projected versus actual experience

28
Lessons Learned
  • Support From the Top
  • Benchmark/Learn From Others
  • Tailor ERM to Company Culture
  • Build off Processes Already in Place
  • Simpler is Better
  • Get Started, then Learn/Adjust
  • Continuing evolution

29
AW Enterprise Risk Management Process
Ellen Wolf, Senior Vice President and Chief Financial Officer
September 2008
30
Who We Are: We are the largest investor-owned water and wastewater service provider in the United States.
  • We serve a broad national footprint with a strong local presence
  • We lead the industry in water quality, testing and research
  • We provide services to over 15 million people in more than 1,600 communities in 32 states and in Ontario, Canada
  • We employ nearly 7,000 dedicated and active employees and support ongoing community involvement and corporate responsibility
  • We treat and deliver over one billion gallons of water daily

31
Where We Are: We manage more than 350 individual water systems across the country
  • Every day we operate and manage:
    • 45,000 miles of distribution and collection mains
  • And more than:
    • 80 surface water treatment plants
    • 600 groundwater treatment plants
    • 1,000 groundwater wells
    • 40 wastewater treatment plants
32
ENTERPRISE RISK MANAGEMENT - Pre 2003
  • Decentralized approach (diagram; parties shown):
    • Internal: Human Resources Department, Legal, Operations, Finance / Risk Management, Engineers, Directors of Loss Control, Water Quality, Information Technology
    • Outside: Frenkel, Travelers, American Water Works Association, Risk & Insurance Management Society, InfraGuard, Media / Internet
33
ENTERPRISE RISK MANAGEMENT - Pre IPO
  • The RWE Risk Management Process was implemented at American Water immediately after RWE's purchase of the Company.
  • Key Attributes:
    • Risk Management Committees of senior executives at subsidiary and corporate levels.
    • Risks and Opportunities Management (ROM) toolkit, which offers a structured approach to the identification and evaluation of risk.
    • The Risk Summary, signed by the CEO, Key Risk reports and Risk Map are updated and submitted to RWE on a quarterly basis.

34
ENTERPRISE RISK MANAGEMENT - Pre IPO
  • Goals of RWE process
    • Identify and report to senior management at RWE risks which may have a material financial impact on RWE business plans.
  • Process
    • RMC committees at subsidiary level identify risks, mitigation activities and potential financial impact. Risks are aggregated and reviewed at each higher organizational level until a final report is prepared for the RWE board.
  • Risk Management Committees (RMC)
    • Corporate, Regional and Business Unit
    • Corporate EMC includes SVP & CFO, CEO, COO, VP Audit, SVP Legal, Regional Presidents, Regional Risk Representatives
    • Regional and Business Unit RMC includes its Presidents, VP Finance, VP Legal, VP Service Delivery, VP Human Resources

35
ENTERPRISE RISK MANAGEMENT - Pre IPO
  • The ROM includes a risk register identifying all risks. Risks which are valued at greater than 20% of net operating income and have a greater than 1% probability of occurrence are designated as Key Risks. The ROM also includes:
    • Reports prepared for each Key Risk, which include cause analysis, severity evaluation, control and mitigation strategy, and monitoring and reporting by a Risk owner.
    • A Risk Summary, prepared from information generated in the Key Risk reports, which prioritizes risks for the Company.
    • A Risk Map, which is a simple visual representation of the relative importance of Key Risks to achieving business objectives. The view of risk is achieved by plotting Key Risks in terms of their probability and impact on the heat map.
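The Key Risk rule and the probability/impact heat map described on this slide, together with the inherent/residual definitions (slide 4) and the identify, evaluate, prioritize, mitigate, monitor, report cycle (slide 11), as an added Python example that is not part of the presentation or of any company's ROM toolkit: a small risk register that applies the 20%-of-NOI and 1%-probability thresholds, computes residual exposure after mitigation, ranks risks by expected loss and bins them onto a 3x3 risk map. The NOI figure, the register entries, the mitigation fractions and the heat-map cut points are constructed assumptions.

```python
from dataclasses import dataclass

# Key Risk thresholds stated on the slide: financial impact above 20% of net
# operating income (NOI) AND probability of occurrence above 1%.
KEY_RISK_IMPACT_SHARE = 0.20
KEY_RISK_MIN_PROBABILITY = 0.01


@dataclass
class Risk:
    name: str
    category: str            # Financial, Operational, Regulatory, ...
    probability: float       # inherent probability of occurrence, 0..1
    impact: float            # inherent financial impact, same units as NOI
    mitigation_prob: float = 0.0    # fraction controls remove from probability
    mitigation_impact: float = 0.0  # fraction controls remove from impact
    owner: str = "unassigned"

    def residual(self):
        """Residual exposure after mitigation (slide 4: inherent vs residual)."""
        return (self.probability * (1 - self.mitigation_prob),
                self.impact * (1 - self.mitigation_impact))


def is_key_risk(risk, noi):
    """Both thresholds must hold; a huge but implausible loss is not a Key Risk."""
    return (risk.impact > KEY_RISK_IMPACT_SHARE * noi
            and risk.probability > KEY_RISK_MIN_PROBABILITY)


def bucket(value, cut_points):
    """Map a value to 1..len(cut_points)+1 using ascending cut points."""
    return 1 + sum(value >= c for c in cut_points)


def heat_map_cell(prob, impact, noi):
    """(likelihood, impact) cell on a 3x3 risk map; cut points are assumed."""
    return bucket(prob, (0.05, 0.25)), bucket(impact / noi, (0.05, 0.20))


def board_report(register, noi):
    """Prioritised rows for the report to the Board (slide 11 cycle)."""
    ranked = sorted(register, key=lambda r: r.probability * r.impact, reverse=True)
    rows = []
    for r in ranked:
        rp, ri = r.residual()
        rows.append({
            "risk": r.name, "owner": r.owner, "key": is_key_risk(r, noi),
            "inherent_cell": heat_map_cell(r.probability, r.impact, noi),
            "residual_cell": heat_map_cell(rp, ri, noi),
            "residual_expected_loss": round(rp * ri, 2),
        })
    return rows


# Constructed sample register ($MM); values are illustrative, not any company's.
NOI = 1000.0
REGISTER = [
    Risk("Hurricane damage to treatment plant", "Operational", 0.10, 300.0, 0.0, 0.5, "VP Operations"),
    Risk("Key-person retirements", "Organizational", 0.60, 40.0, 0.5, 0.3, "SVP HR"),
    Risk("Currency volatility", "Financial", 0.30, 150.0, 0.0, 0.6, "VP Treasurer"),
    Risk("Meteor strike on headquarters", "Operational", 0.001, 900.0),
]
```

Calling `board_report(REGISTER, NOI)` returns the ranked rows; note that the meteor entry exceeds the impact threshold but fails the probability threshold, so it is not designated a Key Risk.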

36
ENTERPRISE RISK MANAGEMENT - POST IPO
  • An American Water (AW) framework to manage risk
    • To create awareness regarding risk so Management has full knowledge of the risks and rewards related to AW's business objectives.
    • Operational
    • Financial
    • Regulatory
  • Addresses risk management needs of various stakeholders:
    • AW Management
    • AW Board (Audit Committee)
    • Rating Agencies
    • Investment Firms
    • External Auditors
    • Securities and Exchange Commission (SEC)
    • Regulators

37
Risk Assessment Process & Information Flow: Risk Identification and Mitigation Process (flowchart; labels recovered from the diagram)
  • Operations
    • Risk Assessment Meeting Attendees: EVP Eastern Division; EVP Western Division; VP Operations Services; AWE President; SVP Sales/Business Development
    • Related items shown: Capital Investment Management Committee (CIMC); Commercial Development (CD); Operational Risk Assessment (Insurance, etc.); Operational Risk Management (ORM)
  • Finance
    • Risk Assessment Meeting Attendees: VP Controller; VP Planning & Reporting; VP Treasurer; SEC Counsel
    • Related items shown: Business Performance Reviews (Chief Executive Officer, President AW Services, President - Reg. Operations, Chief Financial Officer and VP Internal Audit (Coordinator)); Quarterly Disclosure Committee Meetings
  • Regulatory (Compliance with Laws & Regulations)
    • Risk Assessment Meeting Attendees: SVP Legal & General Counsel; SVP Human Resources; SVP Communications/Ext. Affairs; VP Counsel Regulatory Programs
    • Related items shown: OSHA; Labor Relations; Environment Audits; Other
  • Senior Risk Management Meeting, held prior to the Audit Committee Meeting
  • AW Board of Directors, Audit Committee
  • Fraud Risk Management Integrated Throughout (see following slide)
  • Frequency of meetings is every 6 months and before the Audit Committee meeting as necessary

38
Fraud Risk Management Process
  • AW Management Oversight Controls
    • AW Policies and Practices (e.g. Delegation of Authority)
      • Posted on AW intranet
      • Part of New Employee Orientation
      • Owned and monitored by each applicable Senior Functional Executive
    • Internal Audit reviews of various functions, states, etc. throughout the year
  • AW Code of Ethics
    • Annual communication
    • Employees asked to read and certify
    • Part of new employee orientation
    • Periodic training
    • Posted on AW intranet

39
Senior Risk Management Meetings
  • Meet quarterly before the Audit Committee meeting
  • Also meet on an ad-hoc basis as business conditions warrant.
  • Establish Enterprise Risk Management (ERM) Strategy
    • Establish ERM Subgroups, i.e. Operations, Finance, and Regulatory.
    • Ensure compliance with and effectiveness of ERM Strategy.
  • Set Delegation of Authority (DOA) limits, which are key to who is empowered for specific types of decision making.
  • Review, approve, and monitor significant company initiatives
    • e.g. Major cross-divisional IT projects.
    • e.g. Major business process and organizational changes.
  • Establish Corporate Investment Criteria (Risk/Return threshold)
  • Review all information (including 10-Q and 10-K) prior to Audit Committee reporting
  • Review, approve, and monitor significant financing and company capital structure
  • ERM Subgroups (Operations, Finance and Regulatory): mandate is to Identify, Monitor, and Mitigate Risk
    • Report and discuss risk assessments at Senior Risk Management meetings

40
ENTERPRISE RISK MANAGEMENT - FUTURE
  • Continuous Improvement
    • New risks and mitigation efforts identified continuously
    • Mitigation efforts for known risks continue to be monitored
  • Strong senior management support up through the Board of Directors
  • Continuous Change to Adapt to the Evolving Risk Environment