Enterprise Risk Management - PowerPoint PPT Presentation

Slides: 37
Provided by: peter1698

Transcript and Presenter's Notes

Title: Enterprise Risk Management


1
Enterprise Risk Management
  • September 2009

2
AGENDA
  • Welcome/Purpose
  • Introductions/Expectations
  • Norms
  • ERM Presentation
  • Discussion
  • Review Expectations
  • Q&A

3
Introduction/Purpose
  • Protecting the integrity and viability of an
    enterprise is the primary goal of risk
    management. Each year, companies struggle with
    many unknown factors that may have a negative
    impact on the business. Enterprise Risk
    Management is seen by Senior Management and BODs
    as the comprehensive solution that will enable
    them to address the unknown factors in a
    proactive way, to meet shareholder expectations
    and optimize their success.
  • We will discuss and learn the most recent
    strategies for Enterprise Risk Management, as well
    as the lessons learned (what works and what
    doesn't) when designing and implementing an ERM
    strategy, including:
  • Alignment with Strategic Business Model
  • Specific Focus on Governance
  • Optimal Organization
  • Designing the ERM solution around YOUR
    environment
  • KEEP IT SIMPLE
  • Make it Scalable
  • Making it pervasive throughout the entire
    organization

4
Expectations
  • What 1 or 2 pieces of information could we
    provide today that would make you say, "That
    session was really VALUE ADDED"?

5
What is ERM?
6
What is ERM?
  • Different approaches
  • Transactional
  • Defensive/Reactive
  • Control or Transfer Based
  • Advanced Risk Management
  • Risk Based vs Control
  • Process Improvement
  • Optimize the risk environment
  • Proactively address risk potential
  • Strategic
  • Support Objectives
  • Improve Earnings/Cashflow
  • Manage Growth

7
Levels of Risk Management
Entity
  • 3 Levels

Enterprise
Operational/Transactional
As the impact to the business increases the s
decrease
8
What is ERM?
  • ERM (Enterprise Risk Management) is a continuous
    process that identifies, mitigates, and monitors
    potential future events that create uncertainty,
    in a manner that Optimizes Business Performance
    and Success.

9
Successful ERM
  • Successful ERM is all about Business Basics and
    Business Excellence
  • IT IS ALL IN THE GENES
  • Yours and the Company's

10
How is Management defined in ERM?
  • Management vs. Control
  • Risk Assessment vs. Risk Review
  • Risk Climate Changes (Katrina)

11
Purpose of ERM
  • The Purpose of ERM is to protect the integrity of
    the enterprise.
  • This could be the integrity of
  • Financial Statements
  • Operations
  • Products
  • Investments
  • Management (Tone at the Top)

12
ERM Drivers
  • Regulatory (e.g. COSO, Sarbanes-Oxley, Federal
    Sentencing Guidelines, FASB, NCUA Vice-Chairman:
    "All CUs no matter what size should have an
    effective ERM function," 4/30/07)
  • Financial (Moody's, Standard & Poor's)
  • AND NOW THE NEW SEC ANNOUNCEMENT !!!!!
  • Legal
  • BOD Management Exposure
  • Fiduciary Responsibility to Stakeholders
  • Comverse Technology's former General Counsel
    faces prison time plus a 3.1M settlement to the
    SEC, serving as an example to other GCs that
    their fiduciary duties to a company and its
    shareholders outweigh duties to colleagues.
    (Source - Compliance Week)
  • Recent class action suits for Fraudulent
    Disclosure
  • Strategic way to Achieve Business Excellence

13
Business Drivers
  • How Many Frameworks do you need ?????

14
ERM Drivers
  • "If Good Risk Management would have been
    pervasive in public companies, it would have
    avoided the need for Sarbanes-Oxley. ERM is the
    OUNCE OF PREVENTION that should preclude the
    requirement for a SOX-like legislation in other
    industries."
  • Senator Oxley, May 1, 2007, Las Vegas, Nevada

15
The majority of Risks that negatively impact
Stock Prices or Company VALUE are NOT Risks
that IA Typically Focuses On
  • Market Capitalization Decline Drivers Fortune
    1000 (1988-2002)
  • Financial Risks - 15
  • Legal/Compliance Risks - 7
  • Operational Risks - 13
  • Strategic and Governance Risks - 65
  • Source: CFO Executive Board Audit Director
    Roundtable research
  • Note: All areas have additional Governance Risks
    that were not included.
  • Looking to make an IMPACT ON SHAREHOLDER VALUE ???

16
Lessons Learned: Why Hasn't ERM Worked?
  • Not defined properly
  • No real Governance Focus
  • Too BIG/COMPLEX
  • NOT Integrated into Business
  • Paralysis Through Analysis
  • Symptoms vs. Root Cause
  • Too CONFUSING
  • Use Risk AFFINITIES vs. Every Risk Element

17
Approach to ERM
  • Encompass Governance
  • Keep It Simple and Scalable
  • Common Language and Definitions
  • Appetite Capacity Tolerance - ACCEPTANCE
  • Utilize a Formal Framework with a Top-Down
    Governance and Bottom-Up Execution Approach
  • Ongoing, Iterative Process
  • Implement True Monitoring
  • Train the Trainer
  • Remember the GENES

18
ERM Organizational Structure
  • Where does it fit in the organization ?
  • Governance
  • Execution
  • ERM should become a mind-set for everyone, just a
    part of your Business Excellence process. One of
    the primary reasons that many implementations do
    not meet expectations is that ERM is not
    pervasive within the fiber of the entire
    organization.

19
ERM at a Glance
20
ERM Framework Illustrated
21
Tools & Templates: Enterprise Architecture
22
Tools & Templates: Business Model
Subject/Purpose
Goal
Objective(s)
Success Metrics
Strategy(s)
Owner (Responsible/Accountable)
Scope (From/To)
Initial Trigger
Critical Control Points
Support/IT Systems
Activity Frequency
Customers
Suppliers
Problems, Issues and Future Expectations
May be developed for each enterprise entity or
process to be assessed.
23
ERM Framework Overview
  • Begin with a high-level risk universe
  • Prioritize risk areas based on severity,
    tolerance, and governance exposure assessments
  • Repeat for higher priority risks down to the
    activity level

24
Enterprise Risk Assessment: Filtering to the
Mitigation Priorities
25
ERM Framework: Risk Universe Overview
26
Tools & Templates: Assessment Matrix
Assess across Risk Factors to Derive Risk
Severity Score
27
Tools & Templates: Assessment Matrix
Assess COPPS to Derive Governance Exposure
For each risk area, determine if each C.O.P.P.S.
governance element is an enabler or disabler.
28
Tools & Templates: Ranking Matrix
Based on Assessment Results, Prioritize Risk Areas
Rank each risk area first by governance exposure,
and secondarily by tolerance and severity. In
this example, time was saved by excluding the
lower severity risk areas from the subsequent
tolerance and governance exposure assessments.
29
Tools & Templates: Charting Governance
Count up the number of disablers by governance
element. Later on, this may help focus the
mitigation activities, and provide an important
input for risk management dashboarding.
30
ERM Framework Overview
  • Assess current mitigating activities
  • Identify remediation strategy
  • Eliminate - Change the process to eliminate the
    risk
  • Reduce - Modify the process to reduce risk to
    acceptable levels
  • Transfer - Insure against or outsource
  • Control - Implement controls (Prevent/Detect)
  • Accept - Do not take any action

31
ERM Framework Overview
  • Implement sustainability into the process
  • Risk Monitoring Program
  • Control Assessment Program
  • Adapt to all business activity categories
  • Continuing Operations (Event Monitoring, Leading
    Indicators)
  • Strategy Setting & Budgeting (Annually, Qtrly,
    Monthly)
  • Projects (Initiate, Plan, Execute, Control and
    Close)

32
ERM Framework Illustrated
33
Critical Success Factors
  • Executive sponsorship/ownership
  • Make pervasive through a formal governance
    framework (COPPS)
  • Culture
  • Organization
  • Policies
  • Process
  • Systems
  • Demonstrate the value to line management
  • RIMS Maturity Model

34
Critical Success Factors
  • Adopt a common language
  • Don't reinvent; leverage what you have
  • Same process regardless of size - Scalable
  • Continuous monitoring
  • K.I.S.S. principle
  • Know what the GENES are
  • Patience and perseverance

35
Tools & Templates: Risk Map
36
  • Thank You
  • WE WELCOME QUESTIONS

Joe Herr VP Business Excellence 724-333-7051
Cell
  • joe_at_herracaneauctions.com