Committee of Sponsoring Organizations of the Treadway Commission
Thought Leadership in ERM
RISK ASSESSMENT IN PRACTICE
By Deloitte & Touche LLP
Dr. Patchin Curtis
Mark Carey

The information contained herein is of a general nature and based on authorities that are subject to change. Applicability of the information to specific situations should be determined through consultation with your professional adviser, and this paper should not be considered substitute for the services of such advisors, nor should it be used as a basis for any decision or action that may affect your organization.
Authors
Deloitte & Touche LLP

Principal Contributors
Dr. Patchin Curtis, Director, Deloitte & Touche LLP
Mark Carey, Partner, Deloitte & Touche LLP

COSO Board Members
David L. Landsittel, COSO Chair
Douglas F. Prawitt, American Accounting Association
Richard F. Chambers, The Institute of Internal Auditors
Marie N. Hollein, Financial Executives International
Chuck E. Landes, American Institute of CPAs (AICPA)
Sandra Richtermeyer, Institute of Management Accountants

Preface
This project was commissioned by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which is dedicated to providing thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control, and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations. COSO is a private-sector initiative jointly sponsored and funded by the following organizations:
American Accounting Association (AAA)
American Institute of CPAs (AICPA)
Financial Executives International (FEI)
The Institute of Management Accountants (IMA)
The Institute of Internal Auditors (IIA)
Research Commissioned by Committee of Sponsoring Organizations of the Treadway Commission
October 2012
Copyright 2012, The Committee of Sponsoring Organizations of the Treadway Commission (COSO). All Rights Reserved. No part of this publication may be reproduced, redistributed, transmitted or displayed in any form or by any means without written permission. For information regarding licensing and reprint permissions please contact the American Institute of Certified Public Accountants' licensing and permissions agent for COSO copyrighted materials. Direct all inquiries to or AICPA, Attn: Manager, Rights and Permissions, 220 Leigh Farm Rd., Durham, NC Telephone inquiries may be directed to
Contents
Introduction
The Risk Assessment Process
Develop Assessment Criteria
Assess Risks
Assess Risk Interactions
Prioritize Risks
Putting It into Practice
About COSO
About the Authors
Introduction

Value is a function of risk and return. Every decision either increases, preserves, or erodes value. Given that risk is integral to the pursuit of value, strategic-minded enterprises do not strive to eliminate risk or even to minimize it, a perspective that represents a critical change from the traditional view of risk as something to avoid. Rather, these enterprises seek to manage risk exposures across all parts of their organizations so that, at any given time, they incur just enough of the right kinds of risk, no more, no less, to effectively pursue strategic goals. This is the "sweet spot," or optimal risk-taking zone, referred to in exhibit 1.

That's why risk assessment is important. It's the way in which enterprises get a handle on how significant each risk is to the achievement of their overall goals. To accomplish this, enterprises require a risk assessment process that is practical, sustainable, and easy to understand. The process must proceed in a structured and disciplined fashion. It must be correctly sized to the enterprise's size, complexity, and geographic reach.

While enterprise-wide risk management (ERM) is a relatively new discipline, [1] application techniques have been evolving over the last decade. The purpose of this paper is to provide leadership with an overview of risk assessment approaches and techniques that have emerged as the most useful and sustainable for decision-making. It represents another in a series of papers published by Committee of Sponsoring Organizations of the Treadway Commission (COSO) aimed at helping organizations move up the maturity curve in their ongoing development of a robust ERM process.

Exhibit 1: Optimal Risk-Taking
[Figure. Axes: Risk Level, Expected Enterprise Value. Zones: Insufficient Risk-Taking, Optimal Risk-Taking (Sweet Spot), Excessive Risk-Taking.]

[1] Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management - Integrated Framework, 2004.
The Risk Assessment Process

Within the COSO ERM framework, [2] risk assessment follows event identification and precedes risk response. Its purpose is to assess how big the risks are, both individually and collectively, in order to focus management's attention on the most important threats and opportunities, and to lay the groundwork for risk response. Risk assessment is all about measuring and prioritizing risks so that risk levels are managed within defined tolerance thresholds without being overcontrolled or forgoing desirable opportunities.

Events that may trigger risk assessment include the initial establishment of an ERM program, a periodic refresh, the start of a new project, a merger, acquisition, or divestiture, or a major restructuring. Some risks are dynamic and require continual ongoing monitoring and assessment, such as certain market and production risks. Other risks are more static and require reassessment on a periodic basis with ongoing monitoring triggering an alert to reassess sooner should circumstances change.

Exhibit 2: Assess Risks Process Flow Diagram
[Figure. Flow: Identify Risks, then Assess Risks (Develop Assessment Criteria, Assess Risks, Assess Risk Interactions, Prioritize Risks), then Respond to Risks.]

Identify risks. The risk (or event) identification process precedes risk assessment and produces a comprehensive list of risks (and often opportunities as well), organized by risk category (financial, operational, strategic, compliance) and sub-category (market, credit, liquidity, etc.) for business units, corporate functions, and capital projects. At this stage, a wide net is cast to understand the universe of risks making up the enterprise's risk profile. While each risk captured may be important to management at the function and business unit level, the list requires prioritization to focus senior management and board attention on key risks. This prioritization is accomplished by performing the risk assessment.

Develop assessment criteria. The first activity within the risk assessment process is to develop a common set of assessment criteria to be deployed across business units, corporate functions, and large capital projects. Risks and opportunities are typically assessed in terms of impact and likelihood. Many enterprises recognize the utility of evaluating risk along additional dimensions such as vulnerability and speed of onset.

Assess risks. Assessing risks consists of assigning values to each risk and opportunity using the defined criteria. This may be accomplished in two stages where an initial screening of the risks is performed using qualitative techniques followed by a more quantitative analysis of the most important risks.

Assess risk interactions. Risks do not exist in isolation. Enterprises have come to recognize the importance of managing risk interactions. Even seemingly insignificant risks on their own have the potential, as they interact with other events and conditions, to cause great damage or create significant opportunity. Therefore, enterprises are gravitating toward an integrated or holistic view of risks using techniques such as risk interaction matrices, bow-tie diagrams, and aggregated probability distributions.

Prioritize risks. Risk prioritization is the process of determining risk management priorities by comparing the level of risk against predetermined target risk levels and tolerance thresholds. Risk is viewed not just in terms of financial impact and probability, but also subjective criteria such as health and safety impact, reputational impact, vulnerability, and speed of onset.

Respond to risks. The results of the risk assessment process then serve as the primary input to risk responses whereby response options are examined (accept, reduce, share, or avoid), cost-benefit analyses performed, a response strategy formulated, and risk response plans developed.

Discussions of event identification and risk response are beyond the scope of this paper. For detailed treatment, refer to the COSO Enterprise Risk Management - Integrated Framework (2004).

[2] COSO, Enterprise Risk Management - Integrated Framework (2004).
Develop Assessment Criteria

Traditional risk analysis defines risk as a function of likelihood and impact. Indeed, these are important measures. However, unlikely events occur all too often, and many likely events don't come to pass. Worse, unlikely events often occur with astonishing speed. Likelihood and impact alone do not paint the whole picture. To answer questions like how fast could the risk arise, how fast could you respond or recover, and how much downtime could you tolerate, you need to gauge vulnerability and speed of onset. By gauging how vulnerable you are to an event, you develop a picture of your needs. By gauging how quickly it could happen, you understand the need for agility and rapid adaptation.

Developing Assessment Scales

Some form of measurement of risk is necessary. Without a standard of comparison, it's simply not possible to compare and aggregate risks across the organization. Most organizations define scales for rating risks in terms of impact, likelihood, and other dimensions. These scales comprise rating levels and definitions that foster consistent interpretation and application by different constituencies. The more descriptive the scales, the more consistent their interpretation will be by users. The trick is to find the right balance between simplicity and comprehensiveness.

Scales should allow meaningful differentiation for ranking and prioritization purposes. Five point scales yield better dispersion than three point scales. Ten point scales imply precision typically unwarranted in qualitative analysis, and assessors may waste time trying to differentiate between a rating of six or seven when the difference is inconsequential and indefensible.

Illustrative scales are provided for impact, likelihood, vulnerability, and speed of onset. Every enterprise is different and the scales should be customized to fit the industry, size, complexity, and culture of the organization in question.

Impact

Impact (or consequence) refers to the extent to which a risk event might affect the enterprise. Impact assessment criteria may include financial, reputational, regulatory, health, safety, security, environmental, employee, customer, and operational impacts. Enterprises typically define impact using a combination of these types of impact considerations (as illustrated below), given that certain risks may impact the enterprise financially while other risks may have a greater impact to reputation or health and safety. When assigning an impact rating to a risk, assign the rating for the highest consequence anticipated. For example, if any one of the criteria for a rating of 5 is met, then the impact rating assigned is 5 even though other criteria may fall lower in the scale. Some entities define impact scales for opportunities as well as risks.
Illustrative Impact Scale
(Columns: Rating, Descriptor, Definition)

Rating 5, Extreme:
- Financial loss of $X million or more [3]
- International long-term negative media coverage; game-changing loss of market share
- Significant prosecution and fines, litigation including class actions, incarceration of leadership
- Significant injuries or fatalities to employees or third parties, such as customers or vendors
- Multiple senior leaders leave

Rating 4, Major:
- Financial loss of $X million up to $X million
- National long-term negative media coverage; significant loss of market share
- Report to regulator requiring major project for corrective action
- Limited in-patient care required for employees or third parties, such as customers or vendors
- Some senior managers leave, high turnover of experienced staff, not perceived as employer of choice

Rating 3, Moderate:
- Financial loss of $X million up to $X million
- National short-term negative media coverage
- Report of breach to regulator with immediate correction to be implemented
- Out-patient medical treatment required for employees or third parties, such as customers or vendors
- Widespread staff morale problems and high turnover

Rating 2, Minor:
- Financial loss of $X million up to $X million
- Local reputational damage
- Reportable incident to regulator, no follow up
- No or minor injuries to employees or third parties, such as customers or vendors
- General staff morale problems and increase in turnover

Rating 1, Incidental:
- Financial loss up to $X million
- Local media attention quickly remedied
- Not reportable to regulator
- No injuries to employees or third parties, such as customers or vendors
- Isolated staff dissatisfaction

[3] Financial impact is typically measured in terms of loss or gain, profitability or earnings, or capital.
Likelihood

Likelihood represents the possibility that a given event will occur. Likelihood can be expressed using qualitative terms (frequent, likely, possible, unlikely, rare), as a percent probability, or as a frequency. When using numerical values, whether a percentage or frequency, the relevant time period should be specified such as annual frequency or the more relative probability over the life of the project or asset.

Sometimes enterprises describe likelihood in more personal and qualitative terms such as "event expected to occur several times over the course of a career" or "event not expected to occur over the course of a career."

Illustrative Likelihood Scale
(Columns: Rating; Annual Frequency descriptor and definition; Probability descriptor and definition)

Rating 5:
- Annual frequency: Frequent. Up to once in 2 years or more
- Probability: Almost certain. 90% or greater chance of occurrence over life of asset or project

Rating 4:
- Annual frequency: Likely. Once in 2 years up to once in 25 years
- Probability: Likely. 65% up to 90% chance of occurrence over life of asset or project

Rating 3:
- Annual frequency: Possible. Once in 25 years up to once in 50 years
- Probability: Possible. 35% up to 65% chance of occurrence over life of asset or project

Rating 2:
- Annual frequency: Unlikely. Once in 50 years up to once in 100 years
- Probability: Unlikely. 10% up to 35% chance of occurrence over life of asset or project

Rating 1:
- Annual frequency: Rare. Once in 100 years or less
- Probability: Rare. <10% chance of occurrence over life of asset or project
Vulnerability

Vulnerability refers to the susceptibility of the entity to a risk event in terms of criteria related to the entity's preparedness, agility, and adaptability. Vulnerability is related to impact and likelihood. The more vulnerable the entity is to the risk, the higher the impact will be should the event occur. If risk responses including controls are not in place and operating as designed, then the likelihood of an event increases. Assessing vulnerability allows entities to gauge how well they're managing risks.

Vulnerability assessment criteria may include capabilities to anticipate events such as scenario planning, real options, [4] capabilities to prevent events such as risk responses in place, capabilities to respond and adapt quickly as events unfold, and capabilities to withstand the event such as capital buffer and financial strength. Other factors can also be considered such as the rate of change in the industry or organization. There is no one-size-fits-all assessment scale. Every entity must define scales to meet its needs.

Illustrative Vulnerability Scale
(Columns: Rating, Descriptor, Definition)

Rating 5, Very High:
- No scenario planning performed
- Lack of enterprise level/process level capabilities to address risks
- Responses not implemented
- No contingency or crisis management plans in place

Rating 4, High:
- Scenario planning for key strategic risks performed
- Low enterprise level/process level capabilities to address risks
- Responses partially implemented or not achieving control objectives
- Some contingency or crisis management plans in place

Rating 3, Medium:
- Stress testing and sensitivity analysis of scenarios performed
- Medium enterprise level/process level capabilities to address risks
- Responses implemented and achieving objectives most of the time
- Most contingency and crisis management plans in place, limited rehearsals

Rating 2, Low:
- Strategic options defined
- Medium to high enterprise level/process level capabilities to address risks
- Responses implemented and achieving objectives except under extreme conditions
- Contingency and crisis management plans in place, some rehearsals

Rating 1, Very Low:
- Real options deployed to maximize strategic flexibility
- High enterprise level/process level capabilities to address risks
- Redundant response mechanisms in place and regularly tested for critical risks
- Contingency and crisis management plans in place and rehearsed regularly

[4] A real option is an option involving real, as opposed to financial, assets. Real assets include land, plant, and machinery. Real option analysis uses option pricing theory to value capital investment opportunities. An example of a real option would be the overbuilding of a facility to provide strategic flexibility in the event that demand were to increase faster than production capacity.
Speed of Onset (or Velocity)

Speed of onset refers to the time it takes for a risk event to manifest itself, or in other words, the time that elapses between the occurrence of an event and the point at which the company first feels its effects. Knowing the speed of onset is useful when developing risk response plans.

Illustrative Speed of Onset Scale
(Columns: Rating, Descriptor, Definition)

5, Very High: Very rapid onset, little or no warning, instantaneous
4, High: Onset occurs in a matter of days to a few weeks
3, Medium: Onset occurs in a matter of a few months
2, Low: Onset occurs in a matter of several months
1, Very Low: Very slow onset, occurs over a year or more

Inherent and Residual Risk

When assessing risks, it's important to determine whether respondents will be asked to assess inherent risk, residual risk, or both. In Enterprise Risk Management - Integrated Framework (2004), COSO defines inherent risk as the risk to an entity in the absence of any actions management might take to alter either the risk's likelihood or impact. Residual risk is the risk remaining after management's response to the risk.

Applying this concept is trickier than it might seem at first glance. Some entities interpret inherent risk to be level of risk assuming responses currently in place fail, and residual risk to be the level of risk assuming existing responses operate according to design. Other entities interpret inherent risk to be the current level of risk assuming existing responses operate according to design and residual to be the estimated risk after responses under consideration are put into place. The first approach is focused more on controls effectiveness of the current environment and the second approach on evaluating risk response options. There is no one right answer and either approach may be useful depending upon the purpose of the assessment and the nature of the risks being considered.
Assess Risks

Risk assessment is often performed as a two-stage process. An initial screening of the risks and opportunities is performed using qualitative techniques followed by a more quantitative treatment of the most important risks and opportunities lending themselves to quantification (not all risks are meaningfully quantifiable). Qualitative assessment consists of assessing each risk and opportunity according to descriptive scales as described in the previous section. Quantitative analysis requires numerical values for both impact and likelihood using data from a variety of sources.

The quality of the analysis depends on the accuracy and completeness of the numerical values and the validity of the models used. Model assumptions and uncertainty should be clearly communicated and evaluated using techniques such as sensitivity analysis.

Both qualitative and quantitative techniques have advantages and disadvantages. Most enterprises begin with qualitative assessments and develop quantitative capabilities over time as their decision-making needs dictate.

Measurement Techniques Comparison
(Columns: Technique, Advantages, Disadvantages)

Qualitative, advantages:
- Is relatively quick and easy
- Provides rich information beyond financial impact and likelihood such as vulnerability, speed of onset, and non-financial impacts such as health and safety and reputation
- Is easily understood by a large number of employees who may not be trained in sophisticated quantification techniques

Qualitative, disadvantages:
- Gives limited differentiation between levels of risk (i.e. very high, high, medium, and low)
- Is imprecise: risk events that plot within the same risk level can represent substantially different amounts of risk
- Cannot numerically aggregate or address risk interactions and correlations
- Provides limited ability to perform cost-benefit analysis

Quantitative, advantages:
- Allows numerical aggregation taking into account risk interactions when using an "at risk" measure such as Cash Flow at Risk
- Permits cost-benefit analysis of risk response options
- Enables risk-based capital allocation to business activities with optimal risk-return
- Helps compute capital requirements to maintain solvency under extreme conditions

Quantitative, disadvantages:
- Can be time-consuming and costly, especially at first during model development
- Must choose units of measure such as dollars and annual frequency which may result in qualitative impacts being overlooked
- Use of numbers may imply greater precision than the uncertainty of inputs warrants
- Assumptions may not be apparent
For qualitative assessments, the most commonly used assessment techniques are interviews, cross-functional workshops, surveys, benchmarking, and scenario analysis. Quantitative techniques range from benchmarking and scenario analysis to generating forward looking point estimates (deterministic models) and then to generating forward looking distributions (probabilistic models). Some of the most powerful probabilistic models from an enterprise-wide standpoint include causal at-risk models used to estimate gross profit margins, cash flows, or earnings over a given time horizon at given confidence levels.

Analysis of Existing Data

Reviewing internal and external data can help individuals assess the likelihood and impact of a risk or opportunity. Sources of risk occurrence data include internal and external audit reports, public filings, insurance claims and internal loss event data including near misses, published reports by insurance companies, industry consortia, and research organizations. While relying on existing data provides objectivity, it's important to evaluate the relevance of the data under current and projected conditions. Adjustments may be warranted using expert judgment. In these cases, the rationale for adjustments must be clearly documented and communicated.

Interviews and Cross-Functional Workshops

Assessment can be conducted through one-on-one interviews or facilitated meetings. Cross-functional workshops are preferable to interviews or surveys for assessment purposes as they facilitate consideration of risk interactions and break down siloed thinking. Workshops improve understanding of a risk by bringing together diverse perspectives. For example, when considering a risk such as information security breach, workshop participants from information technology, legal and compliance, public relations, customer service, strategic planning, and operations management may each bring different information regarding causes, consequences, likelihoods, and risk interactions. Interviews may be more appropriate for senior management, board members, and senior line managers due to their time constraints. Workshops may not work well in cultures that suppress free sharing of information or divergent opinions.

Surveys

Surveys are useful for large, complex, and geographically distributed enterprises or where the culture suppresses open communication. Survey results can be downloaded into analytical tools allowing risks and opportunities to be viewed by level (board members, executives, managers), by business unit, by geography, or by risk category.

Surveys have drawbacks too. Response rates can be low. If the survey is anonymous, it may be difficult to identify information gaps. Quality of responses may be low if respondents give survey questions superficial attention in a rush to completion, or if they misunderstand something and don't have the opportunity to ask clarifying questions. But perhaps most of all, respondents don't benefit from cross-functional discussions which enhance people's risk awareness and understanding, provide context and information to support the risk ratings, and analyze risk interactions across silos. For these reasons, surveys should not be considered a substitute for workshops and other techniques for in-depth analysis of key risks.

Benchmarking

Benchmarking is a collaborative process among a group of entities. Benchmarking focuses on specific events or processes, compares measures and results using common metrics, and identifies improvement opportunities. Data on events, processes, and measures are developed to compare performance. Some companies use benchmarking to assess the likelihood and impact of potential events across an industry. Benchmarking data are available from research organizations, industry consortia, insurance companies and rating agencies, government agencies, and regulatory and supervisory bodies. For example, an oil field services company might benchmark its safety risk using measures such as lost time injuries using data for similar companies available from the Bureau of Labor Statistics, the Occupational Health and Safety Administration (OSHA), the American Petroleum Institute (API), or others.
Scenario Analysis

Scenario analysis has long been recognized for its usefulness in strategic planning. It is also useful for assessing risks and tying them back to strategic objectives. It entails defining one or more risk scenarios, detailing the key assumptions (conditions or drivers) that determine the severity of impact, and estimating the impact on a key objective.

In the example below, management wanted to understand how earnings could be negatively impacted. Six scenarios impacting earnings were identified, causal factors (such as price or volume changes or state of the economy) determined, detailed assumptions calibrated, and the earnings impact estimated. Scenarios can be developed jointly by risk owners and ERM personnel and built out and validated with specialists from various functions and management.

Scenario Analysis
(Columns: Scenario Description, Detailed Assumptions, EBIT* Impact ($MM))

1) Currency changes impact competitive landscape. EBIT impact: -$500
- 15% volume decrease
- 20% price decrease
- Sustained for 9 months
- Recovery takes additional 9 months

2) Natural gas prices increase. EBIT impact: -$150
- $5/MM Btu increase
- Sustained for 12 months
- No ability to pass through increase

3) Crude oil prices increase. EBIT impact: -$15
- 100% increase
- Sustained for 3 months
- Pass through 25% of cost increase

4) Technology shift. EBIT impact: -$275
- 15% volume decrease/year
- 15% price decrease/year
- $2MM less in R&D expenditures

5) Competitive pressure. EBIT impact: -$200
- 10% price decrease
- Sustained for 24 months

6) Supply chain disruption. EBIT impact: -$175
- 10% volume decrease
- Sustained for 6 months

* Earnings before interest and taxes.
Source: Frederick Funston and Stephen Wagner, Surviving and Thriving in Uncertainty (Hoboken, NJ: John Wiley & Sons, Inc., 2010), 69.
Causal At-Risk Models

Gross Margin at Risk (GMaR), Cash Flow at Risk (CFaR), and Earnings at Risk (EaR) are metrics built on causal models where specific risk factors drive future uncertainty of key cash flow or earnings components. Each risk factor can be modeled in detail and incorporated into the overall model. Using a causal at-risk model can provide insight into how historical relationships might become uncoupled and deviate meaningfully from expectations. Armed with the knowledge of how each risk factor could vary in the future and impact cash flow or earnings, risk can be better measured and managed. It is the added insight of the risk factors driving uncertainty that makes causal models a step up from simply extrapolating past relationships in a pro forma approach.

Model inputs may be derived from past records, relevant experience, relevant published literature, market research, public consultation, experiments and prototypes, and economic, engineering or other models. Where historical data are not available, not relevant, or incomplete, expert elicitation may be used. Expert elicitation is most commonly used to estimate reasonable probabilities especially for low likelihood, high impact events. Experts are valuable sources of information and knowledge. But experts also bring biases. Fortunately, a large body of knowledge exists with regard to heuristics and biases and ways to address them. For example, see COSO's recently issued thought paper, Enhancing Board Oversight: Avoiding Judgment Traps and Biases (March 2012).

In reality, both pro forma models built around historical ratios and causal at-risk models can be helpful and should be seen as complementary views of an uncertain future. Regardless of the type of model, the confidence placed on estimates of levels of risk and assumptions made in the analysis should be clearly stated.
Assess Risk Interactions

ERM enables an integrated and holistic view of risks. The key here is that the whole does not equal the sum of the parts. To understand portfolio risk, one must understand the risks of the individual elements plus their interactions due to the presence of natural hedges and mutually amplifying risks. Understanding risk interactions and then managing them requires breaking down silos.

A simple way to consider risk interactions is to group related risks into a broad risk area (such as grouping risks related to sourcing, distribution channels, vendor concentrations, etc. into supply chain risk) and then assigning ownership and oversight for the risk area. Three explicit ways to capture risk interactions, increasing in level of complexity and richness of information, are risk interaction maps, correlation matrices, and bow-tie diagrams.

Risk Interaction Map

A risk interaction map is the simplest form of graphical representation in which the same list of risks form the x and y axes. Risk interactions are then indicated by an X or other qualitative indicator.

Exhibit 3: Illustrative Risk Interaction Map
[Matrix with the same twelve risks on both axes: Supply Chain Disruption; Customer Preference Shift; Copper Price Increase >25%; Work Stoppage >1 Week; Economic Downturn; Supplier Consolidation; Local Competitor Enters Market; New Substitutes Available; Cost of Capital Increase >5%; Tighter Emission Standards; FCPA Violation; Exchange Rate Fluctuations.]
Where historical data are available, risk interactions can be expressed quantitatively using a correlation matrix. This is an especially useful technique to apply within a risk category such as market risk. Difficulties in determining correlations for risks include the possibility that past causal relationships will not be indicative of future relationships, lack of historical data, differences in time frames (short-, medium-, and long-term), and the large numbers of risks required for an enterprise-wide assessment.

Developing the Full Picture: Fault Trees, Event Trees, and Bow-Tie Diagrams

Diagrams that break a complex risk occurrence into its component parts showing the chains of events that could lead to or result from the occurrence can be indispensable for identification and assessment of risk responses and key risk indicators. The diagrams can be qualitative or serve as the basis for quantitative models. Three commonly used diagrams are fault trees, event trees, and bow-ties. Fault trees are used for analyzing events or combinations of events that might lead to a hazard or an event. Event trees are used for modeling sequences of events arising from a single risk occurrence. A bow-tie diagram combines a fault tree and an event tree and takes its name from its shape. Probabilistic models built on bow-tie diagrams are versatile for quantifying inherent and residual risk levels and performing what-if, scenario, and sensitivity analyses.

Exhibit 4: Bow-Tie Diagram
[Figure. Panel titles: Risk Factors, Risk Consequences. Node labels: Trigger Event, Condition, Intermediate Event, Risk, End Event, Consequence, End Event (Loss).]

Note: The terms fault tree, event tree, and bow-tie diagram are sometimes used interchangeably.
Prioritize Risks

Once the risks have been assessed and their interactions documented, it's time to view the risks as a comprehensive portfolio to enable the next step: prioritizing for risk response and reporting to different stakeholders. The term risk profile represents the entire portfolio of risks facing the enterprise. Some entities represent this portfolio as a hierarchy, some as a collection of risks plotted on a heat map. Entities with more mature ERM programs and quantitative capabilities may aggregate individual risk distributions into a cumulative loss probability distribution and refer to that as the risk profile.

Similar to assessing risks, ranking and prioritizing is often done in a two-step process. First, the risks are ranked according to one, two, or more criteria such as impact rating multiplied by likelihood rating or impact multiplied by vulnerability. Second, the ranked risk order is reviewed in light of additional considerations such as impact alone, speed of onset, or the size of the gap between current and desired risk level (risk tolerance threshold). If the initial ranking is done by multiplying financial loss by likelihood, then the final prioritization should take qualitative factors into consideration.

Hierarchies and Rolling Up and Drilling Down

The simplest way to aggregate risks is to organize them according to a hierarchy. This is often done in risk management systems where risks can be organized by organizational unit, risk type, geography, or strategic objective. The better systems allow users to roll up and drill down for analysis and reporting. This provides a complete listing of the assessed risks but does not help with prioritizing.

Exhibit 5: Risk Hierarchies
[Figure: two tree diagrams. "Risk Hierarchy by Org. Unit": Enterprise, then Business Units and Projects, then the risks in each (Risk ABC, Risk DEF, Risk UVW, Risk XYZ, Risk GHI, Risk JKL). "Risk Hierarchy by Risk Type": Enterprise, then Strategic, Financial, Operational and Compliance, then each risk and its occurrences (for example, Risk ABC in Bus. Unit 1, Risk UVW in Project 1), ending in Risk...]