The Essentials of Enterprise Risk Management. Steven C. Tourek, Senior Vice President, General Counsel & Secretary, The Marvin Companies

Transcription

1 The Essentials of Enterprise Risk Management Steven C. Tourek, Senior Vice President, General Counsel & Secretary, The Marvin Companies

2 Introduction How should an organization think about the management of risk in a VUCA world? 1

3 Overview of Traditional Risk Management Approach Focused on tangible assets to be found on a balance sheet and related contractual rights Management process tends to be fragmented, reactive and ad hoc Management activity is transaction-oriented, cost-based, narrowlyfocused and functionally-driven 2

4 Traditional Risk Management Focus on Tangible Assets Land Buildings Equipment Inventory Physical Assets Cash Receivables Investments Equity Prepaid and others Financial Assets 3

5 What is Enterprise Risk Management? A process, effected by an entity s Board of Directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. - Committee of Sponsoring Organizations (COSO) Enterprise Risk Management Integrated Framework (August 2004) A disciplined and integrated approach that supports the alignment of strategy, process, governance, people and technology and allows organizations to identify, prioritize and effectively manage their critical risks. - Integrated Governance Solutions 4

6 How Does ERM Differ from the Traditional Approach? The objective of the ERM approach is to enhance business strategy formation and attainment. Focus and application is broader: enhancing and protecting the unique combination of tangible and intangible assets comprising the organization s business model. Transitions risk management from a discipline of avoiding risk and hedging bets to one of enhancing as well as protecting enterprise value creation. 5

7 ERM Focus on Tangible and Intangible Assets Land Buildings Equipment Inventory Cash Receivables Investments Equity Prepaids and others Physical Assets Financial Assets Leadership Strategy Knowledge Values Physical Assets Organizational Assets Customer Assets Employee/ Supplier Assets Reputation Innovation Systems Process Customers Channels Affiliates Employees Suppliers Partners 6

8 What Is The Value Proposition For ERM? Provides reasonable assurance to management that business objectives are achievable by: Aligning risk appetite and strategy Improving risk response decisions Reducing operational surprises and resulting losses Identifying and managing cross enterprise risks Providing integrated responses to a portfolio of multiple risks Seizing opportunities and improving deployment of capital 7

9 Is ERM Only Appropriate For Large, Public Entities? ERM applies to all organizations, large and small, public and private because: Every successful organization faces risk. Every successful organization takes risks. Every successful organization responds to risk. ERM implementation proportionate to unique level of risk, aligned with other corporate activities and dynamic. 8

10 Framework Elements Of ERM A stable foundation for a healthy Enterprise Risk Management program includes six key elements: 1. Infrastructure 2. Identification 3. Assessment 4. Management 5. Monitoring 6. Reporting 9

11 Modification The ERM Framework Infrastructure The Organization s Strategic Objectives Risk Identification Risk Assessment Enterprise Risk Prioritization Risk Response Communication and Reporting Monitoring 24

12 ERM Infrastructure Provides the discipline, focus and structural support needed to advance the enterprise s capabilities around managing its priority risks. Elements include enterprise risk assessment process, clarity of roles and responsibilities related to management of risk, integration/alignment of risk management with strategy setting, risk reporting framework, common training and supporting technology. Represents the organizational commitment, processes, language and accountability for enterprise-wide risk management. 11

13 Risk Identification Sources of Value Catastrophic loss Unacceptable costs Poor economic performance Unexpected losses Insufficient liquidity Adapted from Proviti Guide to Enterprise Risk Management Physical Assets Financial Assets Unclear or obsolete strategies Ineffective/inefficient processes Obsolete systems Physical Assets Organizational Assets 12 Customer Assets Employee/ Supplier Assets Inadequate information for decision-making Business interruption Brand erosion Security breach Pervasive quality failures Significant losses of key customers or channels Talent shortages Work stoppages Excessive costs & lead times

14 Risk Identification Brainstorming Involve direct reports and those with significant knowledge of the function or business unit. Utilize broad categories of risk to generate ideas. Free-thinking but each risk, current mitigation program and potential consequence should be identified and examined. Categories are used to generate ideas; assignment of risk to a particular category is not important. Large number of identified risks are narrowed through a voting process. 13

15 Risk Identification Sources of Uncertainty Financial Risks Loss of Major Supplier(s) Externally Driven Currency Fluctuations Competition / New Entry Strategic Risks Interest Rate Fluctuations Technological Innovation Slow economic recovery Credit Loss Liquidity Default Risk Sourcing material costs Capital Availability Internally Driven Late to Market Capacity Constraints Inefficiency Risk Product Development Risk Market Saturation Channel Consolidation Customer Value Risk Supply Chain Risk Cyber Threat Fleet liability Power Outage Information system failure Product Failure Service Environmental Liability Aging workforce Appropriate staff expertise Workplace violence OSHA, EPA, EEOC, FCPA, ACA, etc Compliance and Cost Changes in standards and model codes Changes in Laws and Regulations Compliance Risks Operational Risks Catastrophic loss / Major damage to facility (fire, act of God) 14 Labor shortage Inability to attract talent Human Capital Risks

16 Risk Identification Top 10 Risks For Regulatory Changes and Scrutiny (67%) 2. Economic Conditions (56%) 3. Management of Cyber Threats (53%) 4. Talent Attraction and Retention (56%) 5. Inadequate Risk Culture (51%) 6. Resistance to Change (49%) 7. Privacy/Identity Management (52%) 8. Management of Unexpected Crisis (46%) 9. Customer Loyalty and Retention (48%) 10. Inability to Meet Performance Expectations (46%) - Feb Poole College ERM Initiative of North Carolina State University and Proviti Survey 15

17 Risk Assessment Scoring and Ranking Take each of the top X identified risks and score each on inherent and residual basis, using the probability, time until impact and severity equation: (Likelihood of Occurrence + Time Until Impact) X Severity = Ultimate Risk Score Once the ultimate residual risk score for each risk is determined, rank from highest to lowest. 16

18 Risk Assessment Scoring - Likelihood Score each top 10 risk by likelihood of occurrence (L): Factor Score Description Example Probability 1 Extremely rare Occurs once every 100 years 2 Rarely occurs Once every years 3 Periodically occurs Once every 5-7 years 4 Regularly occurs Once every 1-5 years 5 Occurs with such regularity to be accurately estimated Multiple times per year 17

19 Risk Assessment Scoring Time Until Impact Score each top 10 risk by time until impact (T): Factor Score Description Example Time to impact 1 2 Manifests gradually over a long period of time providing opportunity to adjust/react Occurs quickly limited advance warning 3 Occurs suddenly no advance warning Months or years of warning (e.g. regulatory or legislative change) Hours or days of warning (e.g. hurricane, flood) No warning (e.g. Fire or explosion, security, breach) 18

20 Risk Assessment Scoring Severity of Impact Score each top 10 risk by Severity Impact (S): Factor Score Description Example Severity 1 Small financial impact Self-insured workers compensation loss with no impact on business reputation or continuity Large financial loss or impact but not material with no impact on business strategy Significant or material financial loss or event which may slowdown or adversely impact business strategy Major financial loss and/or significant adverse impact to business strategy Potential to imperil organization s strategy/long-term adverse business strategy impact 19 Additional costs due to new regulation or loss of a customer with no impact on business reputation or continuity > 2 week information systems shut-down that slows sales and (in the short-term) damages reputation in the marketplace; > Key supplier fails causing shortage of component parts. Unable to produce certain products for 3 mos. > Technology innovation or regulatory change which changes access to market

21 Rank Top Risks by Score (Example ranked according to highest score) Risk (L + T) X S = Score 1. Loss of major supplier Staff s lack of expertise Information system failure Etc Risk Assessment (Likelihood + Time Until Impact) X Severity = Risk Score 20

22 Enterprise Risk Prioritization Implement Portfolio Perspective Collate all of the functional risk ranking scores and apply an enterprise-wide perspective. Look for clearly emerging enterprise-wide critical risks. Assess for strategic impact and interrelationships as well as aggregate impact. 21

23 1) Manageable Impact 2) Major 3) Critical Enterprise Risk Prioritization Consolidated Risk Profile Example Strategic Objectives Over the next three years: Grow the top line by 75 percent Improve customer satisfaction by 25 percent Motivate and retain exceptional people Develop distinctive brands 1 CONSOLIDATED RISK PROFILE Critical Risk Language 1. Catastrophic loss 2. Channel effectiveness 3. Customer wants 4. Environmental, health and safety 5. Human resources 6. Legal/regulatory 7. Reputation ) Remote 2) Possible 3) Likely Likelihood 22

24 Risk Management Response/Treatment Options Four fundamental responses to identified critical risks: Avoid/Terminate Accept/Tolerate Reduce/Treat Share/Transfer 23

25 Risk Management Mitigation Plan For each priority risk (top 5 to 10) Define controls already in place. Determine what new actions should be taken. Assign accountability for each new action. Define measurable deliverables or metrics for each planned mitigation action or control. Once in place, reassess risk priority number. Monitor periodically for mitigation plan effectiveness in addressing risk. 24

26 Thank You 25