Executive Summary Exhibit 1



Similar documents
Tying It All Together: Practical ERM Integration. Richard Scanlon Vice President Enterprise Risk Management CIGNA Corporation

Guidance Note: Corporate Governance - Board of Directors. March Ce document est aussi disponible en français.

Enterprise Risk Management: From Theory to Practice

Framework for Enterprise Risk Management

Linking Risk Management to Business Strategy, Processes, Operations and Reporting

Capital Requirements Directive Pillar 3 Disclosure. December 2015

Enterprise Risk Management in a Highly Uncertain World. A Presentation to the Government-University- Industry Research Roundtable June 20, 2012

MISSION VALUES. The guide has been printed by:

Transforming risk management into a competitive advantage kpmg.com

ENTERPRISE RISK MANAGEMENT FRAMEWORK

The Essentials of Enterprise Risk Management. Steven C. Tourek, Senior Vice President, General Counsel & Secretary, The Marvin Companies

and Risk Tolerance in an Effective ERM Program

RSA ARCHER OPERATIONAL RISK MANAGEMENT

Improving Financial Performance, Governance and Compliance

ASAE s Job Task Analysis Strategic Level Competencies

Managing Risk at Bank of America Corporation. Overview

11/12/2013. Role of the Board. Risk Appetite. Strategy, Planning and Performance. Risk Governance Framework. Assembling an effective team

Audit, Risk Management and Compliance Committee Charter

Successfully identifying, assessing and managing risks for stakeholders

CSR / Sustainability Governance and Management Assessment By Coro Strandberg Principal, Strandberg Consulting

Streamlining the Annual Risk Assessment Process

Application of King III Corporate Governance Principles

Policy : Enterprise Risk Management Policy

Enterprise Risk Management & Information Technology

Application of King III Corporate Governance Principles

Operational Risk Management - The Next Frontier The Risk Management Association (RMA)

Commodity Price Risk Management (CPRM) - Trends and Challenges for Corporates

Public Sector Pension Investment Board

Applying Risk Assessment to Your Audit Plan Break-out Session T3, Tuesday, October 26 2:00-2:50pm

Camber Quality Assurance (QA) Approach

Placing a Value on Enterprise Risk Management ADVISORY

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK

Matthew E. Breecher Breecher & Company PC November 12, 2008

GUIDANCE FOR MANAGING THIRD-PARTY RISK

RISK MANAGEMENT REPORTING GUIDELINES AND MANUAL 2013/14. For North Simcoe Muskoka LHIN Health Service Providers

POLICY. Number: Title: Enterprise Risk Management. Authorization

Developing an Effective Enterprise Risk Management Program

STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES. ENTERPRISE RISK MANAGEMENT Framework

Controls and accounting policies

How To Manage Risk At Atb Financial

Anti-Fraud Management Example In Accounts Payable. Michael Heckner October 12, 2012

Enterprise Risk Management

APPLICATION OF THE KING III REPORT ON CORPORATE GOVERNANCE PRINCIPLES

Operational Risk Management Program Version 1.0 October 2013

Enterprise Risk Management in Colleges and Universities

How to Develop Successful Enterprise Risk and Vendor Management Programs

APPLICATION OF KING III CORPORATE GOVERNANCE PRINCIPLES 2014

February Audit committee performance evaluation

POL ENTERPRISE RISK MANAGEMENT SC51. Executive Services Department BUSINESS UNIT: Executive Support Services SERVICE UNIT:

Deriving Value from ORSA. Board Perspective

Financial Services FINANCIAL SERVICES UTILITIES 57 FINANCIAL SERVICES AND UTILITIES BUSINESS PLAN. CR_2215 Attachment 1

Regulatory Compliance Management (RCM) (formerly Legislative Compliance Management (LCM))

Understanding and articulating risk appetite

Delphi Automotive PLC. Corporate Governance Guidelines

GUIDELINES ON RISK MANAGEMENT AND INTERNAL CONTROLS FOR INSURANCE AND REINSURANCE COMPANIES

The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only January 2012

Performance Management. Date: November 2012

building a business case for governance, risk and compliance

Risk Management Policy Adopted by:

AMTRAK CORPORATE GOVERNANCE: Implementing a Risk Management Framework is Essential to Achieving Amtrak s Strategic Goals

Third Party Risk Management 12 April 2012

Direct Line Insurance Group plc (the Company ) Board Risk Committee (the Committee ) Terms of Reference

IFAD Policy on Enterprise Risk Management

Enterprise-Wide Risk Assessment

Credit Union Liability with Third-Party Processors

Export Development Canada

Integrated Risk Management:

THE ROLE OF FINANCE AND ACCOUNTING IN ENTERPRISE RISK MANAGEMENT

RISK BASED AUDITING: A VALUE ADD PROPOSITION. Participant Guide

Enterprise Risk Management (ERM): In Action. January Co-presented by: Michael Yip, Marsh Risk Consulting Norma Essary, DFW International Airport

B o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing

The Treasury 3.0 Framework: Deploying a Model of Best Practices Treasury Strategies, Inc. All rights reserved.

SAI GLOBAL LIMITED Risk Management Policy

RISK MANAGEMENt AND INtERNAL CONtROL

Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004

Consumer Goods and Services

APPENDIX 50. Enterprise risk management - Risk management overview

Saldanha Bay Municipality. Risk Management Strategy. Inclusive of, framework, procedures and methodology

Organization transformation in times of change

Close Brothers Group plc

Risk committee performance evaluation

Board Risk & Compliance Committee Charter

Internal Auditing Guidelines

University of St. Gallen Law School Law and Economics Research Paper Series. Working Paper No June 2007

Fraud Prevention and Deterrence

Simplify the Complexity of Managing 3rd Party Anti-Bribery / FCPA Compliance

As of July 1, Risk Management and Administration

One source. One amazing service. Procurement Process and the Sarbanes-Oxley Act

Framing the future of corporate governance Deloitte Governance Framework

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

The University of Texas at San Antonio. Business Affairs 2016 STRATEGIC PLAN December 2007

Moving Forward with IT Governance and COBIT

CORPORATE GOVERNANCE FRAMEWORK

Transcription:

Executive Summary Enterprise Risk Management (ERM) remains one of the most important tasks of corporate leadership teams. Global uncertainty driven by geopolitical events, sovereign debt concerns, natural catastrophes and the potential for slowing growth in key market economies have increased the need for leadership engagement on risk, particularly around strategic risks that could impact long term growth. Pressure remains on corporate boards and executive teams to enhance their ERM activities and improve the linkage between performance and accountability. Rating agencies have also placed increased attention and importance on proactive ERM programs. Our Enterprise Risk Management program continues to seek a healthy balance between risk and opportunity. We want to ensure that increased risk is balanced with appropriate reward and that our exposures don t exceed the appetite limits we have set. As the ERM program begins its ninth year, the Risk Committee felt several refinements were needed. The decision was made to separate the processes used to identify the most significant risks at the business unit (BU) level and at the enterprise-wide level (Exhibit 1). In making these changes, we wanted to shift the business units (BU) risk focus to the most important issues impacting their ability to achieve the plan while giving them the flexibility to manage and mitigate those specific challenges in a more focused manner. These top BU issues have been identified in a bottoms-up fashion and while there was some linkage from the more generic top down risk mapping we have conducted in the BUs over the years, the associated management and mitigation activities were somewhat disconnected from their actual risks. Going forward, the Committee feels the bottoms-up BU process is a more appropriate approach for BU risk identification and these program changes will improve the applicability and effectiveness of their mitigation efforts.

Exhibit 1 Revised bottoms-up and top-down ERM Approach On the Enterprise side, we have revised and reduced the size of the Enterprise Risk Universe with an eye toward focusing those risks on issues that impact the entire corporation. The Committee felt that the quantity of data coming out of the old mapping process diluted both the focus and effectiveness of that part of the program. The Committee determined that mapping input was still an important data source for identifying top Enterprise Risks but decided to reduce the breadth of participation to the Executive Leadership Team (~100 leaders). At the June 9 th 2014 Risk Committee meeting, the Committee used the new enterprise mapping data and the top down process to select the Top Ten Enterprise Risks facing the corporation. Three of these ten risks were common from the 2013 Top Consolidated Risks but the remaining seven were new and reflected the enterprise-wide focus of the process. All of the risks have been topics discussed in prior Committee meetings (e.g. Cyber Security, Leader Capacity, JVs and Alliances etc.) and going forward, the Committee itself will take a more active role in managing and mitigating these risks. The corporation also continues to make a conscience effort to increase the interaction among the corporate and business unit functions that regularly address risk in one form or another. Though the Enterprise Risk Management program is run independently from Financial Risk Management, Legal and Compliance, Risk and Insurance, and Enterprise Security - they are all critical pillars in Johnson Controls Total Risk Management Process. All five activities

continue to actively communicate and share risk data. The Enterprise Security team for example has introduced additional crisis management tools and processes that were instrumental in addressing some of the recent business continuity challenges. The 24-7-365 Crisis Management Center is a good example, providing global event-related command & control and support throughout an event s lifecycle. Total Risk Management at Johnson Controls We continue to place more attention on increasing the communication and coordination among the various corporate functions that assess and manage risk across the enterprise. As highlighted in Exhibit 2 there are five key pillars in our Total Risk Management Program. Each pillar provides a unique focus and set of resources in addressing discrete portions of the total risk environment. The Enterprise Risk Committee serves as the oversight body for this Total Risk Management approach - ensuring increased accountability and communication with the Board and the applicable Board Committees. The Committee uses the Committee forum to discuss key risks and their potential impact on corporation and the cross function structure to identify and respond to emerging risks. A brief overview of the activities of the other four risk pillars follows. Exhibit 2 Johnson Controls Total Risk Management Approach

Financial Risk Management Internal Audit The mission of Internal Audit at Johnson Controls is to provide independent and objective assurance on the control environment, reported financial information and advisory services designed to improve the Company s operations. Each year, the Internal Audit department undertakes a comprehensive exercise known as the Audit Risk Assessment ( Assessment ) to focus audit activities on the risks that matter most to the enterprise and to optimize the use of audit resources. The Assessment is designed to identify key business risks across the enterprise and serves as a foundational element to align the Internal Audit function with business activities. More specifically, the Assessment: Provides insight on the significant risks at the Company and links them to the relevant business processes; Efficiently captures insight on risk across the enterprise using a combination of web-enabled surveys, interviews and additional data points such as prior audit results and investigations; Helps the department to define opportunities for audit engagements and special projects; and Allows Internal Audit to identify relevant risks in the Company s Audit Risk Universe. Through the scope of audits and special projects, Internal Audit documents the relevant risks and works with each Business Unit, including Corporate, to focus on areas requiring further risk management or mitigation attention. Specific benefits and outcomes of this process include the following: Proactive identification and understanding of key business risks; Enhanced understanding of expectations from the Audit Committee and Executive Management, and a clearer communication of the audit plan; and Recommendations to improve the current risk management activities. The VP of Internal Audit and the VP of Corporate Planning meet regularly to discuss risk and risk management activities across the enterprise. Their increased communication is meant to ensure risk oversight and management coverage. Risk Committee minutes are shared with Internal Audit and ERM findings and activities are considered in building the current year s Audit Plan. Financial accounting and reporting The finance and reporting functions at Johnson Controls have completed their transition from a decentralized branch and plant level model to a large centralized regional business center (RBC) model. This transition will ensure we have adequate resources with standard processes and training which will

minimize the risk of errors. By the end of fiscal 2014, approximately 85% of our revenues were flowing through our four global RBCs (Milwaukee, Monterrey, Bratislava, and Dalian). Our global business services organization is now a corporate function and Michael Peterson continues to oversee the global RBC infrastructure and reports directly to Brian Stief. Centralization brings efficiency but it also brings its own unique risks. With such a large volume of critical activity flowing through a limited number of sites, business continuity and contingency planning becomes critical. Formal business continuity plans for each RBC have been developed, with live drills performed periodically in order to assess its performance and adequacy. The ultimate goal is to be able to seamlessly transition workflow from any RBC to another one in the event of a business interruption. Treasury and liquidity The mission of Treasury is to deliver, with unquestioned integrity, innovative, world class, Treasury services that support our global growth. Treasury is responsible for cash management, capital structure, financial risk management (derivatives and hedging), retirement plan funding and performance, customer finance. Treasury has developed and implemented guidelines, processes, and policies to manage its areas of responsibility. The Company's risk appetite statements for capital resources and liquidity are consistent with Treasury's guidelines, processes, and policies. Treasury actively monitors the Company's performance against such guidelines, processes, and policies and is regularly audited by the Company's external auditors and the internal audit department to ensure compliance. Additionally, Treasury regularly reports to the Finance Committee of the Board of Directors which oversees the Company's Treasury organization. Recently, Treasury successfully implemented a new Treasury Management System called Quantum, a universal internet banking platform called Trax which utilizes SwiftNet (replaces bank specific software platforms), and upgraded its commodity treasury system. Each of the systems significantly enhances the Company's compliance efforts, reduces currency exposure and risk and improves overall productivity. With respect to liquidity management, Treasury closely monitors current Johnson Controls requirements and global market conditions. Treasury utilizes a combination of committed bank revolvers and other lines of credit, capital market note and bond offerings, and cash management initiatives to ensure adequate liquidity and compliance with the Company's liquidity metrics. An example of a cash management initiative that enhances liquidity is Treasury's ongoing intra-month short-term borrowing reduction program which optimizes cash flows by matching global cash inflows and outflows as well as the implementation of various global supply chain financing programs which extend our accounts payable terms by allowing our suppliers to effectively factor our receivables at rates based on our credit rating.

Corporate Risk Management Insurance Johnson Controls Corporate Risk Management department resides within the company s Compliance organization. They are a key component of the Total Risk Management effort. The group is primarily responsible for managing the company s global Property and Casualty insurance programs. To support that effort, the Corporate Risk Management department oversees several programs that assist the company in identifying risks and implementing sustainable risk management solutions and programs to eliminate, reduce or mitigate the frequency and impact of those risks on the company s operations and financial statements. The Corporate Risk Management department is responsible for designing, placing and maintaining the company s global Property and Casualty insurance programs. These insurance programs include, but are not limited to, Property, Aviation, Workers Compensation, General Liability, Automobile Liability, Umbrella and Excess Liability, Professional Liability, Directors & Officers Liability, Fiduciary Liability, and Surety. In consultation with the Finance Committee, the CFO and Treasurer, Corporate Risk Management determines the amounts and types of insurance to be purchased including deductibles, retentions, limits, terms and conditions. The department also determines the structure of the company s global insurance programs and manages the company s captive insurance company. The Corporate Risk Management department, through its Regional Risk Management structure, works directly with the company s business units and senior management to provide risk management consulting and risk control services. The objective of this role is to proactively identify risks and implement solutions and programs to manage them before a loss occurs. This consulting includes risk identification and evaluation, contract review, loss prevention, crisis management and business continuity. The department is also responsible for the company s global property protection program. Johnson Controls is committed to the Highly Protected Risk (HPR) philosophy which strives to build and maintain the company s large and critical facilities to a higher standard of property protection to reduce the likelihood and impact of property loss. Corporate Risk Management oversees the delivery of property protection engineering services worldwide. This includes the establishment of property protection standards (based on the engineering standards of Factory Mutual), the selection and management of third party engineers, the oversight of new construction and renovations for property protection improvements, and the monitoring, tracking and resolution of outstanding property protection recommendations.

Health & Safety Reporting to the VP HR Employee & Labor Relations, the Corporate Health & Safety department, has oversight responsibility for the Company s global Health and Safety processes. Working with the Global Health & Safety Leadership Team, Global Manufacturing Operations Council (GMOC) and the Human Resources Leadership Team, the department sets the company s overall vision, strategy, standards and goals for the company s Health & Safety programs and processes. This includes the Health & Safety standards by which all Johnson Controls operations are required to comply. They consolidate and report on the company s Health & Safety metrics and performance while also managing the third party Health & Safety consultants, including those that conduct independent audits of our Health & Safety programs. Health and Safety is included in the GMOC to assist in raising the manufacturing capability by designing and following a single, common, distinctive and dynamic production system. Health and Safety is incorporated into the Johnson Controls Manufacturing System (JCMS) to deploy a health and safety maturity assessment model to facilitate health and safety culture improvement and mitigate or eliminate health and safety risks. Environmental, Health and Safety is implementing a global EHS IT software solution to update and modernize the current EHS technology platform to provide a foundation to transform JCI s current EHS management activities into a global integrated program that enables excellence in both EHS practices and business productivity in alignment with enterprise and GMOC priorities and vision. Enterprise Security Another key stakeholder in the company's risk management and mitigation program is Enterprise Security. Process driven and customer focused, the mission of Enterprise Security is to protect corporate assets (people, property & intellectual) through the implementation of appropriate risk based and business minded security and loss prevention tactics. Their responsibilities include providing thought leadership in the area of security operations, asset protection, executive protection, security investigations, brand protection, crisis management and business continuity planning. Enterprise Security provides many services and capabilities for risk mitigation including: subject matter expertise in the area of security; investigations and crisis management; and global risk assessment for company assets and high risk locations. They develop risk mitigation strategies, standardized security policy for protection planning, and training & awareness programs for our employees. They have built a robust travel security program, track global events that impact company assets and provide incident response via the new 24/7/365 Global Command Center.

Ethics & Compliance The Ethics and Compliance (E&C) function is another key pillar in our Total Risk Management Team. They have deployed an effective compliance program and robust governance structure to assist the business units in meeting their global regulatory and compliance requirements. The program is risk-based and tailored to fit the unique compliance risks of each business. The core of the Company s E&C program is based on the hallmarks of an effective compliance program as defined by the U.S. Federal Sentencing guidelines and includes the following key components: Communication Tone at the Top Risk Assessment Policies and Procedures Training and Education Helpline Vendor Master File Maintenance Third Party Due Diligence Investigation Support and Remediation Monitoring and Auditing Records Information Management Compliance Staffing Continuous Improvement The Compliance program s Governance Structure begins with oversight by the Company s Board of Directors, specifically with the Audit and Governance Committees. The Executive Compliance Council (ECC), which is led by the Company s CEO and the VP Compliance, is the body within the Company that is responsible for overall E&C program implementation and risk identification. The Corporate Compliance Team is charged with the day-to-day management of the E&C program. Within each Business Unit, and for the Company s Corporate Functions (Accounting, Finance, Tax, Legal, HR, IT, Communications, etc.), there is a BU (and Corporate Functions) Compliance Council and BU Compliance Management Team which guide program implementation, conduct risk identification, resolve compliance issues and monitor continuous improvement within each Business Unit. Each Compliance Council is support by a Program Management Office (PMO) which manages the day-to-day E&C activity within each Business Unit. Finally, each Business Unit maintains active Regional Compliance Councils (RCCs) which are supported by dedicated Geographic Program Leads (GPLs). The RCCs are where much of the E&C issues and risks are identified and addressed on an ongoing basis.

Compliance risks, including those for Corruption and Bribery, Anti-Competition, Trade Compliance, Data Privacy, Record Retention, Government Contracting, Federal Filings and Joint Ventures, are managed through the Compliance program and Governance Structure. Emerging Compliance risks are identified and evaluated for their potential impact on the company s legal position, financial performance and reputation. If needed, mitigation plans are developed and implemented to address these risks and to continuously improve the Company s E&C program. Total Risk Management in action The increased coordination and communication among the various risk functions provides many benefits. Emerging risk identification is probably the largest. The Enterprise Risk Committee has become the ideal forum for senior management to share information and increase visibility of emerging risks identified in a variety of functions and activities. The Committee is then in a position to quickly redirect attention and resources to address these new risks. ERM Program Overview This ERM program was designed to fit within the rhythm of our businesses. It is accomplished in a way that realizes real business value while providing the board the appropriate level of risk management information. The program is broad based, multi-faceted and continues to evolve to address the rapidly changing global business environment. The current program includes participation from senior leadership at each of the business units, corporate, and the Executive Operating Team (EOT). We continue to focus on Corporate Executive Board research that demonstrated that strategic risks pose a far greater threat and have had a far larger impact on corporate performance than more traditional audit related risks like fraud and compliance. For that reason, the Corporate Development Organization s Strategic Planning Group oversees and coordinates the ERM program at Johnson Controls. This CDO team works closely with the strategic planning functions in the business units to direct critical ERM activities. Even though strategic planning has the lead on ERM, the program has broad participation throughout the leadership ranks. In addition, regular benchmarking of the Fortune 500 has resulted in program changes and enhancements, including the addition of a formal executive level Risk Committee in January 2010 and the 2014 program restructuring described earlier. The Risk Committee provides C- suite leadership and regular attention on this important topic. The Committee oversees the ERM program and ensures increased accountability and communication with the Board and the applicable Board Committees.

ERM process steps Though the ERM process is a dynamic year-round activity, a new assessment phase commences every November, coinciding with the start of the strategic planning calendar. As the business units revisit their strategic plans, they assess the changing environment and perform a refresh of their bottoms up risk assessment. These risks are highlighted in their reviews with corporate and consolidated in their strategic plans. At the Enterprise level, the Risk Committee reviews the current enterprise risk universe, a collection of corporate-wide risks. This year s separation of the Business Unit and Enterprise Risks processes resulted in the consolidation of 106 risks in the 2013 program universe to 50 enterprise specific risks (see appendix A). The majority of the 50 risks came from the prior universe though several new risks were identified and many definitions were changed to address emerging issues and the change in focus to Enterprise-wide concerns. The next step in the process is to have the Executive Leadership Team (Top 100 executives) map each of the 50 risks. The mapping phase uses a Johnson Controls developed, web-hosted tool called the Risk Solutions Navigator. The tool evaluates each risk in four dimensions and maps them on a Navigator Board (Exhibit 3). The Enterprise Risk Committee reviews the mapping output and assesses whether the top 10 by formula are in fact the top 10 enterprise risks facing the corporation. The Committee has the option to modify the tool s output and report and manage the risks they feel present the largest threat. Exhibit 3 Risk Navigator Tool mapping dimensions

Once the Risk Committee and BUs have identified their respective top-down and bottoms-up risks, the Risk Committee reviews the final lists and provides additional perspectives and insight. The Risk Committee and BUs develop formal management / mitigation plans for each of their top Enterprise and BU risks. These mitigation roadmaps assign owners, identify specific actions and track ongoing progress. The corporation adopted a single page risk dashboard to track individual risk management / mitigation progress (Exhibits 4). The current Enterprise Risk list was only finalized on the 9 th of June and while Risk Committee members have been assigned responsibility for each of the ten risks, the dashboards are still under construction. Going forward, both the BU and Enterprise dashboards will be updated at least semi-annually, reviewed by the Risk Committee, and shared with the Board in the July Risk Narrative or by formal presentation. The strategic planning team in each business and at corporate will ensure that their risk management and mitigation plans are incorporated where appropriate in the BU and Enterprise strategic plans. Exhibit 4 Representative Automotive Experience s risk mitigation plan dashboard Every year, the top risks identified by the ERM bottoms-up and top-down processes are compared against the risks statements covered in our current 10K

report. The process confirms that the 10K risks are inclusive of the top risks identified in our ERM processes. The Risk Committee is responsible for reviewing the risk disclosures and updating or amending them as required based on risk process output or Committee discussion. Enterprise Risk Committee In January of 2010, the Johnson Controls Risk Committee was formed with high level leadership participation from the senior corporate staff and the business units (Exhibit 5). The Vice President of Corporate Strategy serves as the risk coordinator and committee secretary. He is responsible for coordinating the risk program and the Risk Committee meetings. A senior leader from each business unit serves as the risk leader for their business. This assignment is a leadership development step for each of these participants, one that gives each of them greater exposure to risks from across the corporation. The Risk Committee roles and responsibilities are summarized below. Exhibit 5 Johnson Controls Risk Committee members Johnson Controls Risk Committee Vice Chairman CFO General Counsel VP Human Resources VP/Chief Marketing Officer VP Corporate Strategy VP Legal & Compliance AE Representative BE Representative PS Representative Bruce McDonald Brian Stief Brian Cadwallader Simon Davis Kim Metcalf-Kupres Patrick Burns Brian Beeghly Jeff Williams Rod Rushing Jorge Guillen The Risk Committee assists the company s senior leadership and Board of Directors in fulfilling their responsibilities for oversight of the company s Total Risk Management programs. Responsibilities include: Development, deployment and monitoring of an Enterprise Risk Management process applicable to the company s operations worldwide

Review all information related to various risk identification processes at corporate and in the business units (ERM, Internal Audit, Legal & Compliance, etc) Use ERM mapping data and other inputs in a top-down process to identify the top ten Enterprise Risks facing the corporation. Assign responsibility to manage and mitigate these key risks and periodically assess progress throughout the year Raise and discuss potential risks that have been identified in other risk assessment forums like Internal Audit, Enterprise Security, Legal & Compliance, Insurance, etc. Maintain and periodically update the company s risk appetite framework quantifying risk appetite for 26 objectives in four key areas Identify emerging risks and threats both discrete and those created by aggregated and cascading risks - redirecting resources and focus if necessary Annually review the 10K Risk Factors and if necessary coordinate with the Disclosure Committee to report changes or updates in the 10Q Ensure regular reporting of program status to senior leadership and the Board of Directors to satisfy oversight responsibilities of the Board of Directors and its Committees Strategic Planning roles and responsibilities Corporate Strategic Planning works closely with the strategic planning functions in the business units and with the Enterprise Risk Committee to coordinate critical ERM activities. The BU strategy groups are responsible for supporting their individual risk representative. The strategic planning teams work with the BU President and his Executive Operating Team to identify in a bottoms-up fashion the top five risks to achieving the strategic plan. Management and mitigation plans are constructed to address each risk with specific actions assigned to key BU leaders. Progress is monitored on dashboards that are reported twice a year. The strategic planning teams also assist their risk representative in identifying emerging and competitive risks and ensure risks and risk mitigations are incorporated in strategic planning initiatives. Business Unit Risk Representatives roles and responsibilities The Business Unit Risk Committee member acts as the business unit representative to the Risk Committee. They use their senior position within the business unit to collect risk related information and emerging concerns. Their responsibilities include assisting in the creation of the BU top risk list, identifying "emerging" risks throughout the year and redirecting risk mitigation resources and attention as required. They work with the strategy leads to assess risk management / mitigation progress and they provide a two way communication channel for risk management issues between the business unit and the Risk Committee. Risk appetite

One of the most important tasks of the Risk Committee is the subject of risk appetite. Risk appetite is the amount of risk an entity is willing to accept in pursuit of value creation. Companies often consider risk appetite qualitatively, with such categories as high, moderate or low, or they may take a quantitative approach, reflecting and balancing goals for growth, return and risk. Risk appetite is directly related to an entity s strategy. It is considered in a strategy setting, where the desired return from a strategy should be aligned with the entity s risk appetite. Different strategies will expose the entity to different risks. Enterprise risk management, applied in a strategic setting, helps management select a strategy consistent with the entity s risk appetite. The approach to setting a risk appetite will largely depend on the type of risk. Easily quantifiable risks (e.g. market, financial, credit risk) naturally lend themselves for clear-cut risk thresholds that are relatively well defined. However, for less quantifiable risks the process of setting an appetite typically involved extensive discussions among senior management. A common mistake is to apply quantifiable metrics to setting risk appetites for risks involving a higher degree of subjectivity (e.g. regulatory risk, reputation risk). The end result should be a statement around the amount or degree of risk to be taken. In 2010, the Committee adopted a Risk Appetite Statement approach (thirty in all - in ten criteria areas) for Johnson Controls. That approach used these statements to communicate how Johnson Controls would assess risk appetite in relation to new investments and initiatives. Over the last several years, as the subject of risk appetite has evolved, new best-in-class benchmarks have emerged. In 2013, the Committee deployed a new Corporate Executive Board benchmark process that quantifies the level of risk and uncertainty the organization is willing to accept in relation to 26 key objectives in four areas: core; financial; operational; and strategic. Core areas like Ethics & Integrity or Reporting have the lowest possible appetite essentially never willing to accept uncertain outcomes or make trade-offs. Strategic risks in areas like innovation and emerging markets have substantially higher risk appetite scores related to the risk reward potential of the opportunities. This new process will be revisited periodically to assess actual performance versus target and modify target appetite if required. Risk universe network Emerging risk identification and monitoring risk management / mitigation are two other key roles of the Risk Committee. The Committee felt it was appropriate to continue to maintain a distributed pyramid structure to effectively monitor all 50 of our Enterprise Risks by assigning selected members of the Risk Committee a manageable number of risks that correspond to their area of responsibility. This network of leaders serves two main purposes: first as an earlier warning team to identify emerging risks throughout the year and second, as the primary people responsible to oversee the risk management / mitigation effort if one of their risks is identified as a top Enterprise Risk.

Other senior leaders that comprise the individual Executive Operating Teams of each of the business units provide input to their BU Risk Representative in advance of an upcoming Risk Committee meeting. The intent of the network is not to create a paper-work and reporting exercise but rather build a pyramid of distributed scanning / monitoring responsibilities that will create an informal conduit to identify and verbally share emerging enterprise risks, concerns and proposed actions. Every Risk Committee meeting will indirectly have input from over forty leaders. Risk topics and the calendar Since its inception, the Risk Committee has reviewed dozens of key risk topics to better understand the size and nature of potential risks that Johnson Controls is exposed to. This would include areas like Enterprise Security, Information Technology, Treasury, Environmental, and Cyber Security. At every meeting, time is set aside for a roundtable discussion of these and other emerging risks. The Enterprise Risk Committee communicates its activities, recommendations and risk management / mitigation status to the Executive Operating Team and Board of Directors through the publication of meeting minutes, an annual Risk Narrative and periodic formal presentations. Board of Directors Responsibility In 2010, the SEC issued a new rule (33-9089) requiring additional risk related disclosure requirements in the annual proxy statement including the Board s role in managing enterprise-wide risks. The regulation went into effect February 28, 2010 and focuses on disclosure of board measures to manage enterprise-wide risks, including policies related to risk identification, risk appetite, and management of risk/reward tradeoffs throughout the enterprise. The intent of the disclosure is to extend risk management responsibility beyond the C-suite and enhance risk management awareness for all employees. Key messages in the disclosure: Board of Directors has primary responsibility for overall risk oversight, including the Company s risk profile and management controls Board oversees the implementation of the Strategic Plan and the risks inherent in the operation of its businesses Company implemented an ERM program in 2008 to identify, assess, prioritize and manage risks across the Company Board endorsed an expansion of the ERM program in 2010 which included an executive level Risk Committee Risk Committee created and the Board reviewed a quantitative assessment of the Company s risk appetite related to 26 objective areas. Risk Committee reviews areas of risk within the BU operations, at the Enterprise level and identifies emerging risks and reports their findings on all three to the Board in Committee minutes and at regularly scheduled reviews.

Each of the Board committees is responsible for oversight of risk management practices for categories of top risks relevant to their functions as summarized in the proxy statement. While each of the four Board committees contributes to the risk management oversight function by assisting the Board, the Board itself remains responsible for the oversight of the Company s overall ERM program. As discussed, the Risk Committee communicates its activities, recommendations and risk management / mitigation status to the Executive Operating Team and Board of Directors through the publication of meeting minutes, the creation of an annual Risk Narrative and with periodic formal presentations. Summary The Board of Directors and the senior leadership team have embraced the importance of a robust corporate risk management program. The tone at the top has been clearly communicated and the corporation continues to develop a culture of prudent risk management. The creation of additional tools and the formation of a Risk Committee have greatly increased our ability to identify emerging risks, weigh appropriate risk appetite and improve the communication frequency and fidelity between corporate leadership and the Board of Directors (Exhibit 6). The Total Risk Management approach overseen by the Enterprise Risk Committee is being viewed as a best-in-class approach to enterprise risk management. The increased dialog and coordination across multiple functions has served to significantly improve our risk management effectiveness. The separation of the Business Unit and Enterprise Risk identification processes has allowed for a more focused effort and targeted mitigation activity in the BUs. In short, the right people are focused on addressing the right risks. Despite this good progress, we remain committed to our culture of continuous improvement. We will continue to search for new best-in-class approaches and better tools and processes to proactively identify, address and manage the risks that pose the greatest threat to Johnson Controls.

Exhibit 6 Johnson Controls ERM calendar and touch points

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information