ERM: The Next Step in the Evolution of Business Management

Similar documents
Guiding Principles for Implementing Enterprise Risk Management (ERM)

Deriving Value from ORSA. Board Perspective

How To Learn About An Enterprise Risk Management

THE ROLE OF FINANCE AND ACCOUNTING IN ENTERPRISE RISK MANAGEMENT

Zurich s approach to Enterprise Risk Management. John Scott Chief Risk Officer Zurich Global Corporate

Principles for An. Effective Risk Appetite Framework

Stochastic Analysis of Long-Term Multiple-Decrement Contracts

How to Develop Successful Enterprise Risk and Vendor Management Programs

University of St. Gallen Law School Law and Economics Research Paper Series. Working Paper No June 2007

Remarks by. Carolyn G. DuChene Deputy Comptroller Operational Risk. at the

Much attention has been focused recently on enterprise risk management (ERM),

Risk Based Internal Auditing & Enterprise Risk

Tying It All Together: Practical ERM Integration. Richard Scanlon Vice President Enterprise Risk Management CIGNA Corporation

Placing a Value on Enterprise Risk Management ADVISORY

ERM from a Small Insurance Company Perspective

Featured article: Evaluating the Cost of Longevity in Variable Annuity Living Benefits

Operational Risk Management - The Next Frontier The Risk Management Association (RMA)

Effective risk management

How To Manage Risk

2/22/2011. Agenda. Managing Emerging Risks --- An Oxymoron? Emerging Risk Definition. Emerging Risk Management Basics. Active Risk Management

A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000

Guidance Note: Corporate Governance - Board of Directors. March Ce document est aussi disponible en français.

OCC 98-3 OCC BULLETIN

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK

Enterprise Risk Management

The Role of the Board in Enterprise Risk Management

Solvency Management in Life Insurance The company s perspective

Enterprise Risk Management: From Theory to Practice

How To Integrate Hr

FlyntGroup.com. Enterprise Risk Management and Business Impact Analysis: Understanding, Treating and Monitoring Risk

ENTERPRISE RISK MANAGEMENT BENCHMARK REVIEW: 2013 UPDATE

How ERM programs evolve

Table Of Contents. iii

QUANTITATIVE MODEL FOR INFORMATION SECURITY RISK MANAGEMENT

Practical Issues Relating to Setting Up a Hedging Program

Modelling and Management of Tail Risk in Insurance

Scenario Analysis Principles and Practices in the Insurance Industry

Operational Risk An Enterprise Risk Management Presentation

Enterprise Risk Management

PEI: New Strategies for Risk Management in Private Equity

The task of Orava s risk management is also to support in adapting to the changes in business and risk environment.

Risks and uncertainties

How To Audit A Company

Policy : Enterprise Risk Management Policy

Cybersecurity The role of Internal Audit

ERM Learning Objectives

OWN RISK AND SOLVENCY ASSESSMENT AND ENTERPRISE RISK MANAGEMENT

Enterprise Risk Management Quantification An Opportunity

Risk Assessment & Enterprise Risk Management

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Three

Subject ST9 Enterprise Risk Management Syllabus

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

Risk Management and Solutions to the Current Financial Crisis

Mergers & Acquisitions A snapshot Change the way you think about tomorrow s deals * Stay ahead of the new accounting and reporting standards for M&A

Adding Value Through Risk and Capital Management

Hand IN Hand: Balanced Scorecards

Substantive Requirements for a Registered Investment Adviser under the U.S. Investment Advisers Act of 1940

Enterprise Risk Management (ERM) for Smaller Insurance Companies

Insurance as Operational Risk Management Tool

Society of Actuaries in Ireland

Translating to the language of payers

Enterprise Risk Management & Information Technology

Enterprise-Wide Risk Assessment

Principal risks and uncertainties

Accenture Risk Management. Industry Report. Life Sciences

Corporate Portfolio Management

A Risk Management Standard

ENTERPRISE RISK MANAGEMENT FOR BANKS

Operational Risk Management Program Version 1.0 October 2013

1. This Prudential Standard is made under paragraph 230A(1)(a) of the Life Insurance Act 1995 (the Act).

Risk appetite in the financial services industry A requisite for risk management today

THE GOVERNANCE OF RISK MANAGEMENT. Session 5

Dataline A look at current financial reporting issue

CRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data

Chapter 11 Building Information Systems and and Managing Projects

Actuarial Risk Management

Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

Morgan Stanley Reports Fourth Quarter and Full Year 2015:

Enterprise Risk Management in a Highly Uncertain World. A Presentation to the Government-University- Industry Research Roundtable June 20, 2012

2015 Report on the Current State of Enterprise Risk Oversight:

CHAPTER 17 DIVISIONAL PERFORMANCE EVALUATION

Since the 1990s, accountability in higher education has

GAINING CONTROL: Building Your Existing Framework into an ERM Model

SCOR Papers. Using Capital Allocation to Steer the Portfolio towards Profitability. Abstract. September 2008 N 1

Enterprise Risk Management (ERM): In Action. January Co-presented by: Michael Yip, Marsh Risk Consulting Norma Essary, DFW International Airport

Measuring Continuity Planning Program. Performance

Governance and Risk Management in the Public Sector. Fernando A. Fernandez Inter-American Development Bank (202)

Dealing with Predictable Irrationality. Actuarial Ideas to Strengthen Global Financial Risk Management. At a macro or systemic level:

The Upside of Risk: Enterprise Risk Management and Public Real Estate Companies

Transcription:

ERM: The Next Step in the Evolution of Business Management Sim Segal, FSA, CERA, MAAA Adjunct Professor Columbia Business School Decision, Risk & Operations Shanghai Jiao Tong University EMBAs Asia-Pacific Development Society, Columbia University April 22, 2010

Agenda Drivers of ERM adoption ERM challenges Defining risk Defining ERM ERM approaches ERM and the financial crisis Appendices Contact information 2

Drivers of ERM adoption Events Accounting fraud (e.g. Enron) September 11 th H1N1 pandemic Financial crisis Stakeholders Rating agency scrutiny SEC Feb 2010 disclosure rule Other Technology Increased risk savvy 3

ERM challenges Confusion over what ERM is Providers jumping into the market, portraying traditional risk-related products and services as ERM o Consultants o Auditors o Insurance brokers o Technology firms Full promise of ERM still not realized Best practices not yet widely identified 4

Defining risk Uncertainty Is anything 100% certain? Death and taxes? Includes upside volatility A bit unusual, but important for our purposes (all volatility impacts a company s value, e.g., discount rate of future free cash flows) Deviation from expected Not just loss but loss above and beyond expected loss in Strategic Plan 5

DEFINING ERM 6

Basic definition of ERM The process by which companies identify, measure, manage and disclose all key risks to increase value to stakeholders 7

ERM 10 key criteria 1) Enterprise-wide all areas in scope 2) All risk categories financial, operational & strategic 3) Key risks only not hundreds of risks 4) Integrated captures interactivity of 2+ risks 5) Aggregated enterprise-level risk exposure/appetite 6) Decision-making not just risk reporting 7) Risk-return mgmt mitigation plus risk exploitation 8) Risk disclosures integrates ERM information 9) Value impacts includes enterprise value metrics 10) Primary stakeholder not rating agency-driven 8

ERM process cycle Risk Identification Risk Messaging Risk Quantification Risk Decision- Making 9

Benefits of ERM Shareholders Board of directors C-Suite Management Rating agencies Regulators Increased likelihood company achieves strategy Enhanced risk disclosures Assurance key risks well understood / managed Compliance with SEC Feb 2010 disclosure rule Better stakeholder communications Higher stock price Stronger rating Tools to manage exposure within appetite Better risk-return decisions Prospective information for better credit risk assessment Lower systemic risk 10

ERM APPROACHES 11

Obstacles in traditional ERM frameworks 1) Quantifying operational and strategic risks 2) Defining risk appetite 3) Integrating ERM into decision-making 12

Value-Based ERM Framework 30 29 9 8 25 31 10 21 12 34 19 4 1 14 2 7 24 32 33 35 27 23 18 28 6 13 15 16 22 26 3 20 17 5 11 Risk Appetite All Risks Strategy Qualitative Assessment Severity Likelihood Scenario Development Key Risk Scenarios Mostly Objective Risk Mgmt Tactics Correlation Value Impact Likelihood ERM Committee Enterprise Risk Exposure X Enterprise Value FINANCIAL Market Credit STRATEGIC Strategy Execution OPERATIONAL HR Key Risks Mostly Subjective 1+ events / sim 1 event / sim ERM Model Baseline Value ΔValue Pain Point Likelihood ΔValue -10% 15% ΔValue -20% 3% Individual Risk Exposures Enterprise Value Impact IT Risk 1 Process Legislatiion Risk Loss of Critical EEs M&A Risk Execution Risk International Risk 1 Loss of Key Supplier Loss of Key Distributor IT Risk 2 International Risk 2 Union Negotiations Competitor Risk 1 Consumer Relations Risk 0.0% -5.0% -10.0% -15.0% -20.0% -25.0% Identification Quantification Decision-Making

1) Quantifying operational and strategic risks Traditional Approach Value-based Approach Method 1: Qualitative Method 2: Industry data Method 3: Risk capital Cannot support decision-making Often unavailable or inappropriate Understates risk Arbitrary / often directionally incorrect Quantifies impact to value / supports decision-making Company/situation-specific Fully quantifies risk impacts Risk-based See Appendix 1: Examples of operational and strategic risks 14

ILLUSTRATIVE EXAMPLE Developing risk scenarios: FMEA 1) Identify interviewees - Those closest to the risk - Usually 1 or 2 risk experts 2) Develop risk scenario - Begin with credible worst case - Select specific scenario and think it through 3) Assign likelihood 4) Quantify - Determine impacts on free cash flow Risk: Legislation Risk Attendees: xxx, xxx, xxx Scenario 1: Legislation passes reducing business opportunity in certain markets Likelihood: 5% Financial impact: Revenue impact o 50% loss of planned revenues in market A 1 st year: -$2.5M 2 nd year: -$2.6M etc. o 100% loss of planned revenues in market B 1 st year: -$1.0M 2 nd year: -$1.1M etc. Expense impact o Reduction in workforce -10% of salary and related benefits +$100K severance costs 15

Modified case study: Quantifying individual risk exposures on enterprise value basis Modified Case Study Individual Risk Quantification Enterprise Value Impact IT Risk 1 Legislatiion Risk Loss of Critical EEs M&A Risk Execution Risk International Risk 1 Loss of Key Supplier Loss of Key Distributor IT Risk 2 International Risk 2 Union Negotiations Competitor Risk 1 Consumer Relations Risk 0.0% -5.0% -10.0% -15.0% -20.0% -25.0% 16

Modified case study: Quantifying individual risk exposures on multiple bases Modified Case Study Risk Δ Enterprise Value Δ Revenue Growth Δ EPS Growth 1 IT Risk 1-23.0% -5.3% -7.4% 2 Legislation Risk -19.0% -17.0% 5.9% 3 Loss of Critical EEs -14.5% -8.9% -9.5% 4 M&A Risk -8.7% 0.0% -3.7% 5 Execution Risk -7.9% -1.1% -4.1% 6 International Risk 1-5.8% -1.8% -4.0% 7 Loss of Key Supplier -5.5% -0.9% -3.3% 8 Loss of Key Distributor -4.4% -2.7% -2.2% 9 IT Risk 2-3.0% 0.0% -1.4% 10 International Risk 2-2.8% -2.0% -1.7% 11 Union Negotiations -2.0% -1.3% -1.0% 12 Competitor Risk 1-2.0% -1.8% -0.8% 13 Consumer Relations Risk -1.5% -1.2% -0.5% 17

Case studies: Quantifying impact to value supports decision-making Case Studies A) Technology External attack B) Human resources Critical employees C) Fraud Money Laundering D) Supplier Disruption E) Technology Data Privacy F) Strategy Strategic Planning Process 18

Case study A Technology External attack Sector Event Quantification Management action(s) Lessons Financial services External attack through unprotected wireless device leading to numerous impacts on systems, data and customers Ranked as #3 risk by value impact Primary driver found to be customer privacy data violation Make two immediate decisions: 1) Identified and secured PCs with customer data 2) Purged ex-customer data, cutting exposure in half Value metric leads to decision-making Attribution focuses mitigation opportunities 19

Case study B Human Resources Critical employees Sector Event Quantification Management actions(s) Lessons Insurance Plane crash results in death of some top salespeople, sales managers and executives Attribution identified sales managers as primary driver Decision to strengthen adherence to company policy limiting concentration of key employees on flights, particularly for sales managers Value metric superior to traditional capital metric, which does not rank this risk properly Attribution focuses mitigation opportunities 20

Case study C Fraud Money Laundering Sector Situation Event Quantification Management actions(s) Lessons Insurance Decision needed on whether to resume AML spending Money laundering violation with fines and criminal prosecutions Destroys approximately half the company s value Immediate decision to continue AML spending Quantification exercise adds value, despite approximate nature of inputs Value metric leads to decision-making 21

Case study D Supplier Disruption Sector Event Quantification Management actions(s) Lessons Chemical manufacturer Sole source supplier facility destroyed by fire Ranked as #1 risk by value impact 100% destruction of minor product line Market share loss in major product line, some permanent Immediate decision to qualify backup supplier Value metric fully quantifies impact, including future years FMEA process translates and shares experts knowledge 22

Case study E Technology Data Privacy Sector Situation Event Quantification Management actions(s) Lessons Telecommunications Rapid decision needed on response to customer request to guarantee data privacy Multiple scenarios under each of three decision options Produced within required short time frame ERM information helped management arrive at their decision Value-based ERM model can be modified and run rapidly, making it practical to include in decision-making process Value metric is the language of business decision-makers 23

Case study F Strategy Strategic Planning Process Sector Event Quantification Management actions(s) Lessons Technology Strategic plan process is unrealistic, and 4 elements of the plan are not achieved 20% drop in enterprise value from baseline valuation Attribution identified which of the 4 elements most impactful Realized source of bias, vis-à-vis stock options Focused attention on achieving most impactful elements Value metric is relatable to existing business metrics Attribution focuses mitigation opportunities 24

2) Defining risk appetite Traditional Approach Value-Based Approach Metrics Multiple, competing metrics Single, unifying metrics Trade-off decisions between exposures? Aggregated enterprise risk exposure? Ability to set risk limits by cascading downward? X X X 25

Enterprise risk exposure pain points are used to define risk appetite ILLUSTRATIVE EXAMPLE Likelihood What is it now? What do we want it to be? -10% Enterprise Value Pain Point Likelihood ΔValue -10% 15% Likelihood? ΔValue -20% 3%? Likelihood -20% Enterprise Value Current exposure (calculated) Target exposure (defined by ERM Committee) RISK APPETITE 26

Modified case study: Other key metrics supplement enterprise value metrics Modified Case Study Pain Point Decrease in enterprise value of more than 10% Likelihood 15% Ratings downgrade one level 7% Falling short of Planned revenue growth by more than 200 basis points Falling short of Planned earnings by more than 2 per share 11% 10% 27

3) Integrating ERM into decision-making Traditional Approach Value-Based Approach Do metrics support decision-making? NO Not for operational or strategic risks Only risk, not return YES Metrics for all risks ΔValue = rigorous business case Do ERM models work? NO Complex Increases risk Too many inputs Slow run time Violates significant digits rule YES Practical balance Robust enough for decisions Nimble enough for speed and changes Apples-to-apples math Is there buy-in from business units? NO Corporate-driven Compliance-oriented YES Business unit input Corporate for consistency Supports business unit goals/initiatives 28

Case study insurance company Enhanced business segment buy-in / risk culture Baseline scenario exercise Risk scenario development exercises Board sees ERM as management decision-making tool S&P upgraded company s rating Ability to quantify diversification benefits Robust ERM program generally ERM goals into long-term bonus pool formula ERM drove decision to increase strategic planning frequency from annual to quarterly 29

ERM is more than risk management Rather than the next step in risk management, ERM is the next step in business management 30

ERM AND THE FINANCIAL CRISIS 31

ERM 10 key criteria 1) Enterprise-wide all areas in scope 2) All risk categories financial, operational & strategic 3) Key risks only not hundreds of risks 4) Integrated captures interactivity of 2+ risks 5) Aggregated enterprise-level risk exposure/appetite 6) Decision-making not just risk reporting 7) Risk-return mgmt mitigation plus risk exploitation 8) Risk disclosures integrates ERM information 9) Value impacts includes enterprise value metrics 10) Primary stakeholder not rating agency-driven 32

X X X X X X X X ERM 10 key criteria banking scorecard 1) Enterprise-wide golden boys out of scope 2) All risk categories overly-focused on financial 3) Key risks only 4) Integrated silo management / measurement 5) Aggregated no aggregate enterprise-level metrics 6) Decision-making 7) Risk-return mgmt metrics only support mitigation 8) Risk disclosures inappropriate even post-event 9) Value impacts only capital metrics 10) Primary stakeholder focus on ratings / regulators 33

ERM process cycle Risk Identification Risk Messaging Risk Quantification Risk Decision- Making 34

ERM process cycle banking scorecard Incentive compensation does not adjust for risk exposure X Risk Messaging Poor performance X Risk Identification Risk Decision- Making X Lack of focus on non-financial risks Risk Quantification X Poor risk exposure metrics and poor model assumptions 35

Value-Based ERM Framework 30 29 9 8 25 31 10 21 12 34 19 4 1 14 2 7 24 32 33 35 27 23 18 28 6 13 15 16 22 26 3 20 17 5 11 Risk Appetite All Risks Strategy Qualitative Assessment Severity Likelihood Scenario Development Key Risk Scenarios Mostly Objective Risk Mgmt Tactics Correlation Value Impact Likelihood ERM Committee Enterprise Risk Exposure X Enterprise Value FINANCIAL Market Credit STRATEGIC Strategy Execution OPERATIONAL HR Key Risks Mostly Subjective 1+ events / sim 1 event / sim ERM Model Baseline Value ΔValue Pain Point Likelihood ΔValue -10% 15% ΔValue -20% 3% Individual Risk Exposures Enterprise Value Impact IT Risk 1 Process Legislatiion Risk Loss of Critical EEs M&A Risk Execution Risk International Risk 1 Loss of Key Supplier Loss of Key Distributor IT Risk 2 International Risk 2 Union Negotiations Competitor Risk 1 Consumer Relations Risk 0.0% -5.0% -10.0% -15.0% -20.0% -25.0% Identification Quantification Decision-Making

30 29 9 8 25 31 10 21 12 34 19 4 1 14 2 7 24 32 33 35 27 23 18 28 6 13 15 16 22 26 3 20 17 5 11 Value-Based ERM Framework banking scorecard Qualitative Assessment 1) Risks not defined by source All Risks FINANCIAL Market Credit STRATEGIC Strategy Execution OPERATIONAL HR Process 1 Identification Strategy Severity Likelihood Quantification Key Risks Decision-Making Scenario Development Key Risk Scenarios Mostly Objective 3) Not analyzing multiple risks occurring together 2) Not using discrete scenarios for nonfinancial risks 2 Mostly Subjective Risk Mgmt Tactics 5) Overly complex correlations 3 1+ events / sim 1 event / sim 4 Correlation 5 ERM Model Baseline Value ΔValue 4) Not measuring/reporting risk on pre-mitigation basis 6 7) Lack of enterprise value metrics 10 10) No definition of risk appetite 6) Poor model assumptions Value Impact Likelihood Risk Appetite ERM Committee 9) No calculation of enterprise risk exposure 9 Enterprise Risk Exposure 8 X Enterprise Value Pain Point Likelihood 8) VaR metric hides ΔValue -10% 15% exposure beyond tail ΔValue -20% 3% Individual Risk Exposures IT Risk 1 Legislatiion Risk Loss of Critical EEs M&A Risk 7 Execution Risk International Risk 1 Loss of Key Supplier Loss of Key Distributor IT Risk 2 International Risk 2 Union Negotiations Competitor Risk 1 Consumer Relations Risk Enterprise Value Impact 0.0% -5.0% -10.0% -15.0% -20.0% -25.0%

Some actions to prevent another crisis Require companies to implement ERM, in a robust manner Require incentive compensation plans to reflect risk exposure (SEC rule) Require enhanced risk disclosures, including free cash flow projection Baseline scenario (strategic plan) / key risk scenarios (defined by management )/ standard risk scenarios (defined by regulators) Investors apply their own discount rates, and compare scenarios cross-sector Replace capital requirements with pooled risk charges Capital not there when needed anyway (must replace or be downgraded) Government guarantee protects rating during rehab period to rebuild capital Employ ERM principles at the country level (e.g., concentration risks) Firms too large to fail (e.g., banks, auto companies) / supplier concentration (e.g., energy) / oligopolies (e.g., rating agencies, monoline insurers) Employ ERM principles at the retail level (e.g., financial planning) Holistic view of risks and solutions for individuals/families 38

APPENDICES 39

Appendix 1: Examples of operational and strategic risks Operational HR risk (e.g., critical employees) Technology (e.g., data security) Disasters (e.g., pandemic) Etc. Strategic Strategy (e.g., wrong product set chosen) Execution (e.g., poor integration of acquisitions) Competitor (e.g., unexpected innovation by competitor) Supplier (e.g., sudden change in supplier capacity) External relations (e.g., negative publicity) Etc. 40

Contact information Sim Segal, FSA, CERA, MAAA Adjunct Professor Columbia Business School Decision, Risk & Operations (917) 699-3373 Mobile ss3866@columbia.edu 41

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information