ERM Application Case Studies
Enterprise Risk Management

ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress.

By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.

(Diagram: ERM Framework cycle of Risk Identification, Risk Assessment, Risk Analysis, Implementation, Monitoring and Evaluation.)
Difference Between GRC & ERM

Governance, Risk and Compliance (GRC) embraces compliance as a separate activity for each business silo.

Enterprise Risk Management (ERM) is concerned with delivering measurable business value by tying front-line operational activities to goals across all business units.
Burden of Compliance Suppresses Risk-Taking Activities

Many organizations believe that they must continue to eliminate risk through compliance.

Risk has not been eradicated by regulation; instead it has been driven underground.

Risk-taking activities are not bad if an organization has established its risk appetite and risk tolerance levels and has the proper risk controls in place.
Risk Appetite and Risk Tolerance

Risk Appetite is the manner in which an organization and its stakeholders collectively perceive, assess and treat risk.

Risk Tolerance requires a company to consider in quantitative terms exactly how much of its capital it is prepared to put at risk.
ERM Is Used for Risk Optimization

Considering both the upside and downside outcomes of risk-taking activities.

When threats and opportunities are better understood, risk taking is optimized and managers, in turn, will make more informed business decisions.

Improved decision making enables an organization to quickly meet emerging marketplace challenges.
Six Step Approach to ERM

1. Risk Identification
2. Risk Assessment
3. Risk Analysis
4. Implementation
5. Monitoring
6. Evaluation

(Diagram: the six steps arranged as a cycle.)
1. Risk Identification

The process of taking inventory of all risks in an organization and defining the potential risk event, the causes of that risk event, and the potential outcome if that risk event were to occur.

Focus not only on hazard or operational risks, but also on strategic, financial, reputational, compliance, environmental, human capital and technology, market, and supply chain risks.
Scope of Risk Identification

Define where the source of a potential risk event is coming from: inside or outside the organization. Establishing risk categories helps to identify the sources of a risk event.

(Diagram: Risk Categories: Strategic, Operational, Financial, Other.)
Strategic Risk Categories

Innovation Risk, Customer Risk, R&D Risk, Market Risk, Supply Chain Risk, Partnering Risk, Investor Risk, Planning Risk, Brand Risk.
Operational Risk Categories

Financial Reporting Risk, Governance Risk, Regulatory and Legal Risk, Fraud Risk, Sustainability Risk, Emerging Risk, Communication Risk, Technology Risk, Human Capital Risk, Hazard Risk.
Financial Risk Categories

Financial Market Risk, Valuation Risk, Credit Risk, Hedging Risk, Liquidity Risk, Inflation Risk, Interest Risk, Foreign Investment Risk, Asset Risk.
Other Risk Categories

Reputational Risk, Investment Risk, Environmental Risk, Third Party Risk, Project Risk, Economic Risk.
Identify Subcategories

Hazard Risk: safety risk of increased slips, trips and falls accidents occurring in the organization.
Operational Risk: human capital risk that 25% of the workforce is eligible for retirement in the next 5 years.
Financial Risk: credit risk that 35% of commercial loans will default in the third quarter.
Strategic Risk: the sole supplier of a raw material has been acquired by a competitor.
Existing & Emerging Risk

Look not only at existing risks, but also at the emerging risks to the organization.

What new business processes have been added to the organization?
What changes have been made in the organizational chart?
What are some external risks that could impact the organization, such as economic, environmental, societal, geopolitical, and technological risks?
Know Where You Stand

Meet with senior management to define the strategic goals of your organization.
Review the mission and vision statements of the organization.
Define the expectations of internal and external stakeholders.
Don't Be Conflicted

GlaxoSmithKline: a study in conflicting strategic goals

One of GSK's strategic goals was to sell safe and effective prescription medication. Another goal was to increase profitability by outsourcing manufacturing to other parts of the world. This conflict caused the quality control of manufacturing to suffer.

Case in point: the Cidra plant in Puerto Rico made 20 drugs under unhealthy conditions that led to a $750 million FDA fine.
Next Steps

Identify the risk management objectives to support the strategic goals of the organization.
Review the risk policy of the organization.
Create a SWOT analysis (Strengths, Weaknesses, Opportunities, and Threats) reviewing the internal and external context of the organization.

SWOT Analysis

(Diagram: SWOT matrix.)
Risk Identification Activities

Brainstorming: can effectively generate lots of ideas of potential risk scenarios that could take place.

Structured Interviews: use a risk survey or questionnaire to ask specific questions related to different types of potential risk events facing a particular risk owner or risk center.

Top Down / Bottom Up Approach.
Establish Risk Criteria

External and internal parameters for managing risk in an organization:

Determine critical risks in the organization.
Prioritize the critical risks from greatest to least.
Risk centers assigned to a risk owner.
Responsibilities of the risk owner.
UC's ERM Work Plan

University of California has developed an ERM Work Plan for its employees. Within the context of the campus/medical centers' mission, the management team establishes strategic goals, selects strategy and aligns ERM objectives to the strategic plan. The enterprise risk management framework is geared to achieving objectives in four categories:

Strategic: high-level goals, aligned with and supporting their mission.
Operations: effective and efficient use of their resources.
Reporting: reliability of reporting.
Compliance: compliance with applicable laws and regulations.
Key Performance Indicators (KPI)

% of customer attrition
% of employee turnover
Rejection rate
Mean time to repair IT problems
Customer order waiting time
Profitability of customers by demographic segments
Key Risk Indicators (KRIs)

KRIs are leading indicators of risk to business performance. They give us an early warning to identify a potential event that may harm continuity of the activity/project.

% of suppliers with no business continuity management
% of mission-critical recovery plans not exercised in the last 12 months
% turnover of mission-critical IT personnel
% of mission-critical business processes with a backup/recovery architecture
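As an added example (not part of the deck, and not code from any organization it cites), the four KRIs above computed from a constructed inventory in Python. The supplier, plan and headcount records, the 365-day exercise window, the previous-period values and the green/amber/red thresholds are all assumptions made for illustration; the point is that a KRI only works as a leading indicator once it has a threshold tied to risk appetite and a direction of travel against the previous period.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Supplier:
    name: str
    has_bcm: bool                    # business continuity management program in place


@dataclass
class RecoveryPlan:
    process: str
    mission_critical: bool
    last_exercised: Optional[date]   # None = never exercised
    has_backup_architecture: bool


def pct(part: float, whole: float) -> float:
    return 0.0 if whole == 0 else round(100.0 * part / whole, 2)


def kri_suppliers_without_bcm(suppliers: list[Supplier]) -> float:
    return pct(sum(not s.has_bcm for s in suppliers), len(suppliers))


def kri_plans_not_exercised(plans: list[RecoveryPlan], as_of: date, window_days: int = 365) -> float:
    """Share of mission-critical plans with no exercise inside the window (12 months ~ 365 days)."""
    cutoff = as_of - timedelta(days=window_days)
    critical = [p for p in plans if p.mission_critical]
    stale = [p for p in critical if p.last_exercised is None or p.last_exercised < cutoff]
    return pct(len(stale), len(critical))


def kri_it_turnover(headcount_start: int, departures: int) -> float:
    return pct(departures, headcount_start)


def kri_processes_with_backup(plans: list[RecoveryPlan]) -> float:
    critical = [p for p in plans if p.mission_critical]
    return pct(sum(p.has_backup_architecture for p in critical), len(critical))


# name -> (amber, red, higher_is_worse). Assumed thresholds; in practice they come
# from the organization's stated risk appetite and tolerance.
THRESHOLDS = {
    "suppliers_without_bcm_pct": (20.0, 40.0, True),
    "plans_not_exercised_pct": (10.0, 25.0, True),
    "it_turnover_pct": (10.0, 20.0, True),
    "processes_with_backup_pct": (95.0, 80.0, False),
}


def rate(name: str, value: float) -> str:
    amber, red, higher_is_worse = THRESHOLDS[name]
    if higher_is_worse:
        return "red" if value >= red else "amber" if value >= amber else "green"
    return "red" if value < red else "amber" if value < amber else "green"


def trend(name: str, current: float, previous: float) -> str:
    """A leading indicator is read by direction as well as level."""
    if current == previous:
        return "flat"
    worse = current > previous if THRESHOLDS[name][2] else current < previous
    return "worsening" if worse else "improving"


def kri_report(suppliers, plans, headcount_start, departures, as_of, previous):
    """name -> (value, rating, trend) for the four KRIs on the slide."""
    values = {
        "suppliers_without_bcm_pct": kri_suppliers_without_bcm(suppliers),
        "plans_not_exercised_pct": kri_plans_not_exercised(plans, as_of),
        "it_turnover_pct": kri_it_turnover(headcount_start, departures),
        "processes_with_backup_pct": kri_processes_with_backup(plans),
    }
    return {n: (v, rate(n, v), trend(n, v, previous[n])) for n, v in values.items()}


def sample_report():
    """Constructed data: five suppliers, four plans, an IT team of 20 with 3 leavers."""
    suppliers = [Supplier("Acme Metals", True), Supplier("Bolt & Co", False),
                 Supplier("Cargo Lines", True), Supplier("Delta Plastics", False),
                 Supplier("Echo Logistics", True)]
    plans = [
        RecoveryPlan("payments", True, date(2024, 1, 15), True),
        RecoveryPlan("payroll", True, None, True),
        RecoveryPlan("crm", True, date(2022, 11, 1), False),
        RecoveryPlan("intranet", False, None, False),
    ]
    previous = {"suppliers_without_bcm_pct": 30.0, "plans_not_exercised_pct": 50.0,
                "it_turnover_pct": 15.0, "processes_with_backup_pct": 60.0}
    return kri_report(suppliers, plans, 20, 3, date(2024, 6, 1), previous)
```

Two indicators come out red and worsening even though the backup-architecture coverage is improving, which is the kind of split a dashboard should surface rather than average away.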
Supply Chain Disruption

Some sources of risk are not directly under the control of the organization, but are a part of their supply chain.

March 11, 2011: a massive tsunami devastated the coastline of Japan. GM, which might have had a competitive advantage over its Japanese competitors, had a transmission for its Chevy Volt that was manufactured in Japan.
Cascading Effects

Business is interrupted.
Loss of employees.
Quality and productivity go down.
Competitor takes market share due to business interruption.
Tools and Techniques

Personal inspections
Interview subject matter experts
Flowcharts
Financial statements
Conduct HAZOP and what-if scenarios
Loss histories
Define business or process drivers of the organization
Questionnaire & risk survey
Review what is said about your organization on social media networks
Create A Risk Register

Identify a potential risk event.
Categorize the risk event.
Identify potential causes.
What is the financial impact?
Determine the likelihood.
Determine the consequences.
Assign a risk owner.
Risk treatment.
Date to review the risk.

Sample Risk Register

(Image: sample risk register.)

Sample Risk Heat Map

(Image: sample risk heat map.)

Risk Tornado Diagram

(Image: risk tornado diagram.)
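The register fields above, scored on a 5x5 likelihood-by-consequence scale and turned into a prioritized list, a heat-map grid, a tornado ranking and a list of overdue reviews, as an added Python example. This is not the presenter's sample register (those slides are images): the scales, the probability assumed for each likelihood band, the rating bands and the four constructed entries are this example's own assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Assumed 5-point scales and bands; the deck's sample register and heat map are
# images, so everything numeric here is this example's own convention.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Assumed probability represented by each likelihood band, for expected-loss estimates.
BAND_PROBABILITY = {1: 0.05, 2: 0.15, 3: 0.35, 4: 0.65, 5: 0.90}


@dataclass
class RiskEntry:
    """One row of the register: the fields the slide lists for each risk event."""
    event: str
    category: str
    causes: list[str]
    impact_low: float       # low estimate of the loss if the event occurs (USD)
    impact_high: float      # high estimate
    likelihood: str
    consequence: str
    owner: str
    treatment: str
    review_date: date

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    def rating(self) -> str:
        s = self.score()
        return "critical" if s >= 15 else "high" if s >= 10 else "medium" if s >= 5 else "low"

    def expected_loss(self) -> float:
        midpoint = (self.impact_low + self.impact_high) / 2
        return BAND_PROBABILITY[LIKELIHOOD[self.likelihood]] * midpoint

    def swing(self) -> float:
        """Width of the impact range; a tornado diagram orders its bars by this."""
        return self.impact_high - self.impact_low


def prioritize(register: list[RiskEntry]) -> list[RiskEntry]:
    """Greatest to least: by heat-map score, then expected loss as the tie-breaker."""
    return sorted(register, key=lambda r: (r.score(), r.expected_loss()), reverse=True)


def heat_map(register: list[RiskEntry]) -> dict:
    """Cell (likelihood, consequence) -> events plotted in that cell."""
    grid = {}
    for r in register:
        grid.setdefault((LIKELIHOOD[r.likelihood], CONSEQUENCE[r.consequence]), []).append(r.event)
    return grid


def tornado(register: list[RiskEntry]) -> list[tuple[str, float, float]]:
    """(event, low, high) ordered widest swing first, as a tornado diagram is drawn."""
    return [(r.event, r.impact_low, r.impact_high)
            for r in sorted(register, key=lambda r: r.swing(), reverse=True)]


def reviews_due(register: list[RiskEntry], as_of: date) -> list[str]:
    return [r.event for r in register if r.review_date <= as_of]


def sample_register() -> list[RiskEntry]:
    """Constructed entries, loosely based on the subcategory examples earlier in the deck."""
    return [
        RiskEntry("Sole supplier of raw material acquired by competitor", "strategic",
                  ["single-sourced input", "no qualified second supplier"],
                  2_000_000, 8_000_000, "possible", "major", "VP Supply Chain",
                  "qualify a second supplier", date(2024, 6, 30)),
        RiskEntry("Ransomware halts order processing", "technology",
                  ["unpatched edge device", "flat network", "no tested restores"],
                  1_000_000, 12_000_000, "likely", "severe", "CISO",
                  "segment network; exercise restores quarterly", date(2024, 9, 30)),
        RiskEntry("25% of workforce retirement-eligible within 5 years", "human capital",
                  ["ageing workforce", "no succession plan"],
                  500_000, 2_000_000, "almost certain", "moderate", "CHRO",
                  "succession planning", date(2024, 12, 31)),
        RiskEntry("Slips, trips and falls on the shop floor", "hazard",
                  ["wet floors", "poor lighting"],
                  50_000, 300_000, "likely", "minor", "Plant Manager",
                  "housekeeping audits", date(2024, 3, 31)),
    ]
```

Note that the heat-map score and the tornado order disagree on the middle entries: the retirement risk scores higher but the supplier risk has the wider financial swing, which is why both views are kept rather than one.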
2. Risk Assessment

Risk Assessment is a process to determine the cause of the risk event, the risk event itself, and the impact and the velocity of the risk event.

Qualitative Assessment: recognizes the source of the risk event.
Quantitative Assessment: measures the value of the impact.
Root Cause Analysis: finds the root cause of a potential risk event.
Causes of Risk

Three basic causes:

Physical causes: a tangible or material item failed in some way. Example: brakes stop working on a car.
Human causes: people did something wrong or did not do something required. Example: no one checked the condition of the brakes.
Organizational causes: a system, process or policy that people use to make decisions in doing their work is faulty. Example: no procedure for checking the maintenance of the cars.
Root Cause Analysis Methods

The 5-Whys
Management Oversight and Risk Tree
Barrier Analysis
Fault Tree Analysis
Change Analysis
Failure Mode Effect Analysis
Pareto Analysis
Fish-Bone Diagram or Ishikawa Diagram
Causal Factor Tree Analysis
Fault Tree Analysis

Very useful in examining the possible conditions that may lead to a desired or undesired event.

The top event will be placed at the top of the tree and all subsequent events that lead to the main event will be placed as branches.

Symbols provide a pictorial representation of the event and how it interacts with other events on the tree.
Example Fault Tree

(Image: example fault tree.)

Qualitative Analysis Risk


Assessment

Positive Fault Tree Negative Fault Tree


Analysis Analysis
Will identify the events Constructed to show those
necessary to achieve a top events or conditions that will
desired event for example no lead to a top undesired risk
accident in manufacturing event such as a fire in the
facility manufacturing facility
Quantitative Analysis

When the likelihood of an event is known and a probability value has been assigned, then analysis of these events on a fault tree will also yield quantitative results.

Financial impact can be added to each stage of the Fault Tree Analysis.

Risk correlation can be demonstrated.
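An added Python example of the quantitative step, not taken from the deck's example slide: basic-event probabilities propagated through AND/OR gates to a top-event probability, a financial impact attached to each stage, and a Birnbaum importance ranking showing which basic event the top event is most sensitive to. The tree (a fire in a manufacturing facility, echoing the negative fault tree on the previous slide) and every number and cost in it are constructed for illustration. The gate arithmetic assumes the basic events are independent; a common cause shared by two basic events breaks that assumption, which is the risk correlation point the slide raises.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Node:
    """A fault-tree node: a basic event (gate=None) or an AND/OR gate over its children."""
    name: str
    gate: str | None = None
    probability: float = 0.0          # used only for basic events
    children: list[Node] = field(default_factory=list)
    cost: float = 0.0                 # financial impact incurred if this stage occurs (assumed)


def prob(node: Node, override: dict | None = None) -> float:
    """Probability of the event at `node`, assuming independent basic events.
    `override` forces named basic events to a probability (used for importance)."""
    override = override or {}
    if node.gate is None:
        return override.get(node.name, node.probability)
    ps = [prob(c, override) for c in node.children]
    if node.gate == "AND":                     # all inputs must occur
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.gate == "OR":                      # any input suffices
        none_occur = 1.0
        for p in ps:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate {node.gate!r}")


def expected_cost(node: Node) -> float:
    """Sum over the tree of (probability a stage occurs) x (cost attached to that stage)."""
    return prob(node) * node.cost + sum(expected_cost(c) for c in node.children)


def basic_events(node: Node):
    if node.gate is None:
        yield node
    for c in node.children:
        yield from basic_events(c)


def birnbaum_importance(root: Node) -> list[tuple[str, float]]:
    """P(top | event certain) - P(top | event impossible) for each basic event.
    Largest first: the events whose control reduces the top-event probability most."""
    scores = [(e.name, prob(root, {e.name: 1.0}) - prob(root, {e.name: 0.0}))
              for e in basic_events(root)]
    return sorted(scores, key=lambda s: s[1], reverse=True)


def example_tree() -> Node:
    """Constructed numbers; basic-event names must be unique for the overrides to work."""
    return Node("Fire in manufacturing facility", "OR", cost=5_000_000, children=[
        Node("Electrical fire", "AND", cost=100_000, children=[
            Node("Wiring fault", probability=0.02),
            Node("Breaker fails to trip", probability=0.10),
        ]),
        Node("Flammable spill ignites", "AND", cost=20_000, children=[
            Node("Solvent spill", probability=0.05),
            Node("Ignition source present", probability=0.20),
        ]),
    ])
```

The ranking is not the same as sorting basic events by their own probability: the solvent spill (5%) outranks the breaker failure (10%) because it sits in the branch that contributes most to the top event.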


State of Washington's Nine Step Approach to Root Cause Analysis

1. Verify the incident and define the problem.
2. Map a timeline of events.
3. Identify critical events.
4. Analyze the critical events, cause and impact.
5. Identify root causes.
6. Support each root cause with evidence.
7. Identify and select the best solutions.
8. Develop recommendations.
9. Track implementation of solutions.
3. Risk Analysis

Understand risk aggregation and risk correlation in an organization's risk portfolio.
Determine the interrelationship of risk exposures to a potential risk event.
Formulate the best risk strategies for the organization from risk assessments.
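Risk aggregation and correlation as an added Python example (not from the deck, and not DHS's or anyone else's model): the exact loss distribution of a small constructed portfolio, first with every risk independent and then with a common cause linking two of them while leaving each risk's own probability unchanged. The portfolio, the common-cause rate q and the 7 million loss threshold are assumptions for illustration.

```python
from itertools import product

# Constructed portfolio: (name, annual probability of occurrence, loss in USD if it occurs).
PORTFOLIO = [
    ("Key supplier disruption", 0.10, 4_000_000),
    ("Ransomware outage", 0.05, 6_000_000),
    ("Data center flood", 0.02, 3_000_000),
]


def loss_distribution(risks, shared=(), q=0.0):
    """Exact probability distribution of total annual loss (total -> probability).

    With q == 0 every risk is independent. With q > 0 a common cause (say, a regional
    disaster) fires with probability q and then every risk in `shared` occurs with
    certainty; otherwise the shared risks keep a reduced probability chosen so that each
    risk's marginal probability is unchanged. Same marginals, different joint behaviour:
    that is exactly what risk correlation changes in an aggregated portfolio."""
    shared = set(shared)
    dist = {}
    driver_states = ((0, 1 - q), (1, q)) if q > 0 else ((0, 1.0),)
    for driver, p_driver in driver_states:
        for outcome in product((0, 1), repeat=len(risks)):
            p, total = p_driver, 0
            for (name, marginal, loss), occurred in zip(risks, outcome):
                if name in shared and q > 0:
                    if marginal < q:
                        raise ValueError(f"{name}: marginal {marginal} below common-cause rate {q}")
                    cond = 1.0 if driver else (marginal - q) / (1 - q)
                else:
                    cond = marginal
                p *= cond if occurred else 1 - cond
                total += loss if occurred else 0
            if p:
                dist[total] = dist.get(total, 0.0) + p
    return dist


def expected_loss(dist):
    return sum(t * p for t, p in dist.items())


def tail_probability(dist, threshold):
    """P(total loss >= threshold)."""
    return sum(p for t, p in dist.items() if t >= threshold)


def value_at_risk(dist, confidence=0.99):
    """Smallest loss L such that P(total <= L) >= confidence."""
    cumulative = 0.0
    for total in sorted(dist):
        cumulative += dist[total]
        if cumulative >= confidence:
            return total
    return max(dist)


def compare(threshold=7_000_000, shared=("Key supplier disruption", "Data center flood"), q=0.01):
    """Side by side: the same portfolio aggregated with and without the common cause."""
    independent = loss_distribution(PORTFOLIO)
    correlated = loss_distribution(PORTFOLIO, shared, q)
    return {
        "expected_independent": expected_loss(independent),
        "expected_correlated": expected_loss(correlated),
        "tail_independent": tail_probability(independent, threshold),
        "tail_correlated": tail_probability(correlated, threshold),
        "var99_independent": value_at_risk(independent),
        "var99_correlated": value_at_risk(correlated),
    }
```

The expected loss is identical in both runs, because each risk's own probability was preserved; what the correlation changes is the tail, where the chance of losing 7 million or more roughly doubles and the 99% value at risk moves up a step. Averaging risks one at a time hides exactly that effect.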
Department of Homeland Security

DHS plays a leadership role in the Nation's unified effort to manage risk, working across the homeland security enterprise, which includes Federal, state, local, tribal, territorial, non-governmental and private sector entities.

As part of the analysis in their ERM program, DHS used an integrated risk management structure to share risk information and analysis.

The goal of using an integrated risk management structure is to be able to work with its partners to address uncertainty inherent in their complex mission space, and help make the tough decisions necessary to keep the nation resilient and secure with limited resources.
DHS Analysis Tools

DHS uses Influence Diagrams to analyze the interrelationships and interdependencies of risks across the enterprise.

DHS uses analytic tools like RAPID (Risk Assessment Process for Informed Decision-Making) to manage risks associated with their strategic goals.
Value of Data Analysis to DHS

Data analysis allows for more transparent and defensible decisions.
Contextualizes homeland security threats, showing which are the most likely and which have the highest impact.
Helps prioritization decisions among terrorism, natural disasters, cyber, pandemics, and border security hazards.
Provides a performance measure for programs across the homeland security mission space.
Identifies opportunities for reducing risk exposures of potential risk events.
Allows for understanding of the impact of combined risk exposures taking place at the same time.
4. Implementation

Implementation: incorporating an ERM structure, practices, and strategies to fulfill the goals of the organization.

ERM framework
Risk controls
Risk champions and risk centers
Risk communication structure
Crisis management protocol
Business continuity
ERM Frameworks

COSO II: the focus is to establish ERM goals as part of the strategic management process. It does not dive into the details of risk management approaches and processes, but addresses threats to the organization and the need for proper controls.

ISO 31000: rooted in risk management principles and designed to provide an organized methodology to evaluate risk exposures and react to the environment.
Risk Controls

Management is responsible for implementing appropriate controls to reduce risk and to achieve operational objectives.

Some areas for risk controls: IT systems; financial & operations; property & assets; safety & liability.
Risk Champions and Risk Centers

Risk Champions: accountable for ensuring accuracy within their department or business unit around the identification, assessment, management and monitoring of risk. They are the eyes and ears of risk information for the risk manager who is in charge of assessing risk across the enterprise. Not necessarily responsible for performing the actual risk management activities.

Risk Center: a department or unit within the organization charged with the risk exposures that are related to their duties and responsibilities.
Intuit Case Study

"When we talk about growth strategies for the company, we talk deliberately about both risks and opportunities." Janet Nasburg, Chief Risk Officer at Intuit

The CRO and ERM program office have ownership and accountability for Intuit's ERM program and drive Intuit's ERM capabilities.

Ownership and accountability for identified risks are shared by executive and business unit level leaders.

Risk communication is not only to report progress, but also so that business units can share and leverage risk knowledge.
Risk Communication Structure

Simple system state: the event can be resolved through routine decisions.
Complicated system state: the event is more difficult to resolve than in a simple system, but it is not unusual.
Complex system state: the event is unusual, and potentially critical to the organization.
Chaotic system state: the event is a dramatic, unforeseen situation that threatens the organization's survival.
Crisis Management

Risk communication becomes a key component in surviving a crisis situation.

Messages to all stakeholders must be clear, address the pressing issues and engage all the stakeholders to be diligent in plans of recovery.

Communication must demonstrate that senior management is committed to maintaining an environment of transparency in its decision making.
Elements of Continuity Plan

Statement of objectives, resources needed and potential failure points
Recovery time objectives, acceptable level of functioning
Tasks and activities required
Structure to support the plan
Procedures and processes
Supporting documentation and information
Description of personnel duties and responsibilities
Description of interdependencies among the various departments
5. Monitoring

Monitoring involves communication of risk both upstream and downstream across the organization. It includes periodic reporting and follow-up on the risks by various levels of management, risk committees, and internal auditors.

KPIs and KRIs are a valuable way to monitor key risks linked to improved cash flows and earnings.
Tools Used for Monitoring

Spreadsheets: like risk registers.
Balanced Scorecards: capture the company's strategy by Customer, Internal Processes, Innovation and Learning, and Financial perspectives.
Dashboards: pictorial reporting of risks.
Governance Risk and Compliance Software: focus on audit and compliance.
Enterprise Risk Management Software: ERM focus on software solutions.

Critical Risk: Mitigation Plan

(Image: critical risk mitigation plan.)
Case Study: Walmart

Developed KPI and KRI metrics incorporated in a balanced scorecard.
Metrics used to track performance on risk and to determine the company's progress in managing the risk.
Walmart also uses these metrics to determine the value added by the ERM process.
6. Evaluation

Ascertaining the strengths and weaknesses of the ERM program with regard to the organization's strategic goals.

(Diagram: Evaluation covers Risk Optimization / Value Creation, Return on Investment, and ERM's Role in Governance.)
Risk Optimization

Balance between taking on too much risk and not taking on enough risk to explore opportunities for growth.
Explore various risk-return outcomes.
Evaluate risk controls in place and decide the best use of financial resources to provide needed protection.
Cost of Risk

Case Study: University of California

Each year University of California holds an Annual ERM Summit focused on their continuous effort in improving their ERM program by reducing their Cost of Risk.

Since the 2003-2004 fiscal year, they have reduced Cost of Risk by $493 million.

Reduced the Cost of Risk from $18.46 per $1,000 of operating budget to $13.31 per $1,000 of operating budget.
Risk Governance

Guidance principles for board risk oversight, from the National Association of Corporate Directors report, Risk Governance: Balancing Risk and Reward:

Key drivers of success and risks in the company's strategy
Crafting the right relationship between the board and its standing committees as to risk oversight
Establishing and providing appropriate resources to support risk management systems
Monitoring potential risks in the company's culture and incentive systems
Developing an effective risk dialogue with management
Executive Risk Committee

The Executive Risk Committee provides the Board of Directors with:

A structure that provides the board with the appropriate information that defines the firm's risk profile.
A system that provides an audit of the effectiveness of the risk management process.
A system that affords an evolving understanding of key risks to the company.

"Boards are now finally asking management about the nature of the risk information process in place. Boards want to gather information about new or emerging risks and the extent to which these risks require a more in-depth analysis. This is being done to ensure future opportunities and threats to the company's performance are appropriately managed." John Bugalla, James Kallman, Chris Mandel and Kristina Narvaez in The Corporate Board
Thank you. Questions?

Presented by Kristina Narvaez, President & CEO, ERM Strategies
www.erm-strategies.com
