
RISK MANAGEMENT

CONCEPTS GUIDE
AGENDA

• Design principles and end-state ERM.

• Manage risk component implementation.

• Identify and assess risks.

• Respond to and monitor risks.

• Address questions.

2
DESIGN PRINCIPLES OF END-STATE ERM

Component | Design Principles

Focus | All risks – strategic, operational, compliance and reporting – are covered.

Time Perspective | Both current and emerging risks are covered.

Responsibilities |
• Boards provide informed oversight.
• Executive management owns the overall process and ensures that key risks are managed across the enterprise.
• CROs (optional) facilitate and coordinate risk management.
• Individual managers are held accountable for managing risks.

Composition of Program |
• Consistent Processes: Define practices and language to consistently identify, manage and aggregate risks.
• Integration: Build from existing practices and inject risk management into critical management practices to enrich them; embed it into the way of doing business; and link risk management with opportunity pursuit/ROI (e.g., strategic planning, R&D, etc.). Also, integrate with performance management processes to create a more balanced view of results.
• Culture: Drive awareness of top risks through the organization via communication, training, linking to compensation and involving an informed board, with management and directors focused on similar issues, while being objective and transparent.
• Infrastructure: Build processes, systems and reporting only to the extent necessary.

3
RISK MANAGEMENT IMPLEMENTATION COMPONENTS

(Diagram: four implementation components, each expanded on the following slides.)

• Build Infrastructure: policy, roles and responsibilities, business unit metrics and reporting, executive and board reporting, consistent risk language and evaluation scales, integrated key systems.
• Design Risk Management Process: a cycle around Business Objectives and Strategies – identify current and emerging risks; assess and prioritize exposures by potential size and impact velocity; determine responses and implement an infrastructure to manage and control the risk; assign accountability to risk owners; report periodically to the CRO and executive committee against key metrics and action plans; monitor reports, action plans and corrective actions on an ongoing basis.
• Integrate With Management Processes: integration into key management activities that deal with risk, such as Strategic Planning, Emerging Markets Risk, Product Development, Ethics and Compliance, and others (R&D, Capital Expenditure, M&A, Crisis Management, etc.).
• Build and Drive Culture: see below.

Build and Drive Culture


Awareness and regular reporting of top risks are enhanced.
Risk ownership is assigned to management within the organization.
Enterprise risk is more explicitly considered and communicated in risk-taking activities.
Risk is objectively and transparently discussed.

4
DESIGN RISK MANAGEMENT PROCESS

(Diagram: a cycle of six activities around the central element "Business Objectives and Strategies".)

• Identify current and emerging risks linked to strategies and agreed-upon scenarios.
• Assess and prioritize potential risk exposures based on potential size and impact velocity.
• Determine responses and implement an infrastructure to manage and control the risk.
• Assign accountability for managing risks to risk owners.
• Provide periodic reporting to the CRO and executive committee against key metrics and action plans.
• Perform ongoing report, action plan and corrective action monitoring.

5
INTEGRATE WITH MANAGEMENT PROCESSES

Integration into key Management activities that deal with risk; e.g.
• Strategic Planning
• Emerging Markets Risk
• Product Development
• Ethics and Compliance
• Others:
− R&D
− Capital expenditure
− M&A
− Crisis Management

6
BUILD AND DRIVE CULTURE

• Enhanced awareness and regular top risk reporting exist.

• Risk ownership is assigned to management within the organization.

• Enterprise risk is more explicitly considered and communicated in risk-taking activities.

• Risk is objectively and transparently discussed.

7
BUILD INFRASTRUCTURE

• Develop a risk management policy.

• Integrate risk management concepts into current transactional and functional policies.

• Explicitly define roles and responsibilities.

• Develop business unit metrics and reporting.

• Ensure focused and insightful executive and board reporting.

• Use consistent risk language and evaluation scales.

• Integrate key systems.

8
RISK IDENTIFICATION
AND RISK ASSESSMENT
RISK MANAGEMENT VS. RISK OVERSIGHT

• The respective roles of management and the directors are different:

Risk Management: Risk management is what management does. It includes identifying, prioritizing, sourcing, managing and monitoring risk that is significant to the execution of the company’s strategic priorities and achievement of its business objectives and performance goals.

Risk Oversight: Risk oversight is the board’s process for determining that the company has a process in place for managing its significant risks and that that process is improved continuously as the business environment changes.

• The role of risk oversight is to enable the board to:


− Develop a mutual understanding with management regarding the obstacles and uncertainties the company
faces and key assumptions underlying its strategy and business model.
− Understand management’s choices in addressing these obstacles and uncertainties, recognizing that the
nature of these choices will vary according to the underlying characteristics of the risks.
− Provide timely advice on matters pertaining to risk and risk management.

10
KEY TERMS

Some you may have heard:

• Risk Appetite: Risk appetite is the maximum amount of risk an entity is willing to accept in pursuit of value.
− Example: What minimum level of return are we willing to accept to pursue our growth strategy? What is the
maximum level of capital we are willing to put at risk to invest in an emerging market?
• Risk Tolerance: Risk tolerance is the acceptable level of variation relative to achievement of a specific objective.
− Example: How much of an increase in steel prices are we willing to accept before we take significant action
(e.g., a price increase or alternative materials)?
• Risk Capacity: Risk capacity is the maximum impact an organization can absorb while maintaining sustainable
operations.
− Example: What is the minimum level of sales we can have before we fail?

11
FRAMING THE OVERALL ISSUE

(Chart: Total Exposure to Risk plotted against Time, starting from Today. Layers shown: Existing Risk Management Activities, Comprehensive Risk Management and Enhanced Risk, with horizontal lines for Risk Appetite and Risk Tolerance.)

12
IMPROVING OUR UNDERSTANDING OF THE RISK

(Chart: Frequency of events plotted against impact in $, with Risk Capacity marked. Three regions along the impact axis:
• Expected Impact: a high number of low impact events, absorbed by reserves on the balance sheet; the focus of day-to-day management.
• Unexpected Impact: events that exceed risk tolerance, absorbed by equity; the focus of risk management.
• Catastrophic Impact: potentially ruinous events that invoke risk management and response plans.)
13
IDENTIFYING RISK

(Diagram: the Design Risk Management Process cycle from slide 5, repeated. This slide covers the step "Identify current and emerging risks linked to strategies and agreed-upon scenarios.")
14
RISK MANAGEMENT FOCUSES ON ALL TYPES OF
RISK

• Current Risks: These are risks that the organization is facing, or has been known to face in the past, and
therefore could present themselves to the organization again.

• Emerging Risks: These are risks that the company has not faced previously but that could impact the organization
going forward.

• “Black Swan” Risks: These are risks that the company could face but does not know exist.

15
KEY CATEGORIES OF RISK

• Strategic: The risk that one or more future events invalidate fundamental assumptions underlying the
business strategy and management’s long-term outlook, or that the business model is not effectively
aligned with the strategy.

• Operational: The risk of one or more future events impairing the effectiveness of the business model for
creating value for customers and achieving the financial results expected to increase shareholder value.

• Financial: The risk that cash flows and financial risks are not managed cost-effectively to:
− Maximize cash availability.
− Reduce uncertainty of currency, interest rate, credit and other financial risks.
− Move cash funds quickly and without loss of value to wherever they are needed most.
• Compliance: The risk that noncompliance with laws, regulations and internal policies results in penalties,
fines, lost revenues and/or reputation loss.

16
ADDITIONAL THINGS TO CONSIDER

Risks have different characteristics and require different approaches to assessment and management.

• Speed to impact

• Time horizon

• Precision of measurement

• Upside or downside consequences

17
ASSESSING RISK

(Diagram: the Design Risk Management Process cycle from slide 5, repeated. This slide covers the step "Assess and prioritize potential risk exposures based on potential size and impact velocity.")
18
THINGS TO CONSIDER WHEN PRIORITIZING RISKS

Impact
• When determining the scale, it is important to consider:
− Financial loss
− Strategic impact
− Revenue targets
− Reputation
Likelihood
• Consider the time horizon in which it is reasonably expected that an event could occur that would trigger the
risk.
Persistence
• The time period over which the event is dealt with after an occurrence.
− Example: The lingering reputational impact of a major recall
Velocity
• Speed with which the full impact of the event is realized (i.e., required reaction time).
− Example: Sudden change in exchange rates vs. a chronic warranty issue causing customer
dissatisfaction
Response Readiness
• The organization’s preparedness to manage/respond to an event or a series of events (including
contingency plans).
− Example: Product recall or terrorist incident

19
HOW DO WE KNOW WHAT IS MOST IMPORTANT?

Risk Prioritization

(Heat map: Likelihood on the horizontal axis and Impact on the vertical axis, each in three bands, with risks A to J plotted as points. Cell ratings, from lowest to highest likelihood:
• High impact row: Moderate to High / High / Very High
• Middle impact row: Moderate / Moderate to High / High
• Low impact row: Low / Low to Moderate / Moderate

Legend: A Liquidity; B Capital Availability; C Reputation; D Competitor; E Equipment Reliability; F Environment; G Regulatory/Compliance; H Knowledge Capital: Training; I Health and Safety; J Raw Material Sourcing.)

20
RESPONDING TO AND
MONITORING RISKS
DETERMINING RISK RESPONSE

(Diagram: the Design Risk Management Process cycle from slide 5, repeated. This slide covers the step "Determine responses and implement an infrastructure to manage and control the risk.")
22
RISK MANAGEMENT TECHNIQUES

Avoid
Eliminate risk by preventing exposure to future possible events from occurring.
• Divest • Prohibit • Stop • Target • Screen • Eliminate

Accept
Maintain the risk at its current level.
• Retain • Self-Insure • Re-Price • Offset

Reduce
Implement policies and procedures to lower the risk to an acceptable level.
• Disperse • Control • Respond • Redesign • Diminish • Isolate • Test • Improve • Relocate • Diversify

Transfer
Shift the risk to a financially capable, independent counterparty.
• Insure • Reinsure • Hedge • Transfer • Outsource • Securitize • Indemnify

23
ELEMENTS OF MANAGEMENT AND CONTROL
INFRASTRUCTURE

The six elements of infrastructure form a framework that can be used to identify the components that influence the
operating and control environment (this includes the concept of multiple lines of defense).

Key elements of infrastructure must be linked by design:

• Business Policies
• Business Processes
• People and Organization
• Management Reports
• Methodologies
• Systems and Data

Risk if an element is deficient:

• Business Processes: Processes do not carry out established policies or achieve the intended result.
• People and Organization: People lack the knowledge and experience to perform processes.
• Management Reports: Reports do not provide information for effective management.
• Methodologies: Methodologies do not adequately analyze data and information.
• Systems and Data: Information is not available for analysis and reporting.

24
ENTERPRISE APPROACH VS. SILO THINKING

The goal of this group is to avoid silo thinking and help bridge
the gaps between the functions and the regions.

25
ASSIGNING ACCOUNTABILITY

(Diagram: the Design Risk Management Process cycle from slide 5, repeated. This slide covers the step "Assign accountability for managing risks to risk owners.")
26
RISK OWNERSHIP

• Responsibilities, authorities and accountabilities are defined and articulated clearly so that an individual,
a group or a designated unit is accountable for managing each critical enterprise risk. The accountable
individual, group or unit is considered the “risk owner.”
• The risk owners have the responsibility, authority and accountability to manage the risk.
• Risk owners, at a minimum, must:
− Decide on the risk responses.
− Design the capabilities for managing the risks in accordance with the selected risk response.
− Monitor these capabilities over time to make sure they perform as intended. If gaps are noted, they fix
them on a timely basis.
• Risk owners may elect to outsource the responsibility to build and execute capabilities but that does not
compromise their ownership of the risk.
• The executive committee is responsible for ensuring that appropriate risk owners are designated for each
critical risk and monitor risk owner performance over time.

27
REPORTING AND ON-GOING MONITORING

(Diagram: the Design Risk Management Process cycle from slide 5, repeated. This slide covers the steps "Provide periodic reporting to the CRO and executive committee against key metrics and action plans" and "Perform ongoing report, action plan and corrective action monitoring.")
28
DEFINING METRICS THAT MATTER

• Key performance indicators (KPIs) and key risk indicators (KRIs) should converge to form a single basket of key metrics (KMs).
• KMs are measures of performance developed to monitor progress toward the achievement of strategy, mitigation of risks and the ultimate creation of value for stakeholders.

(Diagram: Sources feed Outcomes.
• Lead Indicators (Sources): Organizational Culture, Performance Incentive, Equipment Maintenance, Project Management.
• Lag Indicators (Outcomes): EH&S, Equipment Reliability, Reputation.)

29
MONITOR AND EVALUATE RESULTS

• Reviewing key metrics gives the company the ability to measure the rate of progress it is making toward its strategic
objectives and the mitigation of its critical risks and also includes an ongoing evaluation of risk responses.
• This process determines the effectiveness of integrated business plans and the ultimate creation of value within the
enterprise’s appetite for risk and established strategic boundaries.
Perspective / KPI | Trend | Status | Period Actual | Period Target | Variance | Variance Percentage

Profitable Growth
Intrinsic Value Creation | | | $X | $X | ($X) | -X%
EBIT Margin | | | X% | X% | X% | X%
Combined Ratio | | | X% | X% | X% | X%

Capital Protection
Return on Equity | | | X% | X% | X% | X%
xRoCe | | | X% | X% | -X% | -X%

Lean Organization
Expense Ratio | | | X% | X% | -X% | -X%

Motivated Employees
Retention | | | X% | X% | X% | X%

Preferred Business Partner
AM Best Rating | | | A+ | A+ | 0% | 0%
Partner Satisfaction | | | X | X | (X) | -X%

30
ENTERPRISE RISK PRIORITIZATION SCALES

Level | Financial Loss ($) | Strategic Impact | Revenue | Reputation

Very High | | Catastrophic impact on company’s ability to meet strategic goals or execute priority initiatives | Catastrophic impact on company’s ability to hit revenue targets | Catastrophic impact on corporate or brand reputation

High | | Significant impact on company’s ability to meet strategic goals or execute priority initiatives | Significant impact on company’s ability to hit revenue targets | Significant impact on corporate or brand reputation

Medium | | Moderate impact on company’s ability to meet strategic goals or execute priority initiatives | Moderate impact on company’s ability to hit revenue targets | Moderate impact on corporate or brand reputation

Low | | Low impact on company’s ability to meet strategic goals or execute priority initiatives | Low impact on company’s ability to hit revenue targets | Low impact on corporate or brand reputation

Very Low | | Minimal impact on company’s ability to meet strategic goals or execute priority initiatives | Minimal impact on company’s ability to hit revenue targets | Minimal impact on corporate or brand reputation

31
RISK PRIORITIZATION SCALES

Level | Likelihood | Velocity | Persistence

Very High | Greater than 90% probability that the risk event will occur within the next three years | Major impacts of a risk event will affect the company in less than two weeks | Impacts of a risk event will continue to develop and impact the company over three years

High | 65%-90% probability that the risk event will occur within the next three years | Major impacts of a risk event will affect the company in between two to four weeks | Impacts of a risk event will continue to develop and impact the company over the next one to three years

Medium | 35%-65% probability that the risk event will occur within the next three years | Major impacts of a risk event will affect the company in between one to three months | Impacts of a risk event will continue to develop and impact the company over the next six to twelve months

Low | 10%-35% probability that the risk event will occur within the next three years | Major impacts of a risk event will affect the company in between three to six months | Impacts of a risk event will continue to develop and impact the company over the next three to six months

Very Low | Less than 10% probability that the risk event will occur within the next three years | Major impacts of a risk event will affect the company in over six months | Impacts of a risk event will continue to develop and impact the company over the next three months or less

Unknown | Risks with time horizons greater than three years | N/A | N/A
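The scales on slides 31 and 32 and the heat map on slide 20 together define a scoring procedure, and a risk register is easiest to keep consistent when that procedure is written down as code. The block below is an added example, not material from the deck or its authors: it bands constructed numeric inputs into the deck's five likelihood, velocity and persistence levels, looks up the slide 20 heat-map rating, and orders the register. Assumptions it makes that the deck does not state: a month is 30 days, the lower bound of each probability band is inclusive, the five-point impact and likelihood scales are folded onto the three bands of the heat map (Very Low/Low, Medium, High/Very High), and risks with a horizon beyond three years are kept at the bottom of the list as "Unknown" rather than dropped. The register entries reuse the slide 20 legend names but every figure in them is invented.

```python
"""Added example (not from the deck): score a constructed risk register with the
prioritization scales on slides 20, 31 and 32. Level names are the deck's; the
numeric cut-offs follow slide 32, with one month taken as 30 days (assumption)."""
from dataclasses import dataclass
from typing import List, Optional

LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]
RATING_ORDER = ["Low", "Low to Moderate", "Moderate",
                "Moderate to High", "High", "Very High"]

# Slide 20 heat map, read as (impact band, likelihood band) -> rating.
HEAT_MAP = {
    ("high", "low"): "Moderate to High", ("high", "medium"): "High",
    ("high", "high"): "Very High",
    ("medium", "low"): "Moderate", ("medium", "medium"): "Moderate to High",
    ("medium", "high"): "High",
    ("low", "low"): "Low", ("low", "medium"): "Low to Moderate",
    ("low", "high"): "Moderate",
}


@dataclass
class Risk:
    name: str
    owner: str                  # each critical risk has a named risk owner (slide 27)
    impact: str                 # one of LEVELS, rated on the slide 31 impact scale
    prob_3y: Optional[float]    # probability the event occurs within three years
    horizon_years: float        # beyond three years the likelihood is "Unknown"
    days_to_major_impact: int   # velocity input
    months_of_persistence: int  # persistence input


def likelihood_level(prob_3y: Optional[float], horizon_years: float) -> str:
    """Slide 32 likelihood bands; lower bounds are taken as inclusive (assumption)."""
    if horizon_years > 3.0:
        return "Unknown"        # slide 32: horizons beyond three years are not rated
    if prob_3y is None or not 0.0 <= prob_3y <= 1.0:
        raise ValueError("probability within three years must be in [0, 1]")
    if prob_3y > 0.90:
        return "Very High"
    if prob_3y >= 0.65:
        return "High"
    if prob_3y >= 0.35:
        return "Medium"
    if prob_3y >= 0.10:
        return "Low"
    return "Very Low"


def velocity_level(days: int) -> str:
    """Slide 32 velocity bands: time until the major impacts are felt."""
    if days < 14:
        return "Very High"
    if days <= 28:
        return "High"
    if days <= 90:
        return "Medium"
    if days <= 180:
        return "Low"
    return "Very Low"


def persistence_level(months: int) -> str:
    """Slide 32 persistence bands: how long the impacts keep developing."""
    if months > 36:
        return "Very High"
    if months > 12:
        return "High"
    if months > 6:
        return "Medium"
    if months > 3:
        return "Low"
    return "Very Low"


def collapse(level: str) -> str:
    """Assumption: fold the five-point scale onto the three bands of the slide 20 grid."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    return {"Very Low": "low", "Low": "low", "Medium": "medium",
            "High": "high", "Very High": "high"}[level]


def heat_map_rating(impact: str, likelihood: str) -> str:
    if likelihood == "Unknown":
        return "Unknown"
    return HEAT_MAP[(collapse(impact), collapse(likelihood))]


def score_register(register: List[Risk]) -> List[dict]:
    """Rate every risk, then order by heat-map rating, velocity (fastest first) and
    persistence. Unknown-likelihood risks sort last but stay on the register: they
    still need an owner and a review date rather than silently dropping off."""
    rows = []
    for r in register:
        lk = likelihood_level(r.prob_3y, r.horizon_years)
        rows.append({"name": r.name, "owner": r.owner, "impact": r.impact,
                     "likelihood": lk,
                     "velocity": velocity_level(r.days_to_major_impact),
                     "persistence": persistence_level(r.months_of_persistence),
                     "rating": heat_map_rating(r.impact, lk)})

    def sort_key(row: dict):
        rank = RATING_ORDER.index(row["rating"]) if row["rating"] != "Unknown" else -1
        return (rank, LEVELS.index(row["velocity"]), LEVELS.index(row["persistence"]))

    return sorted(rows, key=sort_key, reverse=True)


# Constructed sample register using slide 20 legend names; every figure is invented.
SAMPLE_REGISTER = [
    Risk("Liquidity", "CFO", "Very High", 0.20, 3, 7, 4),
    Risk("Regulatory/Compliance", "General Counsel", "High", 0.70, 3, 60, 18),
    Risk("Equipment Reliability", "VP Operations", "Medium", 0.95, 3, 10, 2),
    Risk("Raw Material Sourcing", "VP Procurement", "Low", 0.50, 3, 120, 8),
    Risk("Emerging Markets Risk", "Head of Strategy", "High", None, 5, 200, 40),
]

if __name__ == "__main__":
    for row in score_register(SAMPLE_REGISTER):
        print(f"{row['rating']:<17} {row['name']:<24} owner={row['owner']} "
              f"likelihood={row['likelihood']} velocity={row['velocity']}")
```

Velocity is used only as a tie-breaker within a rating because the deck's heat map is built from impact and likelihood alone; teams that want velocity to promote a risk between cells should say so explicitly in their scoring policy rather than leave it to whoever fills in the register. The band boundaries are where two people rating the same risk will disagree, so they are the part worth agreeing on and writing down first.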

32
