Risk Management Concepts Guide
AGENDA
• Address questions.
DESIGN PRINCIPLES OF END-STATE ERM
Focus: All risks – strategic, operational, compliance and reporting – are covered.
Composition of Program:
• Consistent Processes: Define practices and language to consistently identify, manage and aggregate risks.
• Integration: Build from existing practices and inject risk management into critical management practices to enrich them; embed into the way of doing business; and link risk management with opportunity pursuit/ROI (e.g., strategic planning, R&D, etc.). Also, integrate with performance management processes to create a more balanced view of results.
• Culture: Drive awareness of top risks through the organization via communication, training, linking to compensation and involving an informed board, with management and directors focused on similar issues, while being objective and transparent.
• Infrastructure: Build processes, systems and reporting only to the extent necessary.
RISK MANAGEMENT IMPLEMENTATION COMPONENTS
DESIGN RISK MANAGEMENT PROCESS
INTEGRATE WITH MANAGEMENT PROCESSES
Integration into key Management activities that deal with risk; e.g.
• Strategic Planning
• Emerging Markets Risk
• Product Development
• Ethics and Compliance
• Others:
− R&D
− Capital expenditure
− M&A
− Crisis Management
BUILD AND DRIVE CULTURE
BUILD INFRASTRUCTURE
• Integrate risk management concepts into current transactional and functional policies.
RISK IDENTIFICATION AND RISK ASSESSMENT
RISK MANAGEMENT VS. RISK OVERSIGHT
Risk management is what management does. It includes identifying, prioritizing, sourcing, managing and monitoring risk that is significant to the execution of the company’s strategic priorities and achievement of its business objectives and performance goals.
Risk oversight is the board’s process for determining that the company has a process in place for managing its significant risks and that that process is improved continuously as the business environment changes.
KEY TERMS
• Risk Appetite: Risk appetite is the maximum amount of risk an entity is willing to accept in pursuit of value.
− Example: What minimum level of return are we willing to accept to pursue our growth strategy? What is the
maximum level of capital we are willing to put at risk to invest in an emerging market?
• Risk Tolerance: Risk tolerance is the acceptable level of variation relative to achievement of a specific objective.
− Example: How much of an increase in steel prices are we willing to accept before we take significant action
(e.g., price increase or alternative materials)?
• Risk Capacity: Risk capacity is the maximum impact an organization can absorb and maintain sustainable
operations.
− Example: What is the minimum level of sales that we can have before we fail?
FRAMING THE OVERALL ISSUE
Figure: Total Exposure to Risk plotted against Time (from Today forward), with bands for Existing Risk Management Activities, Comprehensive Risk Management and Enhanced Risk, and lines marking Risk Appetite and Risk Tolerance.
IMPROVING OUR UNDERSTANDING OF THE RISK
Figure: distribution of events by Frequency and impact. Labels on the chart: a high number of low impact events (the focus of day-to-day management), absorbed by reserves on the balance sheet; larger events absorbed by equity; events that exceed risk tolerance, which invoke risk management and response plans; and Risk Capacity as the upper bound.
IDENTIFYING RISK
RISK MANAGEMENT FOCUSES ON ALL TYPES OF RISK
• Current Risks: These are risks that the organization is facing, or has been known to face in the past, and
therefore could re-present themselves to the organization.
• Emerging Risks: These are risks that the company has not faced previously but could impact the organization
going forward.
• “Black Swan” Risks: These are risks that the company could face but would not know that they exist.
KEY CATEGORIES OF RISK
• Strategic: The risk of one or more future events invalidating fundamental assumptions underlying the
business strategy and management’s long-term outlook and that the business model is not effectively
aligned with the strategy.
• Operational: The risk of one or more future events impairing the effectiveness of the business model for
creating value for customers and achieving the financial results expected to increase shareholder value.
• Financial: The risk that cash flows and financial risks are not managed cost-effectively to:
− Maximize cash availability.
− Reduce uncertainty of currency, interest rate, credit and other financial risks.
− Move cash funds quickly and without loss of value to wherever they are needed most.
• Compliance: The risk that noncompliance with laws, regulations and internal policies results in penalties,
fines, lost revenues and/or reputation loss.
ADDITIONAL THINGS TO CONSIDER
• Speed to impact
• Time horizon
• Precision of measurement
ASSESSING RISK
THINGS TO CONSIDER WHEN PRIORITIZING RISKS
Impact
• When determining the scale, it is important to consider:
− Financial loss
− Strategic impact
− Revenue targets
− Reputation
Likelihood
• Consider the time horizon in which it is reasonably expected that an event could occur that would trigger the
risk.
Persistence
• The time period over which the event is dealt with after an occurrence.
− Example: The lingering reputational impact of a major recall
Velocity
• Speed with which the full impact of the event is realized (i.e., required reaction time).
− Example: Sudden change in exchange rates vs. a chronic warranty issue causing customer
dissatisfaction
Response Readiness
• The organization’s preparedness to manage/respond to an event or a series of events (including
contingency plans).
− Example: Product recall or terrorist incident
HOW DO WE KNOW WHAT IS MOST IMPORTANT?
Figure: Risk Prioritization heat map with Likelihood on the horizontal axis and zones labelled Risk: Low, Risk: Low to Moderate and Risk: Moderate. Risks B through J are plotted; labelled examples include Environment, Regulatory/Compliance, Knowledge Capital: Training, Health and Safety and Raw Material Sourcing.
RESPONDING TO AND MONITORING RISKS
DETERMINING RISK RESPONSE
RISK MANAGEMENT TECHNIQUES
• Avoid: Eliminate risk by preventing exposure to future possible events from occurring.
− Divest, Target, Prohibit, Screen, Stop, Eliminate
• Accept: Maintain the risk at its current level.
− Retain, Self-Insure, Re-Price, Offset
• Reduce: Implement policies and procedures to lower the risk to an acceptable level.
− Disperse, Test, Control, Improve, Respond, Relocate, Redesign, Diminish, Diversify, Isolate
• Transfer: Shift the risk to a financially capable, independent counterparty.
− Insure, Outsource, Reinsure, Securitize, Hedge, Indemnify, Transfer
ELEMENTS OF MANAGEMENT AND CONTROL INFRASTRUCTURE
The six elements of infrastructure form a framework that can be used to identify the components that influence the
operating and control environment (includes the concept of multiple lines of defense). Typical failures, by element:
• Processes do not carry out established policies or achieve the intended result.
• People lack the knowledge and experience to perform processes.
• Reports do not provide information for effective management.
• Methodologies do not adequately analyze data and information.
• Information is not available for analysis and reporting.
ENTERPRISE APPROACH VS. SILO THINKING
The goal of this group is to avoid silo thinking and help bridge
the gaps between the functions and the regions.
ASSIGNING ACCOUNTABILITY
RISK OWNERSHIP
• Responsibilities, authorities and accountabilities are defined and articulated clearly so that an individual,
a group or a designated unit is accountable for managing each critical enterprise risk. The accountable
individual, group or unit is considered the “risk owner.”
• The risk owners have the responsibility, authority and accountability to manage the risk.
• Risk owners, at a minimum, must:
− Decide on the risk responses.
− Design the capabilities for managing the risks in accordance with the selected risk response.
− Monitor these capabilities over time to make sure they perform as intended. If gaps are noted, they fix
them on a timely basis.
• Risk owners may elect to outsource the responsibility to build and execute capabilities but that does not
compromise their ownership of the risk.
• The executive committee is responsible for ensuring that appropriate risk owners are designated for each
critical risk and for monitoring risk owner performance over time.
REPORTING AND ON-GOING MONITORING
DEFINING METRICS THAT MATTER
• Key performance indicators (KPIs) and key risk indicators (KRIs) should converge to form a single basket of key metrics (KMs).
• KMs are measures of performance developed to monitor progress toward the achievement of strategy, mitigation of risks and the ultimate creation of value for stakeholders.
Figure: spectrum from Lead Indicators to Lag Indicators, with example metric areas Project Management, Equipment Reliability, EH&S, Reputation and Outcomes.
MONITOR AND EVALUATE RESULTS
• Reviewing key metrics gives the company the ability to measure the rate of progress it is making toward its strategic
objectives and the mitigation of its critical risks and also includes an ongoing evaluation of risk responses.
• This process determines the effectiveness of integrated business plans and the ultimate creation of value within the
enterprise’s appetite for risk and established strategic boundaries.
Perspective/KPI     | Trend | Status | Period Actual | Period Target | Variance | Variance Percentage
Profitable Growth   |       |        |               |               |          |
  EBIT Margin       |       |        | X%            | X%            | X%       | X%
  Combined Ratio    |       |        | X%            | X%            | X%       | X%
Capital Protection  |       |        |               |               |          |
  Return on Equity  |       |        | X%            | X%            | X%       | X%
  xRoCe             |       |        | X%            | X%            | -X%      | -X%
Lean Organization   |       |        |               |               |          |
Motivated Employees |       |        |               |               |          |
  Retention         |       |        | X%            | X%            | X%       | X%
  AM Best Rating    |       |        | A+            | A+            | 0%       | 0%
(Trend and Status were shown as icons on the slide.)
ENTERPRISE RISK PRIORITIZATION SCALES
Rating    | Strategic impact | Revenue targets | Reputation
Very High | Catastrophic impact on company’s ability to meet strategic goals or execute priority initiatives | Catastrophic impact on company’s ability to hit revenue targets | Catastrophic impact on corporate or brand reputation
High      | Significant impact on company’s ability to meet strategic goals or execute priority initiatives | Significant impact on company’s ability to hit revenue targets | Significant impact on corporate or brand reputation
Medium    | Moderate impact on company’s ability to meet strategic goals or execute priority initiatives | Moderate impact on company’s ability to hit revenue targets | Moderate impact on corporate or brand reputation
Low       | Low impact on company’s ability to meet strategic goals or execute priority initiatives | Low impact on company’s ability to hit revenue targets | Low impact on corporate or brand reputation
Very Low  | Minimal impact on company’s ability to meet strategic goals or execute priority initiatives | Minimal impact on company’s ability to hit revenue targets | Minimal impact on corporate or brand reputation
RISK PRIORITIZATION SCALES
Rating    | Likelihood | Velocity | Persistence
Very High | Greater than 90% probability that the risk event will occur within the next three years | Major impacts of a risk event will affect company in less than two weeks | Impacts of a risk event will continue to develop and impact the company over three years
High      | 65%-90% probability that the risk event will occur within the next three years | Major impacts of a risk event will affect company in between two to four weeks | Impacts of a risk event will continue to develop and impact the company over the next one to three years
Medium    | 35%-65% probability that the risk event will occur within the next three years | Major impacts of a risk event will affect company in between one to three months | Impacts of a risk event will continue to develop and impact the company over the next six to twelve months
Low       | 10%-35% probability that the risk event will occur within the next three years | Major impacts of a risk event will affect company in between three to six months | Impacts of a risk event will continue to develop and impact the company over the next three to six months
Very Low  | Less than 10% probability that the risk event will occur within the next three years | Major impacts of a risk event will affect company in over six months | Impacts of a risk event will continue to develop and impact the company over the next three months or less
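To show how the likelihood, velocity and persistence bands above can be applied to a risk register, here is an added example (not from the original deck) that encodes the slide's cutoffs and ranks a constructed set of security risks. The side a boundary value falls on, the 30-day month and the impact-then-likelihood ordering are assumptions; the slides name the dimensions but give no combination rule.

```python
from bisect import bisect_left
from dataclasses import dataclass

# Ratings from lowest to highest; the list index is the ordinal used for sorting.
RATINGS = ["Very Low", "Low", "Medium", "High", "Very High"]
# Cutoffs from the slide. A value exactly on a cutoff falls into the lower band
# (assumption: the slide does not say which side a boundary belongs to).
LIKELIHOOD_CUTOFFS = (0.10, 0.35, 0.65, 0.90)  # probability within the next three years
VELOCITY_CUTOFFS = (13, 28, 90, 180)  # days until major impacts hit; 13 = "less than two weeks"
PERSISTENCE_CUTOFFS = (3, 6, 12, 36)  # months over which impacts keep developing

def rate_likelihood(p_three_years: float) -> str:
    if not 0.0 <= p_three_years <= 1.0:
        raise ValueError("probability must lie between 0 and 1")
    return RATINGS[bisect_left(LIKELIHOOD_CUTOFFS, p_three_years)]

def rate_velocity(days_to_major_impact: int) -> str:
    # Faster onset is a higher rating, so the band index is inverted; a month is 30 days (assumption).
    return RATINGS[4 - bisect_left(VELOCITY_CUTOFFS, days_to_major_impact)]

def rate_persistence(months: float) -> str:
    return RATINGS[bisect_left(PERSISTENCE_CUTOFFS, months)]

@dataclass
class Risk:
    name: str
    impact: str  # rating on the enterprise impact scale, same five labels
    p_three_years: float
    days_to_impact: int
    persistence_months: float

    def ratings(self) -> tuple:
        if self.impact not in RATINGS:
            raise ValueError(f"unknown impact rating {self.impact!r}")
        return (self.impact, rate_likelihood(self.p_three_years),
                rate_velocity(self.days_to_impact), rate_persistence(self.persistence_months))

def prioritize(register: list) -> list:
    """Impact first (the heat map's vertical axis), then likelihood, with velocity and
    persistence breaking ties. The ordering is an assumption: the slides name the
    dimensions but give no combination rule."""
    return sorted(register, key=lambda r: [RATINGS.index(x) for x in r.ratings()], reverse=True)

# Constructed sample register, not from the deck.
REGISTER = [
    Risk("Ransomware halts plant operations", "High", 0.40, 2, 9),
    Risk("Leaked cloud credentials", "Medium", 0.70, 7, 4),
    Risk("Regulatory fine after privacy breach", "High", 0.20, 120, 18),
    Risk("Legacy ERP vendor exits market", "Medium", 0.15, 365, 40),
]
```

Calling prioritize(REGISTER) places the two High-impact risks first and orders them by likelihood, which is the same reading the heat map slide asks a reviewer to make by eye.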