
ENTERPRISE RISK MANAGEMENT SUMMARY APPROACH GUIDE
TABLE OF CONTENTS

03 Enterprise Risk Management Summary Approach Guide: Sample 1
04 Today’s Agenda
05 Welcome and Introductions
09 ERM Foundational Concepts
16 Moving to ERM
21 ERM Implementation Overview
28 Enterprise Risk Management Summary Approach Guide: Sample 2
29 ERM Approach
36 Coordination and Oversight
37 Enterprise Risk Management Summary Approach Guide: Sample 3
38 Phase I and II
41 Interview List
42 Questionnaire Recipients

2
ENTERPRISE RISK MANAGEMENT
SUMMARY APPROACH GUIDE:
SAMPLE 1
TODAY’S AGENDA

• Welcome and Introductions
− New Enterprise Risk Management (ERM) Infrastructure
− Reasons for Change
− ERM: What’s in It for XYZ and for You?
− How Do We Get There?
• ERM Foundational Concepts
• Moving to ERM
• ERM Implementation Overview
• Next Steps and Closing Remarks

4
WELCOME AND INTRODUCTIONS: NEW ENTERPRISE RISK MANAGEMENT (ERM) INFRASTRUCTURE

(Organization chart with estimated dates for each level: Board of Directors; ERM Oversight Committee; ERM Working Group)

• The VP of ERM includes the audit committee and reports to the CEO/CFO.
• The ERM oversight committee includes all senior-level executives.
• The ERM working group includes a member from each risk and compliance group as well as multiple business unit owners throughout the organization.

5
WELCOME AND INTRODUCTIONS: REASONS FOR
CHANGE

1 Credit rating agencies are beginning to factor the company’s ERM processes into an overall rating.

2 Legislators and the general public are pressuring companies to specifically disclose how both the board
and senior executives oversee and monitor the risk management practices of the company.

3 Focus dedicated resources on the development of an ERM process for XYZ.

4 Develop a process where the board and senior executives are routinely updated on the risk profile of the
company associated with its strategy and operations.

5 Integrate efforts of the risk and compliance groups to eliminate redundancies in work performed (e.g.,
agency billing audits).

6
WELCOME AND INTRODUCTIONS: ERM – WHAT’S IN IT FOR XYZ AND YOU?

1 Fewer surprises occur.

2 Exposure to loss is reduced and rewards are increased.

3 Decision-making is more effective.

4 Corporate governance is improved.

5 Risk and control activities are aligned with the highest corporate priorities.

7
WELCOME AND INTRODUCTIONS: HOW DO WE GET THERE?

01 Ensure that front-line managers and above understand the importance of risk identification, assessment and management and are willing to embrace it.

02 Evolve ERM from a special project to being part of your daily routine (e.g., ask yourself, “What are the risks associated with XYZ?”).

03 Leverage existing tools, reports, etc. to assist with risk assessment and management where possible. Also, identify other methods or tools that can facilitate this in a more effective manner across the entire company.

04 We may request meetings with you to understand the portion of the company’s overall risk profile that you help to monitor and manage.

05 GRC software is implemented to support the ERM process, as well as PMO support from the internal auditor.

8
ERM FOUNDATIONAL CONCEPTS: A DEFINITION OF
ERM

A definition provided by former Federal Reserve Board Governor Susan Bies:


ERM is a process that enables management to deal effectively with uncertainty and the associated risk
and opportunity, enhancing the capacity to build stakeholder value.

ERM includes:

• Aligning XYZ’s risk appetite and strategies
• Reducing the frequency and severity of operational surprises and losses
• Identifying and managing multiple and cross-enterprise risks
• Enhancing the rigor of XYZ’s risk-response decisions
• Proactively seizing on the opportunities presented to XYZ

9
ERM FOUNDATIONAL CONCEPTS: RISK

• Risk is a threat or barrier preventing the achievement of organizational objectives.
• Risk appetite is the amount of risk that XYZ is willing to accept. It sets the boundaries for the broad risk-taking activities of an organization.
− This can be quantitative or qualitative.
− This may be expressed as an acceptable balance of growth, risk and return, or as risk-adjusted shareholder value-added measures.
− Risk appetite guides resource allocation.
• Risk tolerance is the acceptable level of variation relative to the achievement of a specific objective.
− These are generally quantitative and measured in the same units as the related objective.
• Risk Appetite (resource allocation): “Management looks to align organization, people, processes and infrastructure to facilitate successful strategy implementation and enable the entity to stay within its risk appetite.”

(Diagram labels, top to bottom: Strategy, Governance, Risk Appetite, Risk Tolerance, Execution, Objectives)

10
ERM FOUNDATIONAL CONCEPTS: ILLUSTRATIVE RISK
APPETITE STATEMENT
Management will accept a moderate level of risk when pursuing strategies to grow revenue and earnings.

Management may choose to pursue product expansion and/or acquisitions that are complementary to the
existing business and capabilities and are expected to be accretive to earnings within a maximum of 18 months.

Management will accept earnings volatility of up to 50% within a one-year time frame, provided that long-term operating margins can be maintained at 5% or higher.

Capital and liquidity must be maintained at a level that will not result in a reduction of our current dividend.

Management will not accept risks that result in more than an extremely remote threat to its state insurance
licenses or Medicare contracts.

Management will not accept risks that result in more than a remote chance that our members are not
receiving the level of medical care promised.

Management will not accept risks that result in a more than remote chance that our agents and providers are
not reimbursed properly.

The investment portfolio will be maintained with an aggregate rating of at least AA.

11
ERM FOUNDATIONAL CONCEPTS: ERM AS A PICTURE

(Heat map: Impact on the vertical axis and Likelihood on the horizontal axis; the Risk Appetite and Risk Tolerances boundaries are drawn on the map, and the numbered risks listed below are plotted on it.)

Impact scale: Insignificant, Minor, Moderate, Major, Catastrophic
Likelihood scale (1 to 9): Remote (10%), Unlikely (25%), Reasonably Possible (50%), Probable (75%), Almost Certain (90%)

Risk rating by region of the map (from low to high likelihood, left to right):
• Upper region (Catastrophic/Major impact): Risk – Moderate to High, Risk – High, Risk – Very High
• Middle region (Moderate impact): Risk – Moderate, Risk – Moderate to High, Risk – High
• Lower region (Minor/Insignificant impact): Risk – Low, Risk – Low to Moderate, Risk – Moderate

Risk responses shown alongside the map: Accept, Share, Reduce, Avoid

Risks plotted on the map:
1 Competitor
2 Business Interruption
3 IT- Systems Implement.
4 Sourcing/Supply Chain
5 Customer Satisfaction
6 IT- Infrastructure
7 Human Resources
8 Shrink/Loss Prevention
9 Consumer Privacy
10 Reg.- Price Integrity
11 Price- Interest Rate
12 Rev. Rec.- Allowances
13 Taxation
14 Business Model
15 Organizational Culture

Three steps beneath the map, connected by a feedback loop:
• Determine your strategic objectives based on your risk appetite.
• Understand the inherent risks associated with achieving your business strategy.
• Determine the risk management techniques to meet your established risk tolerances.

12
ERM FOUNDATIONAL CONCEPTS: COMMON FRAMEWORK FOR ERM PROGRAMS

ERM is a continuous, formalized process of:
• Establishing
• Assessing
• Developing
• Implementing
• Monitoring
• Improving

ERM is primarily focused on key risks to the organization, not necessarily all risks.

Framework cycle (diagram), with “Information for Decision-Making” at its center:
1. Establish the Risk Management Goals, Objectives and Infrastructure
2. Assess the Business Risk (Identify, Source, Measure)
3. Formulate the Business Risk Management Strategies
4. Design/Implement the Risk Management Process
5. Measure/Monitor the Risk Management Process Performance
6. Continuously Improve the Business Risk Management Process

13
ERM FOUNDATIONAL CONCEPTS: ERM INTEGRATION WITH STRATEGIC PLANNING

(Strategic planning cycle diagram, with Corporate Mission, Vision and Values at its center; the key ERM components for each stage are listed below.)

Assess the External Environment – Key ERM Components
• Identify the risks to achieving objectives.
• Source the risks.
• Identify, monitor and respond to emerging risks.

Formulate and Select a Strategy – Key ERM Components
• Assess and prioritize risks.
• Select strategies within the organization’s risk appetite.

Set Strategic Measurements and Targets – Key ERM Components
• Set strategic measurements and key risk indicators (KRIs).
• Identify the strategic risk owners.

Allocate Resources and Develop Operational Plans – Key ERM Components
• Allocate risk management resources.
• Develop risk mitigation plans.
• Develop additional KRIs.

Communicate, Monitor and Adjust – Key ERM Components
• Enable communication on achieving strategic objectives.
• Monitor, evaluate and update KRIs and risk management action plans.
• Update operational plans.

14
ERM FOUNDATIONAL CONCEPTS: VALUE OF ERM

1 Sustain Competitive Advantage
• Incorporate operational risk management best practices.
• Identify, assess and manage emerging external risks, including regulatory changes, access to capital and financial market volatility.
• Evaluate and manage risks associated with strategic business decisions (product/service offerings, etc.).
• Respond effectively to low probability critical/catastrophic risks (e.g., Black Swan).

2 Optimize Costs
• Standardize the business process and collaborate efforts to integrate it.
• Allocate resources more efficiently.
• Eliminate unnecessary controls.

3 Improve Business Performance
• Manage KPI shortfalls and tightened margins.
• Better understand risks and improve risk management capabilities across business functions and units.
• Improve strategic management and business planning processes.
• Expand and improve corporate governance, addressing expectations of and requests from the board (including reporting needs).

15
MOVING TO ERM: FIRST VERSION HAS BASIC
FUNCTIONALITY

16
MOVING TO ERM: FAST FORWARD: RISK BECOMES
OPPORTUNITY

17
MOVING TO ERM

Comparison of Risk Management, Business Risk Management and Enterprise Risk Management:

Focus
• Risk Management: Financial and hazard risks and internal controls
• Business Risk Management: Business risk and internal controls, taking a risk-by-risk approach
• Enterprise Risk Management: Business risk and internal controls, taking an entity-level portfolio view of risk

Objective
• Risk Management: Protect enterprise value
• Business Risk Management: Protect enterprise value
• Enterprise Risk Management: Protect and enhance enterprise value

Scope
• Risk Management: Treasury, insurance and operations are primarily responsible
• Business Risk Management: Business managers are accountable
• Enterprise Risk Management: Applied across the enterprise, at every level and unit

Emphasis
• Risk Management: Finance and operations
• Business Risk Management: Management
• Enterprise Risk Management: Setting a strategy

Application
• Risk Management: Selected risk areas, units and processes
• Business Risk Management: Selected risk areas, units and processes
• Enterprise Risk Management: Enterprisewide to all sources of value

(Diagram: the asset categories in scope expand from the “Current-State” Capabilities, covering Physical Assets and Financial Assets, to the “Future-State” Vision, which adds Customer Assets, Employee/Supplier Assets and Organizational Assets.)

18
MOVING TO ERM: POINT OF VIEW ON ERM

• ERM will never begin if you don’t know what your risks are.
• ERM is not something to build in a day. Start somewhere and build incrementally.
• The purpose of ERM infrastructure is to drive continuous improvement of ERM capabilities.
− The objective is to continuously improve capabilities around managing priority risks as circumstances change.
• The tenets of effective ERM implementation:
− Leverage what you have.
− Integrate it with what you do.
− Keep it simple.
• Enterprise risk management requires XYZ to take a portfolio view of risk:
− Organizations typically manage risk within silos.
− This ignores cross-functional impacts.
− It requires increased communication to manage a business.

19
MOVING TO ERM: COMMON ERM OBSTACLES AND PITFALLS TO AVOID

01 Failure to get “buy-in” and support from executive management (CEO)
02 An inability to demonstrate value to operational personnel and risk owners
03 Enterprise list management
04 A lack of dedicated resources with the appropriate background
05 An inability to capture, summarize and manage information
06 Ineffective or inefficient risk identification techniques
07 Risk responsibility that is not linked to rewards
08 General counsel concerns exist over risk documentation
09 ERM that is not integrated with other activities and functions within the organization
10 Failure to link risks to strategy

20
ERM IMPLEMENTATION OVERVIEW: STEP 1

“ERM Infrastructure”
Key Elements
• Develop an ERM governance structure (e.g., charter, philosophy and risk appetite).
• Define a process/organizational classification scheme.
• Adopt a standardized risk model.
• Define roles and responsibilities.
• Conduct ERM awareness training.
• Understand existing risk management processes and/or areas of overlap.
• Gather information on company strategy and value drivers.
• Implement GRC software.

Key Outputs for XYZ
• ERM vision and responsibilities
• Process/organizational classification scheme
• Risk model (common language) and risk definitions

21
ERM IMPLEMENTATION OVERVIEW: STEP 2

“Risk Assessment and Prioritization”


Key Elements
• Incorporate information from internal audit’s risk assessment, along with input from other executives on existing and/or emerging risk
areas for XYZ.
• Define risk ranking criteria (likelihood of occurrence and impact/significance to XYZ).
• Link strategic objectives/initiatives to risks.
• Prioritize key risks.

Key Outputs for XYZ
• Preliminary prioritization of identified risks
• Risk map

22
ERM IMPLEMENTATION OVERVIEW: SAMPLE RISK MAP

Key risks on the XYZ risk model will eventually be mapped based on the significance and likelihood of each risk. The risk profile associated with each quadrant of the Significance/Likelihood map is noted below.

(Map: Impact/Significance on the vertical axis and Likelihood on the horizontal axis, each scaled 1 (Low) to 5 (High), with the Risk Appetite boundary drawn across the map.)

Key Risks (high significance, high likelihood)
• Critical risks potentially threaten the achievement of companywide objectives.
• High-monitoring activity and preventive controls are essential in mitigating these risks.

Secondary Risks (high significance, low likelihood)
• Black Swan
• Likelihood is lower but could have a significant adverse effect on the company’s ability to achieve its objectives if risk is realized.
• Monitoring is limited and detective controls are needed.

Secondary Risks (low significance, high likelihood)
• Less significance exists but is more likely to occur.
• Cost/benefit tradeoff is considered.
• Some monitoring and effective detective controls are needed.
• Risks are often re-assessed to evaluate changing conditions (move to high significance).

Low Priority Risks (low significance, low likelihood)
• The overall business impact is not deemed as significant.
• Significant monitoring is not necessary unless change occurs in risk classification.

23
ERM IMPLEMENTATION OVERVIEW: QUANTIFYING RISK

01 Inputs
The quality of data input determines the quality of data coming out of the model. This is often the most challenging aspect of quantifying risk.

02 Models and Assumptions
These should align with the firm’s goals and objectives as well as current marketplace/industry realities.

03 Outputs
Create outputs that are relevant to the overall firm and business units. Link outputs to performance measures/KPIs.

24
ERM IMPLEMENTATION OVERVIEW: RISK
MEASUREMENT VALUE

Allows for return to be evaluated on a risk-adjusted basis

Provides a method to produce comparable results across businesses with different risk profiles

Provides a method to rank opportunities based on the opportunity risk profile

Serves as feedback to the effect of changes in portfolio composition and risk policies (e.g., increasing percentage of hospice)

25
ERM IMPLEMENTATION OVERVIEW: STEP 3

Risk Response/Management
Key Elements
• Understand key controls/risk management activities that
currently exist to address key risks, as well as gaps.
• Define key risk indicators (KRIs) and risk tolerance levels.
• Develop risk reports/dashboards and present information to
executive management and the board.

Key Outputs for XYZ
• Key risk indicators for key risks
• Risk reports/dashboards

26
ERM IMPLEMENTATION OVERVIEW: WHAT DO WE DO WITH RISK?

Avoid
Eliminate risk by preventing exposure to future possible events from occurring.
• Divest • Prohibit • Stop • Screen • Eliminate • Target

Accept
Maintain the risk at its current level.
• Retain • Reprice • Self-Insure • Offset

Reduce
Implement policies and procedures to lower the risk to an acceptable level.
• Disperse • Control • Respond • Diminish • Isolate • Test • Improve • Relocate • Redesign • Diversify

Share
Shift the risk to a financially capable, independent counterparty.
• Insure • Reinsure • Hedge • Transfer • Outsource • Securitize • Indemnify

27
ENTERPRISE RISK MANAGEMENT
SUMMARY APPROACH GUIDE:
SAMPLE 2
ERM APPROACH

Identifying, understanding and evaluating an organization’s most significant risk areas will set the
foundation for a robust ERM program. The diagram below outlines an effective and proven approach to
building ERM capabilities that will ultimately:
• Enhance corporate governance.
• Align and integrate varying views of risk and risk management.
• Respond to the changing business environment.

(Diagram components, in order: Planning; Facilitating Risk Discussion; Risk Analysis; External Verification; Management Review; Gap Assessment. Coordination and Oversight spans all of them.)

The following pages detail each component of this ERM approach.

29
PLANNING

Activities
• Meet with ABC’s ERM project sponsor to confirm the scope and risk management objectives (including guidelines for defining “catastrophic” risks).
• Leverage ABC corporate audit’s risk model and confirm that it includes the necessary environment, process and information for decision-making risk categories. Adjust the model as necessary.
• Identify a cross-section of leaders within each business/region/function to participate in a facilitated risk discussion (workshop). If necessary, there may be multiple workshops within each business, region and function.
• Conduct interviews with workshop participants to better understand key risk areas within each business/region/function and to verify that the necessary risk categories are included in the risk model. Complete these interviews prior to conducting the facilitated risk workshops.
• Distribute the risk model to attendees prior to conducting each workshop to set the foundation for a common risk language.

Output/Deliverables
• ABC-specific risk model (inclusive of key risk categories)

30
FACILITATING RISK DISCUSSION

Activities
• Conduct facilitated risk discussions to evaluate the inherent significance and likelihood of identified risks. Using real-time, anonymous voting technology, identify ABC’s top nontraditional, catastrophic risk categories.
− Facilitated workshops provide an effective and efficient approach to holistically evaluating an organizational risk. Participants can discuss and verify issues and facts and reach meaningful conclusions that ultimately enhance risk management capabilities.
• Gather initial input on the top risk categories to begin the process to identify specific events and/or scenarios that cause each category to have an elevated priority.

Output/Deliverables
• A prioritized list of risk categories within each business/region/function
• Information on risk-specific events and/or scenarios that could significantly impact ABC

31
RISK ANALYSIS

Activities
• Explore the specific events within each top risk category that could have a significant or catastrophic impact on ABC. Evaluate these events in the context of broad organizational impact to identify the discrete risk points within each risk area (i.e., catalog the Level 2 and Level 3 risks).
− Example: If “Illegal Acts” is identified as a top risk category, outline and document the specific illegal acts that would cause the most damage to ABC. It may be necessary to approach these risks using a worst-case scenario.
• Identify an expert panel of ABC management relevant to each of the top five to six risk categories and facilitate discussions to identify potential risk events/scenarios within each top risk category. Confirm that the agreed-upon events are ABC-specific and adequately describe how each would contribute to a potentially catastrophic outcome.
• Consolidate and prioritize the top events in each of the priority risk categories from each of the expert panel workshops.

Output/Deliverables
• Documentation of ABC’s prioritized catastrophic risks supported by specific events and supporting explanations

32
EXTERNAL VERIFICATION

Activities
• Identify external resources with expert perspectives on industry and risk management topics.
• Distribute ABC’s consolidated risk universe and solicit feedback.
• Discuss external feedback with business/region/function leaders and adjust the risk universe as necessary.

Output/Deliverables
• An updated universe of ABC’s most critical risks that incorporates feedback from external experts

33
MANAGEMENT REVIEW

Activities
• Discuss the prioritized list of critical risks with members of ABC’s executive leadership team. Solicit feedback and update the risk list as necessary.
• Develop summary materials to communicate ERM activities and results to the board.

Output/Deliverables
• A finalized list of ABC’s top risk areas
• A board-level reporting summary

34
GAP ASSESSMENT

Activities
• Evaluate ABC’s current capabilities to manage the identified risk categories and potential risk events/scenarios through a discussion and documentation review.
• Identify risks that may not be adequately controlled and perform a gap analysis.
• Communicate gaps and confirm them with business/region/function leaders.

Output/Deliverables
• A summary of risk management activities to address ABC’s top risk areas, including process gaps and associated recommendations

35
COORDINATION AND OVERSIGHT

• Communication between management and each business/region/function is of paramount importance to successfully complete this ERM initiative. In coordination with management, the risk management project team will have responsibility for overseeing all engagement activities.
• Senior members of the risk management project team will
coordinate ERM activities throughout the entirety of this project.
• The risk management project team will facilitate risk workshops,
summarize workshop results, identify and introduce external
experts, and present the results to management.
• As necessary, the risk management project team will be
available to assist with preparing and/or presenting relevant
materials to the board.

36
ENTERPRISE RISK MANAGEMENT
SUMMARY APPROACH GUIDE:
SAMPLE 3
PHASE I AND II TASKS

Environmental Scan, Project Kickoff and Awareness
• Gather information (e.g., risk assessment activities, approach, background, regulatory reports, etc.).
• Develop a project plan and timeline and agree upon key deliverables.
• Validate the project plan and deliverables with management.
• Identify the preliminary risk language and develop risk inventory questionnaires.
• Develop materials and hold education/risk awareness session(s) with senior management and/or boards’ risk management committee.
• Initiate/schedule interviews with senior management at Company ABC.
• Identify questionnaire recipients at the (Insert Name) business units.

Conduct Risk Assessment Workshops
• Conduct risk assessment interviews with key members of management for Company ABC.
• Compile the results of the interviews.
• Execute (Insert Number) risk assessment facilitated workshops to identify, analyze and prioritize key risks and strategies.
• Develop and distribute a risk assessment survey for the (Insert Name) business units.
• Compile and analyze the results of the risk assessments and surveys for all (Insert Number) business units.

Develop High-Level Action Plan for ERM and Report
• Develop risk maps to prioritize key risks for each entity.
• Create an overall risk map for the holding company.
• Assess the maturity of risk management strategies for the top (Insert Number) business risks (holding company-level or business-unit risks).
• Prepare a gap analysis and identify goals for improving risk management for the top (Insert Number) key business risks.
• Define a high-level ERM implementation plan for the next three to six months to improve risk management capabilities.
• Finalize a long-term implementation plan for ERM on a company-wide basis, including communication strategies for the board and management.
• Prepare, review and deliver the final report.

38
PHASE I AND II DELIVERABLES

Environmental Scan, Project Kickoff and Awareness
• Create a project planning document.
• Utilize risk awareness session slides and/or materials.
• Develop the Company ABC risk universe.
• Utilize a risk inventory questionnaire (for distribution to [Insert Name] business units and for use in conducting interviews).

Conduct Risk Assessment Workshops
• Design and deliver a facilitated risk assessment workshop.
• Identify and prioritize Company ABC’s key enterprise risks.
• Review the preliminary assessment of the current state of risk management activities.
• Identify risk management gaps and initial strategies to achieve the desired future state.

Develop High-Level Action Plan for ERM and Report
• Develop risk maps to summarize and prioritize key risks for each entity.
• Create an overall risk map for the holding company.
• Review the final assessment of the current state of risk management for key risks.
• Address the gaps to achieve the desired future state for the top (Insert Number) key business risks.
• Incorporate high-level ERM implementation plans for the next three to six months to improve risk management capabilities for up to (Insert Number) risks.
• Finalize a long-term implementation plan for ERM on a companywide basis, including communication strategies for the board and management.

39
PHASE I AND II TIMELINE

(Timeline chart: one column per date across the year; the ERM milestones below are scheduled against those dates.)

ERM Milestones
Information Gathering and Review
Project Plan and Timeline
Validate Plan With Management
Develop Risk Language/Distribute Risk Questionnaires
Develop Education Session Materials/Hold Sessions
Schedule Risk Assessment Interviews (BUs)
Identify Questionnaire Recipients (BUs)
Conduct Risk Assessment Interviews (BUs)
Compile Results of Interviews (BUs)
Conduct Facilitated Risk Assessment Sessions (BUs)
Develop/Distribute Risk Assessment Survey (BUs)
Compile Results of Risk Interviews and Surveys
Develop Risk Maps
Assess Risk Management Strategies for Top 10 Risks
Gap Analysis and Improvement Opportunities
Develop Three-to-Six-Month ERM Project Plan
Develop Long-Term ERM Project Plan
Summarize and Report Phase I and II Results
Agree on Next Steps

40
INTERVIEW LIST

(Insert Names and Titles of People Interviewed)

41
QUESTIONNAIRE RECIPIENTS

(Insert Names and Titles of People Receiving Questionnaire)

42