Transcript of Enterprise Risk Management
- 1. Enterprise Risk Management. Walter Gangl, Director, Society of Corporate Secretaries and Governance Professionals; Former Deputy General Counsel and Corporate Secretary, Armstrong World Industries. R.R. Donnelley SEC Hot Topics 2008, September 24, 2008.
- 2. Serious failings have led to demands for enhanced board oversight of risk:
- Calls for enterprise-wide documentation and testing of controls over financial reporting risk.
- NYSE amendments to listing standards: require the Audit Committee to discuss with internal and external auditors how the company handles risks and the steps taken to monitor and control exposure to such risks.
- Now mandates disclosure of risks in periodic '34 Act reports. Commissioner Cynthia Glassman urges public companies to use information gleaned from ERM to enhance disclosure in management's discussion and analysis.
- A 2005 McKinsey survey of 1,000 board members indicated that 76% would like to spend more time on risk. Source: The Executive Board Treasury Leadership Roundtable, "Organizing for Enterprise Risk Management," dated 18 August 2005.
- 3. COSO Enterprise Risk Management Framework
- COSO (Committee Of Sponsoring Organizations of the Treadway Commission) is the father of SOX 404's Internal Controls evaluation.
- COSO's ERM Framework provides an organizational scope, emphasis, and program to broaden risk management, create an enterprise-wide awareness and emphasis, and integrate the risk management process into corporate strategy.
- IT'S THE BIBLE: Go to www.coso.org and click on Resources to download.
- 4. Key Definitions
- Any event or circumstance which could impact the achievement of
business objectives.
- The process of identifying and evaluating the magnitude and
likelihood of risks to achievement of business plans.
- Exposure to a risk that is intrinsic to the business in the
current environment before the consideration of risk mitigation and
control activities that have been designed and implemented to
address a given risk.
- The process of reducing the likelihood and/or impact of a
risk.
- Exposure to a risk remaining after considering the effect of
mitigation through risk management and control activities.
- The Composite of the processes of Risk Assessment and Risk
Monitoring
- 5. ERM Defined:
- "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
- Source: COSO, Enterprise Risk Management - Integrated Framework, 2004.
- 6. Why?
- Risk Assessment is necessary to comply with SEC disclosures in '33 and '34 Act reports.
- Rating agencies are beginning to take Risk Management into consideration on credit ratings, so it will affect companies' cost of capital.
- Also, for Board oversight purposes. They want to know the Company has good Risk Management processes, and to check what management sees as the major risks and how they plan to deal with them.
- 7. Risk Prioritization Using a Risk Matrix (figure): impact levels tie to disclosure standards.
- 8.
Disaster Recovery Risks Legal Compliance Risks (Product Liability,
EH&S, Employment Practices, Antitrust) Internal Control, (SOX
404) Accounting & Reporting Risks Culture (Tone at the Top)
Risks Enterprise Risks Hurricane, Natural Gas Price, Terrorist
Attack, Supplier Problems, etc Currency Volatility, Political Risk,
Trade Restrictions Workplace Safety, Product Quality and Safety
Reliance on Big Box Customers, Competitor Strategies ASBESTOS
STRATEGY Identify risks relevant to your particular business &
strategy
- 9. ERM vs. Compliance Risk Assessment
- Compliance Risk Assessment is just one component of an Enterprise-wide Risk Assessment. In an infelicitous use of nomenclature, many parties conflate the ERM term "Risk Assessment" with Compliance risks alone; avoid that confusion.
- 10. NOTE: Strategic Risks cause most harm to shareholder
value
- 11. Risk Management Process
- Identify matters that create risk to achieving your business
plans.
- Evaluate the risks by determining their likelihood and
impact.
- Prioritize risks - start with those with most serious potential
impact.
- Mitigate risks, starting with the most serious, through
improved controls, processes or procedures or other action.
- Monitor risks to address whether mitigation is effective.
- Report risks to management and board.
- At least annually, management should report to the Board about:
- Risk Management Processes
- Mitigation of Major Risks
- 12.
- Management's role is to guide and review ERM efforts, consider
whether the residual risks are acceptable, and approve plans to
mitigate serious risks.
- Business units (and functional units such as EH&S, HR,
Treasury) must explain their risk analysis in a way that allows
management to test, accept and share it with other operations and
the Board of Directors.
- Managements report to the Board is structured within the
context of these five points :
-
- Company processes to identify matters that create risk to
achieving our business plans,
-
- Processes to assess the likelihood and impact of such risks in
order to prioritize them,
-
- The Companys major risks and how it defines major ,
-
- Who is responsible for mitigation and monitoring of those major
risks, and
-
- The mitigation of major risks , and our view of the resulting
residual risk.
Managements Role
- 13. Board's Role
- The Board's role is to oversee the ERM process, monitor how risks are evaluated, prioritized and mitigated, review the Company's assessment and mitigation plans for serious risks, and improve or reshape management's decisions.
- Advise whether they are comfortable with the Company's processes to identify and assess risks.
- Advise whether they agree with our identification, assessment
and mitigation measures.
- Advise whether they view the ERM processes as effective.
- Advise whether they are comfortable with the level of residual
risk accepted by management.
- Make any suggestions or recommendations they have relative to
the ERM processes, including identification, assessment and
mitigation plans.
- 14. Who's Responsible on the Board?
- That's up to the Board to decide:
- The whole Board... or a committee. Whatever works best.
- Despite what you read in the press, the Audit Committee is NOT required to oversee ERM. NYSE rules only require the Audit Committee to monitor risks to financial reporting. And some companies have saddled Audit Committees with this additional duty.
- What's the better arrangement? The Board's basic duties are to advise management and monitor performance. When dealing with strategy and other fundamental matters, the whole Board should be involved, bringing their diverse backgrounds and experiences to the process.
- Risk Management is tied to, and is the flip side of, strategy. IMHO, risk oversight generally belongs under the Board as a whole.
- 15. What's this About Standard & Poor's Evaluation of Our Risk Management?
- Following a 2007 announcement about ERM ratings, S&P announced in May 2008 that it will begin an analysis of ERM implementation by companies in Q3 2008.
- S&P takes the expansive view of ERM outlined above. They expect companies to have a coherent, systematic risk management approach. They will discount a crammed-together collection of longstanding and disparate practices.
- S&P will initially look at a company's risk-management culture and strategic risk management. (Remember the importance of strategic risk.)
- 16. What's this About Standard & Poor's Evaluation of Our Risk Management? (continued)
- Within a year, S&P expects all companies will have had at least an initial ERM discussion.
- A subsequent S&P benchmarking process will form the basis of a new S&P ERM scoring system, which they intend to use to help identify situations that might require rating actions.
- Bottom Line : Companies need to get to work on ERM. How well
they do on ERM will affect their access to capital markets and
borrowing costs.
- 17. What Needs to Be Done?
- A recent survey of approximately 600 major companies showed
that 30% have not even taken the first steps in ERM.
- 27% were beginning to implement it.
- Only 24% claimed to have progressed to Intermediate (20%) or
Advanced (4%) implementation.
- 18. What's the Objective of ERM?
- S&P wants to see that a company's risk identification, assessment, controls, monitoring and reporting are beyond basic levels. They should at least become an integrated management process.
- Ideally, S&P wants to see ERM become a strategic tool for the company, helping to: set strategy, identify markets, guide product development, allocate capital budgets, and become a part of its analytical framework.
- 19. ERM: The Sunoco Experience. September 24, 2008. Ken Somes.
- 20. Sunoco, Inc. Capital Employed, MM$, 6/30/08 (chart, by segment): Refining & Supply 1,215; Chemicals 975; Retail Marketing 620; Coke 490; Logistics 500; Corp. 440.
- 2007 Revenue = $45 billion
- $4.8 billion in market cap
- 340 MMB / yr. refining production
- 5 billion gal. / yr. retail fuel sales
- 5 billion lbs / yr. chemicals
- owned 43% by Sunoco, Inc.
- 4.2 MM tons / yr. coke production
- 21. Sunoco Operations (map). Legend: Refineries, Chemical Plants, Coke Plants, Terminals, Retail Marketing, Western Pipeline System, Eastern Pipeline System. Locations shown: Philadelphia, Marcus Hook Refinery, Tulsa, Jewell, Indiana Harbor, Haverhill, Neal, Toledo, Frankford, Marcus Hook Polypropylene, La Porte, Nederland, Bayport, Eagle Point.
- 22. Background/History of ERM Program
- Audit Committee of the Board
- ERM Manager Position Established
- Initial inventory of risks
- Program Continues to Evolve
- Learning/improving as we go
- External influences, e.g. Rating Agencies
- 23. ERM Organization (org chart): Audit Committee of the Board; Chief Financial Officer; VP Investor Relations & Strategic Planning; ERM Manager; ERM Steering Committee (meets quarterly).
- 24. ERM Risk Identification & Follow-Up (flow chart). Steps: Identify and Classify Risk (categories: Strategic, Financial, Operational, Organizational, Legal/Political, Market); Risk Rank by Likelihood and Consequence (business impact); Determine Appropriate Report-Out Forum (Enterprise Risk Management Steering Committee); Identify Risk Owner; Risk Owner Develops Response Plan; Risk Owner Reports to Forum; ERM Coordinates, Tracks & Reports Status of Risks.
- Report-out forums:
- Audit Committee
- Chairman's Health Environment & Safety Committee
- Financial Information Committee
- Management Control Committee
- 25. Key Components of Risk Review Report:
- Likelihood and Potential Impact of Risk
- How Risk is Currently Managed
- Key responsibilities/structure in place
- Controls/policies/reviews, etc.
- What is measured/tracked (leading & lagging)
- Opportunities to Strengthen the Plan
- Who is doing what and by when
- 26. Example Risk: Projected Retirements
- Percent Retirement Eligible Within 5 yrs (chart)
- Classified: Organizational Risk
- Risk Owner: SVP of Human Resources
- Executive Human Resource Development Committee
- 27. Example Risk: Projected Retirements (continued)
- Demographics compiled and analyzed
- Industry/business units/departments experience
- HR Development Committees
- Succession plans/development/external hiring
- Opportunities to Strengthen
- Identified critical positions/disciplines at risk
- Selective adjustments to compensation package
- Personnel changes/succession plans/hiring
- Projected versus actual experience
- 28. Lessons Learned
- Benchmark/Learn From Others
- Tailor ERM to Company Culture
- Build off Processes Already in Place
- Get Started, then Learn/Adjust
- 29. AW Enterprise Risk Management Process. Ellen Wolf, Senior Vice President and Chief Financial Officer. September 2008.
- 30. Who We Are: We are the largest investor-owned water and wastewater service provider in the United States.
- We serve a broad national footprint and a strong local
presence
- We lead the industry in water quality, testing and
research
- We provide services to over 15 million people in more than
1,600 communities in 32 states and in Ontario, Canada
- We employ nearly 7,000 dedicated and active employees and
support ongoing community support and corporate responsibility
- We treat and deliver over one billion gallons of water
daily
- 31. Where We Are: We manage more than 350 individual water systems across the country.
- Every day we operate and manage:
- 45,000 miles of distribution and collection mains
- 80 surface water treatment plants
- 600 groundwater treatment plants
- 40 wastewater treatment plants
- (Map legend: Utility Only / O&M Only / Both)
- 32. ENTERPRISE RISK MANAGEMENT Pre 2003 (diagram of risk-information sources and participants): Directors of Loss Control; Finance; Risk Management; Frenkel; Legal; Human Resources Department; Operations; Engineers; Water Quality; Information Technology; Travelers; American Water Works Association; Risk & Insurance Management Society; InfraGuard; Media; Internet.
- 33. ENTERPRISE RISK MANAGEMENT Pre IPO
- RWE Risk Management Process was implemented at American Water immediately after RWE's purchase of the Company.
- Risk Management Committees of senior executives at subsidiary and corporate levels.
- Risks and Opportunities Management (ROM) toolkit, which offers a structured approach to the identification and evaluation of risk.
- The Risk Summary, signed by the CEO, Key Risk reports and Risk Map are updated and submitted to RWE on a quarterly basis.
- 34. ENTERPRISE RISK MANAGEMENT Pre IPO (continued)
- Identify and report to senior management at RWE risks which may have a material financial impact on RWE business plans.
- RMC committees at subsidiary level identify risks, mitigation activities and potential financial impact. Risks are aggregated and reviewed at each higher organizational level until the final report is prepared for the RWE board.
- Risk Management Committees (RMC): Corporate, Regional and Business Unit.
- Corporate EMC includes SVP & CFO, CEO, COO, VP Audit, SVP Legal, Regional Presidents, Regional Risk Representatives.
- Regional and Business Unit RMC includes its Presidents, VP Finance, VP Legal, VP Service & Delivery, VP Human Resources.
- 35. ENTERPRISE RISK MANAGEMENT Pre IPO (continued)
- The ROM includes a risk register identifying all risks. Risks which are valued at greater than 20% of net operating income and have a greater than 1% probability of occurrence are designated as Key Risks. The ROM includes:
- Reports prepared for each Key Risk which include cause analysis, severity evaluation, control and mitigation strategy, and monitoring and reporting by a Risk Owner.
- A Risk Summary, prepared from information generated in the Key Risk reports, which prioritizes risks for the Company.
- A Risk Map, which is a simple visual representation of the relative importance of Key Risks to achieving business objectives. The view of risk is achieved by plotting Key Risks in terms of their probability and impact on the heat map.
- 36. ENTERPRISE RISK MANAGEMENT POST IPO
- An American Water (AW) framework to manage risk: to create awareness regarding risk so Management has full knowledge of the risks and rewards related to AW's business objectives.
- Addresses risk management needs of various stakeholders:
- AW Board (Audit Committee)
- Securities and Exchange Commission (SEC)
- 37. Risk Assessment Process Information Flow (diagram). Inputs feeding the risk assessment: Commercial Development (CD); Capital Investment Management Committee (CIMC); Operational Risk Management (ORM); Operational Risk Assessment (Insurance, etc.); Labor Relations; Environment Audits; Other Business Performance Reviews; Quarterly Disclosure Committee Meetings; OSHA Risk Identification and Mitigation Process; Sarbanes Oxley; Significant company initiatives (various owners); Compliance with Laws & Regulations.
- Risk Assessment Meeting Attendees: SVP Sales/Business Development; SVP Legal & General Counsel; SVP Communications/Ext. Affairs; VP & Counsel Regulatory Programs; President - Reg. Operations; Chief Financial Officer; VP Internal Audit (Coordinator).
- Senior Risk Management Meeting: held prior to the Audit Committee Meeting; reports to the AW Board of Directors, Audit Committee.
- Frequency of meetings is every 6 months, and before the Audit Committee meeting as necessary.
- Fraud Risk Management integrated throughout (see following slide).
- 38. Fraud Risk Management Process
- AW Code of Ethics: employees asked to read and certify; part of new employee orientation.
- AW Management Oversight Controls
- AW Policies and Practices (i.e. Delegation of Authority): part of new employee orientation; owned and monitored by each applicable Senior Functional Executive.
- Internal Audit reviews of various functions, states, etc. throughout the year.
- AW Ethics Hotline: Third-Party Provider that receives calls regarding potential violations of the AW Code of Ethics. The Third-Party Provider immediately reports calls to designated AW Senior Management.
- AW Compliance Officer: manages reported Code of Ethics violations, investigations and reporting to Senior Management. Promotes proactive communications regarding the AW Code of Ethics through various company communication channels.
- AW Ethics Committee: committee of Senior AW Executives that governs/monitors the Code of Ethics, Hotline calls, investigations, disciplinary actions, communications regarding the Code of Ethics, and reporting to the Board of Directors, Audit Committee.
- AW Board of Directors, Audit Committee: quarterly, reviews Code of Ethics violations, investigations and disciplinary actions.
- 39.
- Senior Risk Management Meetings
- Meet quarterly before Audit Committee meeting
-
- Also meet on ad-hoc basis as business conditions warrant.
- Establish Enterprise Risk Management (ERM) Strategy
-
- Establish ERM Subgroups i.e. Operations, Finance, and
Regulatory.
-
- Ensure compliance with and effectiveness of ERM Strategy.
-
- Set Delegation of Authority (DOA) limits, which is key to who
is empowered for specific types of decision making.
- Review, approve, and monitor significant company
initiatives
-
- i.e. Major cross divisional IT projects.
-
- i.e. Major business process and organizational changes.
- Establish Corporate Investment Criteria Risk/Return
threshold
- Review all information (including 10Q and 10K) prior to Audit
Comm. reporting
- Review, approve, and monitor significant financing and company
capital structure
- ERM Subgroups Operations, Finance and Regulatory Mandate is to
Identify, Monitor, and Mitigate Risk
- Report and discuss risk assessments at Senior Risk Management
meetings
- 40. ENTERPRISE RISK MANAGEMENT - FUTURE
- New risks and mitigation efforts identified continuously.
- Mitigation efforts for known risks continue to be monitored.
- Strong senior management support up through the Board of Directors.
- Continuous change to adapt to the evolving risk environment.