
Enterprise Risk Management: The Elements, The Players, and The Case for Collaboration

Cole Emerson MBCP CPP

KPMG LLP

Monday, May 5th 4:00 pm – 5:00 pm

Enterprise Risk Management

• What is it?

• What are the elements?

• Who are the players?

• What is the case for collaboration?

• How does BCM contribute to “Enterprise Risk Management”?

• What are the common goals?

– Managing Risk

• What is a risk?

– The chance that something will happen (good or bad) that impacts the organization (positively or negatively)

• Risks are not always bad—the risk of production capacity not meeting the demands of a wildly successful product launch

Business Continuity Management & Risk Management


• What is risk management in the broadest sense?

– Risk Management is:

• the methods and processes used to manage those risks, possible events or circumstances that can have negative influence on the Enterprise

The Elements of Risk Management – ERM Perspective

Risk Management – ERM Perspective

• Three forms of risk management

– Loss avoidance

– Risk transfer

– Preparedness


Loss Avoidance

• Goal of limiting the frequency and extent of loss events

Risk Transfer

• Goal of alleviating the burden should a loss event occur by transferring part of the risk to a third party—e.g. insurance

Preparedness

• Goal of being in a position to restore the state of affairs that prevailed before the onset of a loss as rapidly as possible.


Impacts

• Involves the capacity to both avoid and deal with losses

• To reap the preparedness benefits the following should be taken into account

– Probability

– Extent

– Impact

Preparedness

• In the context of preparedness

– The question of whether a loss will occur is of less interest than how significant it would be and what would need to be done were it to occur

– Managing a loss can only consist in dealing with the consequences and thereby diminishing its significance

– The ability to accept and make the best of the loss

Four Levels Of Impact - Examples

• Trivial

• Disruptive

• Survival threatening

• Destructive losses


Trivial

• May at worst reduce the financial value, but not the functionality, of a system and therefore require no or only minimal countermeasures

Disruptive

• Impairs key functions and hence the performance of the system

• Primary task of event management is to restore or temporarily replace the functions that have been lost

Survival Threatening

• The system’s vital functions are impaired to such an extent that it can no longer maintain itself unaided


Destructive

• Natural

• Social

• Financial and Economic

• Technological Systems

Goal of Preparedness

• To keep a system or process operational despite losses

• To restore to the status quo ASAP

• To improve on the original state of affairs

Fire Example

• Fire prevention—avoiding losses

• Remaining risk is transferred by means of property and business interruption insurance

• Preparation involves establishing an emergency and crisis management organization which will ensure that critical business processes can be maintained even if a loss event occurs


Trade Offs

• Loss avoidance, risk transfer and preparedness may be traded off against each other

– Organization well prepared to deal with fire-related losses

• Can afford to spend slightly less on prevention or may opt for a higher insurance deductible

Preparedness

• May serve both to enhance safety and to reduce a company’s expenditures

– On loss avoidance

– On costs of risk transfer

Risk Strategy

• Risk strategy determines whether a company places primary emphasis on loss avoidance, risk transfer or preparedness

• If the strategy demands that no serious losses should occur, risk management will have to focus on preventing losses


What’s Driving Enterprise Risk Management?

• More prescriptive NYSE Listing Requirements

– Audit Committee – requirements to discuss policies with respect to risk assessment and risk management

• Increased regulatory compliance importance, e.g., SOX 404

– Leveraging the 404 infrastructure to broaden the definition of risk

• Recently updated COSO/ERM framework

• Adverse media coverage – reduced market tolerance for surprises

• Increased complexity and speed of change in business

– The risk profile of today’s global and virtual organization warrants study and more precision

ERM is a dynamic process which is focused on protecting an organization’s value proposition

Operational Risk Management Goal is to Reduce

• Regulatory Compliance

• Robustness

• Vendor Management

• Records Management

• Risk Management

• Continuity Management

• Health & Safety Mgt

• Quality Management

• Workplace Violence

• Death-on-Site

• Death-on-Study

• Loss of Key Staff

• Loss of Intellectual Property

• Human Error / Sabotage

• Security Breach

• Failure of LAN / WAN

• Malicious Code Attacks

• Loss of Information System Integrity

• Loss of data / vital records

• Inability to recover data

• Interrupted services

• Animal Activists

• Natural Disaster

• Fire, Explosion

• Pipe Break, Flooding

• Hazardous Spill

• Regulatory Change

Wonderful World of Risks

(Risk-universe diagram; only its text labels survive extraction. They are grouped below under the diagram’s own category headings.)

• Environment Risk

– Competitor, Sovereign/Political, Sensitivity, Catastrophic Loss, Industry (Weather), Capital Availability, Financial Markets, Regulatory, Legal, Shareholder Relations

• Process Risk

– Operations Risk: Customer Satisfaction, Human Resources, Efficiency, Capacity, Transportation, Performance Gaps, Cycle Time, Basis Risk, Obsolescence, Compliance, Business Interruption, Service Failure, Environmental, Health & Safety, Market Intelligence, Processing Technology, Supply Consolidation, Trademark / Brand Name

– Empowerment Risk: Leadership, Authority, Limit, Outsourcing, Communications, Incentives, Innovation, Change Readiness

– Integrity Risk: Management Fraud, Employee Fraud, Illegal Acts, Unauthorized Use, Reputation

– Technology Risk: Relevance, Integrity, Access, Availability, Infrastructure

– Financial Risk: Price (Commodity, Basis, Interest Rate, Financial Instrument, Currency, Equity); Liquidity (Cash Flow, Opportunity Cost); Credit (Default, Collateral, Concentration, Counter Party)

• Information for Decision Making Risk

– Operational: Pricing, Contract Commitment, Measurement / Modeling, Alignment

– Financial: Planning and Budget, Accounting Information, Financial Reporting / Evaluation, Taxation, Pension Fund, Investment Evaluation

– Strategic: Business Portfolio, Transaction & Valuation, Performance Measurement, Organizational Structure, Resource Allocation, Planning, Life Cycle

– Reporting & Compliance: Regulatory Reporting, Financial Reporting


Risk Goes Beyond Regulatory Compliance To Other Aspects of the Business

• A typical risk profile now shows many more potential risks than three years ago

• The risk profile needs to look at 1-5 years

Risk timeline map (figure). Key: Timeline – Now, 1-3 years, 3-5 years; additional risks. Source: KPMG LLP (U.K.)’s aggregated experience facilitating client risk assessment workshops, 2005

Risks plotted on the map: Geopolitical and security risk, Oil prices, Rising cost of employee benefits, Innovation, Regulatory compliance, Competitive pressures, Outsourcing, Changing market conditions, Bankruptcy & credit risk, Management data and transparency, Macroeconomic & financial risk, Country risk, Attract and retain staff, Start-ups, alliances and acquisitions, Governance, Major customer default, Demography, IT networks and security, Self-reporting relationships, Fraud, Insurance coverage, Energy & climate, Financial reporting, Corporate responsibility, Emerging markets, Supply chain, Transfer pricing, Health, Off-shoring, Ecological, Business continuity, Human rights, Pensions, Product pipeline, Product liability, Physical asset protection, Tax, Treasury, Reputation, Technology, Market risk, Financing risk, Foreign exchange risk, Commoditization, Terrorism, Natural hazard risk, Inflation, Human capital risk, IP Management

New Challenges – New Risks

– Climate Change

• Discussed and considered as a major risk by major insurance and reinsurance organizations

• Site placement and/or expansion a key risk

• Differing opinions even within the scientific community

– Terrorism

• Statistics showed that pre-Iraq terrorism was on a decline

• Discussions and concern about future domestic terrorism

• Potential lack of consideration and understanding of different cultures

New Challenges – New Risks

– Regulatory and Compliance

• New legislation promoting voluntary certification of corporate business continuity plans positions business continuity management (BCM) as a topic of discussion at the board level

• At some point in time

– A certification process will be established

» Utilizing multiple existing standards


Examples of Enterprise and Operational Risks

• Enterprise Risk Management

– External financial event that has broad, global impact and long-lasting consequences

– Heavy dependency on key business relationships (e.g. Business Partner, Air Transportation, Federal Government)

– Increased risk associated with a heightened legal, compliance and customer advocacy environment

– Lack of investment on competitive online capabilities

– US based processes do not align with International market needs or regulations

• Operational Risk Management

– External non-financial event that has broad, global impact and long-lasting consequences

– Risk of data compromise via internal and external intrusion

– Breakdown in operating procedures & employee responsibilities

– Loss of key talent & proprietary skills

– Platform infrastructure and stability

– Shifting staff support leads to operational error

– Service disruption caused by outsourcing relationship

How Do We Portray Risk

Key: Top Ten Risks; Reputation Risks; Product Performance and Quality Risks; Regulatory and Compliance Risks; Operating Risks; Growth and Strategic Risks

Top Ten Risks:

• 3j Loss of building, together with key staff or technology infrastructure

• 1c Adverse changes in law and government affecting the company’s business model

• 5a Loss of market share or revenue through competition or regulation

• 5b Introduction of competing products and technologies by other companies

• 5c Inability to attract and retain key employees

• 1b Failure to develop global management and information systems

• 4d Exposure to litigation related to the company’s products/services

• 3h Deficient products/services provided resulting in loss of reputation

• 4a Inability to react to changes in overseas legal, economic, or regulatory environment

• 3i Increased pricing pressure from competitors and/or customers

Risk matrix (figure): horizontal axis Likelihood of Risk Occurrence – Remote, Unlikely, Possible, Likely, Almost certain; vertical axis Risk Consequence – Insignificant, Minor, Moderate, Major, Catastrophic. Sample Risks (Random Plotting): 1a, 1b, 1c, 1d, 1e, 1f, 2a, 2b, 2c, 3a, 3b, 3c, 3d, 3e, 3f, 3g, 3h, 3i, 3j, 4a, 4b, 4c, 4d, 4e, 4f, 4g, 4h, 4i, 4j, 5a, 5b, 5c
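The likelihood/consequence grid above, worked through in code as an added example (this is not part of the presentation): each ordinal rating is mapped to a rank from 1 to 5 and the two ranks are multiplied, which is the same rank-ordering of qualitative answers in increasing-risk order that the Qualitative Model slide later describes. The risk IDs and descriptions are taken from the slide’s top-ten list; the likelihood and consequence ratings assigned to them here are constructed, since the slide plots its sample risks at random.

```python
"""Risk matrix scoring: places identified risks on the 5x5 likelihood/consequence
grid from the slide and ranks them. Added example; the ratings below are constructed."""
from collections import defaultdict

# Axis labels exactly as the slide's matrix shows them, in increasing-risk order
LIKELIHOOD = ["Remote", "Unlikely", "Possible", "Likely", "Almost certain"]
CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]

# Risk IDs and descriptions from the slide; the (likelihood, consequence)
# ratings are constructed for illustration.
SAMPLE_RISKS = {
    "3j": ("Loss of building, together with key staff or technology infrastructure",
           "Unlikely", "Catastrophic"),
    "1c": ("Adverse changes in law and government affecting the company's business model",
           "Possible", "Major"),
    "5a": ("Loss of market share or revenue through competition or regulation",
           "Likely", "Moderate"),
    "5c": ("Inability to attract and retain key employees", "Likely", "Minor"),
    "4d": ("Exposure to litigation related to the company's products/services",
           "Possible", "Moderate"),
    "3i": ("Increased pricing pressure from competitors and/or customers",
           "Almost certain", "Minor"),
}


def score(likelihood, consequence):
    """Rank-order scoring: each axis becomes 1..5, the product is 1..25."""
    return (LIKELIHOOD.index(likelihood) + 1) * (CONSEQUENCE.index(consequence) + 1)


def rank_risks(risks):
    """Risk IDs from highest to lowest score; ties are broken by ID."""
    return sorted(risks, key=lambda rid: (-score(risks[rid][1], risks[rid][2]), rid))


def build_matrix(risks):
    """Map each (likelihood, consequence) cell to the risk IDs plotted in it."""
    cells = defaultdict(list)
    for rid, (_, lik, con) in risks.items():
        cells[(lik, con)].append(rid)
    return cells


def render(risks):
    """ASCII heat map: columns are likelihood, rows run Catastrophic down to Insignificant."""
    cells = build_matrix(risks)
    width = 16
    lines = [" " * width + "".join(lik.ljust(width) for lik in LIKELIHOOD)]
    for con in reversed(CONSEQUENCE):
        row = con.ljust(width)
        for lik in LIKELIHOOD:
            row += ",".join(cells.get((lik, con), [])).ljust(width)
        lines.append(row)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_RISKS))
    for rid in rank_risks(SAMPLE_RISKS):
        _, lik, con = SAMPLE_RISKS[rid]
        print(f"{rid}: score {score(lik, con):2d} ({lik} / {con})")
```

Because the scoring is ordinal, a product of 12 from (Possible, Major) and one from (Likely, Moderate) tie; the ranking therefore only tells you which cells to look at first, and the top-ten list on the slide is still a judgement call made over that grid.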

The Players


• What organizations should BCM be aligned with to develop EWS?

– Enterprise Wide Synergy

• Operational Risk Management (ORM)

– Physical, environmental, security, technology, financial, regulatory, compliance, political, terrorism, war

– Most closely aligned with BCM related risks

Risk Management Organizations


• Enterprise Risk Management (ERM)

– Is similar to operational risk management (ORM) but also includes credit risk and market risk. ERM when combined with ORM is the highest level of risk management within the organization

• ERM and ORM may sometimes be combined under one organization

• Business Continuity Management

– Primarily focuses on the risk of an interruption of operations

Risk Management Organizations

• ORM and ERM risks are broader than just interruption of operations

– Any risk that could disrupt strategic or operational plans


Risk Ownership & Accountability

• BCM, ERM and ORM programs make risk accountability highly visible and documented practices

• Risk management must consider diverse views of risk

– One manager’s opportunity may be another manager’s disaster

• What is not a risk to one group may well be a risk to others

• In Asia the characters representing the word for risk are also the word for opportunity

Risk Ownership & Accountability

• BCM identifies dependencies on sets of business processes and the interruption consequences associated with those processes

• BIA identifies dependencies on sets of technology, infrastructure and applications

• RA identifies likely threats, vulnerabilities, mitigation options, potential impacts

• ERM & ORM typically identify organizationally who within the enterprise owns specific sets of risks and has responsibility to identify, evaluate and develop appropriate risk mitigation strategies

Risk Awareness May Be Critical

• Case Study 1

• Case Study 2


Risk Awareness – Case Study 1

– Dockworker Strike 2002

• 29 US ports locked down for ten days

• Container ships had to wait in open water for the strike to end

• Strike followed months of deteriorating relations between the union and Pacific Maritime Association

• Wal-Mart and Costco recognized the impending threat

– Took steps to ramp up imports prior to the shut down to minimize risk of being left without stock

Increase Sensitivity to Risk

• Other companies could only wait for the lockdown to end before resuming transportation of their pre-Christmas stock

– First organization to recognize an impending crisis will get:

• Best price on insurance

• First bite at alternative partners

• The best rates on additional facilities

– Warehousing or shipping

– Firms lower down the chain:

• Will have to pay more

• May find all alternative capacity has been consumed

Lack of Awareness Delays Response

Note: As time progresses, the information surrounding a given risk event may increase. But as it does, the options available for effective mitigation are bound to reduce. Risk mitigation – as with risk itself – involves degrees of uncertainty. Taking proactive mitigation policies implies operating under considerable uncertainty, with incomplete indicators.

Source: Crisis and Risk Network, Swiss Federal Institute for Technology


Risk Awareness – Case Study 2

– In 2000, for example, a minor fire at a semiconductor manufacturing plant in New Mexico operated by Philips, the electronics company, led to very different outcomes for the factory’s two main customers, Scandinavian handset manufacturers Nokia and Ericsson

– Philips initially told its customers that the factory would resume production within a week, but it greatly underestimated the scale of the disruption caused by smoke and debris to the sterile environment required for chip production. In the end, it took many months to restore the factory and resume production

Case Study 2 - First in Line

– Nokia responded to the fire by immediately sourcing other supplies and put pressure on Philips to provide alternative sources of chips from other factories

– Ericsson, meanwhile, assumed that the fire was a minor technical glitch and waited for normal business to be resumed. By the time it realized the magnitude of the problem, it was too late

– The company was unable to find alternative supplies and production of its new generation of handsets was severely affected

• At the end of 2000, Ericsson posted a loss of US$2.34m, much of which could be attributed to the disruption in chip supplies caused by the New Mexico fire

First in Line

– Nokia, meanwhile, went on to increase its share of the handset market from 27% to 30% in the six months that followed the incident

– The different responses of Nokia and Ericsson to what initially seemed a minor disruption illustrate an important point about the need for businesses to prepare effectively for a wide range of incidents


Collaboration

Where do BCM practices fit into the ERM Picture?

• Enterprise & Operational Risk Management

– Analyses conducted by BCM

• BIA example:

– Provides impact information to complete the enterprise and operational risk management profiles

– Provides data to help create a risk profile with threat and impact data by country, city, location, function and line of business

Insurance

• The analyses:

– Provides impact data by location to assist in a more focused allocation of coverage to high impact locations

• Can aggregate potential loss information from multiple lines of business by location


Corporate Security

• The analyses:

– Provides security information needed to create an impact profile for each major location

– Allows security to focus more attention and resources on the highest impact locations

Real Estate

• The analyses:

– Provides numbers of staff required by critical process and timeframe for relocation if necessary

– Provides insight into number of seats within nearby company sites that may be made available until more permanent alternate facilities can be found

• Assuming less time sensitive staff can give up seats to more critical staff

Applications

• The analyses:

– Associates applications with business processes and business process recovery time objectives

– Provides business process owners a better understanding of application dependencies

– Provides IT opportunities for flexible, phased and more cost effective recovery strategies and solutions


Information Security

• The analyses:

– Provides information needed to understand the consequences of shutting down servers, email and web applications

Risk Model Examples


• Monte Carlo

• Qualitative Model

• Semi-quantitative Model

• Mini Time-Series Model

• Fate Transport (Process/Health) Model

• Decision Tree Conversion

• Legal Model

• Comprehensive Risk Assessment


Monte Carlo Model

• Technique generally used to solve problems for which the definition of specific solution equations to calculate a specific answer is either too complex or too cumbersome to be practical

– Input – array of data points, e.g. frequency, severity, scope, variations, etc.

– Output – probability of occurrence under a broad array of circumstances
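A small Monte Carlo loss model of the kind the slide describes, added here as an example (it is not the presenter’s or KPMG’s model). Frequency and severity are the inputs; the output is the probability that a year’s losses exceed a chosen threshold, plus a high percentile for sizing insurance or reserves. The modelling choices are assumptions: event counts per year are Poisson, the cost of one event is lognormal, and the rate, median cost and threshold values are constructed.

```python
"""Monte Carlo loss model: simulates annual losses from a frequency/severity
description of one risk and reports the probability of exceeding a threshold.
Added example; the Poisson/lognormal choice and all parameter values are assumptions."""
import math
import random


def poisson(rng, lam):
    """Number of loss events in one year (Knuth's method; fine for small rates)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(rate, median_severity, sigma, years, seed=7):
    """Return one simulated total loss per year.

    rate            expected loss events per year (frequency)
    median_severity median cost of a single event; severity is lognormal
    sigma           spread of the lognormal severity (variation)
    """
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    mu = math.log(median_severity)
    totals = []
    for _ in range(years):
        events = poisson(rng, rate)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return totals


def exceedance_probability(losses, threshold):
    """Fraction of simulated years whose total loss exceeds the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def percentile(losses, q):
    """Empirical q-quantile (0..1) of the simulated annual losses."""
    ordered = sorted(losses)
    return ordered[min(len(ordered) - 1, int(q * (len(ordered) - 1)))]


def expected_annual_loss(rate, median_severity, sigma):
    """Closed form used to sanity-check the simulation: rate * E[lognormal]."""
    return rate * median_severity * math.exp(sigma ** 2 / 2)


if __name__ == "__main__":
    # Constructed scenario: about two interruption events a year, median cost 100k
    losses = simulate_annual_losses(rate=2.0, median_severity=100_000, sigma=1.0, years=20_000)
    print(f"mean annual loss    {sum(losses) / len(losses):12,.0f}")
    print(f"analytic expected   {expected_annual_loss(2.0, 100_000, 1.0):12,.0f}")
    print(f"P(loss > 1,000,000) {exceedance_probability(losses, 1_000_000):12.3f}")
    print(f"95th percentile     {percentile(losses, 0.95):12,.0f}")
```

Comparing the simulated mean with the closed-form expected loss is the check that the simulation is wired up correctly; the quantity the simulation adds over the formula is the tail (the exceedance probability and the 95th percentile), which is what a preparedness or risk-transfer decision actually needs.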

Legal Model

• A model that calculates the net benefit of settlement vs. litigation was built to aid in legal decisions

– Input

• Net benefit of settlement

• Net cost of litigation

• Net cost of settlement

• Total cost of verdict

– Output

• Net benefit of settlement vs. litigation

Environmental Health & Safety model

• Models built to calculate the total environmental, health and safety risk and cost associated with entry by the organization into various countries around the world

– Input

• Public perception

• Government approvals/permits

• Ecological/cultural parameters

• Health and safety considerations

• Evaluation of preexisting damage

– Output

• Risk values


Pipeline Route-Selection Model

• A comprehensive time-series model was constructed to help a consortium decide which of several routes would be selected to construct a pipeline for a major oil field.

– Input

• Tariffs and other parameters from variables

• Political concerns

• Environmental problems

• Commercial considerations

• Financial parameters

• Technical considerations

• Taxes

– Output

• Routes prioritized and ranked

Political Models

• Models constructed to evaluate other countries based on categories of variables.

– Input

• Political stability

• Foreign investment conditions

• Operating environment

• Transportation infrastructure

– Output

• Comparison of countries on a common scale

Capital Project Ranking and Portfolio Mgmt

• Model calculates

– Profitability index (PI)

– Internal rate of return (IRR)

– Net present value (NPV)

– Other financial outputs

• Inputs

– Project safety and environmental aspects, cost estimates, incentives, discount rates, taxes, maintenance, insurance costs

• Output

– Projects are ranked and portfolio managed based on model output
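The three measures the slide names, computed and used to rank candidate projects, as an added example (not the presenter’s model). NPV and PI are straightforward discounting; IRR has no closed form, so it is found by bisection on the rate at which NPV crosses zero. The project names, cash flows and the 10% discount rate are constructed.

```python
"""Capital project ranking: NPV, IRR and profitability index (PI) for candidate
projects, then a ranking. Added example; cash flows and rate are constructed."""


def npv(rate, cash_flows):
    """Net present value; cash_flows[0] is the time-0 outlay (negative)."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows, low=-0.99, high=10.0, tol=1e-9):
    """Internal rate of return by bisection on NPV(rate) = 0.

    Assumes a conventional project (one outlay followed by inflows), so NPV is
    decreasing in the rate and the root inside the bracket is unique.
    """
    if npv(low, cash_flows) * npv(high, cash_flows) > 0:
        raise ValueError("IRR not bracketed; cash flows may be unconventional")
    while high - low > tol:
        mid = (low + high) / 2
        if npv(mid, cash_flows) > 0:
            low = mid      # NPV still positive: the root lies at a higher rate
        else:
            high = mid
    return (low + high) / 2


def profitability_index(rate, cash_flows):
    """PI = present value of future inflows / initial outlay (PI > 1 adds value)."""
    outlay = -cash_flows[0]
    pv_inflows = npv(rate, cash_flows) + outlay
    return pv_inflows / outlay


def rank_projects(rate, projects, key="pi"):
    """Rank projects (name -> cash flows) best first by 'pi', 'npv' or 'irr'."""
    metric = {
        "pi": lambda cfs: profitability_index(rate, cfs),
        "npv": lambda cfs: npv(rate, cfs),
        "irr": lambda cfs: irr(cfs),
    }[key]
    return sorted(projects, key=lambda name: metric(projects[name]), reverse=True)


if __name__ == "__main__":
    # Constructed candidates: outlay at year 0 followed by annual inflows
    projects = {"A": [-100, 60, 60], "B": [-50, 20, 20, 20]}
    rate = 0.10
    for name, cfs in projects.items():
        print(f"{name}: NPV {npv(rate, cfs):7.2f}  IRR {irr(cfs):6.2%}  "
              f"PI {profitability_index(rate, cfs):5.3f}")
    print("ranked by PI:", rank_projects(rate, projects))
```

Ranking by PI rather than NPV matters when capital is constrained: PI measures value created per unit of outlay, so a small project can outrank a larger one with a higher absolute NPV. The slide’s safety, environmental, insurance and maintenance inputs enter this model as adjustments to the cash flows before discounting.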


Qualitative Model

• Most risk assessment models require the integration of “hard” data from real-world measurements or forecasts and “soft” data that are not expressed quantitatively.

– One approach (of many) to treating qualitative data is to rank-order the qualitative answers in increasing-risk order.

New Product Model

• Research and development organizations generate products and processes, each of which has a commercial value

– Input

• Technical considerations

• Marketing aspects

• Financial/commercial facets

– Output

• Data to prioritize potential new products

Fate/Transport Model

• Model constructed to calculate inhalation exposure. Exposure is represented by the average daily dose for non-carcinogens and the lifetime average daily dose for carcinogens

– Input

• Concentration of chemicals in the air

• Inhalation rate

• Bioavailability

• Exposure duration

• Exposure frequency

• Body weight

• Average lifetime

– Output

• Inhalation risk


Common Success Factors

Companies that successfully continue or recover operations practice risk management against a specific risk…the risk of disruption to operations

– They:

• Identify and assess the potential risks and impacts

• Validate and measure the necessary controls

• Take specific actions to mitigate or optimize the risks

• Prove mitigation and recovery solutions work

• Monitor the current state of action plans and

• Are aware and responsive to change

Common Success Factors

– They have:

• Strong executive and financial commitment

• Integrated planning to align processes, impacts and risks

• Processes to protect critical operations

• Well planned communication strategies

– They are:

• Prepared to meet the needs of their clients and customers

– Regardless of whatever disruption may occur

Program Effectiveness

• BCM, ERM and ORM require the same level of:

– Strong executive sponsorship

– Well defined process governance

– Integrated planning and

– Accountability, ongoing communications and sharing of information between the groups


Conclusion

• Business Continuity Management and other risk related programs such as Security, Information Security, Emergency Response, Crisis Management are all part of the larger Enterprise Risk Management Process

• Unfortunately many times there is no working relationship—it’s a must to establish that relationship

• Many times the terminology is different even though all are talking about the same thing—synchronize the terms

• The end benefit? Together the whole is definitely greater than the sum of its parts

COLE EMERSON MBCP CPP

Director

Firmwide Business Continuity

KPMG LLP

Mr. Emerson serves as the Director of Firmwide Business Continuity. He has direct responsibility or oversight over Emergency Response, Crisis Management, Business Continuity and Disaster Recovery for the United States. Cole has over 30 years of experience in developing and evaluating many aspects of enterprise risk management, including Business Continuity, Crisis Management, Disaster Recovery, Data and Vital Records Management and Project Risk Management for national and international businesses and governments.

Background & Qualifications

Mr. Emerson received a Bachelor of Science in Business Administration from the University of Redlands and his Master Business Continuity Professional (MBCP) certification – one of less than 80 globally – from DRII. The American Society for Industrial Security (ASIS) certifies Mr. Emerson as a Board Certified Protection Professional. Prior to joining KPMG, Cole managed his own firm for 12 years, where he developed and implemented Business Continuity, Crisis Management, and Disaster Recovery programs for Fortune 500 companies. Mr. Emerson has extensive and unique experience utilizing business continuity plans and managing recovery teams in actual major disasters.

Contact details

Email: [email protected]

Office: 1-916-554-1777

Cell: 1-916-296-9747