Enterprise Risk Management: The Elements, The Players, and The Case for Collaboration
Cole Emerson MBCP CPP
KPMG LLP
Monday, May 5th 4:00 pm – 5:00 pm
Enterprise Risk Management
• What is it?
• What are the elements?
• Who are the players?
• What is the case for collaboration?
• How does BCM contribute to Enterprise Risk Management?
• What are the common goals?
Managing Risk
• What is a risk?
– The chance that something will happen (good or bad) that impacts the organization (positively or negatively)
• Risks are not always bad: consider the risk of production capacity not meeting the demand created by a wildly successful product launch
Business Continuity Management & Risk Management
• What is risk management in the broadest sense?
– Risk Management is the methods and processes used to manage those risks, possible events or circumstances that can have a negative influence on the Enterprise
The Elements of Risk Management – ERM Perspective
• Three forms of risk management
– Loss avoidance
– Risk transfer
– Preparedness
Loss Avoidance
• Goal of limiting the frequency and extent of loss events
Risk Transfer
• Goal of alleviating the burden should a loss event occur by
transferring part of the risk to a third party—e.g. insurance
Preparedness
• Goal of being in a position to restore the state of affairs
that prevailed before the onset of a loss as rapidly as
possible.
Impacts
• Preparedness involves the capacity both to avoid losses and to deal with them
• To reap the benefits of preparedness, the following should be taken into account
– Probability
– Extent
– Impact
Preparedness
• In the context of preparedness
– The question of whether a loss will occur is of less interest than how significant it would be and what would need to be done were it to occur
– Managing a loss can only consist of dealing with the consequences and thereby diminishing its significance
– The ability to accept the loss and make the best of it
Four Levels Of Impact - Examples
• Trivial
• Disruptive
• Survival threatening
• Destructive losses
Trivial
• May at worst reduce the financial value, but not the
functionality, of a system and therefore require no or only
minimal countermeasures
Disruptive
• Impairs key functions and hence the performance of the
system
• Primary task of event management is to restore or
temporarily replace the functions that have been lost
Survival Threatening
• The system’s vital functions are impaired to such an extent
that it can no longer maintain itself unaided
Destructive
• The loss destroys the system itself; the category applies to systems of every kind:
– Natural
– Social
– Financial and economic
– Technological
Goal of Preparedness
• To keep a system or process operational despite losses
• To restore to the status quo ASAP
• To improve on the original state of affairs
Fire Example
• Fire prevention—avoiding losses
• Remaining risk is transferred by means of property and
business interruption insurance
• Preparation involves establishing an emergency and crisis
management organization which will ensure that critical
business processes can be maintained even if a loss event
occurs
Trade Offs
• Loss avoidance, risk transfer and preparedness may be
traded off against each other
– Organization well prepared to deal with fire-related
losses
• Can afford to spend slightly less on prevention or
may opt for a higher insurance deductible
Preparedness
• May serve both to enhance safety and to reduce a
company’s expenditures
– On loss avoidance
– On costs of risk transfer
Risk Strategy
• Risk strategy determines whether a company places primary emphasis on loss avoidance, risk transfer or preparedness
• If the strategy demands that no serious losses should occur, risk management will have to focus on loss prevention
What’s Driving Enterprise Risk Management?
More prescriptive NYSE Listing Requirements �Audit Committee – requirements to discuss policies
with respect to risk assessment and risk managementIncreased regulatory compliance importance, e.g., SOX 404
�Leveraging the 404 infrastructure to broaden the definition of risk
Recently updated COSO/ERM framework
Adverse media coverage – reduced market tolerance for surprises
Increased complexity and speed of change in business
�The risk profile of today’s global and virtual organization warrants study and more precision
ERM is a dynamic process which is focused on protecting
an organization’s value proposition
Operational Risk Management – Goal is to Reduce Exposure
• Contributing disciplines:
– Regulatory Compliance
– Robustness
– Vendor Management
– Records Management
– Risk Management
– Continuity Management
– Health & Safety Management
– Quality Management
• Events and exposures to be reduced:
– Workplace Violence
– Death-on-Site
– Death-on-Study
– Loss of Key Staff
– Loss of Intellectual Property
– Human Error / Sabotage
– Security Breach
– Failure of LAN / WAN
– Malicious Code Attacks
– Loss of Information System Integrity
– Loss of Data / Vital Records
– Inability to Recover Data
– Interrupted Services
– Animal Activists
– Natural Disaster
– Fire, Explosion
– Pipe Break, Flooding
– Hazardous Spill
– Regulatory Change
Wonderful World of Risks
[Diagram: a risk-universe map. Top-level groups shown: Environment Risk; Process Risk, subdivided into Operations Risk, Empowerment Risk, Technology Risk, Integrity Risk and Financial Risk (Price, Liquidity, Credit); and Information for Decision Making Risk, subdivided into Operational, Financial, Strategic and Reporting & Compliance. Individual labels recovered from the diagram (their grouping was lost in extraction): Leadership, Authority/Limit, Outsourcing, Communications, Incentives, Innovation, Change Readiness, Regulatory, Legal, Financial Markets, Regulatory Reporting, Financial Reporting, Shareholder Relations, Competitor, Sovereign/Political, Sensitivity, Catastrophic Loss, Industry (Weather), Capital Availability, Customer Satisfaction, Human Resources, Efficiency, Capacity, Transportation, Performance Gaps, Cycle Time, Basis Risk, Obsolescence, Compliance, Business Interruption, Service Failure, Environmental, Health & Safety, Market Intelligence, Processing Technology, Supply Consolidation, Trademark / Brand Name, Management Fraud, Employee Fraud, Illegal Acts, Unauthorized Use, Reputation, Relevance, Integrity, Access, Availability, Infrastructure, Commodity, Basis, Interest Rate, Financial Instrument, Currency, Equity, Pricing, Contract Commitment, Measurement / Modeling, Alignment, Business Portfolio, Transaction & Valuation, Performance Measurement, Organizational Structure, Resource Allocation, Planning, Life Cycle, Planning and Budget, Accounting Information, Financial Reporting / Evaluation, Taxation, Pension Fund, Investment Evaluation, Cash Flow, Opportunity Cost, Default, Collateral, Concentration, Counter Party.]
Risk Goes Beyond Regulatory Compliance to Other Aspects of the Business
• A typical risk profile now shows many more potential risks than three years ago
• The risk profile needs to look at 1-5 years
[Chart: risks plotted on a timeline with bands "Now", "1-3 years" and "3-5 years", with a separate marker for "Additional risks"; the band each risk falls in is not recoverable from the extracted text. Risks shown: Geopolitical and security risk; Oil prices; Rising cost of employee benefits; Innovation; Regulatory compliance; Competitive pressures; Outsourcing; Changing market conditions; Bankruptcy & credit risk; Management data and transparency; Macroeconomic & financial risk; Country risk; Attract and retain staff; Start-ups, alliances and acquisitions; Governance; Major customer default; Demography; IT networks and security; Self-reporting relationships; Fraud; Insurance coverage; Energy & climate; Financial reporting; Corporate responsibility; Emerging markets; Supply chain; Transfer pricing; Health; Off-shoring; Ecological; Business continuity; Human rights; Pensions; Product pipeline; Product liability; Physical asset protection; Tax; Treasury; Reputation; Technology; Market risk; Financing risk; Foreign exchange risk; Commoditization; Terrorism; Natural hazard risk; Inflation; Human capital risk; IP Management.]
Source: KPMG LLP (U.K.)'s aggregated experience facilitating client risk assessment workshops, 2005
New Challenges – New Risks
– Climate Change
• Discussed and considered as a major risk by major insurance and reinsurance organizations
• Site placement and/or expansion a key risk
• Differing opinions even within the scientific community
– Terrorism
• Statistics showed that pre-Iraq terrorism was on a decline
• Discussions and concern about future domestic terrorism
• Potential lack of consideration and understanding of different cultures
New Challenges – New Risks
– Regulatory and Compliance
• New legislation promoting voluntary certification of corporate business continuity plans positions business continuity management (BCM) as a topic of discussion at the board level
• At some point in time
– A certification process will be established
» Utilizing multiple existing standards
Examples of Enterprise and Operational Risks
• Enterprise Risk Management
– External financial event that has broad, global impact and long-lasting consequences
– Heavy dependency on key business relationships (e.g. Business Partner, Air Transportation, Federal Government)
– Increased risk associated with a heightened legal, compliance and customer advocacy environment
– Lack of investment in competitive online capabilities
– US-based processes do not align with international market needs or regulations
• Operational Risk Management
– External non-financial event that has broad, global impact and long-lasting consequences
– Risk of data compromise via internal and external intrusion
– Breakdown in operating procedures and employee responsibilities
– Loss of key talent and proprietary skills
– Platform infrastructure and stability
– Shifting staff support leads to operational error
– Service disruption caused by an outsourcing relationship
How Do We Portray Risk?
[Chart: a 5 x 5 likelihood-consequence matrix with sample risks plotted at random. Horizontal axis, Likelihood of Risk Occurrence: Remote, Unlikely, Possible, Likely, Almost certain. Vertical axis, Risk Consequence: Insignificant, Minor, Moderate, Major, Catastrophic. Key (risk categories): Reputation Risks; Performance and Quality Risks; Regulatory and Compliance Risks; Operating Risks; Growth and Strategic Risks. Risk codes 1a through 5c appear as plotted points; their positions are not recoverable from the extracted text.]
Top Ten Risks (in the order listed on the chart)
1. 3j Loss of building, together with key staff or technology infrastructure
2. 1c Adverse changes in law and government affecting the company's business model
3. 5a Loss of market share or revenue through competition or regulation
4. 5b Introduction of competing products and technologies by other companies
5. 5c Inability to attract and retain key employees
6. 1b Failure to develop global management and information systems
7. 4d Exposure to litigation related to the company's products/services
8. 3h Deficient products/services provided resulting in loss of reputation
9. 4a Inability to react to changes in overseas legal, economic, or regulatory environment
10. 3i Increased pricing pressure from competitors and/or customers
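The likelihood-consequence matrix on the chart above, turned into a scoring routine. This is an added example written for this page, not code from the deck or from KPMG; the (likelihood, consequence) ratings assigned to each of the ten listed risks are assumed for illustration (the chart itself says its plotting is random), and the high/medium/low banding thresholds are hypothetical.

```python
"""Likelihood x consequence risk matrix for the ten risks listed on the
'How Do We Portray Risk' chart.  Added example, not from the original
deck; the ratings below are assumed, as are the banding thresholds."""

LIKELIHOOD = ["Remote", "Unlikely", "Possible", "Likely", "Almost certain"]
CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]

# Top-ten codes and descriptions from the chart, with assumed
# (likelihood, consequence) ratings on the 1..5 scale of each axis.
RISKS = {
    "3j": ("Loss of building with key staff or technology infrastructure", 1, 5),
    "1c": ("Adverse changes in law and government", 3, 4),
    "5a": ("Loss of market share or revenue", 4, 4),
    "5b": ("Competing products and technologies", 4, 3),
    "5c": ("Inability to attract and retain key employees", 3, 3),
    "1b": ("Failure to develop global management and information systems", 2, 4),
    "4d": ("Litigation related to products/services", 3, 3),
    "3h": ("Deficient products/services damaging reputation", 2, 4),
    "4a": ("Inability to react to overseas legal/economic/regulatory change", 2, 3),
    "3i": ("Pricing pressure from competitors and/or customers", 5, 2),
}


def score(likelihood: int, consequence: int) -> int:
    """Ordinal product; both inputs must be on the 1..5 axis scale."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("ratings must be between 1 and 5")
    return likelihood * consequence


def band(s: int) -> str:
    """Hypothetical banding: high >= 15, medium >= 8, otherwise low."""
    if s >= 15:
        return "high"
    if s >= 8:
        return "medium"
    return "low"


def ranked(risks=RISKS) -> list:
    """[(code, score, band)] by score descending; ties broken by consequence
    so that a high-impact item outranks an equal-score nuisance item."""
    rows = [(code, score(l, c), band(score(l, c)), c)
            for code, (_, l, c) in risks.items()]
    rows.sort(key=lambda r: (r[1], r[3]), reverse=True)
    return [(code, s, b) for code, s, b, _ in rows]


def render_matrix(risks=RISKS) -> str:
    """Text heat map: rows are consequence (Catastrophic at the top),
    columns are likelihood; each cell lists the codes plotted there."""
    cells = {(l, c): [] for l in range(1, 6) for c in range(1, 6)}
    for code, (_, l, c) in risks.items():
        cells[(l, c)].append(code)
    width = 15
    lines = ["".ljust(width) + "".join(h[:width - 1].ljust(width) for h in LIKELIHOOD)]
    for c in range(5, 0, -1):
        row = CONSEQUENCE[c - 1].ljust(width)
        for l in range(1, 6):
            row += (" ".join(cells[(l, c)]) or ".").ljust(width)
        lines.append(row)
    return "\n".join(lines)


if __name__ == "__main__":
    for code, s, b in ranked():
        print(f"{code}  score={s:2d}  {b:6s}  {RISKS[code][0]}")
    print()
    print(render_matrix())
```

Note what the product score does to risk 3j: a remote but catastrophic loss of a building scores 5 and lands in the "low" band, below routine pricing pressure. That is the well-known weakness of multiplying ordinal ratings, and it is why the rendered matrix, which keeps 3j visible in the Catastrophic row, is a better board-level view than the ranked list alone.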
The Players
• What organizations should BCM be aligned with to develop EWS (Enterprise Wide Synergy)?
• Operational Risk Management (ORM)
– Physical, environmental, security, technology, financial, regulatory, compliance, political, terrorism, war
– Most closely aligned with BCM-related risks
Risk Management Organizations
• Enterprise Risk Management (ERM)
– Is similar to operational risk management (ORM) but also includes credit risk and market risk. ERM when combined with ORM is the highest level of risk management within the organization
• ERM and ORM may sometimes be combined under one organization
• Business Continuity Management
– Primarily focuses on the risk of an interruption of operations
Risk Management Organizations
• ORM and ERM risks are broader than just interruption of
operations
– Any risk that could disrupt strategic or operational
plans
Risk Ownership & Accountability
• BCM, ERM and ORM programs make risk accountability a highly visible and documented practice
• Risk management must consider diverse views of risk
– One manager's opportunity may be another manager's disaster
• What is not a risk to one group may well be a risk to others
• In some Asian languages the characters representing the word for risk also represent the word for opportunity
Risk Ownership & Accountability
• BCM identifies dependencies on sets of business processes and the interruption consequences associated with those processes
• The BIA identifies which sets of technology, infrastructure and applications those processes depend on
• The RA identifies likely threats, vulnerabilities, mitigation options and potential impacts
• ERM and ORM typically identify who within the enterprise owns specific sets of risks and has responsibility to identify, evaluate and develop appropriate risk mitigation strategies
Risk Awareness May Be Critical
• Case Study 1
• Case Study 2
Risk Awareness – Case Study 1
– West Coast Dockworker Lockout 2002
• 29 US West Coast ports were shut down for ten days
• Container ships had to wait in open water for the lockout to end
• The shutdown followed months of deteriorating relations between the union and the Pacific Maritime Association
• Wal-Mart and Costco recognized the impending threat
– They took steps to ramp up imports prior to the shutdown to minimize the risk of being left without stock
Increase Sensitivity to Risk
• Other companies could only wait for the lockout to end before resuming transportation of their pre-Christmas stock
– The first organization to recognize an impending crisis will get:
• The best price on insurance
• First bite at alternative partners
• The best rates on additional facilities
– Warehousing or shipping
– Firms lower down the chain:
• Will have to pay more
• May find all alternative capacity has been consumed
Lack of Awareness Delays Response
Note: As time progresses, the information surrounding a given risk event may increase, but as it does, the options available for effective mitigation are bound to shrink. Risk mitigation, like risk itself, involves degrees of uncertainty. Adopting proactive mitigation policies means operating under considerable uncertainty, with incomplete indicators.
Source: Crisis and Risk Network, Swiss Federal Institute of Technology
Risk Awareness – Case Study 2
– In 2000 a minor fire at a semiconductor manufacturing plant in New Mexico operated by Philips, the electronics company, led to very different outcomes for the factory's two main customers, the Scandinavian handset manufacturers Nokia and Ericsson
– Philips initially told its customers that the factory would resume production within a week, but it greatly underestimated the scale of the disruption caused by smoke and debris to the sterile environment required for chip production. In the end it took many months to restore the factory and resume production
Case Study 2 - First in Line
– Nokia responded to the fire by immediately sourcing other supplies and put pressure on Philips to provide chips from its other factories
– Ericsson, meanwhile, assumed that the fire was a minor technical glitch and waited for normal business to resume. By the time it realized the magnitude of the problem, it was too late
– The company was unable to find alternative supplies and production of its new generation of handsets was severely affected
• At the end of 2000 Ericsson's mobile phone division posted a loss of about US$2.34 billion, much of which could be attributed to the disruption in chip supplies caused by the New Mexico fire
First in Line
– Nokia, meanwhile, went on to increase its share of the handset market from 27% to 30% in the six months that followed the incident
– The different responses of Nokia and Ericsson to what initially seemed a minor disruption illustrate an important point about the need for businesses to prepare effectively for a wide range of incidents
Collaboration
Where do BCM practices fit into the ERM picture?
• Enterprise & Operational Risk Management
– Analyses conducted by BCM (BIA example):
• Provide impact information to complete the enterprise and operational risk management profiles
• Provide data to help create a risk profile with threat and impact data by country, city, location, function and line of business
Insurance
• The analyses:
– Provide impact data by location to assist in a more focused allocation of coverage to high-impact locations
• Potential loss information from multiple lines of business can be aggregated by location
Corporate Security
• The analyses:
– Provide the security information needed to create an impact profile for each major location
– Allow security to focus more attention and resources on the highest-impact locations
Real Estate
• The analyses:
– Provide the number of staff required by critical process, and the timeframe for relocation if necessary
– Provide insight into the number of seats within nearby company sites that may be made available until more permanent alternate facilities can be found
• Assuming less time-sensitive staff can give up seats to more critical staff
Applications
• The analyses:
– Associate applications with business processes and business process recovery time objectives
– Give business process owners a better understanding of application dependencies
– Give IT opportunities for flexible, phased and more cost-effective recovery strategies and solutions
Information Security
• The analyses:
– Provide the information needed to understand the consequences of shutting down servers, email and web applications
Risk Model Examples
• Monte Carlo
• Qualitative Model
• Semi-quantitative Model
• Mini Time-Series Model
• Fate/Transport (Process/Health) Model
• Decision Tree Conversion
• Legal Model
• Comprehensive Risk Assessment
Monte Carlo Model
• Technique generally used to solve problems for which the
definition of specific solution equations to calculate a
specific answer is either too complex or too cumbersome
to be practical
– Input – array of data points, e.g. frequency, severity,
scope, variations, etc.
– Output – probability of occurrence under a broad array
of circumstances
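The frequency/severity simulation the Monte Carlo slide describes, applied to an annual security-incident loss exposure. This is an added example written for this page, not code from the deck or from KPMG. The incident rate, the median and spread of the cost per incident, the exceedance threshold and the random seed are all assumptions chosen for illustration; the lognormal severity and Poisson frequency are the usual modelling choices, not values taken from the page.

```python
"""Monte Carlo loss model: incident count ~ Poisson(rate), cost per
incident ~ lognormal.  Added example, not from the original deck; every
parameter below is an assumption chosen for illustration."""
import math
import random


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's multiplication method; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(freq_per_year: float, sev_median: float,
                           sev_sigma: float, trials: int = 20000,
                           seed: int = 7) -> list:
    """One trial = one simulated year.  Each incident's cost is lognormal
    with the given median and log-space sigma (a heavy right tail, which
    is what makes a closed-form answer awkward and simulation attractive).
    Returns the list of simulated annual loss totals."""
    rng = random.Random(seed)          # fixed seed so runs are reproducible
    mu = math.log(sev_median)
    losses = []
    for _ in range(trials):
        n = poisson(rng, freq_per_year)
        losses.append(sum(rng.lognormvariate(mu, sev_sigma) for _ in range(n)))
    return losses


def percentile(values: list, q: float) -> float:
    """Nearest-rank percentile, q in [0, 1]."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, max(0, math.ceil(q * len(ordered)) - 1))
    return ordered[idx]


def exceedance_probability(values: list, threshold: float) -> float:
    """P(annual loss > threshold): the slide's 'probability of occurrence
    under a broad array of circumstances'."""
    return sum(1 for v in values if v > threshold) / len(values)


def summarize(freq_per_year: float = 2.0, sev_median: float = 50_000.0,
              sev_sigma: float = 1.0, threshold: float = 500_000.0,
              trials: int = 20000, seed: int = 7) -> dict:
    """Simulated expected loss, tail percentiles and exceedance probability,
    plus the analytic expected loss (rate x mean severity) as a sanity check."""
    losses = simulate_annual_losses(freq_per_year, sev_median, sev_sigma, trials, seed)
    return {
        "expected_annual_loss": sum(losses) / len(losses),
        "analytic_expected_loss": freq_per_year * sev_median * math.exp(sev_sigma ** 2 / 2),
        "p95": percentile(losses, 0.95),
        "p99": percentile(losses, 0.99),
        "p_exceed_threshold": exceedance_probability(losses, threshold),
    }


if __name__ == "__main__":
    for k, v in summarize().items():
        print(f"{k:>24}: {v:,.4f}")
```

The analytic expected loss is there as a check on the simulation, not as a substitute for it: what the board actually wants from this model is the tail (p95, p99, probability of blowing through the insurance deductible), which the mean alone does not show and which is exactly where the lognormal tail matters.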
Legal Model
• A model that calculates the net benefit of settlement vs.
litigation was built to aid in legal decisions
– Input
• Net benefit of settlement
• Net cost of litigation
• Net cost of settlement
• Total cost of verdict
– Output
• Net benefit of settlement vs. litigation
Environmental Health & Safety model
• Models built to calculate the total environmental, health and safety risk and cost associated with entry by the organization into various countries around the world
– Input
• Public perception
• Government approvals/permits
• Ecological/cultural parameters
• Health and safety considerations
• Evaluation of preexisting damage
– Output
• Risk values
Pipeline Route-Selection Model
• A comprehensive time-series model was constructed to help a consortium decide which of several routes would be selected to construct a pipeline for a major oil field.
– Inputs
• Tariffs and other parameters derived from variables
• Political concerns
• Environmental problems
• Commercial considerations
• Financial parameters
• Technical considerations
• Taxes
– Output
• Routes prioritized and ranked
Political Models
• Models constructed to evaluate other countries based on categories of variables.
– Input
• Political stability
• Foreign investment conditions
• Operating environment
• Transportation infrastructure
– Output
• Comparison of countries on a common scale
Capital Project Ranking and Portfolio Mgmt
• Model calculates
– Profitability index (PI)
– Internal rate of return (IRR)
– Net present value (NPV)
– Other financial outputs
• Inputs
– Project safety and environmental aspects, cost estimates, incentives, discount rates, taxes, maintenance, insurance costs
• Output
– Projects are ranked and the portfolio managed based on model output
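The three outputs the Capital Project Ranking slide names, computed from a cash-flow series and used to rank projects. This is an added example written for this page, not code from the deck or from KPMG; the three projects and their cash flows are constructed, and ranking by profitability index (with NPV as tie-breaker) is one common convention, chosen here because it suits the capital-rationed case.

```python
"""NPV, IRR and profitability index for capital project ranking.  Added
example, not from the original deck; the projects below are constructed."""


def npv(rate: float, cash_flows: list) -> float:
    """cash_flows[0] is the time-0 flow (normally the negative investment)."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows: list, lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-7) -> float:
    """Discount rate at which NPV is zero, found by bisection.  Needs a sign
    change of NPV on [lo, hi]; a series that never turns positive has no IRR."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("no IRR: NPV does not change sign on the bracket")
    for _ in range(200):
        mid = (lo + hi) / 2
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2


def profitability_index(rate: float, cash_flows: list) -> float:
    """Present value of the future flows divided by the initial outlay."""
    initial = -cash_flows[0]
    if initial <= 0:
        raise ValueError("first cash flow must be a negative investment")
    return npv(rate, [0.0] + list(cash_flows[1:])) / initial


def rank_projects(projects: dict, rate: float) -> list:
    """[(name, npv, irr, pi)] ordered by PI descending, NPV breaking ties."""
    rows = [(name, npv(rate, cfs), irr(cfs), profitability_index(rate, cfs))
            for name, cfs in projects.items()]
    rows.sort(key=lambda r: (r[3], r[1]), reverse=True)
    return rows


# Constructed sample projects: after-tax annual cash flows that already
# net out assumed maintenance and insurance costs.  Not from the page.
PROJECTS = {
    "Redundant data centre": [-1000.0, 500.0, 500.0, 500.0],
    "Fire suppression upgrade": [-300.0, 120.0, 120.0, 120.0, 120.0],
    "New plant": [-2000.0, 400.0, 600.0, 800.0, 800.0],
}

if __name__ == "__main__":
    for name, v, r, pi in rank_projects(PROJECTS, rate=0.10):
        print(f"{name:26s} NPV={v:9.2f} IRR={r:7.2%} PI={pi:5.3f}")
```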
Qualitative Model
• Most risk assessment models require the integration of "hard" data from real-world measurements or forecasts with "soft" data that are not expressed quantitatively.
– One approach (of many) to treating qualitative data is to rank-order the qualitative answers in increasing-risk order.
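The rank-ordering approach of the Qualitative Model slide, combined with normalised hard data, to produce the "comparison of countries on a common scale" of the Political Models slide. This is an added example written for this page, not code from the deck or from KPMG; the criteria, answer scales, weights and the three countries' data are all constructed for illustration.

```python
"""Semi-quantitative country scoring: qualitative answers are mapped to
ordinal risk ranks (0 = lowest risk), measured data are min-max normalised,
and a weighted sum puts every country on one 0..100 scale.  Added example,
not from the original deck; all scales, weights and data are constructed."""

# Qualitative answers in increasing-risk order: index 0 is the lowest risk.
ORDINAL_SCALES = {
    "political_stability": ["stable", "mostly stable", "volatile", "unstable"],
    "foreign_investment": ["open", "conditional", "restricted", "hostile"],
    "operating_environment": ["good", "adequate", "poor"],
}
# Hard data; True means a higher measurement indicates lower risk.
QUANTITATIVE_HIGHER_IS_BETTER = {"paved_road_km_per_1000km2": True}
WEIGHTS = {
    "political_stability": 0.35,
    "foreign_investment": 0.25,
    "operating_environment": 0.20,
    "paved_road_km_per_1000km2": 0.20,
}
# Constructed sample input; not real country data.
COUNTRIES = {
    "Alpha": {"political_stability": "stable", "foreign_investment": "open",
              "operating_environment": "good", "paved_road_km_per_1000km2": 400.0},
    "Beta": {"political_stability": "volatile", "foreign_investment": "conditional",
             "operating_environment": "adequate", "paved_road_km_per_1000km2": 150.0},
    "Gamma": {"political_stability": "unstable", "foreign_investment": "restricted",
              "operating_environment": "poor", "paved_road_km_per_1000km2": 50.0},
}


def ordinal_risk(criterion: str, answer: str) -> float:
    """Map a qualitative answer to 0.0 (lowest risk) .. 1.0 (highest risk)."""
    scale = ORDINAL_SCALES[criterion]
    if answer not in scale:
        raise ValueError(f"{answer!r} is not a recognised answer for {criterion}")
    return scale.index(answer) / (len(scale) - 1)


def quantitative_risk(criterion: str, value: float, lo: float, hi: float) -> float:
    """Min-max normalise across the compared set, flipped when a higher
    measurement means lower risk, so 1.0 is always the riskiest."""
    if hi == lo:
        return 0.0
    scaled = (value - lo) / (hi - lo)
    return 1.0 - scaled if QUANTITATIVE_HIGHER_IS_BETTER[criterion] else scaled


def composite_scores(countries=COUNTRIES, weights=WEIGHTS) -> dict:
    """Weighted sum on a 0..100 common scale (higher = riskier)."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    bounds = {}
    for crit in QUANTITATIVE_HIGHER_IS_BETTER:
        vals = [c[crit] for c in countries.values()]
        bounds[crit] = (min(vals), max(vals))
    scores = {}
    for name, data in countries.items():
        total = 0.0
        for crit, w in weights.items():
            if crit in ORDINAL_SCALES:
                r = ordinal_risk(crit, data[crit])
            else:
                r = quantitative_risk(crit, data[crit], *bounds[crit])
            total += w * r
        scores[name] = round(100 * total, 1)
    return scores


def rank(scores: dict) -> list:
    """Country names from lowest to highest composite risk."""
    return sorted(scores, key=scores.get)


if __name__ == "__main__":
    s = composite_scores()
    for name in rank(s):
        print(f"{name:6s} {s[name]:5.1f}")
```

The ordinal step treats the gap between "stable" and "mostly stable" as equal to the gap between "volatile" and "unstable"; that is the simplification the slide's "one approach (of many)" wording hints at, and it is the first thing to revisit if the ranking will drive a real decision.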
New Product Model
• Research and development organizations generate products and processes, each of which has a commercial value
– Input
• Technical considerations
• Marketing aspects
• Financial/commercial facets
– Output
• Data to prioritize potential new products
Fate/Transport Model
• Model constructed to calculate inhalation exposure. Exposure is represented by the average daily dose for non-carcinogens and the lifetime average daily dose for carcinogens
– Input
• Concentration of chemicals in the air
• Inhalation rate
• Bioavailability
• Exposure duration
• Exposure frequency
• Body weight
• Average lifetime
– Output
• Inhalation risk
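The inhalation dose calculation behind the Fate/Transport slide, using exactly the inputs it lists. This is an added example written for this page, not code from the deck or from KPMG. The intake equation (concentration x inhalation rate x bioavailability x exposure frequency x exposure duration, divided by body weight x averaging time) is the standard form; the exposure scenario, the reference dose and the slope factor used in the usage lines are assumed placeholders, not real regulatory values.

```python
"""Inhalation exposure: average daily dose (ADD) for non-carcinogens and
lifetime average daily dose (LADD) for carcinogens.  Added example, not
from the original deck; the scenario and toxicity values are assumed."""
from dataclasses import dataclass


@dataclass
class Exposure:
    concentration_mg_m3: float   # chemical concentration in air
    inhalation_m3_day: float     # inhalation rate
    bioavailability: float       # fraction absorbed, 0..1
    exposure_days_year: float    # exposure frequency
    exposure_years: float        # exposure duration
    body_weight_kg: float
    lifetime_years: float        # averaging period for carcinogens

    def __post_init__(self):
        if not 0.0 <= self.bioavailability <= 1.0:
            raise ValueError("bioavailability must be a fraction between 0 and 1")
        if self.exposure_years > self.lifetime_years:
            raise ValueError("exposure duration cannot exceed lifetime")

    def _intake_mg(self) -> float:
        """Total mass absorbed over the exposure duration."""
        return (self.concentration_mg_m3 * self.inhalation_m3_day * self.bioavailability
                * self.exposure_days_year * self.exposure_years)

    def add(self) -> float:
        """mg/kg-day averaged over the exposure period (non-carcinogens)."""
        averaging_days = self.exposure_years * 365.0
        return self._intake_mg() / (self.body_weight_kg * averaging_days)

    def ladd(self) -> float:
        """mg/kg-day averaged over the whole lifetime (carcinogens)."""
        averaging_days = self.lifetime_years * 365.0
        return self._intake_mg() / (self.body_weight_kg * averaging_days)


def hazard_quotient(ex: Exposure, reference_dose_mg_kg_day: float) -> float:
    """ADD / RfD; a value above 1 flags a potential non-cancer concern."""
    return ex.add() / reference_dose_mg_kg_day


def cancer_risk(ex: Exposure, slope_factor_per_mg_kg_day: float) -> float:
    """LADD x slope factor: incremental lifetime cancer risk (dimensionless)."""
    return ex.ladd() * slope_factor_per_mg_kg_day


# Constructed scenario: an adult on site 350 days a year for 30 years.
SAMPLE = Exposure(concentration_mg_m3=0.01, inhalation_m3_day=20.0,
                  bioavailability=1.0, exposure_days_year=350.0,
                  exposure_years=30.0, body_weight_kg=70.0, lifetime_years=70.0)

if __name__ == "__main__":
    print(f"ADD  = {SAMPLE.add():.6f} mg/kg-day")
    print(f"LADD = {SAMPLE.ladd():.6f} mg/kg-day")
    print(f"HQ   = {hazard_quotient(SAMPLE, 0.005):.2f}")   # assumed RfD
    print(f"risk = {cancer_risk(SAMPLE, 0.1):.2e}")         # assumed slope factor
```

The two doses differ only in the averaging time, which is why the carcinogen figure is always the smaller of the two; the validation in `__post_init__` catches the input error that silently inverts that relationship.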
Common Success Factors
Companies that successfully continue or recover
operations practice risk management against a specific
risk…the risk of disruption to operations
– They:
• Identify and assess the potential risks and impacts
• Validate and measure the necessary controls
• Take specific actions to mitigate or optimize the risks
• Prove mitigation and recovery solutions work
• Monitor the current state of action plans and
• Are aware and responsive to change
Common Success Factors
– They have:
• Strong executive and financial commitment
• Integrated planning to align processes, impacts and
risks
• Processes to protect critical operations
• Well planned communication strategies
– They are:
• Prepared to meet the needs of their clients and customers
– Regardless of whatever disruption may occur
Program Effectiveness
• BCM, ERM and ORM require the same level of:
– Strong executive sponsorship
– Well defined process governance
– Integrated planning and
– Accountability, ongoing communications and sharing of information between the groups
Conclusion
• Business Continuity Management and other risk-related programs such as Security, Information Security, Emergency Response and Crisis Management are all part of the larger Enterprise Risk Management process
• Unfortunately, many times there is no working relationship between them; establishing that relationship is a must
• Many times the terminology differs even though each group is talking about the same thing: synchronize the terms
• The end benefit? Together, the whole is definitely greater than the sum of its parts
COLE EMERSON MBCP CPP
Director
Firmwide Business Continuity
KPMG LLP
Mr. Emerson serves as the Director of Firmwide Business Continuity. He has direct responsibility for, or oversight of, Emergency Response, Crisis Management, Business Continuity and Disaster Recovery for the United States. Cole has over 30 years of experience in developing and evaluating many aspects of enterprise risk management, including Business Continuity, Crisis Management, Disaster Recovery, Data and Vital Records Management and Project Risk Management for national and international businesses and governments.
Background & Qualifications
Mr. Emerson received a Bachelor of Science in Business Administration from the University of Redlands and holds the Master Business Continuity Professional (MBCP) certification from DRII, one of fewer than 80 globally. He is certified by ASIS International (the American Society for Industrial Security) as a Board Certified Protection Professional (CPP). Prior to joining KPMG, Cole managed his own firm for 12 years, where he developed and implemented Business Continuity, Crisis Management and Disaster Recovery programs for Fortune 500 companies. Mr. Emerson has extensive and unique experience utilizing business continuity plans and managing recovery teams in actual major disasters.
Contact details
Email: [email protected]
Office: 1-916-554-1777
Cell: 1-916-296-9747