Enterprise risk-management1973


  • 1. Enterprise Risk Management. Walter Gangl, Director, Society of Corporate Secretaries and Governance Professionals; Former Deputy General Counsel and Corporate Secretary, Armstrong World Industries. R.R. Donnelley SEC Hot Topics 2008, September 24, 2008
  • 2. Serious failings have led to demands for enhanced board oversight of Risk:
      • Sarbanes-Oxley
        • Calls for enterprise-wide documentation and testing of controls over financial reporting risk.
      • NYSE-Amendments to listing standards
        • Requires the Audit Committee to discuss with internal and external auditors how the company handles risks and the steps taken to monitor and control exposure to such risks.
      • SEC
        • Now mandates disclosure of risks in periodic 34 Act reports. Commissioner Cynthia Glassman urges public companies to use information gleaned from ERM to enhance disclosure in management's discussion and analysis.
      • Boards of Directors
        • A 2005 McKinsey survey of 1000 board members indicated that 76% would like to spend more time on risk. Source: The Executive Board Treasury Leadership Roundtable, Organizing for Enterprise Risk Management, dated 18 August 2005
  • 3. COSO Enterprise Risk Management Framework
        • COSO (Committee Of Sponsoring Organizations of the Treadway Commission) is the father of SOX 404's Internal Controls evaluation.
        • COSO's ERM Framework provides an organizational scope, emphasis, and program to broaden risk management, create an enterprise-wide awareness and emphasis, and integrate the risk management process into corporate strategy.
        • IT'S THE BIBLE: Go to www.coso.org and click on Resources to download.
  • 4. Key Definitions
    • Risk
    • Any event or circumstance which could impact the achievement of business objectives.
    • Risk Assessment
    • The process of identifying and evaluating the magnitude and likelihood of risks to achievement of business plans.
    • Inherent Risk
    • Exposure to a risk that is intrinsic to the business in the current environment before the consideration of risk mitigation and control activities that have been designed and implemented to address a given risk.
    • Mitigation
    • The process of reducing the likelihood and/or impact of a risk.
    • Residual Risk
    • Exposure to a risk remaining after considering the effect of mitigation through risk management and control activities.
    • Risk Management
    • The Composite of the processes of Risk Assessment and Risk Monitoring
  • 5. ERM Defined:
    • a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
      • Source: COSO, Enterprise Risk Management Integrated Framework (2004).
  • 6. Why?
    • Risk Assessment is necessary to comply with SEC disclosures in 33 and 34 Act reports.
    • Rating Agencies are beginning to take Risk Management into consideration on credit ratings, so it will affect companies' cost of capital.
    • Also, for Board oversight purposes. They want to know the Company has good Risk Management processes and check what management sees as the major risks and how they plan to deal with them.
  • 7. Risk Prioritization Using a Risk Matrix
    • Impact levels tie to disclosure standards
  • 8. Identify risks relevant to your particular business & strategy
    • Figure: risk categories (Disaster Recovery Risks; Legal Compliance Risks (Product Liability, EH&S, Employment Practices, Antitrust); Internal Control (SOX 404) Accounting & Reporting Risks; Culture (Tone at the Top) Risks; Enterprise Risks; Asbestos; Strategy) with example risks such as Hurricane, Natural Gas Price, Terrorist Attack, Supplier Problems, Currency Volatility, Political Risk, Trade Restrictions, Workplace Safety, Product Quality and Safety, Reliance on Big Box Customers, and Competitor Strategies
  • 9. ERM vs Compliance Risk Assessment
    • Compliance Risk Assessment is just one component of an Enterprise-wide Risk Assessment. In an infelicitous use of nomenclature, many parties conflate the ERM term Risk Assessment with Compliance risks alone; avoid that confusion.
  • 10. NOTE: Strategic Risks cause most harm to shareholder value
  • 11. Risk Management Process
    • Identify matters that create risk to achieving your business plans.
    • Evaluate the risks by determining their likelihood and impact.
    • Prioritize risks - start with those with most serious potential impact.
    • Mitigate risks, starting with the most serious, through improved controls, processes or procedures or other action.
    • Monitor risks to address whether mitigation is effective.
    • Report risks to management and board.
      • At least annually, management should report to the Board about:
        • Risk Management Processes
        • Major Risks
        • Mitigation of Major Risks
        • Residual Risk levels
  • 12. Management's Role
    • Management's role is to guide and review ERM efforts, consider whether the residual risks are acceptable, and approve plans to mitigate serious risks.
    • Business units (and functional units such as EH&S, HR, Treasury) must explain their risk analysis in a way that allows management to test, accept and share it with other operations and the Board of Directors.
    • Management's report to the Board is structured within the context of these five points:
      • Company processes to identify matters that create risk to achieving our business plans,
      • Processes to assess the likelihood and impact of such risks in order to prioritize them,
      • The Company's major risks and how it defines "major",
      • Who is responsible for mitigation and monitoring of those major risks, and
      • The mitigation of major risks, and our view of the resulting residual risk.
  • 13. Board's Role
    • The Board's role is to oversee the ERM process, monitor how risks are evaluated, prioritized and mitigated, review the Company's assessment and mitigation plans for serious risks, and improve or reshape management's decisions.
    • In the end, they should:
    • Advise whether they are comfortable with the Company's processes to identify and assess risks.
    • Advise whether they agree with our identification, assessment and mitigation measures.
    • Advise whether they view the ERM processes as effective.
    • Advise whether they are comfortable with the level of residual risk accepted by management.
    • Make any suggestions or recommendations they have relative to the ERM processes, including identification, assessment and mitigation plans.
  • 14. Who's Responsible on the Board?
    • That's up to the Board to decide:
    • The whole Board, or a committee. Whatever works best.
    • Despite what you read in the press, the Audit Committee is NOT required to oversee ERM. NYSE rules only require the Audit Committee to monitor risks to financial reporting. And some companies have saddled Audit Committees with this additional duty.
    • What's the better arrangement? The Board's basic duties are to advise management and monitor performance. When dealing with strategy and other fundamental matters, the whole Board should be involved, bringing their diverse backgrounds and experiences to the process.
    • Risk Management is tied to and is the flip side of strategy. IMHO, Risk oversight generally belongs under the Board as a whole.
  • 15. What's this About Standard & Poor's Evaluating Our Risk Management?
    • Following a 2007 announcement about ERM ratings, S&P announced May 2008 that it will begin an analysis of ERM implementation by companies in Q3 2008.
    • S&P takes the expansive view of ERM outlined above. They expect companies to have a coherent, systematic risk management approach. They will discount a crammed-together collection of longstanding and disparate practices.
    • S&P will initially look at a company's risk-management culture and strategic risk management. (Remember the importance of strategic risk.)
  • 16. What's this About Standard & Poor's Evaluating Our Risk Management?
    • Within a year, S&P expects all companies will have had at least an initial ERM discussion.
    • A subsequent S&P benchmarking process will form the basis of a new S&P ERM scoring system that they intend to help identify situations that might require rating actions.
    • Bottom Line : Companies need to get to work on ERM. How well they do on ERM will affect their access to capital markets and borrowing costs.
  • 17. What Needs to Be Done?
    • Lots.
    • A recent survey of approximately 600 major companies showed that 30% have not even taken the first steps in ERM.
    • 27% were beginning to implement it.
    • 15% responded "Don't know".
    • Only 24% claimed to have progressed to Intermediate (20%) or Advanced (4%) implementation.
    • Source: KPMG
  • 18. What's the Objective of ERM?
    • S&P wants to see that a company's Risk identification, assessment, controls, monitoring and reporting are beyond basic levels. They should at least become an integrated management process.
    • Ideally, S&P wants to see ERM become a strategic tool for the company, helping to: set strategy, identify markets, guide product development, allocate capital budgets, and become a part of its analytical framework.
  • 19. ERM: The Sunoco Experience September 24, 2008 Ken Somes
  • 20. Sunoco, Inc. Capital Employed, MM$ (6/30/08): Refining & Supply 1,215; Chemicals 975; Retail Marketing 620; Coke 490; Logistics 500; Corp. 440
    • Founded in 1886
    • 2007 Revenue = $45 billion
    • As of 6/30/08:
      • $4.8 billion in market cap
      • About 14,200 employees
    • Five Business Lines
      • 340 MMB / yr. refining prod.
      • 5 billion gal. / yr. retail fuel sales
      • 5 billion lbs / yr. chemical merchant sales
      • Logistics MLP (NYSE:SXL), owned 43% by Sunoco, Inc.
      • 4.2 MM tons / yr. coke prod.
  • 21. Sunoco Operations (map of refineries, chemical plants, coke plants, terminals, retail marketing, and the Western and Eastern pipeline systems; sites shown include Philadelphia, Marcus Hook Refinery, Tulsa, Jewell, Indiana Harbor, Haverhill, Neal, Toledo, Frankford, Marcus Hook Polypropylene, La Porte, Nederland, Bayport, Eagle Point)
  • 22. Background/History of ERM Program
    • Initiated in 2004
      • Audit Committee of the Board
    • ERM Manager Position Established
      • Initial inventory of risks
    • Program Continues to Evolve
      • Learning/improving as we go
      • External influences, e.g. Rating Agencies
  • 23. ERM Organization (org chart): Audit Committee of the Board; Chief Financial Officer; VP Investor Relations & Strategic Planning; ERM Manager; ERM Steering Committee (Quarterly)
  • 24. ERM Risk Identification & Follow-Up
    • Flowchart steps: Identify and Classify Risk (Strategic, Financial, Operational, Organizational, Legal/Political, Market); Risk Rank by Likelihood and Consequence (business impact); Identify Risk Owner; Risk Owner Develops Response Plan; Determine Appropriate Report Out Forum; Risk Owner Reports to Forum. The Enterprise Risk Management Steering Committee coordinates, tracks and reports status of risks, up to the Audit Committee.
    • Example report-out forums:
      • Chairman's Health Environment & Safety Committee
      • Operations Committee
      • Financial Information Committee
      • Management Control Committee
  • 25. Key Components of Risk Review Report:
    • Likelihood and Potential Impact of Risk
    • Historical Perspective
    • How Risk is Currently Managed
      • Key responsibilities/structure in place
      • Controls/policies/reviews, etc.
    • Monitoring & Reporting
      • What is measured/tracked (leading & lagging)
    • Opportunities to Strengthen the Plan
      • Who is doing what and by when
  • 26. Example Risk: Projected Retirements
    • Percent Retirement Eligible Within 5 yrs
    • Classified: Organizational Risk
    • Risk Owners: SVP of Human Resources; SVPs of Business Units
    • Forums for Report:
      • Executive Human Resource Development Committee
      • Full Board of Directors
  • 27. Example Risk: Projected Retirements
    • Historical Perspective
      • Demographics compiled and analyzed
      • Industry/business units/departments experience
    • How Currently Managed
      • HR Development Committees
      • Succession plans/development/external hiring
    • Opportunities to Strengthen
      • Identified critical positions/disciplines at risk
      • Selective adjustments to compensation package
    • Monitoring & Reporting
      • Personnel changes/succession plans/hiring
      • Projected versus actual experience
  • 28. Lessons Learned
    • Support From the Top
    • Benchmark/Learn From Others
    • Tailor ERM to Company Culture
    • Build off Processes Already in Place
    • Simpler is Better
    • Get Started, then Learn/Adjust
      • Continuing evolution
  • 29. AW Enterprise Risk Management Process Ellen Wolf Senior Vice President and Chief Financial Officer September 2008
  • 30. Who We Are
    • We are the largest investor-owned water and wastewater service provider in the United States.
    • We serve a broad national footprint and a strong local presence
    • We lead the industry in water quality, testing and research
    • We provide services to over 15 million people in more than 1,600 communities in 32 states and in Ontario, Canada
    • We employ nearly 7,000 dedicated and active employees and support ongoing community support and corporate responsibility
    • We treat and deliver over one billion gallons of water daily
  • 31. Where We Are
    • We manage more than 350 individual water systems across the country
    • Every day we operate and manage 45,000 miles of distribution and collection mains, and more than:
      • 80 surface water treatment plants
      • 600 groundwater treatment plants
      • 1,000 groundwater wells
      • 40 wastewater treatment plants
    • Map legend: Utility Only; O&M Only; Both
  • 32. ENTERPRISE RISK MANAGEMENT Pre 2003
    • Decentralized approach (figure of the parties involved: Directors of Loss Control, Finance, Risk Management, Frenkel, Legal, Human Resources Department, Operations, Engineers, Water Quality, Information Technology, Travelers, American Water Works Association, Risk & Insurance Management Society, InfraGuard, Media, Internet)
  • 33. ENTERPRISE RISK MANAGEMENT Pre IPO
      • RWE Risk Management Process was implemented at American Water immediately after RWE's purchase of the Company.
      • Key Attributes:
        • Risk Management Committees of senior executives at subsidiary and corporate.
        • Risks and Opportunities Management (ROM) toolkit which offers a structured approach to the identification and evaluation of risk.
        • The Risk Summary, signed by the CEO, Key Risk reports and Risk Map are updated and submitted to RWE on a quarterly basis.
  • 34. ENTERPRISE RISK MANAGEMENT Pre IPO
      • Goals of RWE process
        • Identify and report to senior management at RWE risks which may have a material financial impact on RWE business plans.
      • Process
        • RMC committees at subsidiary level identify risks, mitigation activities and potential financial impact. Risks are aggregated and reviewed at each higher organizational level until final report is prepared for RWE board.
      • Risk Management Committees (RMC):
        • Corporate, Regional and Business Unit
        • Corporate EMC includes SVP & CFO, CEO, COO, VP Audit, SVP Legal, Regional Presidents, Regional Risk Representatives;
        • Regional and Business Unit RMC includes its Presidents, VP Finance, VP Legal, VP Service & Delivery, VP Human Resources
  • 35. ENTERPRISE RISK MANAGEMENT Pre IPO
    • The ROM includes a risk register identifying all risks. Risks which are valued at greater than 20% of net operating income and have a greater than 1% probability of occurrence are designated as Key Risks. The ROM includes:
      • Reports prepared for each Key Risk which include cause analysis, severity evaluation, control and mitigation strategy, monitoring and reporting by a Risk owner.
      • A Risk Summary, prepared from information generated in the Key Risk reports, which prioritizes risks for the Company.
      • A Risk Map which is a simple visual representation of the relative importance of Key Risks to achieving business objectives. The view of risk is achieved by plotting Key Risks in terms of their probability and impact on the heat map.
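As an added illustration of the Key Risk rule and Risk Map just described (example code, not American Water's or RWE's ROM toolkit): a small risk register that applies the 20%-of-NOI and 1%-probability thresholds, orders the Key Risks for a Risk Summary, and places each on a heat map. The register entries, the NOI figure, the expected-impact ordering and the Low/Medium/High bucket boundaries are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed figure for illustration; not American Water data.
NET_OPERATING_INCOME_MM = 500.0  # MM$, assumed

# The page's Key Risk rule: impact greater than 20% of net operating
# income AND probability of occurrence greater than 1%.
KEY_RISK_IMPACT_SHARE = 0.20
KEY_RISK_MIN_PROBABILITY = 0.01


@dataclass(frozen=True)
class Risk:
    name: str
    unit: str           # business unit or region that raised the risk
    probability: float  # probability of occurrence in the planning period, 0..1
    impact_mm: float    # potential financial impact, MM$
    owner: str          # Risk owner responsible for the Key Risk report


# Constructed register entries; names, units, owners and figures are invented.
REGISTER = [
    Risk("Main break in metro distribution system", "Eastern", 0.15, 150.0,
         "EVP Eastern Division"),
    Risk("Rate case decision below request", "Western", 0.30, 90.0,
         "VP & Counsel Regulatory Programs"),
    Risk("Dam failure at surface water plant", "Eastern", 0.005, 400.0,
         "VP Operations Services"),
    Risk("Pension funding shortfall", "Corporate", 0.05, 120.0,
         "VP & Treasurer"),
]


def is_key_risk(risk, noi_mm=NET_OPERATING_INCOME_MM):
    """Apply both thresholds of the Key Risk designation rule."""
    return (risk.impact_mm > KEY_RISK_IMPACT_SHARE * noi_mm
            and risk.probability > KEY_RISK_MIN_PROBABILITY)


def risk_summary(register=REGISTER, noi_mm=NET_OPERATING_INCOME_MM):
    """Key Risk names ordered by expected impact (probability x impact);
    the ordering rule is an assumption, the page only says risks are prioritized."""
    key_risks = [r for r in register if is_key_risk(r, noi_mm)]
    key_risks.sort(key=lambda r: r.probability * r.impact_mm, reverse=True)
    return [r.name for r in key_risks]


def _bucket(value, boundaries):
    """Low / Medium / High given two ascending boundaries."""
    if value < boundaries[0]:
        return "Low"
    if value < boundaries[1]:
        return "Medium"
    return "High"


def risk_map(register=REGISTER, noi_mm=NET_OPERATING_INCOME_MM):
    """Heat-map cell (probability bucket, impact bucket) for each Key Risk.
    Bucket boundaries are assumed: probability 10% / 25%; impact 25% / 50% of NOI
    (impact buckets start above the 20% Key Risk cut-off so Key Risks spread out)."""
    cells = {}
    for r in register:
        if is_key_risk(r, noi_mm):
            cells[r.name] = (_bucket(r.probability, (0.10, 0.25)),
                             _bucket(r.impact_mm / noi_mm, (0.25, 0.50)))
    return cells
```

The dam-failure entry shows why both thresholds matter: its impact is far above 20% of NOI, but at 0.5% probability it is not a Key Risk and stays off the Risk Map.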
  • 36. ENTERPRISE RISK MANAGEMENT POST IPO
    • An American Water (AW) framework to manage risk
      • To create awareness regarding risk so Management has full knowledge of risk and rewards related to AW's business objectives.
        • Operational
        • Financial
        • Regulatory
    • Addresses risk management needs of various stakeholders
      • AW Management
      • AW Board (Audit Committee)
      • Rating Agencies
      • Investment Firms
      • External Auditors
      • Securities and Exchange Commission (SEC)
      • Regulators
  • 37. Risk Assessment Process Information Flow
    • Inputs: Commercial Development (CD); Capital Investment Management Committee (CIMC); Operational Risk Management (ORM); Operational Risk Assessment (Insurance, etc.); Labor Relations; Environment Audits; Other Business Performance Reviews; Quarterly Disclosure Committee Meetings; OSHA Risk Identification and Mitigation Process; Sarbanes-Oxley; Significant company initiatives (various owners)
    • Operations Risk Assessment Meeting Attendees:
      • EVP Eastern Division
      • EVP Western Division
      • VP Operations Services
      • AWE President
      • SVP Sales/Business Development
    • Regulatory (Compliance with Laws & Regulations) Risk Assessment Meeting Attendees:
      • SVP Legal & General Counsel
      • SVP Human Resources
      • SVP Communications/Ext. Affairs
      • VP & Counsel Regulatory Programs
    • Finance Risk Assessment Meeting Attendees:
      • VP & Controller
      • VP Planning & Reporting
      • VP & Treasurer
      • SEC Counsel
    • Senior Risk Management Meeting (held prior to Audit Committee Meeting):
      • Chief Executive Officer
      • President AW Services
      • President - Reg. Operations
      • Chief Financial Officer
      • VP Internal Audit (Coordinator)
      • Frequency of meetings is every 6 months and before Audit Committee meeting as necessary
    • Reports to AW Board of Directors, Audit Committee
    • Fraud Risk Management integrated throughout (see following slide)
  • 38. Fraud Risk Management Process
    • AW Code of Ethics
      • Annual communication
      • Employees asked to read and certify
      • Part of new employee orientation
      • Periodic training
      • Posted on AW intranet
    • AW Management Oversight Controls
      • AW Policies and Practices (e.g. Delegation of Authority)
        • Posted on AW intranet
        • Part of New Employee Orientation
        • Owned and monitored by each applicable Senior Functional Executive
      • Internal Audit reviews of various functions, states, etc. throughout year
    • AW Ethics Hotline
      • Third-Party Provider that receives calls regarding potential violations of AW Code of Ethics.
      • Third-Party Provider immediately reports calls to designated AW Senior Management.
    • AW Compliance Officer
      • Manages reported Code of Ethics violations, investigations and reporting to Senior Management.
      • Promotes proactive communications regarding AW Code of Ethics through various company communication channels.
    • AW Ethics Committee
      • Committee of Senior AW Executives that governs/monitors Code of Ethics, Hotline calls, investigations, disciplinary actions, communications regarding Code of Ethics and reporting to Board of Directors, Audit Committee.
    • AW Board of Directors, Audit Committee
      • Quarterly, reviews Code of Ethics violations, investigations and disciplinary actions.
  • 39. Senior Risk Management Meetings
    • Meet quarterly before Audit Committee meeting
      • Also meet on ad-hoc basis as business conditions warrant.
    • Establish Enterprise Risk Management (ERM) Strategy
      • Establish ERM Subgroups i.e. Operations, Finance, and Regulatory.
      • Ensure compliance with and effectiveness of ERM Strategy.
      • Set Delegation of Authority (DOA) limits, which is key to who is empowered for specific types of decision making.
    • Review, approve, and monitor significant company initiatives
      • e.g. Major cross-divisional IT projects.
      • e.g. Major business process and organizational changes.
    • Establish Corporate Investment Criteria Risk/Return threshold
    • Review all information (including 10Q and 10K) prior to Audit Comm. reporting
    • Review, approve, and monitor significant financing and company capital structure
    • ERM Subgroups (Operations, Finance and Regulatory): mandate is to Identify, Monitor, and Mitigate Risk
    • Report and discuss risk assessments at Senior Risk Management meetings
  • 40. ENTERPRISE RISK MANAGEMENT - FUTURE
    • Continuous Improvement
      • New risks and mitigation efforts identified continuously
      • Mitigation efforts for known risks continue to be monitored
      • Strong senior management support up through Board of Directors
    • Continuous Change to Adapt to Evolving Risk Environment