ILTA06: Developing and Selling an Enterprise Risk Management Approach, by Dave Cunningham, Aug 2006

Developing and Selling an Enterprise Risk Management Approach Presented by: Dave Cunningham, Managing Director Baker Robbins & Company 713-840-0510 [email protected]


Page 1

Developing and Selling an Enterprise Risk Management Approach

Presented by: Dave Cunningham, Managing Director, Baker Robbins & Company

[email protected]

Page 2

Topics

Enterprise Risk Management

1. Defined
2. Trends and Issues
3. Applied to Law Firms
4. Technology
5. Value
6. Program Development

Page 3

1. ERM Defined

ERM is a management approach focused on maximizing shareholder value and ensuring business continuity by creating a single view of internal and external risks and an executive-level strategy to deal with those risks.

Page 4

Risk Management Categories

Risk can be analyzed in these categories, each assessed from an internal and an external perspective:

Risk Type      Internal   External
Economic
Strategic
Operational
Market
Technical

Page 5

ERM Processes

Page 6

Understanding Risk Management

RM is about managing risks, not eliminating them.

Risks are both positive and negative, involving gains and losses.

Risk management’s overall goal is building and maintaining stakeholder confidence: the key to organizational resilience.

Page 7

2. ERM Trends and Issues

Compliance Requirements
Role of Chief Risk Officer
European Influences (Data Protection, Ethical Walls, Anti-Cartel, Anti-Money Laundering, External Investments)
Technology: dependency on it as a business tool; use of it as a risk management tool
Convergence of Performance and Risk Management

Page 8

3. ERM Applied to Law Firms

“It doesn’t take a visionary to see that an enterprise view of risk is right for law firms. We are 20 years behind the big accounting firms. It’s just a matter of how fast we move forward.”

- General Counsel of AmLaw 20 law firm

Page 9

ERM Applied to Law Firms

“Law firms should, in theory, be good in managing risks across the firm because the people we are dealing with are those who are most affected.”

“We are coming off of a difficult loss cycle. Firms are now being much more active in managing risks.”

- Managing Director of Aon

Page 10

Areas of a Firm Addressing Risk (Example)

CONFLICTS & ETHICS: Conflicts & Ethics and Securities Transaction Committees; Information Services and Records Department; Outside Counsel

EMPLOYMENT & PERSONNEL MATTERS: Professional Personnel and Admin HR; Outside Counsel

PARTNERSHIP ELECTIONS: Policy Committee; Executive Group; Finance Department; IT

PARTNERSHIP ELECTIONS (Governance, Departures, Disputes): Executive Group; Policy Committee; Pension Committee; Finance Department; Professional Personnel; Outside Counsel

LITIGATION & SUBPOENA MATTERS: Litigation Attorneys; Managing Attorney’s Office; Outside Counsel

DATA PRIVACY, SECURITY MATTERS: Finance Department; IT; Professional Personnel and Admin HR

MARKETING & COMMUNICATIONS (Website, Branding, Copyright, Reviewing Marketing Materials, etc.): Marketing/Communications Department

PROFESSIONAL DEVELOPMENT: Professional Development Department; Professional Personnel

VENDOR CONTRACTS: Applicable Departments (IT, Finance, HR, M/C, etc.)

AUDIT: Audit Committee; Finance Department

INSURANCE
  Professional Indemnity: Professional Insurance Committee; Executive Group; Finance Department
  Employment/Worker’s Compensation: Administrative HR; Finance Department
  Other Insurance: Finance Department; Executive Group

FIRM MANUALS AND GUIDANCE: Executive Group (and delegates); Applicable Practice Groups & Departments

INFORMATION RETENTION: IR Project Team; Steering Group; Outside Consultants; All Practice Groups and Departments

FIRM INVESTMENTS: Investment Committee

Page 11

Risk Exposure

1. Clients
2. Employees
3. Operations

What keeps General Counsels awake at night?

Page 12

4. ERM and Technology

IT is not only a source of risk; it also provides management with the tools to implement a risk framework.

Page 13

Technology: Source of Risk

Continuity
Integrity
Accessibility
Privacy

Page 14

Technology: Mitigating Risks

System Fault Tolerance
Physical and Electronic Security
Performance Modeling
Intranet / Communications

Page 15

Technology: Mitigating Risks

Firm Business Processes:
Conflicts and Ethical Walls
Billing
Business intelligence and reporting
Records (e-mail, paper and document) management
Team-based folders and workspaces
Knowledge management and expertise identification
Client relationship management
Enterprise resource planning
Self-Service
Litigation Support Management

Page 16

Technology: Risk Management Tool (example)

Model components shown on the slide (a loss-distribution style operational risk model):
Internal Loss Data
External Data
Enterprise Risk Assessor
Mapping
Frequency
Severity
Panjer Recursion
Expected Loss
Unexpected Loss
Adjust for Internal Control
Required Capital

Loss event categories (the Basel II operational risk event types):
1. Damage to physical assets
2. Business disruption and system failures
3. Execution, delivery and process management
4. Employment practices and workplace safety
5. Clients, products and business practice
6. Internal fraud
7. External fraud
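As an added illustration of what the Frequency, Severity and Panjer Recursion boxes on this slide compute, the following Python is example code written for this transcript; it is not Baker Robbins' tool, the slide's model, or any vendor product. The loss records, the three-year window, the $5,000 lattice unit and the 99.9% confidence level are all constructed assumptions. Frequency is estimated as a Poisson rate from the event count, severity is discretised onto a lattice, and the Panjer recursion (Poisson case) turns the two into an aggregate annual loss distribution, from which expected loss, the capital quantile and unexpected loss (quantile minus expected loss) fall out.

```python
"""Loss distribution approach: frequency + severity -> aggregate loss via Panjer recursion.

Added example for the ILTA06 transcript, not code from the presentation.
Every input below is constructed for illustration.
"""
import math
from collections import Counter

# Constructed internal loss data: (year, event category, loss in USD).
# Categories follow the seven event types listed on the slide.
LOSS_DATA = [
    (2003, "Business disruption and system failures", 18_000),
    (2003, "Execution, delivery and process management", 42_000),
    (2003, "External fraud", 7_500),
    (2004, "Business disruption and system failures", 65_000),
    (2004, "Clients, products and business practice", 110_000),
    (2004, "Execution, delivery and process management", 12_000),
    (2005, "Employment practices and workplace safety", 30_000),
    (2005, "Execution, delivery and process management", 95_000),
    (2005, "Internal fraud", 160_000),
]
YEARS = 3            # observation window for the loss data (assumption)
UNIT = 5_000         # lattice step used to discretise severity (assumption)
CONFIDENCE = 0.999   # capital quantile (assumption)


def frequency(losses, years):
    """Poisson rate lambda: loss events per year."""
    return len(losses) / years


def severity(losses, unit):
    """Empirical severity on a lattice: f[j] = P(single loss = j * unit)."""
    counts = Counter(round(amount / unit) for _, _, amount in losses)
    f = [0.0] * (max(counts) + 1)
    for j, c in counts.items():
        f[j] = c / len(losses)
    return f


def panjer_poisson(lam, f, n_max):
    """Aggregate loss pmf g[k] = P(annual total = k * unit), Poisson(lam) frequency.

    Panjer recursion with the Poisson parameters a = 0, b = lam:
        g[0] = exp(lam * (f[0] - 1))
        g[k] = (lam / k) * sum_{j=1..min(k,m)} j * f[j] * g[k - j]
    """
    m = len(f) - 1
    g = [0.0] * (n_max + 1)
    g[0] = math.exp(lam * (f[0] - 1.0))
    for k in range(1, n_max + 1):
        acc = 0.0
        for j in range(1, min(k, m) + 1):
            acc += j * f[j] * g[k - j]
        g[k] = lam / k * acc
    return g


def expected_loss(g, unit):
    """Mean of the aggregate distribution, back in currency units."""
    return unit * sum(k * p for k, p in enumerate(g))


def quantile(g, unit, q):
    """Smallest lattice loss whose cumulative probability reaches q (VaR at level q)."""
    cum = 0.0
    for k, p in enumerate(g):
        cum += p
        if cum >= q:
            return k * unit
    raise ValueError("n_max too small to reach the requested quantile")


def capital_model(losses=LOSS_DATA, years=YEARS, unit=UNIT, q=CONFIDENCE, n_max=2000):
    """Run the chain Frequency -> Severity -> Panjer -> Expected / Unexpected Loss."""
    lam = frequency(losses, years)
    f = severity(losses, unit)
    g = panjer_poisson(lam, f, n_max)
    el = expected_loss(g, unit)
    var = quantile(g, unit, q)
    return {"lambda": lam, "expected_loss": el, "var": var, "unexpected_loss": var - el}


if __name__ == "__main__":
    print(capital_model())
```

Two caveats a practitioner would raise before trusting the numbers: with only nine constructed events the 99.9% quantile is dominated by the single largest observed loss, which is exactly why the slide feeds external loss data and a separate "Adjust for Internal Control" step into the model; and a firm would normally run this per event category rather than pooling all seven, since their frequencies and severities differ.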

Page 17

ERM Dashboard (example)

Page 18

IT Management Dashboard (example)

Page 19

5. ERM Business Impact

Gartner research shows that 60% of large enterprises without best practice risk management implemented consistently across the enterprise will significantly under-perform their peers.

Aon: Impact on insurable losses has not been measured. ERM helps you look better to the insurance company and establish a sense of awareness.

Page 20

ERM Business Impact – IT Perspective

Awareness of existing risks
Mitigation of IT risks
Necessary component of:
  Service level agreements
  Business continuity planning
  Project charters / business cases
Reduction of surprises
A seat with firm management on business issues

Page 21

6. Program Development

Two Tracks:
IT (Performance and) Risk Management
Enterprise Risk Management

Page 22

IT Performance and Risk Management

IT Processes
IT Service Levels
IT Key Performance Indicators
Roles and Responsibilities related to risk:
  Change and configuration management
  Quality assurance
  Data architecture and integrity
  Security and privacy
  Content management initiatives

Page 23

ERM Program Development

Initial Steps

Context:
Consider current actions and how they may or may not be aligned with the desired culture of risk
Establish a baseline

Identify:
Identify existing risk-related responsibilities
Identify existing gaps in risk management
Decide roles and responsibilities
Determine maturity of the existing situation

Page 24

Maturity Assessment Model

Page 25

Maturity Assessment: Risk Process Ratings

Page 26

Maturity Assessment: Business Processes

Page 27

Maturity Assessment: IT Processes (1 of 4)

Page 28

Maturity Assessment: IT Processes (2 of 4)

Page 29

ERM Standards and Influences

ERM:
COSO ERM Framework
AS/NZS 4360:2004

Compliance:
Sarbanes-Oxley
Basel II
ISO

Standards with risk aspects:
IT Infrastructure Library (ITIL)
Project Management Institute PMBOK

Page 30

Risk Identification Example

Risk Type      Internal   External
Economic
Strategic
Operational
Market
Technical, broken down into:
  Continuity
  Access Management
  Integrity
  Privacy

Page 31

Risk Prioritization

Page 32

Conclusion

Next Steps:
Review how risk is considered and managed in IT projects
Have initial conversations in your firm about risks
Determine your own role in enterprise risk
Perform an assessment of risk areas and understand the implications

Questions and Comments?