Managing Risk in a Global Airline - IAAIA one/6. Neohapsis Kevin-George... · Managing Enterprise...

Managing Enterprise Risks in a Global Airline IAAIA Conference 11 October 2010 Istanbul, Turkey


Managing Enterprise Risks in a Global Airline

IAAIA Conference, 11 October 2010, Istanbul, Turkey


Discussion Agenda

• Discuss enterprise risk management (ERM) in the context of an enterprise governance, risk, compliance (GRC) program
• Discuss developing a risk taxonomy/vocabulary
• Airline risk register
• “A day in the life…” Managing enterprise risks and compliance in a global airline (demonstration leveraging NeoGRC)

© 2010 Neohapsis, Inc. – Proprietary & Confidential


Defining Risk

Risk defined – anything that has the potential to keep you from achieving your business objectives

Risks are measurable
– Magnitude of impact
– Likelihood of occurrence
– Velocity of onset


Hallmarks of an Effective ERM Program

• ERM activities and GRC approach are driven by the organization’s strategy.
• An executive level individual is given the responsibility for driving the ERM process.
• Common risk and process vocabulary are used to assess, communicate, and respond to risks.
• Risk management is an ongoing management process.
• High-value information useful for management and stakeholders is generated.
• A culture of sound business practices and ethics is deep-rooted throughout the entity.
• Management has a strong understanding of its goals and approach to managing risk.
• Efficient processes are implemented to monitor and manage risks.
• Allows for distributed, cross-departmental, “bottom up” accumulation of key data elements and input.
• Leveraging a centralized platform that provides efficiency, scalability, and timeliness to relevant ERM information.


ERM Journey

| From | To |
|---|---|
| Informal risk management activities | Formal risk management process |
| Risk loosely understood | Formal risks are understood by management |
| Risks considered within function / BU | Risk considered in the context of business strategy |
| Risk universe not defined | Formal risk universe is established and prioritized |
| Risks are locally addressed | Risks are addressed universally |
| Reporting is inconsistent and focused on easy to quantify historical data | Qualitative and quantitative data (financial, operational, attitudes, etc.) is analyzed to provide insight for decision making |
| Reporting is local and fragmented | Reporting is structured within ERM process |
| No defined ownership of risks | Clearly defined ownership of risks |
| Informal monitoring | Formal monitoring |


Evolving GRC Expectations


• Strong corporate governance includes effective and ongoing risk management
• Integrating risk management functions at an enterprise level improves organizational performance and reduces costs
• Managing risks across the enterprise requires common methods and processes

[Figure: axes Value and Time. Labels: Financial Risk Management; Decision Support; Competitive Advantage; Innovation; Business Integration; Reactive, Financial Loss Avoidance; Compliance Risk Management; Strategic Risk Management; Operational Risk Management; Enterprise GRC]


How do we communicate risk?


Consequence Classes

a. Class I - Catastrophic. A condition that may cause death or permanently disabling injury, facility destruction on the ground, or loss of crew, major systems, or vehicle during the mission; schedule slippage causing launch window to be missed; cost overrun greater than 50 percent of planned cost.

b. Class II - Critical. A condition that may cause severe injury or occupational illness, or major property damage to facilities, systems, equipment, or flight hardware; schedule slippage causing launch date to be missed; cost overrun between 15 percent and not exceeding 50 percent of planned cost.

c. Class III - Moderate. A condition that may cause minor injury or occupational illness, or minor property damage to facilities, systems, equipment, or flight hardware; internal schedule slip that does not impact launch date; cost overrun between 2 percent and not exceeding 15 percent of planned cost.

d. Class IV - Negligible. A condition that could cause the need for minor first aid treatment but would not adversely affect personal safety or health; damage to facilities, equipment, or flight hardware more than normal wear and tear level; internal schedule slip that does not impact internal development milestones; cost overrun less than 2 percent of planned cost.

NASA Risk Model

Source: www.nasa.gov


Severity

| Category | Definition |
|---|---|
| Insignificant (1-2) | The risk may have almost no financial implications. |
| Minor (3-4) | The risk may have a minimal impact on financial performance. |
| Moderate (5-6) | The risk may have a significant impact on financial performance. |
| Major (7-8) | The risk may have a substantial impact on financial performance requiring a multi-year recovery period. |
| Extreme (9-10) | The risk may have a significant impact on corporate solvency. |

Likelihood

| Category | Definition |
|---|---|
| Rare (1-2) | The risk has a negligible probability of impact in the next 12-24 months. |
| Unlikely (3-4) | The risk has a low probability of impact in the next 12-24 months. |
| Possible (5-6) | The risk has a medium probability of impact in the next 12-24 months. |
| Likely (7-8) | The risk has a high probability of impact in the next 12-24 months. |
| Almost Certain (9-10) | The risk is affecting the organization right now or almost certainly will in the next 12-24 months. |

MasterCard Worldwide – Spencer Schwartz 11/2/07

MasterCard Risk Model


Example Airline Risk Model

Exposure (E) - How often are we exposed to the opportunity for the event sequence to occur?

– 0 — No Exposure
– 1 — Seldom Exposed – Seldom exposed to the opportunity for the event sequence to occur.
– 2 — Occasionally Exposed – Occasionally exposed to the opportunity for the event sequence to occur.
– 3 — Frequently Exposed – Frequently exposed to the opportunity for the event sequence to occur.
– 4 — Constantly or Continuously Exposed – Constantly exposed to the opportunity for the event sequence to occur.

Probability (P) - What is the probability of that sequence of events happening, including the consequence?

– 0 — Extremely Improbable; Mishap impossible; 10^-9 and above
– 1 — Extremely Remote; Postulated event. (Has been planned for, and may be possible, but not known to have occurred); 10^-7 — 10^-9
– 2 — Remote; Has occurred rarely. (Known to have happened, but a statistically credible frequency cannot be determined); 10^-5 — 10^-7
– 3 — Reasonably Probable; Has occurred infrequently. (Occurs on order of less than once per exposure interval and is likely to reoccur within this interval); 10^-3 — 10^-5
– 4 — Frequent; Has occurred frequently. (Occurs on order of one or more per exposure interval and is very likely to reoccur within this interval); 10 — 10^-3


| Risk Index | Risk Level | Action |
|---|---|---|
| 0 — 10 | Level One | Minimum Risk. Proceed after considering all elements of risk. |
| 11 — 30 | Level Two | Moderate Risk. Continue after taking action to manage overall level of risk |
| > 30 | Level Three | High Risk. STOP |

Risk Index (P x E x S = Risk)


Example Airline Risk Model (cont.)


| Severity (S) | 0 — Negligible | 1 — Minor | 2 — Moderate | 3 — Major | 4 — Catastrophic |
|---|---|---|---|---|---|
| Personnel | No injuries. | First aid injury, no disability or lost time. | Lost time injury or passenger injuries (i.e. broken bone), no disability. Difficult for crew to cope with adverse conditions. | Disability or severe injuries. Crew extended because of workload or environmental conditions. | Fatal injuries to personnel or passengers. Public exposed to life threatening hazard. |
| Operations | Minor operational delay with no immediate costs. | May result in operating limitations, or emergency procedures. Operational delay requiring airline to incur relatively minimal costs. | Operational delay requiring grounding of an aircraft and causing the operator substantial costs. May result in significant reduction in safety margins. | Operational delay grounding air operator’s fleet. May result in a large reduction in safety margins. | Operational delay grounding all operating certificates for the subject aircraft/engine/major component. Removal of the operating certificate for subject aircraft/engine/major component or airline. |
| Equipment | No damage or minor technical delay with no immediate costs. | Technical delay requiring grounding of aircraft and causing the operator to incur relatively minimal costs. | Technical delay requiring grounding of an aircraft and causing the operator relatively substantial costs. | Technical delay grounding aircraft fleet causing substantial costs and long delays to return the aircraft to service. | Loss of aircraft. |
| Environment | No environmental impact. | Contained release. | Small uncontained release. | Moderate uncontained release. | Large uncontained release. |
| Media | No media attention. | Media attention that requires Briefing and Question Period notes and executive attention. | Media attention that elevates occurrence to High profile status requiring executive response | Media attention that initiates legal action | Media attention that requires resignations of the key executives. |
| Public Confidence | No loss of public confidence. | May be lowered, but public still find situation acceptable. | Significantly lowered with high profile media coverage and numerous requests. | Shaken to the point where significant numbers do not fly on a particular aircraft type, or airline. | Public demonstrations organized. |


Risk Model Example - #2

| Rating | Description | Likelihood of Occurrence |
|---|---|---|
| 1 | Rare | Highly unlikely, but it may occur in exceptional circumstances. It could happen, but probably never will. |
| 2 | Unlikely | Not expected, but there’s a slight possibility it may occur at some time. |
| 3 | Possible | The event might occur at some time as there is a history of casual occurrence at similar organizations. |
| 4 | Likely | There is a strong possibility the event will occur as there is a history of frequent occurrence at this or similar organizations. |
| 5 | Almost Certain | Very likely. The event is expected to occur in most circumstances as there is a history of regular occurrence at this and similar organizations. |

Risk Likelihood Descriptors

Risk = Likelihood * Consequences


| Rating | Description | Financial Impact | Clients & Staff Health & Safety | Business Interruption | Reputation & Image | Corporate Objectives |
|---|---|---|---|---|---|---|
| 1 | Insignificant | Minimal financial loss; Less than $300,000 | No or only minor personal injury; First Aid needed but no days lost | Negligible; Critical systems unavailable for less than one hour | Negligible impact | Resolved in day-to-day management |
| 2 | Minor | $300,000 to $2M; not covered by insurance | Minor injury; Medical treatment & some days lost | Inconvenient; Critical systems unavailable for several hours | Adverse local media coverage only | Minor impact |
| 3 | Moderate | $2M to $5M; not covered by insurance | Injury; Possible hospitalization & numerous days lost | Client dissatisfaction; Critical systems unavailable for less than 1 day | Adverse capital city media coverage | Significant impact |
| 4 | Major | $5M to $10M; not covered by insurance | Single death &/or long-term illness or multiple serious injuries | Critical systems unavailable for 1 day or a series of prolonged outages | Adverse and extended national media coverage | Major impact |
| 5 | Catastrophic | Above $10M; not covered by insurance | Fatality(ies) or permanent disability or ill-health | Critical systems unavailable for more than a day (at a crucial time) | Demand for government inquiry | Disastrous impact |

Risk Model Example - #2 (cont.)

Risk Consequence Descriptors


Airline Industry Risk Register


Airline Industry Risk Register Background

Researched 25 leading airlines to identify relevant industry risks and prevailing trends

Sample included…
– Global and regional
– Premium and discount
– Largely focused on publicly owned airlines or airlines that published annual reports
– Annual revenues ranged from approx. €300 million ($390 million USD) to €22 billion ($28 billion USD)

Analysis focused on the airline’s disclosed risks


Airline Risk Register Trends and Data Points

Two most notable expense categories
– Fuel costs
  • Ranged from €1.35 to €1.65 per gallon, €1.51 per gallon average over the sample set
  • Ranged from 18% to 34% of total revenue, 26.4% average over data set
– Employment costs
  • Ranged from 20% to 34% of total revenue, 25.3% average over data set

Declared Risks (from annual reports)
– 5 to 28 declared risks per airline
– Risk register totaled 45 declared airline industry risks
– The most common risk declared by 96% of the airlines
– The top 10 risks declared by 50% of the airlines


Most Common Airline Industry Risks

| Rank | Risk Category | Declared Risk | % Declared |
|---|---|---|---|
| 1 | Operational | Fuel Availability/ Fuel Cost & Hedging | 95.83% |
| 2 | Credit | Adequate Liquidity/ Downgrade of Credit Rating | 75.00% |
| 3 | Credit | Availability of Credit | 66.67% |
| 4 | Financial | Foreign Exchange Rate Changes/ Devaluation | 62.50% |
| 5 | Financial | Interest Rate Fluctuations | 58.33% |
| 5 | Strategic | Low Cost Competition/ Price Discounting | 58.33% |
| 7 | Legal/ Regulatory | Government Intervention/ Laws | 50.00% |
| 7 | Operational | Supply Chain Risks/ Key Supplier/Counterparty | 50.00% |
| 7 | Operational | Employee/ Labor Relations/ Retention of Key Personnel | 50.00% |
| 7 | Strategic | Global Economic Uncertainty | 50.00% |
| 11 | Geopolitical | Terrorism/ International Hostilities/ Military Escalation | 45.83% |
| 11 | IT | IT Failures - Technology and e-Commerce | 45.83% |
| 13 | Financial | Fixed Obligations/ Debt, Other Financial Commitments | 41.67% |
| 13 | Operational | Volatile or Seasonal Demand/ Tourism | 41.67% |


Source: Neohapsis airline industry research based on publicly disclosed risks.


Managing Enterprise Risks in a Global Airline

A day in the life…


Demo Scenario


NeoGRC

The Business Case for NeoGRC

Primary drivers for implementing a GRC solution are the need to achieve regulatory compliance and manage risk. NeoGRC not only addresses these needs but also delivers positive business value. As a comprehensive, enterprise-wide GRC platform, NeoGRC helps organizations:

• Improve efficiency of compliance and risk management activities.
  – NeoGRC enables you to automate, consolidate, analyze, and manage complex compliance and risk management processes and controls for better results using the same or fewer resources.
• Reduce organizational risk.
  – In addition to reducing the risk of non-compliance, NeoGRC provides the ability to measure risk, monitor losses, and facilitate remediation to reduce overall organizational risk.
• Improve business strategy and performance.
  – NeoGRC enables you to integrate risk and compliance factors in corporate strategy and decision making, which leads to better decisions and improved performance.


Thank you!

Kevin [email protected] +1 773.269.6350

George [email protected] +44.0.20.8481.3883

Mark [email protected] +1 603.598.8586


About Neohapsis

Neohapsis provides GRC products and services to address the risk management, regulatory, and information protection needs of global enterprises and government agencies.

Through advanced GRC products and proven consulting services, Neohapsis delivers trusted infrastructures and fully integrated GRC products. Neohapsis solutions provide unprecedented visibility into the complex interrelationships between business objectives, people, information, risks, controls, and the state of compliance. Neohapsis leverages the power of the security and GRC relationship to enable sustainable governance frameworks that improve operational integrity and business performance.

To learn more about Neohapsis, visit www.neohapsis.com


The Power of Security & GRC

Cambridge, Massachusetts: 215 First Street, Suite 005, Cambridge, MA 02142 USA

Chicago, Illinois: 217 North Jefferson Street, Suite 200, Chicago, IL 60661 USA

San Jose, California: 2665 North First Street, Suite 202, San Jose, CA 95134 USA

London, England: 12B Talisman Business Center, Bicester Road, OXON OX25 5HR, United Kingdom

Chennai, India: Sreyas, Chamiers Towers, 8th Floor, East Wing, New No 37, Old No 23 & 24, Chamiers Road, Teynampet, Chennai - 600018, Tamil Nadu, India