Valuendo Erm In An Extended Environment (March 2007)


Description: Generic presentation on ERM (enterprise risk management)

Transcript of Valuendo Erm In An Extended Environment (March 2007)

Page 1: Valuendo Erm In An Extended Environment (March 2007)

ERM

Marc Vael, Valuendo, March 2007

© 2007 Valuendo. All rights reserved. (slide 1) INFORMATION CLASSIFICATION = PUBLIC

Enterprise Risk Management in an extended enterprise

Friday March 16th 2007

Mr. Marc Vael, Managing Director

Valuendo


Introduction

• Marc Vael
• Managing Director Valuendo (“value & do”) since July 2001
• Education
  – Master Applied Economics (UAntwerp)
  – Master Information Management (UHasselt)
  – Master+ Applied Economics & ICT (KUL)
• Core Services
  – Enterprise Risk Management
  – IT Governance
  – Information Security Management
  – Data Privacy & Protection
  – Business Continuity / Disaster Recovery
  – Crisis Management
  – IT Audit & Compliance
• Certifications
  – CISA / CISM / CISSP / ITIL Service Manager

Page 2: Valuendo Erm In An Extended Environment (March 2007)


Why is “risk” a key business issue?

Risk is now seen as an issue that affects all parts of the business and influences business success and failure . . .

. . . consequently, risk management is increasingly the focus of the Board and executive management, and is proactive versus reactive

[Diagram: external forces (competition, regulation, alliances/partners, suppliers) + the business risk profile (business processes, business units, risks; efficiency and cost-based improvement) = performance (market cap, €), with risks overseen by executive management and the Board.]


What is Enterprise Risk Management? Valuendo’s view:

– Enterprise Risk Management (ERM) is an organization-wide approach to the identification, assessment, communication and management of all relevant risks in a cost-effective manner.

What are the potential benefits?

– Improves decision making within the company
– Allows the broadening of (Sarbanes-Oxley Section) 404 control efforts from financial to operational risks
– Increases accountability
– Provides clarity on key organizational risks
– Greater confidence from compliance activities
– Supports organizational strategy
– Risk-based key performance measurement
– Improves controls efficiency
– Improves identification of opportunities and threats
– Establishes pro-active management
– Effective allocation and use of resources
– Improves incident management and reduces losses and the cost of risk, including insurance premiums
– Improves stakeholder confidence

ERM is a dynamic process which is focused on protecting an organization’s value.

Page 3: Valuendo Erm In An Extended Environment (March 2007)


What are the ERM priorities?


A risk management framework is an essential part of beginning to meet today’s challenges.

ERM is not a “one-size-fits-all” approach. The key is to determine the degree of maturity that is right for your organisation.

Framework elements by maturity level (Basic = Remain in Compliance; Mature = A Management Process; Advanced = A Strategic Tool):

Risk Governance
– Basic: A central risk management policy to support external requirements
– Mature: A risk management structure with clear accountabilities to support risk management objectives
– Advanced: Risk management accountability integrated with performance management

Risk Assessment
– Basic: Annual risk assessment with limited analysis and interpretation
– Mature: Frequent risk assessment in line with normal management reporting and including analysis
– Advanced: Risk and control activities embedded in business processes

Risk Quantification and Aggregation
– Basic: Quantification of selected risks
– Mature: Quantification of operational risk; advanced quantification of selected risks
– Advanced: Entity-wide aggregation across all risk areas

Risk Monitoring and Reporting
– Basic: Business risk reporting designed to support external requirements
– Mature: Extensive reporting to the board and audit committee on current risk levels and future risk issues
– Advanced: Alignment of all risk reporting to provide a comprehensive single view of risk

Risk and Control Optimization
– Basic: Fewer surprises through management of key risks
– Mature: Greater stakeholder confidence and improved risk mitigation approaches
– Advanced: Risk-adjusted approaches, performance evaluation, and capital allocation

Page 4: Valuendo Erm In An Extended Environment (March 2007)


Example of Risk Ranking Criteria

Event is expected to occur in most circumstancesAlmost certain5

Event could occur in most circumstancesLikely4

Event could occur at some timePossible3

Event could occur in rare circumstancesUnlikely2

Event may only occur in exceptional circumstancesExceptional1

Ranking CriteriaDescriptionLevel

Likelihood of Risk Occurrence

• >€100 million impact on profitability• Serious diminution in reputation• Sustained loss of market share

Catastrophic5

• >€50 million to €100 million impact on profitability• Market share will be affected in the short term• Reputation is affected in the short term

Major4

• >€25 million to €50 million impact on profitability• There is some impact on market share• There is some impact on reputation

Moderate3

• €5 million to €10 million impact on profitability• Consequences can be absorbed under normal operating conditions• Potential impact on market share• Potential impact on reputation

Minor2

• <€5 million impact on profitability• No impact on market share• No impact on reputation

Insignificant1

Ranking CriteriaDescriptionLevel

Risk Consequence
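The ranking criteria above, applied in code. This is an added example, not Valuendo’s own tooling or data: it encodes the two 1–5 scales as printed, scores each risk as likelihood × consequence, ranks a register and groups the risks into the likelihood/consequence cells that the following slides plot as a matrix. The Risk class, the rule that the worst of money, reputation and market share sets the consequence level, the decision to map the slide’s unassigned €10–25 million band up to Moderate, and the sample register’s likelihoods and euro impacts are assumptions made for illustration.

```python
"""Risk scoring on the 5x5 scales from the 'Example of Risk Ranking Criteria' slide.

Added example; the scales are the slide's, everything else is an assumption.
"""
from dataclasses import dataclass

LIKELIHOOD = {1: "Exceptional", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}


def consequence_level(impact_eur_m: float) -> int:
    """Financial consequence level (1-5) for an impact on profitability in EUR millions.

    Bands as printed on the slide: <5 -> 1, 5-10 -> 2, >25-50 -> 3, >50-100 -> 4,
    >100 -> 5. The slide assigns nothing to 10-25; this code rounds that gap up
    to Moderate (3) rather than down, so an undefined band can never hide a
    material loss (assumption, not from the slide).
    """
    if impact_eur_m < 0:
        raise ValueError("impact must not be negative")
    if impact_eur_m < 5:
        return 1
    if impact_eur_m <= 10:
        return 2
    if impact_eur_m <= 50:
        return 3
    if impact_eur_m <= 100:
        return 4
    return 5


@dataclass(frozen=True)
class Risk:
    ref: str               # category number + letter, e.g. "5c", as on the deck's matrices
    name: str
    likelihood: int        # 1-5 per LIKELIHOOD
    impact_eur_m: float    # expected impact on profitability, EUR millions
    reputation: int = 1    # 1-5 qualitative consequence for reputation
    market_share: int = 1  # 1-5 qualitative consequence for market share

    def __post_init__(self) -> None:
        for level in (self.likelihood, self.reputation, self.market_share):
            if level not in LIKELIHOOD:  # same 1-5 domain for every scale
                raise ValueError(f"{self.ref}: levels must be 1-5")

    def consequence(self) -> int:
        # The slide's consequence rows combine money, reputation and market share;
        # here the worst of the three drives the level (assumption).
        return max(consequence_level(self.impact_eur_m), self.reputation, self.market_share)

    def score(self) -> int:
        return self.likelihood * self.consequence()


def rank(register, top=10):
    """Top-N risks: score first, then consequence, then likelihood, then ref."""
    key = lambda r: (-r.score(), -r.consequence(), -r.likelihood, r.ref)
    return sorted(register, key=key)[:top]


def matrix_cells(register):
    """Group refs by (likelihood, consequence) cell, as the deck's matrices plot them."""
    cells = {}
    for r in register:
        cells.setdefault((r.likelihood, r.consequence()), []).append(r.ref)
    return {cell: sorted(refs) for cell, refs in cells.items()}


def render_matrix(register) -> str:
    """Text matrix: consequence rows 5..1 top to bottom, likelihood columns 1..5."""
    cells = matrix_cells(register)
    header = " | ".join(f"{LIKELIHOOD[l]:<14}" for l in range(1, 6))
    lines = [f"{'consequence / likelihood':<24} | {header}"]
    for c in range(5, 0, -1):
        row = [f"{CONSEQUENCE[c]:<24}"]
        for l in range(1, 6):
            label = " ".join(cells.get((l, c), [])) or "-"
            row.append(f"{label:<14}")
        lines.append(" | ".join(row))
    return "\n".join(lines)


# Constructed sample register: the names echo the deck's top-ten list, but the
# likelihoods and euro impacts are illustrative values, not Valuendo's data.
SAMPLE_REGISTER = [
    Risk("3j", "Loss of building, key staff or technology infrastructure", 2, 120.0),
    Risk("1c", "Adverse changes in law and government", 3, 60.0),
    Risk("5c", "Inability to attract and retain key employees", 4, 8.0, reputation=2),
    Risk("5b", "Competing products and technologies", 4, 30.0),
    Risk("3i", "Pricing pressure from competitors/customers", 5, 4.0),
    Risk("4d", "Litigation related to products/services", 2, 15.0, reputation=3),
]

if __name__ == "__main__":
    for i, r in enumerate(rank(SAMPLE_REGISTER), 1):
        print(f"{i:>2}. {r.ref} score={r.score():>2} "
              f"L={LIKELIHOOD[r.likelihood]} C={CONSEQUENCE[r.consequence()]}  {r.name}")
    print(render_matrix(SAMPLE_REGISTER))
```

Ties on the product score are broken by consequence before likelihood, so a rarer but larger loss outranks a frequent small one at equal score; the €15 million litigation risk in the sample lands in Moderate only because of the gap-handling rule, which is exactly the kind of decision a risk committee should record rather than leave to whoever fills in the spreadsheet.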


Risk Categories

Reputation Risks Produce Performance andQuality Risks

Key

Top Ten Risks Regulatory and Compliance Risks

3j Loss of building, together with key staff or technology infrastructure

1c Adverse changes in law and government affecting the company’s business model

5a Loss of market share or revenue through competition or regulation

5b Introduction of competing products and technologies by other companies

5c Inability to attract and retain key employees

1b Failure to develop global management and information systems

4d Exposure to litigation related to the company’s products/services

3h Deficient products/services provided resulting in loss of reputation

4a Inability to react to changes in overseas legal, economic, or regulatory environment

3i Increased pricing pressure from competitors and/or customers

1

Top 10 Risks#

2

3

4

5

6

7

8

9

10

Insignificant

Likelihood of Risk Occurrence

Minor

Moderate

Major

Exceptional Unlikely Possible Likely Almost certain

1f

3e4c

4e4f

4j

1c

1d1e

2b

3g

3b 3d3f

3a

3h

4b

4d

4g

4h

4i

5a

5c

1a2c

2a

5b

3j

3i3c

1b

4a

Catastrophic

Ris

k C

onse

quen

ce

Sample Risks

(Random Plotting)

Operating Risks Growth and Strategic Risks

Page 5: Valuendo Erm In An Extended Environment (March 2007)


Controllable vs. Uncontrollable Risks

Uncontrollable: management cannot prevent risk occurrence; it can only detect risk occurrence and manage risk consequence.

Controllable: management can prevent risk occurrence.

Key: Top Ten Risks; Combination of controllable and uncontrollable.

[Risk matrix: likelihood of risk occurrence (Remote, Unlikely, Possible, Likely, Almost certain) against risk consequence (Insignificant, Minor, Moderate, Major, Catastrophic); sample risks 1a–5c plotted at random positions (random plotting) and coded as controllable, uncontrollable or a combination of both; the top ten risks are marked.]

Top 10 Risks: the same ten risks, in the same order, as on the Risk Categories slide.


Unique vs. Ongoing Risks

Unique Risks: one-time event nature of risk that impacts operating earnings over a limited time frame and that may reoccur.

Ongoing Risks: iterative trend nature of risk; economic, market, and regulatory conditions that impact operating earnings over an indefinite time frame.

Key: Top Ten Risks.

[Risk matrix: likelihood of risk occurrence (Remote, Unlikely, Possible, Likely, Almost certain) against risk consequence (Insignificant, Minor, Moderate, Major, Catastrophic); sample risks 1a–5c plotted at random positions (random plotting) and coded as unique or ongoing; the top ten risks are marked.]

Top 10 Risks: the same ten risks, in the same order, as on the Risk Categories slide.

Page 6: Valuendo Erm In An Extended Environment (March 2007)


Assessment of Actions to Manage Risks

Key to assessment of current actions to manage risks:
(0) Exceed Requirement – The risk management processes have been over-engineered for the level of risk involved.
(1) Meet Requirement – The risk management processes are appropriate for the level of risk identified.
(2) Need Strengthening (Minor) – Minor improvements in the risk management processes are necessary to reach “meet requirement.”
(3) Need Strengthening (Important) – Risk management processes need to be strengthened in important ways to reach “meet requirement.”
(4) Need Strengthening (Critical) – Risk management processes are clearly deficient in critical ways.
(5) Unestablished – Risk management processes have not yet been established. This will most likely be the situation in the case of a new business initiative.

Sample risk (table columns: Risk; Mitigating Actions; Recommendations; Assessment of current actions (0–5); Risk Owner / Risk Monitor)

Risk #1: 5c Inability to attract and retain key employees (Operating Risks, People)

Mitigating actions
– Actions to prevent risk occurrence: quarterly analysis of turnover metrics; company-wide career development program for top performers; attractive compensation package
– Actions to respond to risk occurrence: exit interviews with employees; renegotiation with employee
– Actions to manage risk consequence: succession planning

Recommendations: Consider introducing flexible working hours

Assessment of current actions (0–5): 3 (Need Strengthening – Important)

Risk Owners: Business Unit Heads; Chief HR Officer. Risk Monitor: CEO


Prioritization of Potential Areas for Improvement

The prioritization below factors the impact on cost, speed, and quality, and improving process performance.

[Chart: level of effort (low to high) against impact on risk mitigation or optimization (low to high); improvement areas 1–10 plotted into four quadrants: Quick wins (high impact, low effort), Must do’s (high impact, high effort), Don’t care’s (low impact, low effort), Don’t do’s (low impact, high effort).]

Page 7: Valuendo Erm In An Extended Environment (March 2007)


An assessment can help highlight the risk strategy, process, and activities for your organization.

An assessment yields a tailored implementation approach, including:
– A road map for implementing potential ERM improvements
– A clear articulation of the desired degree of ERM maturity for your business

Risk Maturity Continuum (example)

[Chart: for each framework element (Risk Governance; Risk Assessment; Risk Quantification & Aggregation; Risk Monitoring & Reporting; Risk and Control Optimization) a 1–5 scale running from Basic (Remain in Compliance) through Mature (A Management Process) to Advanced (A Strategic Tool), with the organization’s position Today, its Target and the Industry Benchmark marked.]


There are some barriers to improving Enterprise Risk Management. Addressing these can help improve your ability to manage risks in a coordinated, cost-effective manner.

BARRIERS
• Risk management is not connected to corporate strategy
• Leadership from the top is lacking
• Risk management is positioned as compliance
• Risk management is seen as a backroom exercise
• Risk is being managed in silos
• The focus is on risk assessment alone; no integrated framework is in place
• Past mistakes are overlooked; no corporate learning from previous risk events
• There is no clear road map for improvement
• Soft issues of behavior and attitude are ignored; the focus is on policy, quantification, etc.
• The scope of change management required is underestimated

Page 8: Valuendo Erm In An Extended Environment (March 2007)


Conclusion

ERM is a dynamic process which is focused on protecting an organization’s value.


Contact information

Mr. Marc Vael, CISA, CISM, CISSP, ITIL
Managing Director
Valuendo
Kriebrugstraat 33
1760 Roosdaal
Belgium
T: +32 5 433 61 93
M: +32 473 99 30 31
E-mail: mvael@valuendo.com