Valuendo Erm In An Extended Environment (March 2007)
Transcript of Valuendo Erm In An Extended Environment (March 2007)
ERM
Marc Vael, Valuendo, March 2007
© 2007 Valuendo. All rights reserved. Information classification: PUBLIC
Enterprise Risk Management in an extended enterprise
Friday March 16th 2007
Mr. Marc Vael, Managing Director, Valuendo
Introduction
• Marc Vael
• Managing Director Valuendo (“value & do”) since July 2001
• Education
  – Master Applied Economics (UAntwerp)
  – Master Information Management (UHasselt)
  – Master+ Applied Economics & ICT (KUL)
• Core Services
  – Enterprise Risk Management
  – IT Governance
  – Information Security Management
  – Data Privacy & Protection
  – Business Continuity / Disaster Recovery
  – Crisis Management
  – IT Audit & Compliance
• Certifications
  – CISA / CISM / CISSP / ITIL Service Manager
Why is “risk” a key business issue?
Risk is now seen as an issue that affects all parts of the business and influences business success and failure . . .
. . . consequently, risk management is increasingly the focus of the Board and executive management, and is proactive versus reactive
[Figure: external forces (competition, regulation, alliances/partners, suppliers) + the business risk profile (business processes, business units, risks, efficiency and cost-based improvement) = performance (market cap, €); risks are escalated from the business units through the executive to the Board.]
What is Enterprise Risk Management? Valuendo’s view:
– Enterprise Risk Management (ERM) is an organization-wide approach to the identification, assessment, communication and management of all relevant risks in a cost-effective manner.
What are potential benefits?
– Improves decision making within the company
– Allows the broadening of 404 efforts (financial – operational)
– Increases accountability
– Provides clarity on key organizational risks
– Greater confidence from compliance activities
– Supports organizational strategy
– Risk-based key performance measurement
– Improves controls efficiency
– Improves identification of opportunities and threats
– Establishes pro-active management
– Effective allocation and use of resources
– Improves incident management and reduces losses and the cost of risk, including insurance premiums
– Improves stakeholder confidence
ERM is a dynamic process which is focused on protecting an organization’s value.
What are the ERM priorities?
A risk management framework is an essential part of beginning to meet today’s challenges.
ERM is not a “One-Size-Fits-All” approach. The key is to determine the degree of maturity that is right for your organisation.

Framework elements by maturity level (Basic = Remain in Compliance; Mature = A Management Process; Advanced = A Strategic Tool):

Risk Governance
  – Basic: A central risk management policy to support external requirements
  – Mature: A risk management structure with clear accountabilities to support risk management objectives
  – Advanced: Risk management accountability integrated with performance management
Risk Assessment
  – Basic: Annual risk assessment with limited analysis and interpretation
  – Mature: Frequent risk assessment in line with normal management reporting and including analysis
  – Advanced: Risk and control activities embedded in business processes
Risk Quantification and Aggregation
  – Basic: Quantification of selected risks
  – Mature: Quantification of operational risk; advanced quantification of selected risks
  – Advanced: Entity-wide aggregation across all risk areas
Risk Monitoring and Reporting
  – Basic: Business risk reporting designed to support external requirements
  – Mature: Extensive reporting to the board and audit committee on current risk levels and future risk issues
  – Advanced: Alignment of all risk reporting to provide a comprehensive single view of risk
Risk and Control Optimization
  – Basic: Fewer surprises through management of key risks
  – Mature: Greater stakeholder confidence and improved risk mitigation approaches
  – Advanced: Risk-adjusted approaches, performance evaluation, and capital allocation
Example of Risk Ranking Criteria

Likelihood of Risk Occurrence
Level  Ranking criteria   Description
5      Almost certain     Event is expected to occur in most circumstances
4      Likely             Event could occur in most circumstances
3      Possible           Event could occur at some time
2      Unlikely           Event could occur in rare circumstances
1      Exceptional        Event may only occur in exceptional circumstances

Risk Consequence
Level  Ranking criteria   Description
5      Catastrophic       • >€100 million impact on profitability • Serious diminution in reputation • Sustained loss of market share
4      Major              • >€50 million to €100 million impact on profitability • Market share will be affected in the short term • Reputation is affected in the short term
3      Moderate           • >€25 million to €50 million impact on profitability • There is some impact on market share • There is some impact on reputation
2      Minor              • €5 million to €10 million impact on profitability • Consequences can be absorbed under normal operating conditions • Potential impact on market share • Potential impact on reputation
1      Insignificant      • <€5 million impact on profitability • No impact on market share • No impact on reputation
Risk Categories
Key (risk categories plotted): Reputation Risks; Product Performance and Quality Risks; Regulatory and Compliance Risks; Operating Risks; Growth and Strategic Risks.

Top Ten Risks
1. 3j Loss of building, together with key staff or technology infrastructure
2. 1c Adverse changes in law and government affecting the company’s business model
3. 5a Loss of market share or revenue through competition or regulation
4. 5b Introduction of competing products and technologies by other companies
5. 5c Inability to attract and retain key employees
6. 1b Failure to develop global management and information systems
7. 4d Exposure to litigation related to the company’s products/services
8. 3h Deficient products/services provided resulting in loss of reputation
9. 4a Inability to react to changes in overseas legal, economic, or regulatory environment
10. 3i Increased pricing pressure from competitors and/or customers

[Figure: sample risks (random plotting) on a 5×5 heat map; horizontal axis Likelihood of Risk Occurrence (Exceptional, Unlikely, Possible, Likely, Almost certain), vertical axis Risk Consequence (Insignificant, Minor, Moderate, Major, Catastrophic); plotted risk references 1a–1f, 2a–2c, 3a–3j, 4a–4j, 5a–5c, with the top ten highlighted.]
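As an added example (not from the Valuendo deck), the Python below scores risks with the deck’s five-level likelihood and consequence criteria and ranks them for a top-ten list of the kind plotted above. The product likelihood × consequence is an assumed scoring rule, the ratings and euro impacts are constructed, and the consequence bands are transcribed literally so that the €10 million to €25 million band, which the deck’s criteria do not cover, is flagged for manual rating rather than guessed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Likelihood levels from the deck's "Likelihood of Risk Occurrence" table.
LIKELIHOOD = {"exceptional": 1, "unlikely": 2, "possible": 3,
              "likely": 4, "almost certain": 5}

def consequence_level(impact: float) -> Optional[int]:
    """Map profitability impact (EUR millions) to the deck's consequence level.
    Bands are transcribed literally; 10 < impact <= 25 is in none of them."""
    if impact < 5:
        return 1            # Insignificant: < EUR 5 M
    if impact <= 10:
        return 2            # Minor: EUR 5 M to 10 M
    if 25 < impact <= 50:
        return 3            # Moderate: > EUR 25 M to 50 M
    if 50 < impact <= 100:
        return 4            # Major: > EUR 50 M to 100 M
    if impact > 100:
        return 5            # Catastrophic: > EUR 100 M
    return None             # gap in the published criteria, not a guessed level

@dataclass(frozen=True)
class Risk:
    ref: str            # deck-style reference such as "5c"
    title: str
    likelihood: str     # a LIKELIHOOD key
    impact_m_eur: float

def rank_risks(risks: List[Risk]) -> Tuple[list, List[Risk]]:
    """Score likelihood x consequence (assumed rule; ties broken by consequence).
    Risks in the undefined impact band are returned separately for review."""
    ranked, unscored = [], []
    for r in risks:
        c = consequence_level(r.impact_m_eur)
        if c is None:
            unscored.append(r)
            continue
        l = LIKELIHOOD[r.likelihood]
        ranked.append((r, l, c, l * c))
    ranked.sort(key=lambda t: (t[3], t[2]), reverse=True)
    return ranked, unscored

# Constructed sample: the deck's risk references with made-up ratings.
SAMPLE = [
    Risk("3j", "Loss of building, key staff or technology infrastructure", "exceptional", 150),
    Risk("5c", "Inability to attract and retain key employees", "likely", 8),
    Risk("1c", "Adverse changes in law affecting the business model", "possible", 60),
    Risk("3i", "Increased pricing pressure from competitors/customers", "almost certain", 30),
    Risk("4a", "Inability to react to overseas regulatory change", "unlikely", 18),
]
```

Calling rank_risks(SAMPLE) orders 3i, 1c, 5c, 3j and returns 4a unscored, because its constructed €18 million impact falls in the band the criteria leave undefined.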
Controllable vs. Uncontrollable Risks
Uncontrollable: Management cannot prevent risk occurrence; it can only detect risk occurrence and manage risk consequence.
Controllable: Management can prevent risk occurrence.
Key: each plotted risk is marked as controllable, uncontrollable, or a combination of controllable and uncontrollable.
Top Ten Risks: as listed under Risk Categories (1. 3j, 2. 1c, 3. 5a, 4. 5b, 5. 5c, 6. 1b, 7. 4d, 8. 3h, 9. 4a, 10. 3i).

[Figure: the same sample risks (random plotting) on the 5×5 heat map; horizontal axis Likelihood of Risk Occurrence (Remote, Unlikely, Possible, Likely, Almost certain), vertical axis Risk Consequence (Insignificant, Minor, Moderate, Major, Catastrophic); plotted risk references 1a–1f, 2a–2c, 3a–3j, 4a–4j, 5a–5c.]
Unique vs. Ongoing Risks
Unique Risks: One-time event nature of risk that impacts operating earnings over a limited time frame and that may reoccur.
Ongoing Risks: Iterative trend nature of risk. Economic, market, and regulatory conditions that impact operating earnings over an indefinite time frame.
Key: each plotted risk is marked as unique or ongoing.
Top Ten Risks: as listed under Risk Categories (1. 3j, 2. 1c, 3. 5a, 4. 5b, 5. 5c, 6. 1b, 7. 4d, 8. 3h, 9. 4a, 10. 3i).

[Figure: the same sample risks (random plotting) on the 5×5 heat map; horizontal axis Likelihood of Risk Occurrence (Remote, Unlikely, Possible, Likely, Almost certain), vertical axis Risk Consequence (Insignificant, Minor, Moderate, Major, Catastrophic); plotted risk references 1a–1f, 2a–2c, 3a–3j, 4a–4j, 5a–5c.]
Assessment of Actions to Manage Risks
Key to assessment of current actions to manage risks:
(0) Exceed Requirement – The risk management processes have been over-engineered for the level of risk involved.
(1) Meet Requirement – The risk management processes are appropriate for the level of risk identified.
(2) Need Strengthening (Minor) – Minor improvements in the risk management processes are necessary to reach “meet requirement.”
(3) Need Strengthening (Important) – Risk management processes need to be strengthened in important ways to reach “meet requirement.”
(4) Need Strengthening (Critical) – Risk management processes are clearly deficient in critical ways.
(5) Unestablished – Risk management processes have not yet been established. This will most likely be the situation in the case of a new business initiative.

Sample risk
Risk #1: 5c Inability to attract and retain key employees (Operating Risks, People)
Mitigating actions
  – Actions to prevent risk occurrence: quarterly analysis of turnover metrics; company-wide career development program for top performers; attractive compensation package
  – Actions to respond to risk occurrence: exit interviews with employees; renegotiation with employee
  – Actions to manage risk consequence: succession planning
Recommendations: Consider introducing flexible working hours
Assessment of current actions (0 - 5): 3
Risk Owners: Business Unit Heads; Chief HR Officer
Risk Monitor: CEO
Prioritization of Potential Areas for Improvement
The prioritization below factors the impact on cost, speed, and quality—and improving process performance.
[Figure: improvement areas 1–10 plotted by level of effort (low to high, vertical axis) against impact on risk mitigation or optimization (low to high, horizontal axis); the four quadrants are labelled Must do’s, Quick wins, Don’t do’s and Don’t care’s.]
ERM
Marc VaelValuendo March 2007
© 2007 Valuendo. All rights reserved. 13INFORMATION CLASSIFICATION = PUBLIC
An assessment can help highlight the risk strategy, process, and activities for your organization
An assessment yields a tailored implementation approach, including:
– A road map for implementing potential ERM improvements
– A clear articulation of the desired degree of ERM maturity for your business
[Figure: Risk Maturity Continuum (example) showing “Today”, “Target” and “Industry Benchmark” positions on a 1–5 scale for each framework element (Risk Governance, Risk Assessment, Risk Quantification & Aggregation, Risk Monitoring & Reporting, Risk and Control Optimization) across the maturity levels Basic (Remain in Compliance), Mature (A Management Process) and Advanced (A Strategic Tool).]
There are some barriers to improving Enterprise Risk Management
Addressing these can help improve your ability to manage risks in a coordinated, cost-effective manner.
BARRIERS
• Risk management is not connected to corporate strategy
• Leadership from the top is lacking
• Risk management is positioned as compliance
• Risk management is seen as a backroom exercise
• Risk is being managed in silos
• The focus is on risk assessment alone—no integrated framework is in place
• Past mistakes are overlooked—no corporate learning from previous risk events
• There is no clear road map for improvement
• Soft issues of behavior and attitude are ignored—focus on policy, quantification, etc.
• The scope of change management required is underestimated
Conclusion
ERM is a dynamic process which is focused on protecting an organization’s value.
Contact information
Mr. Marc Vael, CISA, CISM, CISSP, ITIL
Managing Director
Valuendo
Kriebrugstraat 33
1760 Roosdaal
Belgium
T: +32 5 433 61 93
M: +32 473 99 30 31
M: mvael@valuendo.com