11/14/2014
1
Enterprise Risk Management: Are You Doing Enough?
Society of Corporate Compliance & Ethics – Southeast Regional Conference
David Kidd, United Parcel Service, November 7, 2014
SCCE – Southeast Regional Conference / 11/7/2014
Risk Management / Enterprise Risk Management
Why All the Attention?
Attributes of an Effective ERM Program
Are You Doing Enough?
Risk Management / Enterprise Risk Management
(Traditional) Risk Management: Process of assessing, minimizing, and/or preventing an unforeseen loss through the use of insurance or other financial measures.
EXAMPLE –
• Home owners/Renters Insurance/Life Insurance/Savings
• Fuel Prices – Supplier contracts / Options (Buy & Sell)
• Asset Protection – Traditional Insurance
• Portfolio/Fund – Treasury notes, fixed income, indexes, stocks
• Data Breach – Cyber-Security Insurance
We Rent Cars to Minors!
Minimum age to rent a car: 26
• Age 18-20: $68 per day surcharge
• Age 21-25: $28 per day surcharge
Enterprise Risk Management dates back to the 1960s
• Professors Robert Mehr and Bob Hedges
• First textbook, “Risk Management and the Business Enterprise”
“Risks should be managed in a comprehensive manner, and not simply insured.”
Objective: To maximize the productive efficiency of the enterprise
Enterprise Risk Management: Process used by organizations to identify and manage risks and seize opportunities related to the achievement of company objectives.
EXAMPLE – Risk and Opportunity
• Geopolitical – Emerging/Frontier Markets
• Mergers/Acquisitions – Capitalize on synergies/Culture
• Work Stoppage – Labor Agreements (Union Contracts)
• Financial – FX, Interest Rates, Commodity Prices, Fraud
Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Source: Committee of Sponsoring Organizations of the Treadway Commission / ERM ‐ Integrated Framework / September 2004
Enterprise Risk Management: Why All the Attention?
Enterprise Risk Management – Why all the attention?
[Timeline figure: Trigger/Event versus Laws / Regulation, with marks at 2001, 2002, 2008 and “???”. Labels shown: Investor / Consumer Confidence; Sarbanes-Oxley Act; SEC 33-9089; Department of Homeland Security; Transportation Security Administration; Dodd-Frank Act; Basel; ORSA/Solvency.]
Enterprise Risk Management – Why all the attention? Accounting Scandals
(1) Fiduciary Failure. The Enron Board of Directors failed to safeguard Enron shareholders and contributed to the collapse of the seventh largest public company in the United States, by allowing Enron to engage in high risk accounting, inappropriate conflict of interest transactions, extensive undisclosed off-the-books activities, and excessive executive compensation. The Board witnessed numerous indications of questionable practices by Enron management over several years, but chose to ignore them to the detriment of Enron shareholders, employees and business associates.
(2) High Risk Accounting. The Enron Board of Directors knowingly allowed Enron to engage in high risk accounting practices.
(3) Inappropriate Conflicts of Interest. Despite clear conflicts of interest, the Enron Board of Directors approved an unprecedented arrangement allowing Enron’s Chief Financial Officer to establish and operate the LJM private equity funds which transacted business with Enron and profited at Enron’s expense. The Board exercised inadequate oversight of LJM transaction and compensation controls and failed to protect Enron shareholders from unfair dealing.
(4) Extensive Undisclosed Off-The-Books Activity. The Enron Board of Directors knowingly allowed Enron to conduct billions of dollars in off-the-books activity to make its financial condition appear better than it was and failed to ensure adequate public disclosure of material off-the books liabilities that contributed to Enron’s collapse.
(5) Excessive Compensation. The Enron Board of Directors approved excessive compensation for company executives, failed to monitor the cumulative cash drain caused by Enron’s 2000 annual bonus and performance unit plans, and failed to monitor or halt abuse by Board Chairman and Chief Executive Officer Kenneth Lay of a company-financed, multi-million dollar, personal credit line.
(6) Lack of Independence. The independence of the Enron Board of Directors was compromised by financial ties between the company and certain Board members. The Board also failed to ensure the independence of the company’s auditor, allowing Andersen to provide internal audit and consulting services while serving as Enron’s outside auditor.
Source: Permanent Subcommittee on Investigations of the Committee on Governmental Affairs, United States Senate / July 8, 2002
Enterprise Risk Management – Why all the attention? Global Financial Crisis
SCCE– 2014 Atlanta Annual Conference / 11/7/2014
Without a doubt, the recent financial crisis has tested companies and their boards in ways not seen in many decades and has had a profound impact on corporate governance and risk management. Indeed, one group of institutional investors with $9.5 trillion in assets under management has claimed, “It is now widely agreed that corporate governance failings were not the only cause of the crisis but they were highly significant, above all because boards failed to understand and manage risk and tolerated perverse incentives.”
Source: The Metropolitan Corporate Counsel / The Board’s Role in Risk Management – Lessons Learned From the Financial Crisis / King & Spalding, LLP
SEC 33-9089 (February 2010)
Risk: by requiring disclosure about the board’s role in risk oversight and, to the extent that risks arising from a company’s compensation policies and practices are reasonably likely to have a material adverse effect on the company, disclosure about such policies and practices as they relate to risk management;
Governance and Director Qualifications: by requiring expanded disclosure of the background and qualifications of directors and director nominees and new disclosure about a company’s board leadership structure, and accelerating the reporting of information regarding voting results; and
Compensation: by revising the reporting of stock and option awards in the Summary Compensation Table and Director Compensation Table, and requiring disclosure of potential conflicts of interest of compensation consultants in certain circumstances.
2013 Annual Corporate Directors Survey
- 934 public company directors responded
- >70% serve on boards of companies with >$1 billion in annual revenue
Source: PwC’s 2013 Annual Corporate Directors Survey
Attributes of an Effective ERM Program
Attributes of an Effective ERM Program
• ERM ambassador / Salesman
• Communication (Top down/Bottom up) – A seat at the table?
• Understand risk definitions and their value (Risk appetite, Inherent risk, residual risk, risk capacity, risk tolerance, etc.)
• Risk Assessment Objectives - (Accept, Transfer, Terminate)
• Culture (Bureaucratic)
• Dynamic Program (Survey, benchmarking, external research, willingness to share)
• Linkage between enterprise risks and strategic objectives
• Linkage to governance activities/committees
• 10-K “Risk Factor” Comparison / Competitors and other organizations
• Learn the backgrounds of Board Members – What other boards do members serve on?
• Constructively Dissatisfied
Attributes of an Effective ERM Program
Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
Event Identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.
Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.
Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
Enterprise Risk and Control Framework (ILLUSTRATIVE)
[Figure: UPS Risk Categories mapped to the COSO Framework. Each category has a VP, an MC Sponsor and an ERC Sponsor. Categories shown: Ethics & Compliance; Sales & Marketing; Operations/Infrastructure; Legal & Public Affairs; Information Technology; Human Resources; Operations / Engineering; Strategic; Corporate Governance; Security; Strategy; Finance & Accounting / Reporting; Sustainability / Brand Management. Each category is broken into Risk Sub-categories. The Ethics & Compliance sub-categories are Compliance Monitoring & Reporting, Ethical Culture “Tone at the Top”, Compliance Structure & Oversight, Regulatory Compliance, Compliance Policies & Procedures, Compliance Communication & Training, Addressing Allegations, Compliance Program Assessment, and Records & Information Management. The Information Technology sub-categories include I.T. Records Management, I.T. Asset Management, I.T. Business Continuity Management, I.T. Change Management, I.T. Contracting & Outsourcing, Privacy and Data Protection, I.T. Operations, I.T. Physical & Environmental Security, I.T. Problem Management, and I.T. Project Management.]
Risk Rating Matrix (ILLUSTRATIVE)

Likelihood of Risk Occurring
Value | Likelihood | Description
5 | Very High | Event has occurred in last 12 months, or >75% chance of occurring within seven years.
4 | High | Event has occurred in last 24 months, or 50-75% chance of occurring within seven years.
3 | Medium | 20-50% chance of occurring within seven years.
2 | Low | 10-20% chance of occurring within seven years.
1 | Very Low | <10% chance of occurring within seven years.

Impact if Risk Occurred
Value | Impact | Mission | Financial | Operations | Brand
5 | Very High (Severe) | Severely impacts our ability to achieve UPS Mission | Results in a single year financial impact >$ with ongoing impact | Severely disrupts enterprise-wide customer service or operations reliability long term | Severe impact on brand reputation
4 | High (Significant) | Significantly impacts our ability to achieve UPS Mission | Results in a single year financial impact greater than $ and less than $, with some ongoing impact | Significantly disrupts enterprise-wide customer service or operations reliability | Significant impact on brand reputation
3 | Medium (Moderate) | Moderately impacts our ability to achieve UPS Mission | Results in a single year financial impact greater than $ and less than $, with some ongoing impact | Moderate impact on enterprise-wide customer service or operations reliability | Moderate impact on brand reputation
2 | Low (Minor) | Minor impact on our ability to achieve UPS Mission | Results in a single year financial impact greater than $ and less than $, with some ongoing impact | Limited disruption of customer service or operations reliability | Limited impact on brand reputation
1 | Very Low (Insignificant) | Insignificant impact on our ability to achieve UPS Mission | Results in a single year financial impact <$, and little ongoing impact | Minimal disruption of customer service or operations reliability | Limited to no impact on brand reputation
Consolidated Risk Map (ILLUSTRATIVE, CONFIDENTIAL)
[Figure: two 5x5 heat maps with Likelihood on one axis and Impact on the other, each scaled VL / L / M / H / VH. One map plots risks numbered 1 through 20 and the other plots risks lettered A through BB, each placed in its rated likelihood/impact cell. Legend: VH Very High, H High, M Medium, L Low, VL Very Low.]
Risk Profile (ILLUSTRATIVE, CONFIDENTIAL)
Risk Category: Compliance & Ethics
Risk Sub-Category: Regulatory Compliance
MC Sponsor: Mary Doe
ERC Sponsor: John Doe
Risk Owner(s): Bob, Sally, Joe
Risk SME(s): Rick, Sue, Steve

Risk Statement
There is a risk that legislation in the next year could prohibit carbon emitting vehicles from operating within city limits.

Risk Contributors | Controls / Mitigation | Status | L | I | Planned Completion
1. Aggressive regulatory agencies pushing bans on carbon emitting vehicles
   - Deploy Public Affairs strategy to reach an agreement to delay the mandate, or obtain an exemption
   - Collaborate/partner with IBT to strengthen position
2. Limited number of non-carbon vehicles to meet the mandate
   - Work with multiple manufacturers to procure the necessary number of vehicles
   - Invest in additional forms of carbon-free alternatives, including CNG/LNG, hydraulic, etc.
3. Limitations with battery life may require multiple trips to and from the hub/center
   - Establish satellite locations in closer proximity to impacted delivery zones
   - Consider leasing/acquiring space within restricted areas

2013 Risk Status | L | I
Current (Executed) | 4 | 3
Planned Mitigation | 1 | 1
Future (Planned) | 3 | 2

Confidential, unpublished property of UPS. Do not distribute - limited solely to authorized personnel.
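The likelihood rubric and impact scale from the Risk Rating Matrix, together with the Current / Planned Mitigation / Future arithmetic from the Risk Profile, implemented as an added Python example (not UPS's or the presenter's code). It assumes that the recency tests are applied before the seven-year probability bands with inclusive lower bounds, that the overall impact is the highest of the four impact columns, that the Planned Mitigation row is a reduction subtracted from the current ratings, and it rates a constructed data-breach risk entry as sample input.

```python
from dataclasses import dataclass

# Scale labels used on the Consolidated Risk Map axes.
LABELS = {5: "VH", 4: "H", 3: "M", 2: "L", 1: "VL"}


def likelihood_value(months_since_last_event, p_seven_years):
    """Rate likelihood 1..5 per the Risk Rating Matrix rubric.

    months_since_last_event: None if the event has never occurred.
    p_seven_years: estimated probability (0..1) of occurrence within seven years.
    Assumption: recency tests are applied before the probability bands, and
    each band's lower bound is inclusive.
    """
    recent = months_since_last_event is not None
    if (recent and months_since_last_event <= 12) or p_seven_years > 0.75:
        return 5  # Very High: occurred in last 12 months, or >75% chance
    if (recent and months_since_last_event <= 24) or p_seven_years >= 0.50:
        return 4  # High: occurred in last 24 months, or 50-75% chance
    if p_seven_years >= 0.20:
        return 3  # Medium: 20-50% chance
    if p_seven_years >= 0.10:
        return 2  # Low: 10-20% chance
    return 1      # Very Low: <10% chance


def impact_value(mission, financial, operations, brand):
    """Combine the four impact columns (each rated 1..5) into one impact score.

    Assumption: overall impact is the highest single-column rating, so a severe
    brand or operations hit is not diluted by a minor financial one.
    """
    ratings = (mission, financial, operations, brand)
    if any(r not in LABELS for r in ratings):
        raise ValueError("each impact rating must be an integer from 1 to 5")
    return max(ratings)


@dataclass(frozen=True)
class RiskStatus:
    likelihood: int  # L column
    impact: int      # I column

    def cell(self):
        """Position on the risk map, e.g. 'H/M' for likelihood High, impact Medium."""
        return f"{LABELS[self.likelihood]}/{LABELS[self.impact]}"


def future_status(current, planned_mitigation):
    """Future (Planned) = Current (Executed) minus Planned Mitigation, floored at 1.

    Assumption: the Planned Mitigation row is the reduction in L and I that the
    planned controls are expected to deliver (4/3 minus 1/1 gives 3/2).
    """
    return RiskStatus(
        max(1, current.likelihood - planned_mitigation.likelihood),
        max(1, current.impact - planned_mitigation.impact),
    )


def data_breach_example():
    """Constructed data-breach risk entry (sample values, not real figures)."""
    current = RiskStatus(
        likelihood_value(months_since_last_event=9, p_seven_years=0.40),
        impact_value(mission=3, financial=4, operations=3, brand=4),
    )
    planned = RiskStatus(1, 1)  # expected reduction from the planned controls
    future = future_status(current, planned)
    return {"current": current.cell(), "future": future.cell()}
```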
Attributes of an Effective ERM Program / 10‐K Risk Factors
• The Company’s products and services may experience quality problems from time to time that can result in decreased sales and operating margin and harm to the Company’s reputation.
• The Company could be impacted by unfavorable results of legal proceedings, such as being found to have infringed on intellectual property rights.
• There may be breaches of the Company’s information technology systems that materially damage business partner and customer relationships, curtail or otherwise adversely impact access to online stores and services, or subject the Company to significant reputational, financial, legal, and operational consequences.
• The Company’s success depends largely on the continued service and availability of key personnel.
• The Company’s future performance depends in part on support from third-party software developers.
Attributes of an Effective ERM Program / Proxy Review
Board Oversight of Risk Management
The Board believes that evaluating how the executive team manages the various risks confronting the Company is one of its most important areas of oversight. In carrying out this critical responsibility, the Board has designated the Audit Committee with primary responsibility for overseeing enterprise risk management. In fulfilling its oversight responsibilities with regard to risks inherent in the Company’s business, including the identification, assessment, management, and monitoring of those risks, and risk management decisions, practices and activities of the Company, the Audit Committee is assisted by a Risk Oversight Committee consisting of key members of management, including the Company’s Chief Financial Officer and General Counsel. The Risk Oversight Committee reports regularly to the Audit Committee, and the Audit Committee makes periodic reports to the Board. See the Audit Committee’s Charter at www.apple.com/investor for more information about its risk oversight function.
Attributes of an Effective ERM Program / Proxy Review
Board Risk Oversight
Our Board of Directors has oversight for risk management with a focus on the most significant risks facing the company, including strategic, operational, financial, and legal and compliance risks. At the end of each year, management and the Board jointly develop a list of major risks that GE plans to prioritize in the next year. Throughout the year, the Board and the committees to which it has delegated responsibility dedicate a portion of their meetings to review and discuss specific risk topics in greater detail. Strategic, operational and reputational risks are presented and discussed in the context of the CEO’s report on operations to the Board at regularly scheduled Board meetings and at presentations to the Board and its committees by the vice chairmen, CRO, general counsel and other employees.
Risks identified through our risk management processes are prioritized and, depending on the probability and severity of the risk, escalated to the chief risk officer (CRO). We have general response strategies for managing risks, which categorize risks according to whether the company will avoid, transfer, reduce or accept the risk. These response strategies are tailored to ensure that risks are within acceptable GE Board general guidelines. Depending on the nature of the risk involved and the particular business or function affected, we use a wide variety of risk mitigation strategies, including delegation of authorities, standardized processes and strategic planning reviews, operating reviews, insurance and hedging.
Enterprise Risk Management: Are You Doing Enough?
Are You Doing Enough?
• Board feedback
• C‐Suite engagement
• Customer engagement / New business opportunities
• Risk assessment
• Networking / Relationships / Credibility
• Insurance Incentives
• Constructively Dissatisfied
Thank You
Questions?
David Kidd, United Parcel Service, November 7, 2014