Enterprise Risk Management
October 12, 2010
ERM is a principles-based approach to manage, not just minimize, risk.
• ERM is:
- A process built into routine business practices
- Designed to identify emerging events with the potential to affect the entity, assess the potential impact consistently and to
manage risk within a pre-determined risk appetite
- Geared to the achievement of objectives
- Applied across the enterprise
- Tied to the organization’s strategic goals
ERM is about the routine execution of risk management principles built into normal business operations
ERM Defined
Risk Defined
We define “risk” as:
ability to meet its strategic objectives or
sustain key processes.
Risk Defined
To use an analogy:
objectives it is like asking
people to navigate an uncharted
minefield
• It is an avoidance strategy –
stay as far away from the mines
(risks) as possible.
• If someone steps on one (risk
event) everyone scatters.
• The team’s focus is down on the
ground, not on the other side of
the field (objective).
Risk Defined
[Diagram: Identifying & assessing barriers (risks); confirming objectives; assigning ownership; responding to risks by priority = achieving objectives]
To use an analogy:
more closely resembles coaching a
football game.
• You confirm your game objectives
• You study the defence IN ADVANCE of
the game (risk identification) and assess
who the biggest defensive threats are (risk
assessment).
• You choose plays that navigate through
the defence and assign blocking
assignments (Ownership).
• You run plays and block the ball carrier,
double teaming their best players
(mitigation/controls).
• It’s identifying and managing barriers to
success in advance to increase
performance.
Evolving how we view risk
Think of risk as NEUTRAL
Liability vs. Opportunity
Opportunity: Financial Strength; Product / Service Innovation; Public endorsements; Improved staff safety record; Competitive superiority; Positive Gov Influence; Effective Staff Transitions
Liability: Financial Instability; Product / Service Failure; Reputational Damage; Staff Health and Safety Incident; Lowered competitive advantage; Government relations challenge; Poor Succession Plan
The business and regulatory environments have become
increasingly complex, raising corporate risk profiles
Higher Risk Profiles
• Increasing scope and complexity of
business activities
• Increasing risks from technology (e.g.,
speed of execution, data vulnerability)
• Continuous changes in regulatory
requirements
Higher Expectations
• Regulators expect corporate risk infrastructure to be commensurate with and scale of business activities
• Investors demand more corporate visibility and accountability for risk management
• Rating agencies (e.g., S&P and Moody’s) are evaluating risk management program
effectiveness
Strategic consequences exist if companies are unable to manage risk,
compliance and control requirements effectively
• Depressed market value and share price
• Financial losses and/or damaged reputation
• Regulatory / legal noncompliance resulting in damaged reputation/costs
• Regulatory enforcement actions which limit acquisition/strategic plans
Issues Driving Focus on ERM
Crises management and compliance
Business continuity protection
Business Performance Management
• Risk management embedded within key processes & culture
• Link between RM and capital allocation
• Centralized risk mgnt across divisions tied to objectives
• Centralized risk management across divisions
• Common risk language created across independent divisions
• Divisions manage their own risks (independent actions/language)
• Avoiding personal liability / failure (the personal fear factor)
• Compliance with corporate governance standards (fiduciary responsibility)
• React to your own company crises
Risk Management Maturity Scale
ERM
CEOs and Boards find value in ERM beyond S&P compliance.
CEOs find value because ERM:
• Helps align organizational elements around the enterprise strategy and
increases the likelihood of achieving plan objectives
• Creates a common language and a common approach to identifying,
assessing and managing risk efficiently, effectively and in a prioritized manner
• Increases management confidence related to meeting targets including taking
on new programs (acquisitions, business transformation, etc.)
• Results in cost reduction opportunities by reducing surprises and increasing
the efficiency of the internal risk management spend.
Directors find value because ERM:
• Provides a routine program that updates the organizational risk profile for
changes (internal and external)
• Involves the Board in the discussion and provides more information upon which
they can make their decisions
• Provides a new basis to monitor management decisions and actions
Issues Driving Focus on ERM
Leading practice ERM programs are not stand-alone, “layered-on” processes, but rather embedded within normal business
operations and existing processes.
[Figure: Business Cycle. Labels: Business Strategy & Planning; Business Process & Execution; Evaluation; Validate/Refine Strategy; Analysis; Reporting; Key Controls]
• Explicit integration of risk identification and assessment into strategic planning.
• Set risk appetite and ensure its consistency with strategy.
• Integrate financial planning and risk assessment.
• Allocate capital to business units / risk activities.
• Set business and individual performance goals.
• Manage key risk indicators related to meeting
performance targets.
• Enterprise risk management policy standards and controls including limits.
• Consistent risk measures and aggregation.
• Aggregated enterprise risk/performance reports.
• External reporting.
• Risk and performance data infrastructure.
• Modify risk planning based on results.
[Figure labels: Procedures; Process; Policy; Resources]
Leading Practices in ERM
Process to Identify, Assess, Manage and Monitor Risk
[Figure (illustrative). Process steps: State and Prioritize Objectives; Identify and Analyze Risks; Determine Risk Strategy; Decide Tolerance; Assess and Design Control; Action Planning and Reporting of Residual Risk. Panels: Objectives Map; Risk Map; Risk Management Response (Eliminate Risk, Transfer Risk, Accept Risk, Reduce Risk; Hazard, Uncertainty, Opportunity); Control Map. Axis and region labels: Criticality; Timing; Business Impact of Risk; Probability of Occurrence; Business Impact; Level of Control; Most Critical Objectives; Most Critical Risks; Critical Control Improvement Areas; Excessive Control Areas; scale Low to High.]
Leading Practices in ERM
Risk Analysis Matrix
[Figure: matrix with axes Impact and Likelihood (scale 2 to 10), showing Inherent Risk, Tolerance (target) and Residual Risk]
Leading Practices in ERM
Example Enterprise-Level Risk Profile and Report of Residual Risk Compared to Risk Tolerance Conclusions
Financial
Capital
Adequacy
Market Strategic
Operational Information
Credit
Financial
Process
Commodity
Equity
Foreign Exchange
Competitive
Financial Rep
Compliance
Industry
Dealer / Distributor
Equipment
Engineering
Health and Safety
Product Quality
Regulatory Compliance Security
Information Technology
Decision
Organization
Human Resources
Organizational
Environmental
Legal / Political
Governance
Insurance
Interest Rate
Liquidity
Litigation
Political
Macro-economic Marketing
Natural Disaster
Regulatory
Supplier
Stakeholder
Tax
Technology
Tolerance Evaluation: Significantly Over; Slightly Over; Within Tolerance
Leading Practices in ERM
Case Study
2010
Tgt Yr 2 2011
Tgt Yr 3
Financial
F1.Provide efficient cost and effective services to customers
F1a.% of controllable costs to total fixed costs
Base year; see REM1 below
3% Reduction; see REM2 below
9% Reduction; see REM3 below
Initiative Initiative Initiative
Customer
Perspective
C1. Identify Service Expectations and increase "Internal" Customer Satisfaction
C1a. KPI Survey Results
Implement 2 Surveys
15% improvement per year
90% Satisfaction
Initiative Initiative Initiative
Internal
Processes
P1 Asset / infrastructure improvements
P1a.Asset improvement work plan
10% renewal in 2010
20% renewal in 2011
20% renewal in 2012
Initiative Initiative Initiative
PR1 Develop, communicate and execute strategy
PR1a % of workforce that understands strategy
Initiative Initiative Initiative
Learning & Growth
L1.Attract a competent workforce /Recruiting Process
L1a Offer acceptance rate 40%
90%
50%
95%
60% 100%
Initiative Initiative Initiative
LR1 Ensure human capital readiness through succession
LR1a % of key positions with succession plans in place
Initiative Initiative Initiative
TRADITIONAL BALANCE SCORECARD
Case Study
Columns: Objective; Measures (KPI); Target Yr 1; Target Yr 2; Target Yr; Risk Scores (I*L); Risk Measures (KRI); Initiatives
BALANCE SCORECARD INTEGRATED WITH ERM
simultaneously
As the organizational competency around identifying and
assessing risk increases, the portfolio of unknown risk events
shrinks and with it the probability of surprise!
Benefits of ERM
Unidentified Risks Identified Risks
Continuous risk management processes, instead of episodic efforts,
result in a more well defined and understood risk universe.
[Figure: three risk “radar” panels (Initial, Intermediate, Advanced), each divided into Known Knowns, Known Unknowns and Unknown Unknowns (Unidentified Risks)]
ERM as a management tool provides benefits that enhance the corporate culture.
Business Planning:
• Increased thoroughness
• More anticipatory and aggressive
Plan Execution:
• More Explicit
• Improved effectiveness
• Improved communication
• More easily monitored
Management and employees:
• Better understand responsibilities
• Improved accountability
• Anticipate risk vs react
Competitive Advantage:
• Improved and achieved
Benefits of ERM
Surprises:
Operating costs:
New projects:
Management Attention:
strategy
Cost of capital
In Summary
Richard Wilson Director, Risk & Regulatory Advisory Services 416.941.8374
richard.m.wilson@ca.pwc.com
ERM is about the routine execution of risk management principles built into normal business operations