2
|
- Major organizations worldwide are seeking to better integrate their
disparate efforts in managing risk.
- New function of “Enterprise Risk Management (ERM),” often headed by a
Chief Risk Officer
- The value of shareholder investments is typically measured in ways that
consider two factors:
- The “Earnings” factor, consisting of the anticipated stream of future
earnings, and
- The “R” factor, consisting of investors’ required rate of return, based
on the perceived risk level attendant to the earnings projections.
- Seek the optimum tradeoff between risk and return through active
management of the “R” factor.
- How Enterprise Risk Management is being implemented by major
organizations worldwide.
- Case study: The World Bank’s implementation of ERM
|
|
3
|
- I. Conceptual Framework
- II. Organizational and Governance Context
- III. Risk Decision-making
- IV. Leveraging Technology to Implement Enterprise Risk Management: Key
Planning Issues
- V. Sample views of Enterprise Risk Management software
|
|
4
|
- Contemporary business realities and governance guidelines demand greater
attention to identifying and managing risk.
- Increased business complexity and diversity make it difficult, in large
enterprises, for “one hand to know what the other is doing.”
- The events of 9/11 underscored this problem, but large companies had
previously had many experiences of one division re-inventing what
another had already done.
|
|
5
|
- Financial theorists define risk as uncertainty as to achieving an
expected outcome, observed through variability from an expected result.
|
|
6
|
- “Risk” is not simply the “chance of loss.”
- All economic activities involve a certain amount of loss all the time.
But if the losses are small and predictable, such “leakage” is not
“risk.”
- “Risk” is the possibility that economic impacts will significantly
deviate from “average.”
- Volatility, on both the upside and the downside, creates uncertainty and
reduces the predictability of overall results. Such volatility is
penalized by investors, who tend to be “risk-averse.”
|
|
7
|
- The VALUE of an investment, such as a company’s stock, is based on both:
- the amount of the estimated future earnings stream, and
- the degree of uncertainty in realizing those estimated earnings.
|
|
8
|
- The value of the firm equals
- the sum of future earnings,
- divided by the investors’ required rate of return (cost of capital),
- which depends on the degree of risk associated with the future earnings
stream.
- i.e.: $V = \dfrac{\sum_{t=1}^{n} E_t}{R}$, where $E_t$ is the earnings
in year $t$ and $R$ is investors’ required rate of return.
- Investors’ required rate of return is a squared function of risk
(expressed as financial volatility).
- We call this $R^2$, the “R Factor.”
|
|
9
|
- In the $V = E / R^2$ formulation, it is clear that any small change in
a firm’s risk level has a magnified effect on the firm’s overall
valuation, because the effect of risk on share valuation enters squared.
- In fact, the negative effect of a perceived increase in risk may offset
the positive effect of improved earnings.
- Conversely, a reduction in earnings, whether from lower-risk /
lower-return investments or from the cost of risk transfer, may improve
overall valuation if the accompanying fall in the required rate of return
is large enough.
|
|
10
|
- The cost of risk reduction through risk transfer reduces the incremental
earnings stream.
- The benefit of risk reduction is a reduction in the denominator of the
equation: investors’ required rate of return.
- A net benefit is achieved if earnings minus the cost of risk reduction,
divided by the new (lower) required rate of return, is higher than the
value given by the pre-risk-reduction equation.
|
|
11
|
- Before Risk Reduction:
- Present value of $1 billion annual after-tax income over a 30-yr.
horizon, discounted at a .09 required rate of return = $10.27 billion.
- After Risk Reduction:
- Present value of $.95 billion annual after-tax income over a 30-yr.
horizon, discounted at a .085 required rate of return = $10.61 billion,
which is more than the value before incurring the cost of reducing risk.
- Decision: Yes, proceed with risk reduction.
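An added check, not part of the original slides, that carries the cost-benefit rule of the preceding slides through the figures above. The slide discounts a level annual after-tax income $E$ over $n = 30$ years at investors’ required rate of return $R$, i.e. the ordinary-annuity present value

$$V(E, R) = E \cdot \frac{1 - (1 + R)^{-n}}{R}.$$

Before risk reduction: $(1.09)^{-30} \approx 0.0754$, so the annuity factor is $\frac{1 - 0.0754}{0.09} \approx 10.274$ and $V(1.00,\,0.09) \approx 10.27$ billion dollars, which reproduces the slide. After risk reduction: $(1.085)^{-30} \approx 0.0865$, the annuity factor is $\frac{1 - 0.0865}{0.085} \approx 10.747$, and $V(0.95,\,0.085) \approx 0.95 \times 10.747 \approx 10.21$ billion dollars, not the 10.61 billion shown. The break-even after-tax income at the lower rate is

$$E^{*} = \frac{10.274}{10.747} \approx 0.956 \text{ billion dollars},$$

so under the slide’s own rule the risk reduction pays only if it costs less than about 44 million dollars a year; at 0.95 billion the computed value falls slightly below the pre-reduction 10.27 billion and the rule says do not proceed. The general point of the previous slide still holds: cutting $R$ from 9% to 8.5% raises the annuity factor by about 4.6%, so any annual cost below that fraction of earnings is value-creating.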
|
|
12
|
- Risks that aggregate across the organization should be handled
differently by multi-divisional organizations than risks which are unique
to individual operations. Example: corn futures.
- Consider the “law of large numbers” and correlation.
|
|
13
|
- Balancing Risk vs. Return.
- Whose job is it to optimize?
- Most jobs have singular objectives:
- Meet the sales quota.
- Get the new product launched on time.
- Make budget.
- The apex of the organization is best-positioned to coordinate the
recognition and balancing of competing objectives.
- Agile organizations inculcate an ethos and reward system that encourages
risk-thinking at all levels.
|
|
14
|
- The Chief Risk Officer (CRO) is an outgrowth of the trend toward
Enterprise Risk Management. According to a recent global Internet
symposium, there are almost 200 "CROs" in place, generally in financial
institutions, energy and utility companies.
- 24% of Tillinghast-surveyed organizations have a Chief Risk Officer
position.
- 60% of Chief Risk Officer positions have been created within past 4
years.
- Most CROs report to the CFO, though in many companies they report to the
CEO or to the Board.
|
|
16
|
- The difference between “risk aversion” and “risk avoidance”
- Enrique Sabater: The World Bank, Washington, DC
- “Sometimes we need to take more risk.”
- “Risk management is not about avoiding or getting rid of risk. It’s all
about “managing” the risks we choose to assume, or which we have no
choice but to undertake.”
- Good risk management decisions involve
- identifying risks,
- assessing their size and probability, and
- identifying alternative courses of action that have differing risk
profiles.
|
|
17
|
- Felix Kloman in An Iconoclastic View of Risk, Risk Management Reports,
December, 2000:
- “Over the years, numerous silos of risk management specialization have
been erected on the premise that each specialty is so arcane, so based
on long experience, that outsiders cannot appreciate, much less
practice, the trade. We see this in credit, safety and health,
financial derivatives, security, insurance, contingency planning,
auditing, contracts and regulatory management. Each group has its own
language, its own procedures, its own skill sets. Each wants to be left
alone to do the job. Yet this has led to enormous gaps and overlapping
and excessive costs in organizational risk responses. The recent move
to strategic, integrated, enterprise, or holistic risk management is a
recognition that the separation of risk functions is actually
counter-productive.
- Allowing the specialists to ply their trades separately does not work.
That is one reason for the rise of a new executive, the Chief Risk
Officer. This person is a generalist who reports to both the Chief
Executive and the Board and coordinates the work of other risk
specialists.”
|
|
18
|
- Enterprise Risk Management Framework (Exposure Draft for Public Comment
– submit comments at www.erm.coso.org)
- “Enterprise risk management is a process, effected by an entity’s board
of directors, management and other personnel, applied in strategy
setting and across the enterprise, designed to identify potential
events that may affect the entity, and manage risks to be within its
risk appetite, to provide reasonable assurance regarding the
achievement of entity.”
|
|
19
|
- Benefits of enterprise risk management include:
- reducing the cost of capital by managing volatility
- exploiting natural hedges and portfolio effects
- focusing management attention on risks that matter by expressing
disparate risks in a common language
- identifying those risks to exploit for competitive advantage
- protecting and enhancing shareholder value.
|
|
21
|
- Per the COSO exposure draft, enterprise risk management provides enhanced
capability to:
- Align risk appetite and strategy – Risk appetite is the degree of risk,
on a broad-based level, that a company or other entity is willing to
accept in pursuit of its goals. Management considers the entity’s risk
appetite first in evaluating strategic alternatives, then in setting
objectives aligned with the selected strategy and in developing
mechanisms to manage the related risks.
- Link growth, risk and return – Entities accept risk as part of value
creation and preservation, and they expect return commensurate with the
risk. Enterprise risk management provides an enhanced ability to
identify and assess risks, and establish acceptable levels of risk
relative to growth and return objectives.
- Enhance risk response decisions – Enterprise risk management provides
the rigor to identify and select among alternative risk responses – risk
avoidance, reduction, sharing and acceptance. Enterprise risk management
provides methodologies and techniques for making these decisions.
- Minimize operational surprises and losses – Entities have enhanced
capability to identify potential events, assess risk and establish
responses, thereby reducing the occurrence of surprises and related
costs or losses.
- Identify and manage cross-enterprise risks – Every entity faces a myriad
of risks affecting different parts of the organization. Management needs
to not only manage individual risks, but also understand interrelated
impacts.
- Provide integrated responses to multiple risks – Business processes
carry many inherent risks, and enterprise risk management enables
integrated solutions for managing the risks.
- Seize opportunities – Management considers potential events, rather than
just risks, and by considering a full range of events, management gains
an understanding of how certain events represent opportunities.
- Rationalize capital – More robust information on an entity’s total risk
allows management to more effectively assess overall capital needs and
improve capital allocation.
|
|
22
|
- While the New Capital Accord (Basel II) provides a risk management
framework that enhances the stability of financial institutions and global
financial markets, those implementing Basel II solutions think of it more
as a data integration nightmare.
- Why? Because in return for the reduced capital reserves offered by Basel
II, institutions must adopt advanced risk management practices that take
into account the entire scope of business activity…at the
transaction level.
- These requirements are forcing financial institutions to tackle serious
data challenges, among them:
- Build operational loss databases, to quantify and monitor the risk of
operational losses
- Identify data 'gaps' to ensure that data required to calculate
Probability of Default, Exposure at Default and Loss Given Default is
available
- Conform to single enterprise data standard, to ensure the entire
institution defines, gathers and manages risk data in identical manner
- Deliver data in real time, to promote intra-day risk analysis in pace
with market demand
- Build an audit-proof infrastructure, to enable any user, at any time,
to track the origins of risk data, its meaning, and the business
processes performed against it.
|
|
23
|
- Specific to SOA (the Sarbanes-Oxley Act), a company’s processes, systems
and controls must make available all material information needed for fair
presentation and disclosure, including the update of accounting estimates
with current and reliable information.
- Sections 302, 404 and 906 of Sarbanes-Oxley require companies to design
and maintain procedures and controls to identify in a timely manner all
material information for action and disclosure, and provide fairly
presented financial information and disclosure to the public in periodic
and current reports.
- There is a presumption in financial reporting that public companies will
be able to meet their reporting deadlines and have available all
material information needed for fair presentation and disclosure,
including the update of accounting estimates with current and reliable
information.
- These requirements create obligations suggesting a need for companies to
have an adequately documented business impact analysis, with management’s
agreement and sign-off, addressing the company’s broader business risks as
well as its regulatory and compliance risks, including those risks
relating to public reporting.
- Once an adequate business impact analysis is completed, the company can
evaluate whether changes are needed in its business continuity and
disaster recovery plans. These plans must be kept up-to-date and
periodically tested to maintain their adequacy in ensuring the company
can fulfill its obligations under Sarbanes-Oxley.
|
|
24
|
- Principal Risk Characteristics:
- Frequency of loss
- Average severity of loss
- Degree of “internal” correlation with other risks
- Relative “external” (i.e. insurance or capital markets) risk correlation
- These factors affect the cost and benefit of risk transfer.
|
|
28
|
- Statistical measurement of historical performance
- Stochastic Modeling / measurement of correlation effects through
aggregation
- Sample tool: @Risk (Palisade Software – www.palisade.com)
- Fault trees and event trees (chains of probabilities and outcomes)
- Delphi Technique
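As an added example, not from the original presentation or from any of the tools it names, the stochastic aggregation method above, the “law of large numbers and correlation” point made earlier for multi-divisional organizations, and the frequency / severity / internal-correlation characteristics listed under Principal Risk Characteristics can be shown with a small Monte Carlo in Python. The three risk lines, their lognormal loss parameters and the one-factor correlation structure are constructed for illustration and are assumptions, not figures from the page.

```python
import math
import random

# Constructed example portfolio (hypothetical): three risk lines whose annual
# loss is lognormal(mu, sigma), in $ millions. sigma captures severity volatility.
RISK_LINES = {
    "property":    (math.log(10.0), 0.8),
    "liability":   (math.log(5.0), 1.0),
    "operational": (math.log(2.0), 1.2),
}


def correlated_normals(rng, n, rho):
    """One draw of n standard normals with pairwise correlation rho, using a
    one-factor model: z_i = sqrt(rho) * common + sqrt(1 - rho) * idiosyncratic_i.
    rho = 0 gives independent lines; rho = 1 makes them move together."""
    common = rng.gauss(0.0, 1.0)
    return [math.sqrt(rho) * common + math.sqrt(1.0 - rho) * rng.gauss(0.0, 1.0)
            for _ in range(n)]


def simulate(lines, rho, n_sims=20000, seed=7):
    """Monte Carlo over n_sims years. Returns per-line loss samples and the
    aggregate (sum across lines) loss samples."""
    rng = random.Random(seed)
    names = list(lines)
    per_line = {name: [] for name in names}
    aggregate = []
    for _ in range(n_sims):
        z = correlated_normals(rng, len(names), rho)
        total = 0.0
        for name, z_i in zip(names, z):
            mu, sigma = lines[name]
            loss = math.exp(mu + sigma * z_i)   # lognormal draw for this line
            per_line[name].append(loss)
            total += loss
        aggregate.append(total)
    return per_line, aggregate


def percentile(samples, q):
    """Empirical q-quantile (0 < q < 1) by the nearest-rank method."""
    s = sorted(samples)
    k = max(0, min(len(s) - 1, math.ceil(q * len(s)) - 1))
    return s[k]


def mean(samples):
    return sum(samples) / len(samples)


def diversification(lines, rho, q=0.99, n_sims=20000, seed=7):
    """Compare the sum of standalone VaR_q across lines (each line capitalised
    on its own) with the VaR_q of the aggregate (lines capitalised together).
    Returns (standalone_sum, aggregate_var, benefit), where benefit is the
    fraction of tail capital saved by managing the risks as one portfolio."""
    per_line, aggregate = simulate(lines, rho, n_sims, seed)
    standalone = sum(percentile(v, q) for v in per_line.values())
    agg_var = percentile(aggregate, q)
    return standalone, agg_var, 1.0 - agg_var / standalone


if __name__ == "__main__":
    for rho in (0.0, 0.5, 0.9):
        standalone, agg_var, benefit = diversification(RISK_LINES, rho)
        print(f"rho={rho:.1f}: sum of standalone 99% VaR = {standalone:7.1f}, "
              f"aggregate 99% VaR = {agg_var:7.1f}, "
              f"diversification benefit = {benefit:5.1%}")
```

With rho = 0 the 99th-percentile capital for the combined portfolio is well below the sum of the standalone figures; as rho rises toward 1 the benefit shrinks toward zero. That is the quantitative reason an enterprise should treat organization-wide (correlated) risks differently from division-specific ones, and why a correlation estimate belongs next to frequency and severity when pricing a risk transfer.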
|
|
29
|
- Scott McNealy of Sun Microsystems: “The network is the computer”
- Ability of HTML web pages to connect to any other computer connected to
the Internet
- One web page can draw data or applications from many computers at the
same time.
|
|
30
|
- Internet technology
- Rapidly being accepted as more than just a way of displaying text
information and graphics.
- Based on software and communications standards and shared protocols
- Provides a way for disparate organizations to share software
applications and databases.
- By providing easy access to and connections between "islands of
information," Internet technology is quickly emerging as the
software platform of choice.
- Systems that previously required expensive custom installation,
licensing, and training are becoming accessible to users having a
contemporary, free web browser, an appropriate access level, and user
privileges.
|
|
31
|
- Integration of differing types of data from varied systems can be
achieved at much lower cost than previously.
- Routine tasks of gathering information, processing transactional data,
and reporting are becoming less demanding.
- This enables individuals to interpret meaningful data and draw
significant conclusions.
|
|
32
|
- David McNamee, CIA, CISA, CFE, CGFM, of Mc2 Management Consulting:
- Managing risk in tomorrow's organizations means:
- Active monitoring: ensuring the
organization's sensitivity to detect risk.
- Agile systems: ensuring its
flexibility to respond to risk.
- Adaptive learning: ensuring the
capability of the organization's resources to mitigate risk.
- This might be summarized by saying that an effective ERM system should
function much like a human’s “central nervous system.”
|
|
33
|
- David McNamee, CIA, CISA, CFE, CGFM, of Mc2 Management Consulting:
- “The key process in risk
analysis is to identify all the sources of material risks …. Risk
identification should proceed using the following three methods:
- Environmental Assessment: Using the knowledge of the organization's
operations, consider the probable changes in the environment to
identify possible consequences.
- Exposure Assessment: Using the knowledge of the organization's
resources, consider the possible consequences to the assets based on
size or value, type (financial, physical, human, intangible / information
assets), portability / accessibility and location.
- Threat Scenarios: Defining the difficult-to-measure low-probability and
high-consequence events such as natural disasters, sabotage, terrorism,
and fraud.”
|
|
34
|
- Economic: Possible changes in the general economy affecting prices and
employment levels.
- Political: The likelihood that government decisions will materially
affect the nature and scope of the organization's programs.
- Constituents: Changes in constituent needs and wants as well as changes
in the demographics of constituents to be served.
- Competition: Competition for resources, such as managerial talent and
funds, from either the private sector or from within government.
- Technology: Changes in both demand and supply of technology and
information and those effects on programs.
- Suppliers: Changes in the labor supply and unionism that may restrict
or expand opportunities and options for operations.
- Government Regulation: Significant pending legislative agenda items
with a probability of enactment and a material effect on operations.
- Physical: Changes in site, location, weather, terrain, and access that
could materially affect operations
|
|
35
|
- OpenPages 4.0 is well suited to handle both structured and unstructured
information. Built on Java™ 2 Enterprise Edition (J2EE) 1.3 standards.
Together, the open APIs and SPIs make OP4 an extensible, programmable
system that fits well within existing enterprise IT architectures.
- Certus nth Orbit operates within Microsoft’s .Net environment.
- CARD®decisions Inc. CARD®map (Canadian company located in Mississauga,
Ontario). Collaborative Assurance & Risk Design (“CARD®”). In 1986 Bruce
McCuaig and Tim Leech (now CARD®decisions principals) launched one of the
world's first control self-assessment ("CSA") initiatives at Gulf Canada
Resources: work units responsible for control and risk management
periodically assess and report on the state of risk and control in their
business units.
- Methodware Operational Risk Advisor (New Zealand company)
- Oracle Internal Controls Manager (OICM)
- Accounting firm “home grown” systems; Protiviti
|
|
36
|
- Felix Kloman in Four Cubed, Risk Management Reports
- “Communication is the weakest link in the risk management process and
is generally omitted from process descriptions. Few organizations take
the time to reduce what they know, and what they do not know, about risk,
its organizational implications, and its responses into terms
understandable to stakeholders.”
- Using Extranets to improve communication
|
|
40
|
- Case study: Sample Navigation Elements:
- Conceptual Framework
- Information Sharing / Communication
- Risk Management Resources
- Methods to use in your function
- Risk Search / Risk Cartography
- (from case study: The World Bank)
|
|
51
|
- Need for access by internal and outside parties for sharing of
information, data, and workflow.
- Example: claims data needed by Risk Management department, other
department heads for cost allocation, TPAs, attorneys, actuaries, etc.
|
|
52
|
- Content and applications developed by specialists in “niche” areas of
knowledge.
- Not all users have access to the same data. Multi-tier access control
defines which applications users may access and what level of privilege
they have for obtaining specific “views” of information.
- More advanced user authentication, including digital signatures,
electronic tokens and “keys”, and biometrics, is anticipated to improve
security.
- Need to coordinate with “single logon” to multiple applications.
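The multi-tier access control described above, as an added Python example that is not from the page or from any product it names. The roles, their field sets and the three sample claims records are constructed assumptions (the roles follow the earlier list of parties needing claims data: risk management, department heads, TPAs, attorneys, actuaries). The point is that the application tier, the column-level “view” and the row-level scope are all enforced from one policy table that denies by default, so a department head cannot open the claims application at all and, through cost allocation, sees only cost fields for their own department.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample claims records (hypothetical data, not from any real system).
CLAIMS = [
    {"claim_id": "C-1001", "dept": "Operations", "claimant": "J. Doe",
     "injury": "fracture", "reserve": 12000.0, "litigated": False,
     "attorney_notes": ""},
    {"claim_id": "C-1002", "dept": "Operations", "claimant": "A. Roe",
     "injury": "back strain", "reserve": 40000.0, "litigated": True,
     "attorney_notes": "deposition scheduled"},
    {"claim_id": "C-1003", "dept": "Facilities", "claimant": "M. Poe",
     "injury": "laceration", "reserve": 3500.0, "litigated": False,
     "attorney_notes": ""},
]

ALL_FIELDS = frozenset(CLAIMS[0])
IDENTIFYING = frozenset({"claimant", "injury", "attorney_notes"})


@dataclass(frozen=True)
class User:
    name: str
    role: str
    dept: Optional[str] = None   # only meaningful for department heads


# Three tiers in one table (hypothetical policy):
#   "apps":   which applications the role may open at all
#   "fields": which columns of a record the role may see (its "view")
#   "scope":  which rows the role may see (row-level restriction)
ROLE_POLICY = {
    "risk_manager": {"apps": {"claims", "cost_allocation", "warehouse"},
                     "fields": ALL_FIELDS,
                     "scope": lambda user, rec: True},
    "dept_head":    {"apps": {"cost_allocation"},
                     "fields": frozenset({"claim_id", "dept", "reserve"}),
                     "scope": lambda user, rec: rec["dept"] == user.dept},
    "actuary":      {"apps": {"warehouse"},
                     "fields": ALL_FIELDS - IDENTIFYING,      # de-identified view
                     "scope": lambda user, rec: True},
    "tpa":          {"apps": {"claims"},
                     "fields": ALL_FIELDS - {"attorney_notes"},  # no privileged notes
                     "scope": lambda user, rec: True},
    "attorney":     {"apps": {"claims"},
                     "fields": ALL_FIELDS,
                     "scope": lambda user, rec: rec["litigated"]},  # litigated claims only
}


def can_open(user: User, app: str) -> bool:
    """Tier 1: application access. Roles missing from the policy are denied."""
    policy = ROLE_POLICY.get(user.role)
    return policy is not None and app in policy["apps"]


def view_claims(user: User, app: str, records: List[Dict] = CLAIMS) -> List[Dict]:
    """Return only the rows (tier 3) and columns (tier 2) this user may see
    through `app`; refuse outright if the app itself is off-limits (tier 1)."""
    if not can_open(user, app):
        raise PermissionError(f"{user.name} ({user.role}) may not open {app}")
    policy = ROLE_POLICY[user.role]
    visible = [r for r in records if policy["scope"](user, r)]
    return [{k: v for k, v in r.items() if k in policy["fields"]} for r in visible]


if __name__ == "__main__":
    for user, app in [(User("Ops lead", "dept_head", dept="Operations"), "cost_allocation"),
                      (User("Ann", "actuary"), "warehouse"),
                      (User("Lee", "attorney"), "claims")]:
        print(user.role, "via", app, "->", view_claims(user, app))
```

Because the scope and field checks are applied after the application check, granting a user a second application (the “single logon” case) never widens what they can see of a record: the view is a property of the role, not of the path taken to reach the data.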
|
|
53
|
- Sharing of software: systems usage costs plummet due to centralized
purchasing, system installation, hosting, support, and training.
- Sharing of data: enables benchmarking and data warehousing
- Access to sophisticated applications that previously were in the
province of specialists with expensive, sophisticated hardware and
software.
- Geographical Information Systems (GIS). Above-ground and underground
examples
- Data Warehousing, OLAP Data Mining (e.g. Seagate Info)
|
|
57
|
- Certificates of Insurance
- MetroRisk “decision tree” outgoing certificates of insurance
self-service
- Incoming certificates management (Port of Oakland)
- Claims and Injury Reporting and Analysis
- Web-enabled claims reporting module (AMB Property Corp.) with SQL
Server risk data warehouse
- INCAS II insurance cost allocation system
- Insurable Values / Underwriting Data
- Eaton Safety Intranet / Geographic Information System facilities
database
- View insurance coverage summaries
- View insurance specifications and interactive map with location data
|
|
60
|
- CARDMap
- MethodWare
- Option Finder
- Certus nth Orbit
- Oracle Internal Controls
|
|
65
|
- Helps you document risks and mitigating activities and provides
management with a complete risk index for financial accounts and
processes.
- 404 risks and controls
- Corporate best practices risk management
- Process and account relationships
- Built-in COSO library and supplements
- Controls framework for entities and sub-entities
- Risk assessments and ranking
- Controls documentation and substantiation
- Account assertions for controls
- Reporting on risk levels, summary reporting by processes and accounts
- Enterprise Topography. Assign,
deploy, assess, and report on controls by one or any combination of the
following:
- Business unit
- Geography or location
- Functional organization
- Hierarchical level
|
|
66
|
- Controls Automation
- Self assessments
- Certifications
- Estimation procedures
- Checklists
- Test procedures
- Authorizations
- Policy and procedure management
- Reporting
- System Architecture
- By using widely-accepted reference architectures such as .Net and W3C,
Certus fits easily into IT environments using such architectural
components.
|
|
67
|
- Risk assurance activities to help companies comply with Sarbanes-Oxley
section 404 and section 302 certifications.
- Oracle Internal Controls Manager (OICM) gathers the internal controls
that already exist in Oracle’s eBusiness Suite and puts them in the
context of business processes that are exposed to risks.
- Allows users to make testing procedures explicit in the applications
suite, and to confirm progress of the compliance activity.
- Based on the framework of COSO (the Committee of Sponsoring Organizations
of the Treadway Commission), which has been absorbed into Sarbanes-Oxley
compliance.
- Users should consider that the certification requirements of section 302
are already in force and that attestation by external auditors will be in
force for year ends after September 15th.
|
|
68
|
- Control Self Assessment (CSA) process
|
|
69
|
- Apply the best combination of risk management techniques, consistent with the optimum effect on
the firm’s overall Value.
|
|