Enterprise Risk Management: Framework For Establishing Industry Requirements and Priorities
- Team discussion and refinement
- Framework for discussion with ISMs and IBUs
- Framework for discussion with partners, analysts, customers
The goal is to create a product strategy which optimizes between market requirements and SAP development capabilities.
Identifying the key processes and process steps within
- Classify steps by generic vs. specific to a risk class
- Modeling and monitoring are risk class specific

Risk Monitoring
- Identify a list of risk classes, the corresponding key risk indicators, and the industries where they apply (some are generic)

Risk Modeling
- Understand pre-requisites for quantitative modeling
- Identify techniques
- Identify industries which satisfy the pre-requisites
- Understand the approach to a solution for qualitative modeling and analysis

ERM value pyramid
- Used banking as an example to identify key value drivers within the ERM process
- Provide similar analysis for other key industries
Diagram: risk monitoring and the monitoring of risk indicators positioned along two axes, periodically vs. continuously and specific vs. generic.
Risk indicator | Source system | Applicable industries
Health of suppliers; Delay in logistics; Capacity (supplier, warehouses) | Supply Chain Management systems | Manufacturing; High-Tech; Construction and Engineering
Accidents / incidents | SAP EH&S; Inspection reports |
Access violations | Physical access systems |
Certifications | HCM |
Project management | Project | Manufacturing (Automotive, Aerospace, ...); High-Tech; Construction and Engineering; Professional Services
Patent portfolio | | High-tech; Pharma
Approval process | External | (Nuclear)
Atypical network traffic; Password probing | OpenView, Tivoli, Symantec, Cisco, etc. | Generic
HR: Turn-over; Key people succession planning; Union contracts; Harassment and discrimination | ERP / HR | Generic
Accounting irregularities | ERP Financials, BW | Generic
Pre-requisites for quantitative modeling
- Statistically relevant historical data samples, e.g. stock market data, accident statistics of thousands of employees over years, historical demand data
- Applicable modeling and simulation technique, e.g. Value at Risk, Monte Carlo simulation
Diagram: industries split by whether these pre-requisites are available or not available.
Sweet spot (open question: have agreement on what the sweet spot is and why? Need to review the selected industries in this bucket with IBUs)
- Banking, Insurance: ERM is a core value driver; companies have sophisticated tools, processes and org structures in place; budget available
- Mining, Oil & Gas, Pharma / Biotech, Aerospace and Defense, Utilities: failure to address certain risk classes could have a major impact on the business; processes and org structures rudimentary
- Remaining industries: no budget ("No $$$")

Selected industries
- Banking, Insurance
- Pharma, Utilities / Energy, Oil & Gas / Mining, selected manufacturing (large and complex): failure to address certain risk classes could have a major impact on the business; processes and org structures rudimentary; may have very specific risks requiring special solutions
Case studies: Requirements / Practices and Maturity

First company (name not extracted)
Requirements / Practices
- Risk identification: well understood in finance
- Risk assessment: self-assessment scorecards
- Modeling / Simulation: Value at Risk (VAR); stress testing
Maturity
- Organizationally: Vice Chairman Chief Risk Officer; highly organized committee structure
- Process: integrated core business processes

du Pont1 (Chemical)
Requirements / Practices
- Risk assessment: no risk maps
- Modeling / Simulation: Earnings at Risk (EAR); worst case scenario probabilities; risk profiles
Maturity
- Organizationally: CEO, CFO, Treasurer are key risk managers; risk management committee (incl. CFO)
- Process: risk management integrated in operational process

Microsoft1 (High-Tech)
Requirements / Practices
- Risk identification: face-to-face between risk managers and business managers; scenario analysis
- Risk assessment: risk maps (frequency)
- Risk measurements: not everything is measurable
- Modeling / Simulation: Value at Risk (VAR)
Maturity
- Organizationally: Treasurer and Risk Champion; risk management group
- Process: risk managers as partners to the business
- Systems: Gibraltar Treasury Information System; intranet risk related info
Excerpt from Barton et al., Making Enterprise Risk Management Pay Off, FEI Research Foundation, 2002
Case studies: Requirements / Practices and Maturity

First company (name not extracted)
Requirements / Practices
- Risk identification: brainstorming sessions with senior management
- Risk assessment: by management, incl. prioritization
- Risk measurements: technology and regulatory risk cannot be quantified
- Modeling / Simulation: gain/loss probability curve; risk impact on earnings
Maturity
- Organizationally: CEO, CFO main driver; Treasurer, internal audit, corporate risk manager; risk management committee (incl. CFO)
- Process: senior management buy-in; cross-silo integration

Second company (name not extracted)
Requirements / Practices
- Risk identification: risk identification/assessment within business units; industry specific risks: incidents, hedging prices, political risk, technical (deepwater drilling), etc.; audit department created risk profiles; questionnaire (800 questions)
- Risk assessment: risk peer reviews; Risk Matrix Status Board
- Modeling / Simulation: scenario analysis; quantitative unknown
Maturity
- Organizationally: driven by Internal Audit and Health, Environment and Safety departments
- Process: risk management is integrated into line management
Case studies: Requirements / Practices and Maturity

First company (name not extracted)
Requirements / Practices
- Risk identification: workshops with cross-functional teams; additionally root cause analysis of risks
- Risk assessment: risk prioritization based on shareholder impact; quantitative assessment for selected risks, e.g. lead to earnings insurance; earnings at risk
- Modeling / Simulation: electricity book; stress testing; Monte Carlo
Maturity
- Organizationally: Chief Risk Officer; ERM Department; fully integrated with lines of business
- Process: moved from silo to integrated risk management
- Systems: Desk Manual

Canada Post2
Automotive
Requirements / Practices
- Risk identification: survey; workshops with cross-functional teams
- Risk assessment: use risk framework for categorizing events; risk maps; control effectiveness in control framework
- Risk measurements: focus on qualitative assessments
- Modeling / Simulation: n/a
Maturity
- Organizationally: driven by internal auditing
- Process: developed Dynamic Assessment of Risk and Enablers (DARE), perfected risk framework
- Systems: Resolver Ballot
Excerpt from Paul et al, Enterprise Risk Management: Pulling it all together, The Institute of Auditors Research Foundation, 2002
Case studies: Requirements / Practices and Maturity

First company (name not extracted)
Requirements / Practices
- Risk identification: workshop with cross-functional teams
- Risk assessment: risk map
- Modeling / Simulation: n/a
Maturity
- Organizationally: driven by internal audit; ERM team in place
- Process: moved from silo to integrated risk management, embedded into core business processes; workshops; scorecards; monitoring action plans
- Process: Resolver Ballot

General Motors2
High-Tech
Requirements / Practices
- Risk identification: Objective Risk Management identifies risks within the business unit to the business strategy
- Risk assessment: use risk framework for categorizing events (Business Risk Management: strategic, operational and process risks)
- Risk measurements: focus on qualitative assessment
- Modeling / Simulation: n/a
Maturity
- Organizationally: driven by GM Audit Services (GMAS)
- Process: workshops; process risk management embedded in all key processes
- Systems: Option Finder; home-grown risk assessment tools; on-line risk repository
Southern Company3
Profile
Company: Southern Company
Contact: Silvia King, Manager Strategic Finance and Enterprise Risk, smking@southerco.com
Industry: Utility
Location: Atlanta, GA
Date: 1/12
Tools: Microsoft Excel & PPT; Decisioneering Crystal Ball (for modeling and Monte Carlo simulations)
Key Take-aways
Risk management at Southern Co
- Organizational structure: ERM within Finance
- Total of 150-200 risks being managed, 7-10 per business unit
- End goal: risk-adjusted financial plans; financial reporting incl. risk
Critical success factors in ERM
- Balancing and integrating facilitation and collaboration with statistical methods
- Common dictionary for consistent definitions across the organization
On software solutions
- Risk map is a must-have but needs excellent graphics to be useful
- Ranking must always be relative; absolute numbers don't make sense
- Tools for documenting processes and controls to deal with risk
- Linking risks with corresponding actions
- Linking to accountability and strategic goals
On success factors for selling software solutions
- Need to sell top down: CEO, CFO, directors
- Need to get acceptance by accounting firms and rating agencies
Follow-up interested
Bombardier3
Profile
Company: Bombardier
Contact: Bindesh Rach, Director Enterprise Risk Management, bindesh.rach@bombardier.com
Industry: Manufacturing
Location: Montreal, Quebec, Canada
Date: 1/17
Tools: home-grown
Key Take-aways
On existing software solutions (Methodware, Paisley)
- Methodology needs to drive tools and not the other way around
- Many organizations are not yet ready for sophisticated tools
On their in-house software solution
- Risk register: database of identified risks, root cause, properties, potential impact, risk and mitigation owner, etc.
- 3-dimensional analytical tool that enables managers on each hierarchy level to drill into the risk dimensions: external and internal environment; relationship to four objectives (strategy, compliance, reporting and operation); hierarchy level
On risk definition
- Identify the root cause of the risk
- Quantify wherever possible, as $ value or other key risk indicators
- Risk owner, mitigation owner
- Tolerance, i.e. risk appetite (they have given up on business due to high risk and invested in risk with low risk)
On the Bombardier process
- Bindesh's team owns methodology, system and knowledge transfer and acts as mentor and facilitator; actual risk management is done by line management
- Identification of risk, ownership, tolerance and key risk indicator
- Classification in 46 risk categories
- Mitigation plan (with owner)
- Monitoring and reporting, connection to strategic planning (all PPT)
- Use of value-at-risk, Monte Carlo, etc. is left to the business units
Hydro One3
Profile
Company: Hydro One
Contact: John Fraser, Chief Risk Officer, johm.fraser@hydroone.com
Industry: Utility
Location: Toronto, Ontario, Canada
Date: 1/16
Tools: Resolver, Methodware, Paisley
Key Take-aways
On existing software solutions (Resolver, Methodware, Paisley)
- Use Resolver for identification, Methodware as risk register, Paisley for process risk / management of controls / SOX
- Tools considered sufficient; the need for an integrated tool is acknowledged, but the cost factor of software solutions is stressed
On integrated approach
- Stresses strong ties to strategic planning tools and associated tools
On monitoring and alerting
- Sees a close relationship to performance management; needs to be viewed and interpreted from a risk perspective
On the Hydro One process
- Key consideration is the cost factor: which risks are worthwhile to be managed?
On Andreas' framework
- Validates the framework
Follow-up interested