
Enterprise Risk Management

Framework for establishing industry requirements and priorities

Andreas Vogel September 13th, 2006


SAP CONFIDENTIAL

Framework for Discussion


This is a strawman proposal which summarizes some thinking and brainstorming.

Next steps
  Team discussion and refinement
  Framework for discussion with ISMs and IBUs
  Framework for discussion with partners, analysts, customers

The goal is to create a product strategy which optimizes between market requirements and SAP development capabilities.

SAP AG 2006, Enterprise Risk Management Andreas Vogel / 1

Train of Thought (for non-audio consumption)

Risk Management Processes
  Identifying the key processes and process steps within
  Classify steps by generic vs. specific to a risk class
  Modeling and monitoring are risk class specific

Risk Monitoring
  Identify a list of risk classes, the corresponding key risk identifiers, and the industries where they apply (some are generic)

Risk Modeling
  Understand pre-requisites for quantitative modeling
  Identify techniques
  Identify industries which satisfy pre-requisites
  Understand approach to solution for qualitative modeling and analysis

Value drivers in key industries
  ERM value pyramid
  Used banking as an example to identify key value drivers within the ERM process
  Provide similar analysis for other key industries

Managing Enterprise Risk Processes View


Strategic Planning
Setting Risk Appetite
Periodically

Risk Identification and Assessment


Risk Identification
  Surveys
  Workshops
  Review
Risk Registration
  Risk database
  Description
  Owners, etc.
Risk Assessment
  Qualitative
  Quantitative
Response Strategy
  To hazards
  Actions to change
    Frequency
    Impact

Periodically

Models/Simulation VaR, Monte Carlo, etc.

Risk Monitoring
Monitoring Risk indicators

Continuously

Specific

Generic


Monitoring of Key Risk Indicators - Industry Specific

Risk class: Supply chain risk
  Risk indicator: Health of suppliers; Delay in logistics; Capacity (supplier, warehouses)
  Source system: Supply Chain Management systems
  Applicable industries: Manufacturing; High-Tech; Construction and Engineering

Risk class: Environmental, Health & Safety
  Risk indicator: Accidents / incidents; Inspection reports; Access violations; Certifications
  Source system: SAP EH&S; Physical access systems; HCM
  Applicable industries: Mining; Oil & Gas; Bio-tech; Utilities (Nuclear Power); Public sector

Risk class: Project management
  Risk indicator: Project status (delays, critical milestones, etc.)
  Source system: xRPM, ERP/PS, Microsoft Project
  Applicable industries: Manufacturing (Automotive, Aerospace, ...); High-Tech; Construction and Engineering; Professional Services

Risk class: Intellectual property
  Risk indicator: Patent portfolio
  Source system: External (patent office, etc.)
  Applicable industries: High-tech; Pharma

Risk class: Government (FDA, etc.) approval
  Risk indicator: Approval process
  Source system: External
  Applicable industries: Pharma; Utilities (Nuclear); Mining

Risk Monitoring of Key Risk Indicators - Generic

Risk class: IT
  Risk indicator: Atypical network traffic; Password probing
  Source system: OpenView, Tivoli, Symantec, Cisco, etc.
  Applicable industries: Generic

Risk class: HR
  Risk indicator: Turn-over; Key people succession planning; Unions contracts; Harassment and discrimination
  Source system: ERP / HR
  Applicable industries: Generic

Risk class: Corporate governance
  Risk indicator: Accounting irregularities
  Source system: ERP Financials, BW
  Applicable industries: Generic

Risk class: Big-ticket sales
  Risk indicator: Deals over threshold
  Source system: CRM
  Applicable industries: Generic


Risk Modeling and Simulation

What could be done outside the financial services industry?

Prerequisites for Quantitative Modeling
  Statistically relevant historical data samples, e.g.
    Stock market data
    Accident statistics of thousands of employees over years available
    Historical demand data
  Applicable modeling and simulation technique, e.g.
    Value at Risk
    Monte Carlo Simulation

Apply quantitative modeling and simulation techniques
  Banking
  Insurance

Are there other industries where quantitative modeling can be applied?

not available

Apply qualitative techniques
  What-if scenario analysis

What would tools for scenario analysis look like?


ERM Value Pyramid

Requirements too sophisticated for current SAP offering

Have agreement on what the sweet spot is and why?
Need to review selected industry in this bucket with IBUs

ERM is core business
  ERM is core value driver
  Companies have sophisticated tools, processes and org structures in place
  Budget available
  Banking, Insurance

ERM is key to business
  Sweet spot for SAP ERM
  Failure to address certain classes of risk can put companies out of business
  Often regulated industries
  Budget available
  Some processes and org structures in place
  Mining, Oil & Gas, Pharma / Biotech, Aerospace and Defense, Utilities

No $$$

ERM is important to business
  Failure to address certain classes could have major impact on business
  Processes and org structures rudimentary
  Remaining industries

ERM Value Pyramid based on Deloitte Input

ERM is core business
  ERM is core value driver
  Companies have sophisticated tools, processes and org structures in place
  Budget available
  Banking, Insurance

ERM is key to business
  Failure to address certain classes of risk can put companies out of business
  Often regulated industries
  Budget available
  Some processes and org structures in place
  Pharma, Utilities / Energy, Oil & Gas / Mining, Selected manufacturing (large and complex)

ERM is important to business
  Failure to address certain classes could have major impact on business
  Processes and org structures rudimentary
  May have very specific risks requiring special solutions
  Public sector, Healthcare, Telco, Retail

Value Drivers in Financial Services


Strategic Planning
Setting Risk Appetite
Periodically

Can we make similar assessment for other industries?

Risk Identification and Assessment


Risk Identification
  Surveys
  Workshops
  Review
Risk Registration
  Risk database
  Description
  Owners, etc.
Risk Assessment
  Qualitative
  Quantitative
Response Strategy
  To hazards

Periodically

Models/Simulation VaR, Monte Carlo, etc.

Actions to change
  Frequency
  Impact
  Investment decisions

Risk Monitoring
Monitoring Risk indicators

Continuously

Case Studies and Customer Interviews I

Customer: Chase Manhattan (1)
Industry: Financial Services
Requirements / Practices
  Risk identification
    Well understood in finance
  Risk assessment
    Self-assessment scorecards
  Modeling / Simulation
    Value at Risk (VAR)
    Stress testing
Maturity
  Organizationally
    Vice Chairman
    Chief Risk Officer
    Highly organized committee structure
  Process
    Integrated core business processes

Customer: du Pont (1)
Industry: Chemical
Requirements / Practices
  Risk identification
  Risk assessment
    No risk maps
  Modeling / Simulation
    Earnings at Risk (EAR)
    Worst case scenario probabilities
    Risk profiles
Maturity
  Organizationally
    CEO, CFO, Treasurer are key risk managers
    Risk management committee (incl. CFO)
  Process
    Risk management integrated in operational process

Customer: Microsoft (1)
Industry: High-Tech
Requirements / Practices
  Risk identification
    Face2face between risk managers and business managers
    Scenario analysis
  Risk assessment
    Risk maps (frequency)
  Risk measurements
    Not everything is measurable
  Modeling / Simulation
    Value at Risk (VAR)
Maturity
  Organizationally
    Treasurer and Risk Champion
    Risk management group
  Process
    Risk managers partners to business
  Systems
    Gibraltar Treasury Information System
    Intranet risk related info

(1) Excerpt from Barton et al, Making Enterprise Risk Management Pay Off, fei Research Foundation, 2002

Case Studies and Customer Interviews II

Customer: United Grain Growers (1)
Industry: Agriculture
Requirements / Practices
  Risk identification
    Brainstorming sessions with senior management
  Risk assessment
    By management incl. prioritization
  Risk measurements
    Technology and regulatory risk cannot be quantified
  Modeling / Simulation
    Gain/loss probability curve
    Risk impact on earnings
Maturity
  Organizationally
    CEO, CFO main driver
    Treasurer, internal audit, corporate risk manager
    Risk management committee (incl. CFO)
  Process
    Senior management buy-in
    Cross-silo integration

Customer: Unocal (now part of Chevron) (1)
Industry: Oil & Gas
Requirements / Practices
  Risk identification
    Risk identification/assessment within business units
    Industry specific risks: incidents, hedging prices, political risk, technical (deepwater drilling), etc.
    Audit department created risk profiles
    Questionnaire (800 questions)
  Risk assessment
    Risk peer reviews
    Risk Matrix
    Status Board
  Modeling / Simulation
    Scenario analysis
    Quantitative unknown
Maturity
  Organizationally
    Driven by Internal Audit and Health, Environment and Safety departments
  Process
    Risk management is integrated into line management

(1) Excerpt from Barton et al, Making Enterprise Risk Management Pay Off, fei Research Foundation, 2002

Case Studies and Customer Interviews III

Customer: First Energy (2)
Industry: Utility
Requirements / Practices
  Risk identification
    Workshops with cross-functional teams
    Additionally root cause analysis of risks
  Risk assessment
    Risk prioritization based on shareholder impact
    Quantitative assessment for selected risks, e.g. lead to earnings insurance
    Earnings at risk
  Modeling / Simulation
    Stress testing
    Monte Carlo
Maturity
  Organizationally
    Chief Risk Officer
    ERM Department
    Fully integrated with lines of business
  Process
    Moved from silo to integrated risk management
  Systems
    Desk Manual
    Electricity book

Customer: Canada Post (2)
Industry: Automotive
Requirements / Practices
  Risk identification
    Survey
    Workshops with cross-functional teams
  Risk assessment
    Use risk framework for categorizing events
    Risk maps
    Control effectiveness in control framework
  Risk measurements
    Focus on qualitative assessments
  Modeling / Simulation
    n/a
Maturity
  Organizationally
    Driven by internal auditing
  Process
    Developed Dynamic Assessment of Risk and Enablers (DARE) perfected risk framework
  Systems
    Resolver Ballot

(2) Excerpt from Paul et al, Enterprise Risk Management: Pulling it all together, The Institute of Auditors Research Foundation, 2002

Case Studies and Customer Interviews IV

Customer: Wal-Mart (2)
Industry: Chemical
Requirements / Practices
  Risk identification
    Workshop with cross-functional teams
  Risk assessment
    Risk map
  Modeling / Simulation
    n/a
Maturity
  Organizationally
    Driven by internal audit
    ERM team in place
  Process
    Moved from silo to integrated risk management, embedded into core business processes
    Workshops
    Scorecards
    Monitoring actions plans
  Process
    Resolver Ballot

Customer: General Motors (2)
Industry: High-Tech
Requirements / Practices
  Risk identification
    Objective Risk Management identify risks within business unit to business strategy
  Risk assessment
    Use risk framework for categorizing events (Business Risk Management strategic, operational and process risks)
  Risk measurements
    Focus on qualitative assessment
  Modeling / Simulation
    n/a
Maturity
  Organizationally
    Driven by GM Audit Services (GMAS)
  Process
    Workshops
    Process risk management embedded in all key processes
  Systems
    Option Finder
    Home-grown risk assessment tools
    On-line risk repository

(2) Excerpt from Paul et al, Enterprise Risk Management: Pulling it all together, The Institute of Auditors Research Foundation, 2002

Southern Company (3)

Profile
  Company: Southern Company
  Contact: Silvia King, Manager Strategic Finance and Enterprise Risk, smking@southerco.com
  Industry: Utility
  Location: Atlanta, GA
  Date: 1/12
  Software: Microsoft Excel & PPT; Decisioneering Crystal Ball (for modeling and Monte Carlo simulations)
  Follow-up: interested

Key Take-aways
  Risk management at Southern Co
    Organizational structure: ERM within Finance
    Total 150-200 risks being managed, 7-10 per business unit
    End-goal
      Risk-adjusted financial plans
      Financial reporting incl. risk
  Critical success factor in ERM
    Balancing and integrating facilitation and collaboration, and statistical methods
    Common dictionary for consistent definition across the organization
  On software solutions
    Risk map is a must-have but needs excellent graphics to be useful
    Ranking must be always relative, absolute numbers don't make sense
    Tools for document processes and controls to deal with risk
    Linking risks with corresponding actions
    Linking to accountability and strategic goals
  On success factors for selling sw solutions
    Need to sell top down, CEO, CFO, directors
    Need to get acceptance by accounting firms and rating agencies

(3) Phone interview by Andreas in 2005/2006

Bombardier (3)

Profile
  Company: Bombardier
  Contact: Bindesh Rach, Director Enterprise Risk Management, bindesh.rach@bombardier.com
  Industry: Manufacturing
  Location: Montreal, Quebec, Canada
  Date: 1/17
  Software: home-grown
  Follow-up: interest in design partnership

Key Take-aways
  On existing software solutions (Methodware, Paisley)
    Methodology needs to drive tools and not the other way around
    Many organizations are not yet ready for sophisticated tools
  On their in-house software solution
    Risk register database of identified risk, root cause, properties, potential impact, risk and mitigation owner, etc.
    3-dimensional analytical tool, enables managers on each hierarchy level to drill into the risk dimensions:
      External and internal environment
      Relationship to four objectives: strategy, compliance, reporting and operation
      Hierarchy level
  On risk definition
    Identify root cause for risk
    Quantify wherever possible, $ value or other key risk indicators
    Risk owner, mitigation owner
    Tolerance, i.e. risk appetite (they have given up on business due to high risk and invested in risk with low risk)
  On Bombardier process
    Bindesh's team owns methodology, system and knowledge transfer, acts as mentor and facilitator; actual risk management done by line management
    Identification of risk, ownership, tolerance and key risk indicator
    Classification in 46 risk categories
    Mitigation plan (with owner)
    Monitoring and reporting, connection to strategic planning (all PPT)
    Use of value-at-risk, Monte Carlo, etc. left to business units

(3) Phone interview by Andreas in 2005/2006

Hydro One (3)

Profile
  Company: Hydro One
  Contact: John Fraser, Chief Risk Officer, johm.fraser@hydroone.com
  Industry: Utility
  Location: Toronto, Ontario, Canada
  Date: 1/16
  Software: Resolver, Methodware, Paisley
  Follow-up: interested

Key Take-aways
  On existing software solutions (Resolver, Methodware, Paisley)
    Use Resolver for identification
    Methodware as Risk Register
    Paisley for process risk / management of controls / SOX
    Tools considered sufficient; need for an integrated tool acknowledged, but cost factor of software solutions stressed
  On integrated approach
    Stresses strong ties to strategic planning tools and associated tools
  On monitoring and alerting
    Sees close relationship to performance management, needs to be viewed and interpreted from a risk perspective
  On Hydro One process
    Key consideration is the cost factor: which risks are worthwhile to be managed?
  On Andreas' framework
    Validates framework

(3) Phone interview by Andreas in 2005/2006