April 1, 2015
Ali-Reza Khaleeli
ERM 603
Honor Code
• I will not lie or cheat in any way on any assignment for this course (including but
not limited to the following examples).
• My answers to homework, quizzes, and exams will be my own (except for
assignments that explicitly permit collaboration).
• I will not make solutions to homework, quizzes, or exams available to anyone else.
This includes both solutions written by me and official or unofficial solutions.
• I will not look up homework or exam answers on the internet.
• I will not engage in any other activities that will dishonestly improve my results
or dishonestly improve/hurt the results of others.
Rating | Annual Frequency: Descriptor | Annual Frequency: Definition | Probability: Descriptor | Probability: Definition
5 | Frequent | Up to once in 6 months or more | Almost Certain | 90% or greater chance of certain occurrence over life of asset or project
4 | Likely | Once in 6 months up to once in 5 years | Likely | 70% up to 90% chance of occurrence over life of asset or project
3 | Possible | Once in 5 years up to once in 10 years | Possible | 40% up to 70% chance of occurrence over life of asset or project
2 | Unlikely | Once in 10 years up to once in 20 years | Unlikely | 15% up to 40% chance of occurrence over life of asset or project
1 | Rare | Once in 20 years or less | Rare | <15% chance of occurrence over life of asset or project
Likelihood Scale:
Rating Descriptor Definition
5 Extreme • Financial loss of $55 billion or more
• Considerable damage to global environment
• Unable to conduct daily operations
• No security for all employees and third parties, including customers or vendors
• Persistent negative international media coverage; enormous loss of market share
• Substantial prosecution and fines, litigation including class actions, incarceration of leadership
• Significant injuries or fatalities to employees or third parties
• Mass exodus of senior leaders, culture forever altered
4 Major • Financial loss of $15 billion up to $55 billion
• Considerable damage to local environment
• Extremely limited daily operations functioning
• Security of all employees and third parties threatened, including customers or vendors
• Persistent negative national media coverage; significant loss of market share
• Report to regulator requiring major project for corrective action
• Hospital care required for employees or third parties
• Some senior managers leave, high turnover of experienced staff, not perceived as employer of choice
3 Moderate • Financial loss of $2 billion up to $15 billion
• Sufficient damage to local environment
• Partial daily operations functioning
• Security of all employees and third parties deteriorating, including customers or vendors
• Temporary negative national media coverage
• Report of breach to regulator with immediate correction to be implemented
• Out-patient medical treatment required for employees or third parties
• Widespread staff morale problems, high turnover, shift in culture
2 Minor • Financial loss of $600 million up to $2 billion
• Slight damage to local environment
• Majority of daily operations functioning
• Security of all employees and third parties slightly weakened, including customers or vendors
• Local reputational damage
• Reportable incident to regulator, no follow up
• Minor injuries to employees or third parties
• General staff morale problems and increase in turnover, culture questioned
1 Incidental • Financial loss up to $600 million
• Next to no damage to local environment
• All, but 1 or 2, daily operations functioning
• No breach of security of all employees and third parties, including customers or vendors
• Local media attention quickly alleviated
• Not reportable to regulator
• No injuries to employees or third parties
• Isolated staff dissatisfaction, culture intact
Impact Scale:
Rating Descriptor Definition
5 Very High • Extreme rate of change in industry
• No ability to anticipate events
• No ability to withstand event
• No scenario planning performed
• No internal control capabilities to address risks
• No responses implemented
• No contingency or crisis management plans in place
4 High • High rate of change in industry
• Little ability to anticipate events
• Little ability to withstand event
• Limited scenario planning for key strategic risks performed
• Low internal control capabilities to address risks
• Partial responses implemented or not achieving control objectives
• Some contingency or crisis management plans in place
3 Medium • Modest rate of change in industry
• Selected ability to anticipate events
• Selected ability to withstand event
• Stress testing and sensitivity analysis of scenarios performed
• Medium internal control capabilities to address risks
• Majority of responses implemented and achieving objectives most of the time
• Certain contingency and crisis management plans in place, limited rehearsals
2 Low • Low rate of change in industry
• Strong ability to anticipate events
• Strong ability to withstand event
• Strategic options defined
• Medium to high internal control capabilities to address risks
• All responses implemented and achieving objectives except under extreme conditions
• All contingency and crisis management plans in place, some rehearsals
1 Very Low • Almost no rate of change in industry
• Can anticipate events
• Can fully withstand event
• Real options deployed to maximize strategic flexibility
• High internal control capabilities to address risks
• Redundant response mechanisms in place and regularly tested for critical risks
• All contingency and crisis management plans in place and rehearsed regularly
Vulnerability Scale:
ID | Risk | L | I | V | S
1 | Competition | 3.3 | 4.3 | 3.5 | 3
2 | Investment | 2.5 | 3.5 | 3.7 | 3
3 | Adoption | 4 | 4.5 | 4.3 | 5
4 | Advertisement | 3.5 | 4.8 | 4.5 | 5
5 | Operating Margin | 3.9 | 4.5 | 4.3 | 3
6 | Regulatory | 2.8 | 3.4 | 3.1 | 2
7 | Proceedings | 4.4 | 2 | 3.7 | 4
8 | Acquisitions and Investments | 4.5 | 4 | 3.5 | 2
9 | Brand | 1.2 | 4.8 | 4.5 | 5
10 | U.S. and Foreign Laws | 4.9 | 3.3 | 3.6 | 3
11 | Intellectual Property Claims | 4.3 | 3.2 | 4 | 3
12 | Intellectual Property Rights | 3.9 | 4.1 | 3.8 | 4
13 | Online Services and Content | 4.1 | 3.2 | 4.3 | 3
14 | Technology Privacy | 4 | 4.8 | 4.6 | 5
15 | Manufacturing and Supply Chain | 3.9 | 4 | 4.5 | 4
16 | Security | 4.8 | 4.8 | 4.6 | 5
17 | Search Quality | 3.4 | 3.4 | 2.2 | 3
18 | Interruption or Failure of Systems | 4.6 | 4.7 | 4.3 | 5
19 | International Operations | 4.1 | 4.1 | 4.1 | 4
20 | Operating Results | 4 | 3.8 | 4.7 | 2
21 | Business Strategy Execution | 2.5 | 4.5 | 2.9 | 2
22 | Personnel | 2.5 | 4.4 | 2.8 | 3
23 | Internet Access Block | 1.5 | 3.5 | 4.6 | 4
24 | Ad Block | 4.1 | 3.2 | 4.6 | 2
25 | Investment Portfolio Value | 4 | 4.8 | 3.3 | 4
26 | Tax Liabilities | 3.8 | 3.2 | 3.1 | 3
27 | Stock Trading Price | 4.2 | 3.8 | 4.1 | 4
28 | Stock Ownership Concentration | 2.8 | 3.3 | 4.3 | 4
29 | Documents and Law Provisions | 1.5 | 2.8 | 4.1 | 1
Risk Map
Ranking Risks by Impact and Speed of Onset, individually:
Risk Correlations
[Risk interaction matrix: rows and columns are the risks; an x marks a correlated pair.]
Competition x x x x x x x x x x
Investment x x x x x x x x x x x x x x x
Adoption x x x x x x x x x x x x x
Advertisement x x x x x x x x
Operating Margin x x x x x x x x x x x x
Regulatory x x x x x x
Proceedings x x x x x x x x
Acquisitions and Investments x x x x x x x x x x x x
Brand x x x x x x x x x x x x x x x x x x
U.S. and Foreign Laws x x x x x x x x
Intellectual Property Claims x x x x x x x x x x x x x
Intellectual Property Rights x x x x x x x x x x x x x x x x x
Online Services and Content x x x x x x x x x x x x x x x x
Technology Privacy x x x x x x x x x x x x x x
Manufacturing and Supply Chains x x x x x x x x
Security x x x x x x x x x x x x x x x x
Search Quality x x x x x x x x x x x
Interruption or Failure of Systems x x x x x x x x
International Operations x x x x x x x x x x x x x x x x x x x
Operating Results x x x x x x x x x x x x x x
Business Strategy Execution x x
Personnel x x x x x x x x x
Internet Access Block x x x x x x x x x x x x
Ad Block x x x x x x x
Investment Portfolio Value x x x x x x
Tax Liabilities
Seeing these correlations helps us better understand the individual risks and the risk portfolio. In addition,
building this interaction map allows us to move away from silos and begin to see and practice
enterprise risk management as a collaboration of the company as a whole. It shows
how the different risks relate and how some can be managed together.
A next step, which would need more information, is to use historical data to determine
which other risks might correlate, and whether the correlated risks have been properly
managed before or are new risks.
MARCI Chart
The MARCI chart allows us to prioritize risks based on risk response. In other words, it
lets us prioritize the risks by what needs to be done to manage each one.
Quantitative Approaches
Google has proactively identified the potential risk that this particular trend is creating, and now faces the
challenge of taking a deeper dive into the most effective way to assess this risk. The document Risk
Assessment in Practice suggests a number of quantitative measures that companies should use in their
risk assessments, including benchmarking, scenario analysis, deterministic models, and probabilistic
models. Taking into consideration that Google is generally aware of the likelihood and impact of this risk,
it must focus on assessing the velocity of the risk in order to develop a decision and action plan for
managing this trend. Using a risk interaction map to first link correlation, a bow tie diagram can then
be developed using quantifiable data to illustrate the end events or losses stemming from the
consequences associated with the risk. Data used to assess the trend and velocity of this risk is an
extremely important factor, and should be derived from both the internal and external environment.
Competitor and industry trends data is crucial to assessing the real risk impact and the sensitivity of
timing. Analysis of both past and current relationships and partnerships with manufacturers and
distributors can provide good insight into the company’s current market share and future financial health.
All of the pertinent data used needs to then be modeled to look at the consequential impact on a range of
different factors, such as share price, research and development funding, marketing budgets, and others.
In developing this statement, we considered the overall mission and strategic objectives of the company,
how it can be implemented throughout the whole organization, and the risk capacity concerning its
financial health. In this example, because the risk appetite is moderately high, the risk tolerance had to
reflect a compromise of boundaries concerning the company’s financial well-being. This is why the
company is willing to assume a higher tolerance on loss of profit, so long as the company continues to
deliver on its net sales and does not significantly deviate from its current market share.
Risk Appetite Statement: The Company operates within a moderately high risk appetite in relation to the
declining trend of personal computer usage amongst the general population. The company assumes this
appetite with the intent to excel within the highly competitive environment, and strives to continue to be
the “first in market” leader, holding majority market share of the industry’s technology, products, and
systems. Operating with a moderately high appetite will increase our competitiveness in research and
development, and in the cultivation of business agreements with top manufacturers and distributors.
In developing this statement, we considered the overall mission and strategic objectives of the company,
the boundaries of acceptable risk tolerance, the effect on the company’s risk profile, its applicability to
decision making and action implementation, the company’s risk attitudes, and its relevance towards this
specific risk. The company has to assume a moderately high risk attitude because of the fast-paced nature
of its industry, as well as the macro environment. For Google, high-risk endeavors, specifically in the
field of research and development, have the ability to turn into highly profitable opportunities.
Risk Appetite and Tolerance Statements 2
Risk Tolerance Statement: The Company is not willing to assume any risk to its reputation, and will
therefore enforce a zero-tolerance policy on reputation risk.
Risk Appetite Statement: The Company operates with a low risk appetite concerning any decisions and
activities which may cause any damage to Google’s reputation. The company assumes this
appetite with the intent to protect the reputation of the brand, its technology, products, and services,
affiliates, employees, and value.
Reputation is a concerning element that affects all of Google’s individual risks, and is mentioned in most
of their listed risk factors under Item 1A. Unlike the previous statements, Google cannot afford to enforce
a high-risk appetite, nor allow an exposed risk tolerance. Additionally, because reputation risk correlates
to each function of the organization’s goals, it is a highly sensitive risk that can have high magnitude
adverse effects.
Google should balance risk taking and risk control in a holistic manner.
This balance will set clear, concise objectives and parameters, without limiting the company
from pursuing profitable opportunities. Both risk taking and risk controls should be set in accordance with
the company’s goals, overall culture, and legal and regulatory mandates.
References
Curtis, Patchin, and Mark Carey. “Risk Assessment in Practice.” Deloitte & Touche LLP. The
Committee of Sponsoring Organizations of the Treadway Commission. Oct 2012.
Rittenberg, Larry, and Frank Martens. “Understanding and Communicating Risk Appetite.” The
Committee of Sponsoring Organizations of the Treadway Commission. Jan 2012.
Crowe Horwath. “Risk Appetite and Tolerance Guidance Paper.” Institute of Risk Management.
United States Securities and Exchange Commission. Form 10-K. Google Inc.
Marks, Norman. “Do You Realize How Fast You Need to Respond to Risk? What Does This
Mean?” Sustainable Business Forum. N.p., 16 Mar. 2012.