
Integrating new business activities – Value-added application of ERM

Robert Serena
May 26, 2018

Background
A well-designed and implemented Enterprise Risk Management program is a critical success factor and capability for any organization (e.g.
public sector, private sector, for-profit, non-profit) that seeks to enhance its operational resiliency, enable greater scalability, and improve
overall financial and operational performance. It’s important to note that even after the many catastrophic corporate and economic
events/failures of the last 20 years – Global Financial Crisis 2008, WorldCom, Enron, Equifax, Bear Stearns, Lehman Brothers, etc. –
well-functioning and fully-matured ERM programs are still a relative rarity in large organizations. There are practical reasons for this:

• ERM programs require enormous investment in human, physical, and process capital – personnel, systems, insurance premiums, training
programs, control infrastructures, etc. – there is manifestly no “free lunch” when it comes to developing and implementing an ERM
program.
• ERM programs also require unyielding support from senior management in the organization – this is a condition precedent for initiating
an ERM program. But that initial commitment is not sufficient – the commitment must be persistent and sustainable, as must the
messaging to the employees of the organization about the value of the ERM program.

The exhibit below illustrates one variant of the ERM Maturity Model – for any organization looking to implement an ERM program, Level 1
(Very Basic) and Level 2 (Basic) are the phases that require the highest levels of investment and executive commitment – if a program is
going to fail, that failure will typically occur in these early stages.

EXHIBIT 1 – Risk Management Maturity Model

The Risk Management Process (hereafter RMP) or Lifecycle is the critical activity that occurs in these early stages and is illustrated in
Exhibit 2 below. There are essentially 5 steps that must be applied in the initial execution of the RMP:

1. Strategic Objectives – Identify corporate objectives.
2. Risk Identification – Identify all of the risk factors confronting the organization, and link those risks to the objectives determined in
Step 1.
3. Risk Assessment/Aggregation – Determine the impact/likelihood for each risk identified in step 2, the correlation effects between the
various effects, and aggregate the impacts across the organization.
4. Risk Treatment – For each risk factor, compare the level of the risk with the organization’s established risk appetite and risk tolerance.
For any risk level that exceeds the risk appetite, the risk manager must recommend one of four risk treatment options based on a
cost/benefit analysis – Transfer, Accept, Mitigate/Reduce, or Avoid.
5. Risk Monitoring – Once all risks have been treated within the constraints of the organization’s budget and risk appetite framework, the
risk profile must be regularly monitored so that if it “drifts” from its initial level due to internal/external regulatory
and competitive dynamics, the cycle begins again.

EXHIBIT 2 – Risk Management Process (RMP)


Any organization that has struggled through Level 1 and Level 2 above is well familiar with the 5 steps in the RMP.

But a key attribute of a well-functioning ERM program that many organizations completely miss is that the ERM framework is equally
valuable when applied to the integration of incrementally new activities into the “enterprise portfolio”. Even when an organization has
refined their broader ERM program to a more mature state (Level 4 or 5), that doesn’t imply that they should stop thinking holistically about
ERM or apply less rigor around the RMP.

Even if an organization has a well-managed portfolio of risk factors for which the residual risk is within established risk appetite levels, there
is an ever present need to be vigilant, particularly if the organization is in a period of rapid growth. The external environment is ever
changing, which means that the organization’s risk profile is dynamic and changing as well. And every incremental decision that the firm
makes, whether it be to introduce a new product line or acquire a competitor, has the potential for materially increasing the organization’s
risk profile.

We’ll discuss the application of ERM techniques to new activity integration in the following section.

Using ERM to “make the donuts”


I spent 14 years in the Commodity trading industry – I witnessed the industry evolve dramatically in those 14 years. In the early days, many
shops were relatively thinly capitalized and thinly staffed operational “side shows” of vertically integrated, large energy firms – integrated oil
& gas, electric utilities, independent power producers. Towards the end of my stint in the industry, many of these early energy participants
had been displaced by investment banks, large hedge funds, pension funds, and private equity firms.

But one commonality across all these different market players was the recognition that a critical business imperative was the ability to
quickly assess and size the risk profile of new commercial activities and capital projects, and then assuming the projected return on a given
activity passed muster, run a robust but time-compressed due diligence regime to ensure that the incremental new activity did not adversely
impact the organization’s existing portfolio of assets – transactions, systems, people. This type of due diligence process, if applied
consistently and sensibly, is a flexible and powerful tool for integrating a wide range of “new activities”:

• Complex structured transactions with embedded derivatives
• New trading products – physical transactions or financial derivatives
• New system implementations
• Transacting in a new country or region, or transacting across international boundaries
• Opening up a new physical office
• Onboarding a new vendor
• Enabling transactions on regulated trading platforms
• Acquiring blocks of business/transactions

A useful and compact tool for capturing and articulating the risk associated with a particular activity set is “Spiderweb analysis”. The
exhibit below provides a generic example of this technique – it clearly calls out the risk areas that are beyond the risk appetite/risk tolerance
at current levels. The decision point then becomes determining the most cost-effective options for reducing the risk to
acceptable levels.

EXHIBIT 3 – Spiderweb Analysis

• For Operational Risks, the risk reduction activities could take the form of strengthened existing controls or introduction of new controls
to the inventory.
• For Legal Risks, the risk reduction tool could take the form of strong indemnification language in commercial contracts or more robust
compliance training in high-risk areas like Anti-Money Laundering and Bribery & Corruption.
• For any financial or traded risks, the risk reduction tool could take the form of adding financial hedges (e.g. exchange-traded or
Over-the-Counter derivatives) to offset any natural market or credit risk exposures that flow from the business activities undertaken by the
firm. In the event that cost-effective financial hedges are not available, another alternative in this area would be to reduce the sale of
products or services that give rise to the financial risk exposures.

The “ERM flavor” to the process of integrating the new activity takes the form of a formal risk assessment of the new activity. The assessment
requires the engagement of all impacted functional groups across the firm – it’s critical that each group consider the risks that the new
activity poses to the firm (and specific to their function), and rate the risk, typically on a qualitative scale (e.g. 1 = No incremental risk, 2 =
Incremental risk that can be fully mitigated, 3 = Incremental risk that can’t be fully mitigated, 4 = Recommendation to not proceed).

The organization should establish a formal policy around the new activity due diligence process, and each discrete activity should be
documented on a standard template – a “term sheet” of sorts. A sample risk assessment template is illustrated below in Exhibit 4:

EXHIBIT 4 – Risk Assessment Template


Functional Group         Date of evaluation   Risk Rating   Supporting Rationale
Accounting               05/25/2018           1
Compliance               05/25/2018           2
Credit Risk              05/25/2018           1
Health & Safety          05/25/2018           3
Market Risk              05/25/2018           2
Regulatory Affairs       05/25/2018           1
Legal/General Counsel    05/25/2018           3
Financial Reporting      05/25/2018           1
Operational Risk         05/25/2018           1
Corporate Tax            05/25/2018           1

Key takeaways:
• The sponsor for the new activity, as a pre-condition to beginning the due diligence process, should prepare a rigorous business case that
captures the economic and portfolio benefits of the new activity:
    o If a new commercial transaction, how much PnL is the transaction adding?
    o If a new derivative contract, will the firm be able to more cost-effectively hedge market risk?
    o If a new system, will there be an increase in process efficiency and a reduction in operational and personnel costs?
    o If establishing a new regional office, will the organization’s customers in that region receive better customer service? Will it
    increase sales in that region?
• The group that coordinates and project manages the due diligence function will then convene an initial meeting with functional
stakeholders to critically evaluate the new activity and provide a go/no-go decision to progress the due diligence process further.
• If a decision is made to move forward, then an implementation plan needs to be developed. This plan should clearly identify project
team members, roles and responsibilities, and timelines for interim and final deliverables.
• At a defined time-interval after the implementation is completed, a different team (typically from the Risk Management function) will
perform what is often termed a “Post Implementation Review” to assess the implementation project and identify and document any
lessons learned that can be fed back into the overall process to drive continuous improvement.
