RISK MANAGEMENT CONCEPTS GUIDE

DESIGN PRINCIPLES OF END-STATE ERM

Component / Design Principles

Focus
• All risks – strategic, operational, compliance and reporting – are covered.

Time Perspective
• Both current and emerging risks are covered.

Responsibilities
• Boards provide informed oversight.
• Executive management owns the overall process and ensures that key risks are managed across the enterprise.
• CROs (optional) facilitate and coordinate risk management.
• Individual managers are held accountable for managing risks.

Composition of Program
• Consistent Processes: Define practices and language to consistently identify, manage and aggregate risks.
• Integration: Build from existing practices and inject risk management into critical management practices to enrich them, embed it into the way of doing business, and link risk management with opportunity pursuit/ROI (e.g., strategic planning, R&D, etc.). Also, integrate it with performance management processes to create a more balanced view of results.
• Culture: Drive awareness of top risks through the organization via communication, training, linking to compensation and involving an informed board, with management and directors focused on similar issues, while being objective and transparent.
• Infrastructure: Build processes, systems and reporting only to the extent necessary.

RISK MANAGEMENT IMPLEMENTATION COMPONENTS

Build Infrastructure
• Develop a risk management policy.
• Integrate risk management concepts into current transactional and functional policies.
• Explicitly define roles and responsibilities.
• Develop business unit metrics and reporting.
• Ensure focused and insightful executive and board reporting.
• Use a consistent risk language and evaluation scales.
• Integrate key systems.

Design Risk Management Processes (a cycle built around Business Objectives and Strategies)
• Identify current and emerging risks linked to strategies and agreed-upon scenarios.
• Assess and prioritize potential risk exposures based on potential size and impact velocity.
• Determine responses and implement an infrastructure to manage and control the risk.
• Assign accountability for managing risks to risk owners.
• Provide periodic reporting to the CRO and executive committee against key metrics and action plans.
• Perform ongoing report, action plan and corrective action monitoring.

Integrate Them With Mgt Processes
Integration into key management activities that deal with risk includes:
• Strategic Planning
• Emerging Markets
• Product Development
• Ethics and Compliance
• Others:
− R&D
− Capital Expenditure
− M&A
− Crisis Management
− Etc.

Build and Drive Culture
• Awareness and regular reporting of top risks are enhanced.
• Risk ownership is assigned to management within the organization.
• Enterprise risk is more explicitly considered and communicated in risk-taking activities.
• Risk is objectively and transparently discussed.

DESIGN RISK MANAGEMENT PROCESSES

The process is a cycle built around Business Objectives and Strategies:

• Identify current and emerging risks linked to strategies and agreed-upon scenarios.
• Assess and prioritize potential risk exposures based on potential size and impact velocity.
• Determine responses and implement an infrastructure to manage and control the risk.
• Assign accountability for managing risks to risk owners.
• Provide periodic reporting to the CRO and executive committee against key metrics and action plans.
• Perform ongoing report, action plan and corrective action monitoring.

INTEGRATE WITH MANAGEMENT PROCESSES

Risk is integrated with the following management processes:

• Strategic Planning
• Emerging Markets
• Product Development
• Ethics and Compliance
• Others:
− R&D
− Capital Expenditure
− M&A
− Crisis Management

BUILD AND DRIVE CULTURE

• Enhanced awareness and regular top risk reporting exist.
• Enterprise risk is more explicitly considered and communicated in risk-taking activities.
• Risk ownership is assigned to management within the organization.
• Risk is objectively and transparently discussed.

BUILD INFRASTRUCTURE

• Develop a risk management policy.
• Integrate risk management concepts into current transactional and functional policies.
• Explicitly define roles and responsibilities.
• Develop business unit metrics and reporting.
• Ensure focused and insightful executive and board reporting.
• Use consistent risk language and evaluation scales.
• Integrate key systems.

RISK IDENTIFICATION AND RISK ASSESSMENT

RISK MANAGEMENT VS. RISK OVERSIGHT

• The respective roles of management and the directors are different:

Risk Management
Risk management is what management does. It includes identifying, prioritizing, sourcing, managing and monitoring risk that is significant to the execution of the company’s strategic priorities and achievement of its business objectives and performance goals.

Risk Oversight
Risk oversight is the board’s process for determining that the company has a process in place for managing its significant risks and that that process is improved continuously as the business environment changes.

• The role of risk oversight is to enable the board to:
− Develop a mutual understanding with management regarding the obstacles and uncertainties the company faces and key assumptions underlying its strategy and business model.
− Understand management’s choices in undertaking these obstacles and uncertainties, recognizing that the nature of these choices will vary according to the underlying characteristics of the risks.
− Provide timely advice on matters pertaining to risk and risk management.

KEY TERMS

Some of you may have heard:

• Risk Appetite: Risk appetite is the maximum amount of risk an entity is willing to accept in pursuit of value.
− Example: What minimum level of return are we willing to accept to pursue our growth strategy? What is the maximum level of capital we are willing to put at risk to invest in an emerging market?
• Risk Tolerance: Risk tolerance is the acceptable level of variation relative to the achievement of a specific
objective.
− Example: How much of an increase in steel prices are we willing to accept before we take significant action
(e.g., price increase or alternative materials)?
• Risk Capacity: Risk capacity is the maximum impact an organization can absorb and maintain sustainable
operations.
− Example: What is the minimum level of sales that we can have before we fail?

FRAMING THE OVERALL ISSUE

[Chart: Total Exposure to Risk (vertical axis) against Time (horizontal axis, starting at Today). Total exposure is layered as Existing Risk Management Activities, Comprehensive Risk Management and Enhanced Risk, shown against the Risk Appetite and Risk Tolerance levels.]

IMPROVING OUR UNDERSTANDING OF THE RISK

[Chart: Frequency (vertical axis) against impact in $’s (horizontal axis), divided into three zones:]

• Expected Impact – High number of low-impact events. Absorbed by reserves on the balance sheet. Focus of day-to-day management.
• Unexpected Impact – Events that exceed risk tolerance. Absorbed by equity. Focus of risk management.
• Catastrophic Impact – Potentially ruinous events. Invoke risk management and response plans. Bounded by risk capacity.

IDENTIFYING RISK

Design Risk Management Processes – this step of the cycle (the full cycle is shown under DESIGN RISK MANAGEMENT PROCESSES):

• Identify current and emerging risks linked to strategies and agreed-upon scenarios.

RISK MANAGEMENT FOCUSES ON ALL TYPES OF RISK

01 Current Risks: These are risks that the organization is facing, or has been known to face in the past, and therefore could re-present themselves to the organization.

02 Emerging Risks: These are risks that the company has not faced previously but could impact the organization going forward.

03 “Black Swan” Risks: These are risks that the company could face but would not know that they exist.

KEY CATEGORIES OF RISK

Strategic
The risk of one or more future events invalidating fundamental assumptions underlying the business strategy and management’s long-term outlook, and that the business model is not effectively aligned with the strategy.

Operational
The risk of one or more future events impairing the effectiveness of the business model for creating value for customers and achieving the financial results expected to increase shareholder value.

Financial
The risk that cash flows and financial risks are not managed cost-effectively to:
• Maximize cash availability.
• Reduce the uncertainty of currency, interest rate, credit and other financial risks.
• Move cash funds quickly and without losses of value to wherever they are needed most.

Compliance
The risk that noncompliance with laws, regulations and internal policies may result in penalties, fines, lost revenues and/or reputation loss.

ADDITIONAL THINGS TO CONSIDER

Risks have different characteristics and require different approaches to assessment and management.

• Speed to Impact
• Time Horizon
• Precision of Measurement
• Upside or Downside Consequences

ASSESSING RISK

Design Risk Management Process – this step of the cycle (the full cycle is shown under DESIGN RISK MANAGEMENT PROCESSES):

• Assess and prioritize potential risk exposures based on potential size and impact velocity.

THINGS TO CONSIDER WHEN PRIORITIZING RISKS

Impact
• When determining the scale, it is important to consider:
− Financial loss
− Strategic impact
− Revenue targets
− Reputation
Likelihood
• Consider the time horizon in which it is reasonably expected that an event could occur that would trigger the
risk.
Persistence
• The time period over which the event is dealt with after an occurrence.
− Example: The lingering reputational impact of a major recall
Velocity
• Speed with which the full impact of the event is realized (i.e., required reaction time).
− Example: Sudden change in exchange rates vs. a chronic warranty issue causing customer
dissatisfaction
Response Readiness
• The organization’s preparedness to manage/respond to an event or a series of events (including
contingency plans).
− Example: Product recall or terrorist incident

HOW DO WE KNOW WHAT IS MOST IMPORTANT?

Risk Prioritization

[Heat map: Impact (vertical axis) against Likelihood (horizontal axis), a 3x3 grid of risk ratings, with each lettered risk from the legend plotted in one cell.]

Grid ratings, from high impact (top row) to low impact (bottom row), and from low likelihood (left) to high likelihood (right):
• Top row: Moderate to High / High / Very High
• Middle row: Moderate / Moderate to High / High
• Bottom row: Low / Low to Moderate / Moderate

Legend
A Liquidity
B Capital Availability
C Reputation
D Competitor
E Equipment Reliability
F Environment
G Regulatory/Compliance
H Knowledge Capital: Training
I Health and Safety
J Raw Material Sourcing

RESPONDING TO AND
MONITORING RISKS
DETERMINING RISK RESPONSE

Design Risk Management Process – this step of the cycle (the full cycle is shown under DESIGN RISK MANAGEMENT PROCESSES):

• Determine responses and implement an infrastructure to manage and control the risk.

RISK MANAGEMENT TECHNIQUES

Avoid
Eliminate risk by preventing exposure to future possible events from occurring.
• Divest • Prohibit • Stop • Target • Screen • Eliminate

Accept
Maintain the risk at its current level.
• Retain • Re-Price • Self-Insure • Offset

Reduce
Implement policies and procedures to lower the risk to an acceptable level.
• Disperse • Control • Respond • Redesign • Diminish • Isolate • Test • Improve • Relocate • Diversify

Transfer
Shift the risk to a financially capable, independent counterparty.
• Insure • Reinsure • Hedge • Transfer • Outsource • Securitize • Indemnify

ELEMENTS OF MANAGEMENT AND CONTROL
INFRASTRUCTURE

The six elements of infrastructure form a framework that can be used to identify the components that influence the operating and control environment (including the concept of multiple lines of defense).

Key elements of infrastructure must be linked by design:

• Business Policies
• Business Processes
• People and Organization
• Management Reports
• Methodologies
• Systems and Data

Risk if an element is deficient:

• Business Processes: Processes do not carry out established policies or achieve the intended result.
• People and Organization: People lack the knowledge and experience to perform processes.
• Management Reports: Reports do not provide information for effective management.
• Methodologies: Methodologies do not adequately analyze data and information.
• Systems and Data: Information is not available for analysis and reporting.

ENTERPRISE APPROACH VS. SILO THINKING

The goal of this group is to avoid silo thinking and help bridge
the gaps between the functions and the regions.

ASSIGNING ACCOUNTABILITY

Design Risk Management Process – this step of the cycle (the full cycle is shown under DESIGN RISK MANAGEMENT PROCESSES):

• Assign accountability for managing risks to risk owners.

RISK OWNERSHIP

• Responsibilities, authorities and accountabilities are defined and articulated clearly so that an individual, a group or a designated unit is accountable for managing each critical enterprise risk. The accountable individual, group or unit is considered the “risk owner.”
• The risk owners have the responsibility, authority and accountability to manage the risk.
• Risk owners, at a minimum, must:
− Decide on the risk responses.
− Design the capabilities for managing the risks in accordance with the selected risk response.
− Monitor these capabilities over time to make sure they perform as intended. If gaps are noted, they fix them on a timely basis.
• Risk owners may elect to outsource the responsibility to build and execute capabilities, but that does not compromise their ownership of the risk.
• The executive committee is responsible for ensuring that appropriate risk owners are designated for each critical risk and for monitoring risk owner performance over time.

REPORTING AND ONGOING MONITORING

Design Risk Management Processes – these steps of the cycle (the full cycle is shown under DESIGN RISK MANAGEMENT PROCESSES):

• Provide periodic reporting to the CRO and executive committee against key metrics and action plans.
• Perform ongoing report, action plan and corrective action monitoring.

DEFINING METRICS THAT MATTER

• Key performance indicators (KPIs) and key risk indicators (KRIs) should converge to form a single basket of key metrics (KMs).
• KMs are measures of performance developed to monitor progress toward the achievement of strategy, mitigation of risks and the ultimate creation of value for stakeholders.

Sources (Lead Indicators)
• Organizational Culture
• Performance Incentive
• Equipment Maintenance
• Project Management

Outcomes (Lag Indicators)
• Equipment Reliability
• EH&S
• Reputation

MONITOR AND EVALUATE RESULTS

• Reviewing key metrics gives the company the ability to measure the rate of progress it is making toward its strategic
objectives and the mitigation of its critical risks and also includes an ongoing evaluation of risk responses.
• This process determines the effectiveness of integrated business plans and the ultimate creation of value within the
enterprise’s appetite for risk and established strategic boundaries.
Sample scorecard (the Trend and Status columns are shown as indicators on the slide; values are placeholders):

Perspective / KPI          Period Actual  Period Target  Variance  Variance Percentage

Profitable Growth
  Intrinsic Value Creation  $X             $X             ($X)      -X%
  EBIT Margin               X%             X%             X%        X%
  Combined Ratio            X%             X%             X%        X%

Capital Protection
  Return on Equity          X%             X%             X%        X%
  xRoCe                     X%             X%             -X%       -X%

Lean Organization
  Expense Ratio             X%             X%             -X%       -X%

Motivated Employees
  Retention                 X%             X%             X%        X%

Preferred Business Partner
  AM Best Rating            A+             A+             0%        0%
  Partner Satisfaction      X              X              (X)       -X%

ENTERPRISE RISK PRIORITIZATION SCALES

Impact dimensions: Financial Loss ($) (thresholds left blank on the slide), Strategic Impact, Revenue, Reputation.

Very High
• Strategic Impact: Catastrophic impact on the company’s ability to meet strategic goals or execute priority initiatives
• Revenue: Catastrophic impact on the company’s ability to hit revenue targets
• Reputation: Catastrophic impact on corporate or brand reputation

High
• Strategic Impact: Significant impact on the company’s ability to meet strategic goals or execute priority initiatives
• Revenue: Significant impact on the company’s ability to hit revenue targets
• Reputation: Significant impact on corporate or brand reputation

Medium
• Strategic Impact: Moderate impact on the company’s ability to meet strategic goals or execute priority initiatives
• Revenue: Moderate impact on the company’s ability to hit revenue targets
• Reputation: Moderate impact on corporate or brand reputation

Low
• Strategic Impact: Low impact on the company’s ability to meet strategic goals or execute priority initiatives
• Revenue: Low impact on the company’s ability to hit revenue targets
• Reputation: Low impact on corporate or brand reputation

Very Low
• Strategic Impact: Minimal impact on the company’s ability to meet strategic goals or execute priority initiatives
• Revenue: Minimal impact on the company’s ability to hit revenue targets
• Reputation: Minimal impact on corporate or brand reputation

RISK PRIORITIZATION SCALES

Very High
• Likelihood: Greater than 90% probability that the risk event will occur within the next three years.
• Velocity: Major impacts of a risk event will affect the company in less than two weeks.
• Persistence: Impacts of a risk event will continue to develop and impact the company over three years.

High
• Likelihood: 65%-90% probability that the risk event will occur within the next three years.
• Velocity: Major impacts of a risk event will affect the company in between two to four weeks.
• Persistence: Impacts of a risk event will continue to develop and impact the company over the next one to three years.

Medium
• Likelihood: 35%-65% probability that the risk event will occur within the next three years.
• Velocity: Major impacts of a risk event will affect the company in between one to three months.
• Persistence: Impacts of a risk event will continue to develop and impact the company over the next six to twelve months.

Low
• Likelihood: 10%-35% probability that the risk event will occur within the next three years.
• Velocity: Major impacts of a risk event will affect the company in between three to six months.
• Persistence: Impacts of a risk event will continue to develop and impact the company over the next three to six months.

Very Low
• Likelihood: Less than 10% probability that the risk event will occur within the next three years.
• Velocity: Major impacts of a risk event will affect the company in over six months.
• Persistence: Impacts of a risk event will continue to develop and impact the company over the next three months or less.

Unknown
• Likelihood: Risks with time horizons greater than three years.
• Velocity: N/A
• Persistence: N/A
