CONCEPTS GUIDE
DESIGN PRINCIPLES OF END-STATE ERM
Focus:
• All risks – strategic, operational, compliance and reporting – are covered.
Composition of Program:
• Consistent Processes: Define practices and language to consistently identify, manage and aggregate risks.
• Integration: Build from existing practices and inject risk management into critical management practices to enrich them, embed it into the way of doing business, and link risk management with opportunity pursuit/ROI (e.g., strategic planning, R&D, etc.). Also integrate it with performance management processes to create a more balanced view of results.
• Culture: Drive awareness of top risks through the organization via communication, training, linking to compensation and involving an informed board, with management and directors focused on similar issues, while being objective and transparent.
• Infrastructure: Build processes, systems and reporting only to the extent necessary.
RISK MANAGEMENT IMPLEMENTATION COMPONENTS
DESIGN RISK MANAGEMENT PROCESSES
INTEGRATE WITH MANAGEMENT PROCESSES
Others:
• R&D
• Capital Expenditure
• Ethics and Compliance
• M&A
• Crisis Management
BUILD AND DRIVE CULTURE
• Enhanced awareness and regular top risk reporting exist.
• Enterprise risk is more explicitly considered and communicated in risk-taking activities.
• Risk ownership is assigned to management within the organization.
• Risk is objectively and transparently discussed.
BUILD INFRASTRUCTURE
• Integrate risk management concepts into current transactional and functional policies.
• Use consistent risk language and evaluation scales.
• Develop business unit metrics and reporting.
RISK IDENTIFICATION
AND RISK ASSESSMENT
RISK MANAGEMENT VS. RISK OVERSIGHT
Risk management is what management does. It includes identifying, prioritizing, sourcing, managing and monitoring risk that is significant to the execution of the company’s strategic priorities and achievement of its business objectives and performance goals.

Risk oversight is the board’s process for determining that the company has a process in place for managing its significant risks and that that process is improved continuously as the business environment changes.
KEY TERMS
• Risk Appetite: Risk appetite is the maximum amount of risk an entity is willing to accept in pursuit of value.
− Example: What minimum level of return are we willing to accept to pursue our growth strategy? What is the
maximum level of capital we are willing to put at risk to invest in an emerging market?
• Risk Tolerance: Risk tolerance is the acceptable level of variation relative to the achievement of a specific
objective.
− Example: How much of an increase in steel prices are we willing to accept before we take significant action
(e.g., price increase or alternative materials)?
• Risk Capacity: Risk capacity is the maximum impact an organization can absorb and maintain sustainable
operations.
− Example: What is the minimum level of sales that we can have before we fail?
FRAMING THE OVERALL ISSUE
[Figure: Total Exposure to Risk plotted against Time (from Today onward). Labels: Existing Risk Management Activities, Enhanced Risk Management, Comprehensive Risk Management, Risk Appetite, Risk Tolerance.]
IMPROVING OUR UNDERSTANDING OF THE RISK
[Figure: Frequency of events plotted against their impact. Labels, from lowest to highest impact: High number of low-impact events (Focus of Day-to-Day Management); Absorbed by Reserves on Balance Sheet; Absorbed by Equity; Events that exceed risk tolerance (Invoke Risk Management and Response Plans); Risk Capacity.]
IDENTIFYING RISK
RISK MANAGEMENT FOCUSES ON ALL TYPES OF RISK
• Current Risks: These are risks that the organization is facing, or has been known to face in the past, and therefore could re-present themselves to the organization.
• Emerging Risks: These are risks that the company has not faced previously but could impact the organization going forward.
• “Black Swan” Risks: These are risks that the company could face but would not know that they exist.
KEY CATEGORIES OF RISK
• The risk of one or more future events invalidating fundamental assumptions underlying the business strategy and management’s long-term outlook, and that the business model is not effectively aligned with the strategy.
• The risk of one or more future events impairing the effectiveness of the business model for creating value for customers and achieving the financial results expected to increase shareholder value.
• The risk that cash flows and financial risks are not managed cost-effectively to:
− Maximize cash availability.
− Reduce the uncertainty of currency, interest rate, credit and other financial risks.
− Move cash funds quickly and without losses of value to wherever they are needed most.
• The risk that noncompliance with laws, regulations and internal policies may result in penalties, fines, lost revenues and/or reputation loss.
ADDITIONAL THINGS TO CONSIDER
Risks have different characteristics and require different approaches to assessment and management.
ASSESSING RISK
THINGS TO CONSIDER WHEN PRIORITIZING RISKS
Impact
• When determining the scale, it is important to consider:
− Financial loss
− Strategic impact
− Revenue targets
− Reputation
Likelihood
• Consider the time horizon in which it is reasonably expected that an event could occur that would trigger the
risk.
Persistence
• The time period over which the event is dealt with after an occurrence.
− Example: The lingering reputational impact of a major recall
Velocity
• Speed with which the full impact of the event is realized (i.e., required reaction time).
− Example: Sudden change in exchange rates vs. a chronic warranty issue causing customer
dissatisfaction
Response Readiness
• The organization’s preparedness to manage/respond to an event or a series of events (including
contingency plans).
− Example: Product recall or terrorist incident
HOW DO WE KNOW WHAT IS MOST IMPORTANT?
Risk Prioritization
[Figure: Risk map plotting lettered risks (B, C, D, F, G, H, I, J) by likelihood and impact, with bands rated Low, Low to Moderate and Moderate. Labelled risks: F – Environment; G – Regulatory/Compliance; H – Knowledge Capital: Training; I – Health and Safety; J – Raw Material Sourcing.]
RESPONDING TO AND
MONITORING RISKS
DETERMINING RISK RESPONSE
RISK MANAGEMENT TECHNIQUES
Avoid
Eliminate risk by preventing exposure to future possible events from occurring.
• Divest • Prohibit • Stop • Target • Screen • Eliminate

Accept
Maintain the risk at its current level.
• Retain • Self-Insure • Re-Price • Offset

Reduce
Implement policies and procedures to lower the risk to an acceptable level.
• Disperse • Control • Respond • Diminish • Isolate • Test • Improve • Relocate • Redesign • Diversify

Transfer
Shift the risk to a financially capable, independent counterparty.
• Insure • Reinsure • Hedge • Transfer • Outsource • Securitize • Indemnify
ELEMENTS OF MANAGEMENT AND CONTROL INFRASTRUCTURE
The six elements of infrastructure form a framework that can be used to identify the components that influence the operating and control environment (including the concept of multiple lines of defense). Failure modes for the elements shown:
• Processes do not carry out established policies or achieve the intended result.
• People lack the knowledge and experience to perform processes.
• Reports do not provide information for effective management.
• Methodologies do not adequately analyze data and information.
• Information is not available for analysis and reporting.
ENTERPRISE APPROACH VS. SILO THINKING
The goal of this group is to avoid silo thinking and help bridge
the gaps between the functions and the regions.
ASSIGNING ACCOUNTABILITY
RISK OWNERSHIP
• Responsibilities, authorities and accountabilities are defined and articulated clearly so that an individual,
a group or a designated unit is accountable for managing each critical enterprise risk. The accountable
individual, group or unit is considered the “risk owner.”
• The risk owners have the responsibility, authority and accountability to manage the risk.
• Risk owners, at a minimum, must:
− Decide on the risk responses.
− Design the capabilities for managing the risks in accordance with the selected risk response.
− Monitor these capabilities over time to make sure they perform as intended. If gaps are noted, they fix
them on a timely basis.
• Risk owners may elect to outsource the responsibility to build and execute capabilities but that does not
compromise their ownership of the risk.
• The executive committee is responsible for ensuring that appropriate risk owners are designated for each
critical risk and for monitoring risk owner performance over time.
REPORTING AND ONGOING MONITORING
DEFINING METRICS THAT MATTER
• Key performance indicators (KPIs) and key risk indicators (KRIs) should converge to form a single basket of key metrics (KMs).
• KMs are measures of performance developed to monitor progress toward the achievement of strategy, mitigation of risks and the ultimate creation of value for stakeholders.
[Figure: Lead Indicators feeding through to Lag Indicators and Outcomes; example metric areas shown: Project Management, Equipment Reliability, EH&S, Reputation.]
MONITOR AND EVALUATE RESULTS
• Reviewing key metrics gives the company the ability to measure the rate of progress it is making toward its strategic
objectives and the mitigation of its critical risks and also includes an ongoing evaluation of risk responses.
• This process determines the effectiveness of integrated business plans and the ultimate creation of value within the
enterprise’s appetite for risk and established strategic boundaries.

Perspective/KPI        Trend  Status  Period Actual  Period Target  Variance  Variance Percentage
Profitable Growth
  EBIT Margin                         X%             X%             X%        X%
  Combined Ratio                      X%             X%             X%        X%
Capital Protection
  Return on Equity                    X%             X%             X%        X%
  xRoCe                               X%             X%             -X%       -X%
Lean Organization
Motivated Employees
  Retention                           X%             X%             X%        X%
  AM Best Rating                      A+             A+             0%        0%
(Trend and Status are indicator columns shown as icons in the source; no values are given for them.)
ENTERPRISE RISK PRIORITIZATION SCALES
RISK PRIORITIZATION SCALES