Enterprise Risk Management by Many Other Names is Still Enterprise Risk Management David K. Whatley UTH Advisors April 15,2008

Transcription

1 Enterprise Risk Management by Many Other Names is Still Enterprise Risk Management David K. Whatley UTH Advisors April 15,2008 UTH Advisors

2 What is Enterprise Risk Management? Why don t more companies have ERM? What are Risks? What is the Risk Management Process? What is ERM Process? What is Stealth ERM? How did we do ERM at Home Depot? What does Integrated Stealth ERM Look Like? Q & A Introduction UTH Advisors

3 What Is ERM? COSO Definition a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. COSO Enterprise Risk Management Integrated Framework UTH Advisors

4 Arthur Andersen Definition a structured and disciplined approach: it aligns strategy, processes, people, technology and knowledge with the purpose of evaluating and managing the uncertainties the enterprise faces as it creates value. Arthur Andersen 2000 UTH Advisors

5 My Definition A process to coordinate identification and management of all risks facing an organization. DKW 2008 UTH Advisors

6 Why Don t We Have More ERM? Too Complex Too Many Initiatives ROI Hurdle Silos Turf War No Value Proposition UTH Advisors

7 What Are Risks Risks are impediments to achieving business goals Two Types of Risk: Positive = Opportunity Risk Negative = Loss Risk UTH Advisors

8 Classic Risk Management Process Identify Risk Assess Current Risk State Probability Impact Risk Map Current State Determine: Cost/Impact/Benefit of Mitigation Tools Avoid Transfer Balance Manage Risk Map Residual Risk/Mitigated State Cost/Benefit Decision UTH Advisors

9 Enterprise Risk Management Process Risk Identification and Evaluation Built Into All Business Processes Assimilation of Results of Risk Management in Each Business: Assure Risk Management Process is Executed Risk Tolerance Levels Are Appropriate and Uniform Determine Consolidated Risk of Enterprise Measure vs. Level Approved by Board of Directors UTH Advisors

10 Goals of ERM Increase Positive Risk Taking Reduce Negative Risk Occurrence Improve the Bottom Line UTH Advisors

11 Stealth ERM Enterprise Risk Management by Many Other Names is Still Enterprise Risk Management Integrate Risk Considerations into all business processes Position ERM as process/management process improvement that adds value by inserting risk awareness and considered risk decision making into all processes Changes culture by introducing enterprise wide view-- better business planning-- better decisions UTH Advisors

12 Enterprise Risk Management Structure Board of Directors = Overview Process/Sets Risk Level Chief Executive Officer = Chief Risk Officer Senior Leadership Team = Risk Committee Business Processes Include Risk Assessments and Consideration of Risk in Decisions or are Risk Based UTH Advisors

13 COSO Enterprise Risk Management The ERM Components COSO Internal Environment Objective Setting Event Identification Risk Assessment Risk Response Control Activities Information and Communication Monitoring Influences how strategies and goals are set, how activities are structured and how risks are identified, assessed and acted upon Creates a process for setting objectives, ensuring that those objectives are aligned with strategic goals and that those goals are consistent with risk appetite Considers internal and external factors that might affect strategy and achievement of business objectives Focuses on the likelihood and impact of potential events and their effects on objectives Evaluates risks for possible responses and their effects Ensures that risk responses are carried out efficiently via policies and procedures Involves the exchange of relevant data with internal and external parties so that they may identify, assess and respond appropriately to risk Ensures that the components of ERM are applied at all levels UTH Advisors

14 COSO ERM Components At HD ERM Components Internal Environment Objective Setting Event Identification Risk Assessment Risk Response Control Activities Information & Communication Monitoring THD Activities Tone at the Top Sarbanes-Oxley/404 Board of Directors (BOD) SOAR Liability Risk Analysis SOAR SOAR Internal Audit SOAR Internal Audit Liability Risk Analysis Sarbanes-Oxley/404 Corporate Compliance Quarterly Executive Council (QEC) Weekly President s Call SOAR Quarterly Executive Council Activity Deliverable Corporate Governance Entity Level Assessment Strategic Vision Strategic Initiatives Insurance Levels Strategic Initiatives Strategic Initiatives Internal Audit Plan Strategic Initiatives Internal Audit Plan Insurance Levels Attestation of Fin. Reporting effectiveness SOP s Standard Reconciliation Process Strategic Initiative Issue Resolution Management Report Outs Strategic Initiatives Strategic Initiative Issue Resolution UTH Advisors

15 The Home Depot s Risk Areas THD Risk Area Business Leader / Oversight Asset Management EVP Bus. Development/Corp. Operations / REEC Customer Service EVP HD Stores / Store Manager Council Legal EVP Secretary/General Counsel / Compliance Council Human Resources EVP - HR / Leadership Development Compensation Committee Finance/Accounting EVP - CFO / Audit Committee Brand and Image EVP Merchandising/Marketing / Branding Committee Merchandising EVP Merchandising/Marketing / Innovative Council Growth EVP Bus. Development/Corp. Operations / Growth Steering Comm. Information Technology EVP IT/CIO / IT Advisory Council Supply Chain EVP Merchandising/Marketing / Supply Chain Council External Factors CEO / BOD, QEC UTH Advisors

16 Risk Identification and Assessment Processes Corporate Compliance Program Internal Audit Program Risk Management Information Systems Safety Data Claims Cost Data Security Assessments Loss Prevention Product-containing Facilities Corporate Security- Offices/Events/Executives IT Business Risk Assessments Systems Recovery Priorities SOAR Strategic Risks HR Risks Safety Programs Safety Audits Safety Investigations UTH Advisors

17 Home Depot Compliance Program The Home Depot Compliance Program is based upon the three-fold approach of: (1) prevent, (2) detect and (3) respond to potential issues. These three components form a closed-loop cycle that reinforces compliant conduct throughout the Company. UTH Advisors

18 Compliance Structure A Compliance Policy and Guidelines are maintained for each identified risk area of the Company s business Compliance Assurance Mechanisms are included in the SOPs that establish processes for Company conduct Training educates and informs targeted associates about the Company s Compliance Policies & related SOPs UTH Advisors

19 Compliance Reviews Quarterly Reviews: Select policies or functional areas are reviewed quarterly Annual Compliance Reviews: Week-long enterprise-wide policy and functional area review with all Divisions, Subsidiaries and International Businesses UTH Advisors

20 Compliance Review Components Laws/SOP Update New External Standards New Internal Standards Risk Change Assessment Risk Monitoring Process Improvement Progress Incident Update Major incidents are reported, with the investigation details and resolutions Other Updates Government Investigations Training Proposals Budget/Resource Allocations UTH Advisors

21 Risk-Based Compliance Monitoring 2007 Compliance Monitoring Plan Company, Inc. : Safety Dept. 3 rd Quarter METRIC RISK BENCH Q1 Q2 Q3 Q4 YTD TRAFFIC RISK LEVEL MARK LIGHT # of Incidents Low G Sample Risk 1 # of Violations Low G Sample Risk 2 Compliance Metrics: Traffic Lights provide an efficient way of quickly determining the status of each individual risk. UTH Advisors

22 Compliance Process Improvement 2007 Compliance Process Improvement Plan Company, Inc. : Safety Dept. Process Improvements 3 rd Quarter PROCESS IMPROVEMENT ACTION STEP COMPLETION STATUS TRAFFIC LIGHT DATE Process Improvement #1 G Process Improvement #2 G Process Improvements: Any processes/procedures being developed and implemented to improve current operations and mitigate risks. UTH Advisors

23 SOAR Includes Risk Discussions Enhance Core Extend Business Expand Market Customer Satisfaction Differentiated and Innovative Merchandise at Great Value Store Readiness Information Technology New Stores New Formats Home Depot Services Home Depot Direct Home Depot Supply MRO Builder Professional Supply Canada Mexico China Voice of Customer Conversion Store Productivity New Locations New Service Categories New Channels New Businesses New Platforms New Geographies Align SOAR with Strategic Vision UTH Advisors

24 SOAR Strategic Planning Entities DEPARTMENTS #21 #22 #23 #24 & #59 #25 #26 #27E #27L #28 #29 #30 Store Formats OTHER BUSINESSES AHS HD Supply/ ITB PRO / Tool Rental Canada Direct /ebusiness Operations / Stores (Supply Chain) IT Credit FUNCTIONS / OPERATING PLANS Marketing / Store Merchandising Human Resources Legal Finance Real Estate / Construction Merchandising / Divisions UTH Advisors

25 Proposed SOAR Calendar Strategic Planning Operating Plan February March April May June July August September October November December Key Meetings & Events Off-site to finalize plans Set strategic guidance/ Metrics ELT Game Changers SOAR current year Initiative update Progress Review Progress Review SOAR I Strategy Reviews SOAR I Decisions SOAR II Operating Reviews Divisional Reviews Capital & G&A Decisions 06 Plan locked Process Teams designated SOAR I Kick-off Strategic Planning Final Plans Due Targets & guidance set for teams Space Planning Prework Interdepartmental reviews Executive Team SOAR Activity SOAR II Kick-off Merchandising & UTH Advisors 2008 Divisional working 25 sessions

26 ERM Is Culture Not Process ERM processes are just another set of controls unless you get cultural change ENRON! Efficient vs Effective Efficient---Doing Things Right Effective----Doing The Right Things Efficiently Culture of Effectiveness will improve achievement of Business Goals ERM Supports/Drives this culture This is ERM S Value Proposition UTH Advisors

27 Q & A David K. Whatley UTH Advisors dkw02@bellsouth.net

28 2008 Enterprise Risk Management Symposium Practical Implementation Issues Grover Edie 1

29 Implementing Enterprise Risk Management At an Insurance Subsidiary of a Financial Services Organization 2

30 From the Session Description As a firm begins to implement an ERM program, how can it prevent the firm s internal inertia from killing the program in the cradle? Why implement ERM? What is the purpose, the vision, the payback? 3

31 Before You Start Your approach to ERM needs to match your organization s style Approach also needs to reflect what the organization knows about the elements of Risk Management You will likely have to learn a lot, and Educate others along the way 4

32 Tracks of Actions at Subsidiary Following the ERM lead set by Parent Establish a subsidiary ERM Committee Establish subsidiary policies for Operations Risk, Credit Risk, etc. Establish a Risk Adjusted Return on Assets Develop an education plan Begin an evaluation of risks as they relate to an insurance organization 5

33 ERM 2 Enterprise Risk Management Everyone a Risk Manager 6

34 A Company s Risk/Return by Operation Increasing rate of return Maximum return C F A B risk free return Risk threshold D E Increasing risk of venture 7

35 S A G E Expand new products, markets, territories beyond organic growth, including acquisitions Grow organic growth Accomplish the organization s goals Maintain operations Generate an appropriate profit Survival of the organization 8

36 Survival of the Organization Proper reinsurance (or insurance) Licensing issues Adequate capital Proper governance (Sar-Box, SEC, etc.) Business continuity, resumption, etc. Data backup, systems resumption, etc. Etc., etc. 9

37 Considerations in Determining What to Address Likelihood of adverse event Cost of adverse event Is someone already handling the risk? Cost and Effort needed to mitigate the risk How soon would the adverse event happen, if it did? What is management s appetite for risk? 10

38 Additional Considerations Leverage on what Parent has already done Get Subsidiary ERM activities to an acceptable level according to Parent s ERM standards Develop Insurance company specific standards for Subsidiary 11

39 Ins Sub of Financial Svcs Co. Parent company chooses the style Style meets its needs, but might not best meet yours, in some cases Generic risks seem to work fine they do the work, you just ride along with adjustments Risks specific to insurance companies might pose a problem 12

40 Ins Sub of Fin. Svcs Co. - Issues Insurance Fraud not the same as (internal) employee fraud Losses our business, not unexpected events Reinsurance an integral part of our operations Credit Risk reinsurance counterparty risk Market Risk asset/liability matching Balance sheet reserves significant risk 13

41 Enterprise Risks Parent ERM Risks Credit Market Operations Human Resources Information Technology Legal / Regulatory Business Continuity / Disaster Recovery Reputation Ins. Co. Specific Risks Credit counterparty (Reinsurers) Market Asset/Liability matching Underwriting Catastrophic Event Geographic concentration Loss Reserving Unearned Premium Reserving External Fraud Insureds / Providers Regulatory actions 14

42 Example Survey Questions Internal Management Risk Assessment Survey Is there a management oversight process in place to evaluate the effectiveness of controls over financial reporting, including clearly defined management accountability, and is consistent with regulatory requirements (e.g. Sarbanes-Oxley, FDICIA)? AM Best Supplemental Rating Questionnaire For insureds that purchased commercial property coverages, what percentage of those insureds purchased terrorism protection for the property coverages, either as a separate endorsement or already included in the policy? Annual Statement Interrogatories Does the reporting entity have established procedures for disclosure to its Board of Directors or trustees of any material interest or affliction on the part of any of its officers, directors, trustees, or responsible employees that is in conflict or is likely to conflict with the official duties of such person? 15

43 Conclusions 16