Enterprise Risk Management: The Elements, The Players, and The Case for Collaboration. Enterprise Risk Management

Transcription

1 Enterprise Risk Management: The Elements, The Players, and The Case for Collaboration Cole Emerson MBCP CPP KPMG LLP Monday, May 5th 4:00 pm 5:00 pm Enterprise Risk Management What is it? What are the elements? Who are the players? What is the case for collaboration? Business Continuity Management & Risk Management How does BCM contribute to Enterprise Risk Management What are the common goals Managing Risk What is a risk The chance that something will happen (good or bad) that impacts the organization (positively or negatively) Risks are not always bad the risk of production capacity not meeting the demands of a wildly successful product launch 1

2 Business Continuity Management & Risk Management What is risk management in the broadest sense Risk Management is: the methods and processes used to manage those risks, possible events or circumstances that can have negative influence on the Enterprise The Elements of Risk Management ERM Perspective Risk Management ERM Perspective Three forms of risk management Loss avoidance Risk transfer Preparedness 2

3 Loss Avoidance Goal of limiting the frequency and extent of loss events Risk Transfer Goal of alleviating the burden should a loss event occur by transferring part of the risk to a third party e.g. insurance Preparedness Goal of being in a position to restore the state of affairs that prevailed before the onset of a loss as rapidly as possible. 3

4 Impacts Involves the capacity to both avoid and deal with losses To reap the preparedness benefits the following should be taken into account Probability Extent Impact Preparedness In the context of preparedness The question of whether a loss will occur is of less interest than how significantly it would be and what would need to be done were it to occur Managing a loss can only consist in dealing with the consequences and thereby diminishing its significance The ability to accept and make the best of the loss Four Levels Of Impact - Examples Trivial Disruptive Survival threatening Destructive losses 4

5 Trivial May at worst reduce the financial value, but not the functionality, of a system and therefore require no or only minimal countermeasures Disruptive Impairs key functions and hence the performance of the system Primary task of event management is to restore or temporarily replace the functions that have been lost Survival Threatening The system s vital functions are impaired to such an extent that it can no longer maintain itself unaided 5

6 Destructive Natural Social Financial and Economic Technological Systems Goal of Preparedness To keep a system or process operational despite losses To restore to the status quo ASAP To improve on the original state of affairs Fire Example Fire prevention avoiding losses Remaining risk is transferred by means of property and business interruption insurance Preparation involves establishing an emergency and crisis management organization which will ensure that critical business processes can be maintained even if a loss event occurs 6

7 Trade Offs Loss avoidance, risk transfer and preparedness may be traded off against each other Organization well prepared to deal with fire-related losses Can afford to spend slightly less on prevention or may opt for a higher insurance deductible Preparedness May serve both to enhance safety and to reduce a company s expenditures On loss avoidance On costs of risk transfer Risk Strategy Risk strategy determines whether a company places primary emphasis on loss avoidance, risk transfer or preparedness If the strategy demands that no serious losses should, risk management will have to focus on prevention losses 7

8 What s Driving Enterprise Risk Management? More prescriptive NYSE Listing Requirements Audit Committee requirements to discuss policies with respect to risk assessment and risk management Increased regulatory compliance importance, e.g., SOX 404 Leveraging the 404 infrastructure to broaden the definition of risk Recently updated COSO/ERM framework Adverse media coverage reduced market tolerance for surprises Increased complexity and speed of change in business The risk profile of today s global and virtual organization warrants study and more precision ERM is a dynamic process which is focused on protecting an organization s value proposition Operational Risk Management Goal is to Reduce Regulatory Compliance Workplace Violence Robustness Death-on-Site Vendor Management Death-on-Study Records Management Loss of Key Staff Risk Management Loss of Intellectual Property Continuity Management Human Error / Sabotage Health & Safety Mgt Security Breach Quality Management Failure of LAN / WAN Animal Activists Malicious Code Attacks Natural Disaster Loss of Information Fire, Explosion System Integrity Pipe Break, Flooding Loss of data / Hazardous Spill vital records Regulatory Change Inability to recover data Interrupted services Wonderful World of Risks Environment Risk Catastrophic Loss Industry (Weather ) Regulatory Legal Capital Availability Financial Markets Sensitivity Sovereign/Political Shareholder Relations Competitor Operations Risk Customer Satisfaction Human Resources Efficiency Capacity Transportation Performance Gaps Cycle Time Basis Risk Obsolescence Compliance Business Interruption Service Failure Environmental Health & Safety Market Intelligence Processing Technology Supply Consolidation Trademark / Brand Name Integrity Risk Management Fraud Employee Fraud Illegal Acts Unauthorized Use Reputation Reporting & Compliance Regulatory Reporting Financial Reporting Financial Operational Planning and Budget Pricing Accounting Information Information Contract Commitment Financial Reporting/ for Decision Measurement / Modeling Evaluation Making Risk Alignment Taxation Pension Fund Investment Evaluation Strategic Leadership Authority Business Portfolio Transaction & Valuation Performance Measurement Organizational Structure Resource Allocation Planning Life Cycle1 Empowerment Risk Incentives Outsourcing Communications Limit Leadership Authority Innovation Change Readiness Process Risk Financial Risk Price Commodity Basis Interest Rate Financial Instrument Currency Equity Liquidity Cash Flow Opportunity Cost Credit Default Collateral Concentration Counter Party Technology Risk Relevance Integrity Access Availability Infrastructure 8

9 Risk Goes Beyond Regulatory Compliance To Other Aspects of the Business A typical risk profile now shows many more potential risks than three years ago The risk profile needs to look at 1-5 years Energy & 3-5 Years climate 1-3 Years Key: Timeline 3-5 years 1-3 years Now Health Additional risks Corporate responsibility Foreign Competitive Financing risk exchange risk pressures IP Changing market Attract and Management conditions Reputation retain staff Regulatory Demography compliance Natural Financial hazard risk reporting IT networks and Treasury Macroeconomic & Country risk security Major financial risk Management data customer Insurance and transparency Terrorism default coverage Technology Human capital Product Fraud Rising cost of risk liability employee benefits Outsourcing Transfer Bankruptcy & Pensions pricing Physical credit risk Tax asset Off-shoring Emerging Innovation Start-ups, protection markets alliances and Product pipeline acquisitions Commoditization Inflation Business continuity Supply chain Self-reporting relationships Ecological Governance Market risk Human rights Oil prices Geopolitical and security risk Now Source: KPMG LLP (U.K.) s aggregated experience facilitating client risk assessment workshops, 2005 New Challenges New Risks Climate Change Discussed and considered as a major risk by major insurance and reinsurance organizations Site placement and/or expansion a key risk Differing opinions even within the scientific community Terrorism Statistics showed that pre-iraq terrorism was on a decline Discussions and concern about future domestic terrorism Potential lack of consideration and understanding of different cultures New Challenges New Risks Regulatory and Compliance New legislation promoting voluntary certification of corporate business continuity plans position business continuity management (BCM) as a topic of discussion at the board level At some point in time A certification process will be established» Utilizing multiple existing standards 9

10 1d 3f 3a 1e 2b 3c 4d 4g 4b 3b 4f 4c 3g 2c 3h 1a 4h 3j 1b 4j 4e 2a 5c 4i 3d 1f 3e 5a 5b 1c 4a 3i Examples of Enterprise and Operational Risks Enterprise Risk Management External financial event that has broad, global impact and longlasting consequences Heavy dependency on key business relationships (e.g. Business Partner, Air Transportation, Federal Government) Increased risk associated with a heightened legal, compliance and customer advocacy environment Lack of investment on competitive online capabilities US based processes do not align with International market needs or regulations Operational Risk Management External non-financial event that has broad, global impact and long-lasting consequences Risk of data compromise via internal and external intrusion Breakdown in operating procedures & employee responsibilities Loss of key talent & proprietary skills Platform infrastructure and stability Shifting staff support leads to operational error Service disruption caused by outsourcing relationship How Do We Portray Risk Sample Risks (Random Plotting) 1 3j Loss of building, together with key staff or technology infrastructure Catastrophic 12 1c Adverse changes in law and government affecting the company s business model Risk Consequence Major Moderate Minor a Loss of market share or revenue through competition or regulation 5b Introduction of competing products and technologies by other companies 5c Inability to attract and retain key employees 1b Failure to develop global management and information systems Insignificant Remote Unlikely Possible Likely Almost certain 7 8 4d Exposure to litigation related to the company s products/services 3h Deficient products/services provided resulting in loss of reputation Likelihood of Risk Occurrence Key 9 4a Inability to react to changes in overseas legal, economic, or regulatory environment Top Ten Risks Reputation Risks Operating Risks Produce Performance and Regulatory and Quality Risks Compliance Risks Growth and Strategic Risks 10 3i Increased pricing pressure from competitors and/or customers The Players 10

11 Risk Management Organizations What organizations should BCM aligned with to develop EWS Enterprise Wide Synergy Operational Risk Management (ORM) Physical, environmental, security, technology, financial, regulatory, compliance, political, terrorism, war Most closely aligned with BCM related risks Risk Management Organizations Enterprise Risk Management (ERM) Is similar to operational risk management (ORM) but also includes credit risk and market risk. ERM when combined with ORM is the highest level of risk management within the organization ERM and ORM may sometimes be combined under one organization Business Continuity Management Primarily focuses on the risk of an interruption of operations Risk Management Organizations ORM and ERM risks are broader than just interruption of operations Any risk that could disrupt strategic or operational plans 11

12 Risk Ownership & Accountability BCM, ERM and ORM programs make risk accountability highly visible and documented practices Risk management must consider diverse views of risk One manager s opportunity may be another manager s disaster What is not a risk to one group may well be a risk to others In Asia the characters representing the word for risk is also the word for opportunity Risk Ownership & Accountability BCM identifies dependencies on sets of business processes and the interruption consequences associated with those processes BIA identifies dependencies on what sets of technology, infrastructure and applications RA identifies likely threats, vulnerabilities, mitigation options, potential impacts ERM & ORM typically identify organizationally who within the enterprise owns specific sets of risks and has responsibility identify, evaluate and develop appropriate risk mitigation strategies Risk Awareness May Be Critical Case Study 1 Case Study 2 12

13 Risk Awareness Case Study 1 Dockworker Strike US ports locked down for ten days Container ships had to wait in open water for the strike to end Strike followed months of deteriorating relations between the union and Pacific Maritime Association Wal-Mart and Costco recognized the impending threat Took steps to ramp up imports prior to the shut down to minimize risk of being left without stock Increase Sensitivity to Risk Other companies could only wait for the lockdown to end before resuming transportation of their pre-christmas stock First organization to recognize an impending crisis will get: Best price on insurance First bite at alternative partners The best rates on additional facilities Warehousing or shipping Firms lower down the chain: Will have to pay more May find all alternative capacity has been consumed Lack of Awareness Delays Response Note: As time progresses, the information surrounding a given risk event may increase. But as it does, the options available for effective mitigation are bound to reduce. Risk mitigation as with risk itself involves degrees of uncertainty. Taking proactive mitigation policies implies operating under considerable uncertainty, with incomplete indicators. Source: Crisis and Risk Network, Swiss Federal Institute for Technology 13

14 Risk Awareness Case Study 2 In 2000, for example, a minor fire at a semiconductor manufacturing plant in New Mexico operated by Philips, the electronics company, led to very different outcomes for the factory s two main customers, Scandinavian handset manufacturers Nokia and Ericsson Philips initially told its customers that the factory would resume production within a week, but it greatly underestimated the scale of the disruption caused by smoke and debris to the sterile environment required for chip production. In the end, it took many months to restore the factory and resume production Case Study 2 - First in Line Nokia responded to the fire by immediately sourcing other supplies and put pressure on Philips to provide alternative sources of chips from other factories Ericsson, meanwhile, assumed that the fire was a minor technical glitch and waited for normal business to be resumed. By the time it realized the magnitude of the problem, it was too late The company was unable to find alternative supplies and production of its new generation of handsets was severely affected At the end of 2000, Ericsson posted a loss of US$2.34m, much of which could be attributed to the disruption in chip supplies caused by the New Mexico fire First in Line Nokia, meanwhile, went on to increase its share of the handset market from 27% to 30% in the six months that followed the incident The different responses of Nokia and Ericsson to what initially seemed a minor disruption illustrate an important point about the need for businesses to prepare effectively for a wide range of incidents 14

15 Collaboration Where do BCM practices fit into the ERM Picture? Enterprise & Operational Risk Management Analyses conducted by BCM BIA example: Provides impact information to complete the enterprise and operational risk management profiles Provides data to help create a risk profile with threat and impact data by country, city, location, function and line of business Insurance The analyses: Provides impact data by location to assist in a more focused allocation of coverage to high impact locations Can aggregate potential loss information from multiple lines of business by location 15

16 Corporate Security The analyses: Provides security information needed to create an impact profile for each major location Allows security to focus more attention and resources on the highest impact locations Real Estate The analyses: Provides numbers of staff required by critical process and timeframe for relocation if necessary Provides insight into number of seats within nearby company sites that may be made available until more permanent alternate facilities can be found Assuming less time sensitive staff can give up seats to more critical staff Applications The analyses: Associates applications with business processes and business process recovery time objectives Provides business process owners a better understanding of application dependencies Provides IT opportunities for flexible, phased and more cost effective recovery strategies and solutions 16

17 Information Security The analyses: Provides information needed to understand the consequences of shutting down servers, and web applications Risk Model Examples Risk Model Examples Monte Carlo Qualitative Model Semi-quantitative Model Mini Time-Series Model Fate Transport (Process/Health) Model Decision Tree Conversion Legal Model Comprehensive Risk Assessment 17

18 Monte Carlo Model Technique generally used to solve problems for which the definition of specific solution equations to calculate a specific answer is either too complex or too cumbersome to be practical Input array of data points, e.g. frequency, severity, scope, variations, etc. Output probability of occurrence under a broad array of circumstances Legal Model A model that calculates the net benefit of settlement vs. litigation was built to aid in legal decisions Input Net benefit of settlement Net cost of litigation Net cost of settlement Total cost of verdict Output Net benefit of settlement vs. litigation Environmental Health & Safety model Models built to calculate the total environmental, health and safety risk and cost associated with entry by the organization into various countries around the world Input Public perception Government approvals/permits Ecological/cultural parameters Health and safety considerations Evaluation of preexisting damage Output Risk values 18

19 Pipeline Route-Selection Model A comprehensive time-series model was constructed to help a consortium decide which of several routes would be selected to construct a pipeline for a major oil field. Inputs tariffs and other parameters from variables Political concerns Environmental problems Commercial considerations Financial parameters Technical considerations Taxes Output Routes prioritized and ranked Political Models Models constructed to evaluate other countries based on categories of variables. Input Political stability Foreign investment conditions Operating environment Transportation infrastructure Output Comparison of countries on a common scale Capital Project Ranking and Portfolio Mgmt Model calculates Profitability index (PI) Internal rate of return (IRR) Net present value (NPV) Other financial outputs Inputs Project safety and environmental aspects, cost estimates, incentives, discount rates, taxes, maintenance, insurance costs Output Projects are ranked and portfolio managed based on model output 19

20 Qualitative Model Most risk assessment model requires the integration of hard data from real world measurements or forecasts and soft data that are not expressed quantitatively. One approach (of many) to treating qualitative data is to rank-order the qualitative answers in increasing-risk order. New Product Model Research and development organizations generate products and processes, each of which has a commercial value Input Technical considerations Marketing aspects Financial/commercial facets Output Data to prioritize potential new products Fate/Transport Model Model constructed to calculate inhalation exposure. Exposure represented by the average daily does for non-carcinogens and the lifetime average daily dose for carcinogens Input Concentration of chemicals in the air Inhalation rate Bioavailability Exposure duration Exposure frequency Body weight Average lifetime Output Inhalation risk 20

21 Common Success Factors Companies that successfully continue or recover operations practice risk management against a specific risk the risk of disruption to operations They: Identify and assess the potential risks and impacts Validate and measure the necessary controls Take specific actions to mitigate or optimize the risks Prove mitigation and recovery solutions work Monitor the current state of action plans and Are aware and responsive to change Common Success Factors They have: Strong executive and financial commitment Integrated planning to align processes, impacts and risks Processes to protect critical operations Well planned communication strategies They are: Prepared to meet the needs of its clients and customers Regardless of whatever disruption may occur Program Effectiveness BCM, ERM and ORM require the same level of: Strong executive sponsorship Well defined process governance Integrated planning and Accountability, ongoing communications and sharing of information between the groups 21

22 Conclusion Business Continuity Management and other risk related programs such as Security, Information Security, Emergency Response, Crisis Management are all part of the larger Enterprise Risk Management Process Unfortunately many times there is no working relationship-it s a must to establish that relationship Many times the terminology is different even though each are talking about the same thing synchronize the terms The end benefit? -Together the whole is definitely greater than the sum of its parts COLE EMERSON MBCP CPP Director Firmwide Business Continuity KPMG LLP Mr. Emerson serves as the Director of Firmwide Business Continuity. He has direct responsibility or oversight over Emergency Response, Crisis Management, Business Continuity and Disaster Recovery for the United States. Cole has over 30 years of experience in developing and evaluating many aspects of enterprise risk management, including Business Continuity, Crisis Management, Disaster Recovery, Data and Vital Records Management and Project Risk Management for national and international businesses and governments. Background & Qualifications Mr. Emerson received a Bachelor of Science in Business Administration from the University of Redlands and his Master Business Continuity Professional (MBCP) certification one of less than 80 globally - from DRII. The American Society certifies Mr. Emerson for Industrial Security (ASIS) as a Board Certified Protection Professional. Prior to joining KPMG, Cole managed his own firm for 12 years, where he developed and implemented Business Continuity, Crisis Management, and Disaster Recovery programs for Fortune 500 companies. Mr. Emerson has extensive and unique experience utilizing business continuity plans and managing recovery teams in actual major disasters. Contact details chemerson@kpmg.com Office: Cell: