Leveraging an organization's current risk management to create a sustainable ERM program
Thursday, January 15, 2015
Augustine Doe
Ron Marx
Agenda
1. Cover page
2. Agenda
3. Potential risks airports experience
4. Benefits organizations with ERM experience
5. Best practices for transitioning from traditional risk management to ERM
6. Leverage the airport's existing risk management
7. How to create a sustainable ERM program for an airport
8. How Outsource Risk Management ERM approach compares to others
9. Distill the many risks to arrive at top-tier enterprise-wide risks
10. How to report top-tier enterprise-wide risks
11. Map top-tier enterprise-wide risks on risk heat map to prioritize risk treatment
12. Generate risk register to track ongoing risk management and monitoring
13. Create risk dashboards to monitor risk management's performance
14. Establish risk tolerance policy to convey acceptable risk thresholds
15. Draft formal risk appetite statement to communicate the airport's risk strategy
16. Questions
17. Contact information
Potential risks airports experience
Benefits organizations with ERM experience
Do organizations with mature risk management practices outperform their peers financially? An Ernst & Young study suggests YES: mature risk management drives financial results.
Findings: companies with more mature risk management practices generated the highest growth in revenue, EBITDA and EBITDA/EV.
[Chart: compound annual growth rates 2004-11* by risk maturity level (Top 20%, Middle 60%, Bottom 20%) for Revenue, EBITDA and EBITDA/EV; the values shown are 20.3%, 16.8%, 10.6%, 9.5%, 8.3%, 7.4%, 4.1%, 2.5% and 2.1%.]
* 2011 YTD reported as of 18 November 2011.
Source: Ernst & Young, Turning risks into results (2013).
Best practices for transitioning from traditional risk management to ERM
- Senior management must set the tone for implementing ERM; you may have to educate them about ERM
- Leverage the organization's existing risk management and don't reinvent the wheel
- Understand organization culture; align incentives to behaviors
- Do not try to do too much at once; implement ERM in reasonable phases
- Must measure risk in order to effectively manage and monitor it
Phases: Phase 1 Identify Risks (12-18 weeks); Phase 2 Assess Risks (13-19 weeks); Phase 3 Monitoring/Reporting (12-18 weeks)
Leverage the airport's existing risk management
Where you are not the leader of the risk management team, advocate for ERM and work with other business departments to create the ERM program.
- You have overall knowledge of the organization
- You are the repository for exposure information and loss data
- Gain knowledge of your business continuity, emergency response and disaster recovery
- You have the ability to prioritize risk based on probability and impact
- You have the contacts throughout the organization
Leverage your risk management knowledge and experience to move ERM forward.
How to create a sustainable ERM program for an airport

Potential airport risks (word cloud): Environmental non-compliance, Off-airport parking, Debt management, Passenger handling, Employee skill set, Industrial action, Competition, Airlines/operators withdrawing, FAA changes, Decline in air travel, Fuel handling, Maturing workforce, Aging infrastructure, Fraud/ethics, Airfield operations, Economic downturn, Ground operations, Employee recruitment, Negative publicity, Passenger terminal, Retention of key licensed personnel, Airline service degradation, Obtaining planning consents, Regulatory changes, Fuel price volatility, Investment, Occupational health and safety, Business continuity planning, Data privacy/loss, Lean workforce, Airline demands, Revenue, Terrorism and fire/explosion, Data protection, Employee screenings, Airport security, Outsourcing strategy, Capital funding, Negative impact to reputation, Systems failure, Pandemic, Knowledge transfer, Contracting process, SOX and OSHA regulations, Cost containment and budgeting, Environmental, Construction of new terminal or facilities, Land for future aeronautical needs, Workplace injuries, Adverse weather and natural catastrophe, Employment laws and regulations, Rehabilitation of runway/apron, Financial reserves, Absenteeism, Business diversity.

Potential airport risks: sample categories: Financial Risk, Human Risk, Operational Risk, Strategic Risk, Technology Risks, Regulatory and Safety and Hazard Risks.

Tools
- Risk Assessment: leverage an organization's existing risk management and enterprise business objectives or goals to conduct an enterprise risk assessment that identifies and measures the organization's enterprise risks.
- Risk Governance: build an organization's risk committee (including drafting the risk committee's charter) or leverage the organization's existing risk governance structure.

Top-tier enterprise-wide risks (highlights: Ranking of Risk, Name of Risk, Description of Risk, Probability of Risk, Financial Impact of Risk, Operational Impact of Risk)
- Consolidate the identified enterprise risks into enterprise-wide risks
- Use the probability and financial and operational impacts of each enterprise-wide risk to prioritize the risks and distill the prioritized enterprise-wide risks to material enterprise-wide risks
- Work with the risk committee to document the key elements of each material enterprise-wide risk and populate these elements in the corporate risk register
- Work with the risk committee to design a risk appetite statement and draft a risk tolerance policy

Risk heat map (Probability of Risk against Financial Impact of Risk, each axis LOW to HIGH on a 0.0 to 5.5 scale; plotted risks: F1, H1, F2, IT1, C1, HC1, HC2, F3, H2, O1)
- Map material enterprise-wide risks on a corporate risk heat map
- Stress test material enterprise-wide risks, develop business continuity plans to manage material enterprise-wide risks and revise the corporate risk register with new enterprise-wide risk insights
- Develop risk dashboards for specific material enterprise-wide risks
- Generate a Value-at-Risk (VaR) report to quantify the impact of a specific loss event on a key performance indicator

Risk register (highlights: Types of Risk, Description of Risk, Key Drivers of Risk, Probability of Risk, Financial Impact of Risk, Risk Owner, How Risk is Currently Managed, How Risk is Currently Monitored)
- Populate material enterprise-wide risks in a corporate risk register
- Upload risk governance reports into a risk reporting and management information system (RMIS) for the business units

Risk appetite statement and risk tolerance policy (highlights: Acceptable Risks, Undesirable Risks, Minimum Limits, Maximum Limits, Monitoring Metrics)

Sample risk dashboard: Liquidity Risk. Increasing bad debts and aging receivables continue to impair our ability to generate enough liquidity to defray ongoing policyholder liabilities. Owner: Mr. X. Current mitigation responses: review contract with Customer Y (largest aging receivable); sell receivable to third party at a discount. Overall risk magnitude: High. Degree of control: Medium. Management strategy: Monitor / Mitigate.

Sample VaR report: 20% probability of a 30% or greater decline in underwriting profits (distribution marked at -70%, -30%, +25% (Mean) and +50%).
How the OutsourceRM ERM approach compares to others

OutsourceRM approach
1. Identify, measure and determine material enterprise-wide risks that potentially impact an organization's strategy, goals and initiatives ("material to strategic direction" approach). Distill material risks to those that impact the key drivers of the organization's business.
2. Apply an in-house ("actionable") perspective to create the performance measurement tools that senior leadership and members of the board would use to effectively manage and monitor enterprise-wide risks.
3. Generate key performance indicators (KPIs), key risk indicators (KRIs), acceptable thresholds and corrective actions for each material enterprise-wide risk to communicate at a high level how material risks that impact an organization's key business drivers are being managed.

Other approaches
1. Identify and measure all risks that potentially impact an organization and its business units ("boil the ocean" approach). Provide an inventory of risks that are endemic to an organization's industry.
2. Develop risk management and monitoring tools from a consultant's viewpoint.
3. Generate KPIs, KRIs and acceptable thresholds for all risks, thereby muddying senior management's ERM focus and making ERM overwhelming.
Distill the many risks to arrive at top-tier enterprise-wide risks
1. Leverage the organization's business information (including goals, strategies, initiatives, etc.) and risk management to create an enterprise risk assessment (ERA) questionnaire
2. Use the ERA questionnaire to conduct the ERA interviews
3. Consolidate risks
4. Determine enterprise-wide risks based on enterprise weights
5. Prioritize enterprise-wide risks based on probability and impact
6. Arrive at top-tier enterprise-wide risks
Company XYZ's top-tier enterprise-wide risks (ranking; description of risk; probability; financial impact; operational impact)

1. Inability to consistently manage debt may negatively impact our liquidity and prevent us from completing runway rehabilitation. Probability 5; financial impact 5. Operational impact: borrow money to pay operating expenses at higher interest rate; unable to complete runway rehabilitation.
2. Threat of and actual terrorism may significantly reduce air travel and impact landing fee revenues. Probability 4; financial impact 5. Operational impact: decline in revenue; inability to effectively manage debt.
3. Where we are unable to contain costs within budget we may not be able to acquire land for future aeronautical needs. Probability 4; financial impact 4. Operational impact: increase debt; inability to expand aeronautical operations.
4. Data loss may expose us to privacy breaches which may negatively impact our reputation. Probability 4; financial impact 3. Operational impact: airlines/operators withdrawing; decline in the number of flights that land.
5. Inability to consistently comply with FAA changes may result in non-compliant operations. Probability 3; financial impact 4. Operational impact: increase costs resulting from fines and stipulations; reduce landing fee revenues.
6. Where we are unable to consistently execute our people strategy we would continue to experience high turnover and poor ground operations. Probability 3; financial impact 3. Operational impact: increased operating expenses due to use of expensive temporary staff; poor handling of travelers and therefore low customer satisfaction score.
7. Increased workplace injuries may hurt our reputation and prevent us from hiring quality staff. Probability 3; financial impact 2. Operational impact: rise in operating expenses; employee absenteeism.
8. 70 percent of our landing fees come from Delta airlines and in the event Delta experiences reputational incidents that reduce its passengers and flights we may experience a significant decline in our revenues. Probability 2; financial impact 2. Operational impact: significant reduction in revenue; inability to meet debt obligations.
9. Adverse weather and earth movement may impact airline traffic volume and decrease our revenues. Probability 2; financial impact 1. Operational impact: increase operating costs; reduce targeted revenues.
10. Where we are unable to replace our aging infrastructure we may experience severe accidents. Probability 1; financial impact 1. Operational impact: increase in severity and frequency of insurance claims.
Risk heat map: sample

Axes: Probability of Risk (vertical, LOW to HIGH, 0.0 to 5.5) against Financial Impact (horizontal, LOW to HIGH, 0.0 to 5.5). Risks plotted by probability row: near 5.0: H1, F1; near 4.0: IT1, F2; near 3.0: HC2, HC1, C1; near 2.0: H2, F3; near 1.0: O1.

Very High Risk
- F1: Inability to consistently manage debt may negatively impact our liquidity and prevent us from completing runway rehabilitation
- H1: Threat of and actual terrorism may significantly reduce air travel and impact landing fee revenues
High Risk
- F2: Where we are unable to contain costs within budget we may not be able to acquire land for future aeronautical needs
- IT1: Data loss may expose us to privacy breaches which may negatively impact our reputation
- C1: Inability to consistently comply with FAA changes may result in non-compliant operations
- HC1: Where we are unable to consistently execute our people strategy we would continue to experience high turnover and poor ground operations
Moderate Risk
- HC2: Increased workplace injuries may hurt our reputation and prevent us from hiring quality staff
Low Moderate Risk
- F3: 70 percent of our landing fees come from Delta airlines and in the event Delta experiences reputational incidents that reduce its passengers and flights we may experience a significant decline in our revenues
- H2: Adverse weather and earth movement may impact airline traffic volume and decrease our revenues
Low Risk
- O1: Where we are unable to replace our aging infrastructure we may experience severe accidents

Probability/Financial Impact Key (number; meaning of probability; probability in percentages; range of financial capacity)
1: Low; < 5%; $0 - $7,000,000
2: Low to Moderate; 5% to 15%; $7,000,000 - $12,000,000
3: Moderate; 15% to 30%; $12,000,000 - $20,000,000
4: Moderate to High; 30% to 50%; $20,000,000 - $40,000,000
5: High; > 50%; Over $40,000,000
Generate risk register to track ongoing risk management and monitoring
Snapshot of the key aspects of the information technology (IT1) risk in the risk register:
- Risk Name: Data loss/privacy
- Description of Risk: Data loss may expose us to privacy breaches which may negatively impact our reputation
- Risk Owner(s): Chief Technology Officer (First name, Last name)
- Key Drivers of Risk: Vendor security; Employee security practices; Hackers
- Probability of Risk: 4 (Moderate to High: 35% to 50% chance of occurring)
- Potential Financial Impact of Risk: 3 ($12 million to $20 million)
- Potential Operational Impact of Risk: Airlines/operators withdrawing; Decline in the number of flights that land
- Key Performance Indicators (KPIs): Number of vendors reviewed for data security compliance by IT per month; Number of unsuccessful hacking attempts per month
- Key Risk Indicators (KRIs): Number of hacking threats per month; Number of successful threats per month; Number of employee non-compliance with IT security practices per month
- Risk Control/Mitigating Measures: IT Security Policy; Vendor IT security SLAs; Firewalls; Data encryption
- Actions Required: Implement IT security management and controls by February XX, 20XX; Implement software that monitors emails real time by March XX, 20XX
Risk dashboard: samples
Status legend: Acceptable Level; Concern Level; Unacceptable Level.

Decreasing RBC
Subsidiary results, losses and cost overruns continue to negatively impact our RBC (RBC = TAC / ACL RBC). Owner: Head of Finance.
Current value 460%; policy minimum 400%; policy maximum 530%.
Actions required and corrective actions, with updates:
- Head of Finance to develop policies and procedures for Finance sign-off on new initiatives that require an investment of over $200,000. Update: on July 9, 2014, policies and procedures for Finance sign-off were completed and discussed with New Business Development.
- Board and Management to revisit corporate governance of subsidiary operations to provide appropriate oversight and controls.
- Head of Finance to develop reports that track intercompany balances and budget variances. Update: reports that track intercompany balances are expected to be completed by July 10, 2014.

Brand-Making and Reputational Risk
Experience reputational incidents that tarnish our brand image (health of brand = Customer Satisfaction (CSAT) score). Owner: Head of Communications.
Current value 99.6%; policy minimum 95%; policy maximum 100%.
Actions required and corrective actions, with updates:
- Work with Head of HR to refine the Employee Expense Reimbursement approval process and Terms of Employment policy. Update: on June 27, 2014, completed refining the expense reimbursement approval process.
- Continue to monitor brand image real time using Street Smart Research. Update: conduct Street Smart Research in July 2015.
- Develop and implement transparent communication messaging that conveys to the public how the company is managing reputational incidents.
Risk tolerance policy: sample (description of risk; key risk/performance indicator (KRI/KPI); minimum threshold; maximum threshold; risk owner)
1. Underwriting health insurance in post-ACA market; quarterly loss ratio; 75%; 90%; Head of Actuary
2. Data loss and privacy breaches; total number of successful hacking attempts per month; 35; 60; Head of IT
3. Brand-making and reputational incidents; customer satisfaction (CSAT) score; 95%; 100%; Head of Communications
4. Decreasing RBC; quarterly ratio (%) of TAC / ACL RBC; 400%; 530%; Head of Finance
5. Comprehensive people strategy; monthly employee turnover (voluntary); 10%; 25%; Head of Human Resources
6. IT unable to support operations; monthly systems uptime; 200 hours; 350 hours; Head of IT
7. Inability to accomplish risk-based audit; total monthly hours available to audit; 600 hours; 750 hours; Head of Audit and/or Risk Management
8. Regulatory non-compliance; number of regulatory warnings; 10; 20; Head of Legal or Risk Management
9. Subsidiary cost overruns; subsidiary budget variance; $200,000; $400,000; Head of Finance
10. Substantial increase in Workers Compensation reserves; percentage change in WC reserves; 3% monthly; 8% monthly; Head of Audit and/or Risk Management
11. Declining investment portfolio; monthly change in value of portfolio; 3% monthly; 7% monthly; Head of Finance
12. Decreasing COBRA benefits; percentage change in COBRA benefits administered; 5% monthly; 8% monthly; Head of Business Unit
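The heat map key, the Company XYZ ranking and the tolerance policy thresholds above can be turned into a small scoring and monitoring routine. The following Python is an added example, not code from the deck or from OutsourceRM: the probability and financial-capacity keys and the sample scores are the slides' own, while the banding rule, the ranking tie-break and the assumed direction of each KRI (higher is better for RBC and CSAT, lower is better for successful hacking attempts) are assumptions chosen so that the output reproduces the sample slides.

```python
# Heat-map banding and tolerance-policy status checks for enterprise-wide risks.
# Scoring keys come from the deck's heat-map slide; the banding rule, the ranking
# tie-break and each KRI's direction are assumptions chosen to reproduce the
# sample slides, not OutsourceRM's published method.
from dataclasses import dataclass

# Financial capacity key from the heat-map slide: score -> upper bound of the
# loss range in dollars (None = open-ended, i.e. over $40,000,000).
FINANCIAL_KEY = {1: 7_000_000, 2: 12_000_000, 3: 20_000_000, 4: 40_000_000, 5: None}


def financial_score(loss_usd: float) -> int:
    """Map an estimated loss in dollars onto the slide's 1-5 financial impact scale."""
    if loss_usd < 0:
        raise ValueError("loss must be non-negative")
    return next(s for s, upper in FINANCIAL_KEY.items() if upper is None or loss_usd <= upper)


def heat_band(probability: int, impact: int) -> str:
    """Assumed banding on probability x impact that reproduces the sample map:
    F1 (5,5) and H1 (4,5) very high; F2, IT1, C1, HC1 high; HC2 (3,2) moderate;
    F3 (2,2) and H2 (2,1) low to moderate; O1 (1,1) low."""
    if not (1 <= probability <= 5 and 1 <= impact <= 5):
        raise ValueError("scores must be on the 1-5 scale")
    exposure = probability * impact
    if exposure >= 20:
        return "Very High Risk"
    if exposure >= 9:
        return "High Risk"
    if exposure >= 5:
        return "Moderate Risk"
    return "Low Moderate Risk" if exposure >= 2 else "Low Risk"


def rank_risks(risks: dict) -> list:
    """Order {id: (probability, impact)} by exposure, ties broken on probability,
    which reproduces the Company XYZ ranking (IT1 (4,3) ahead of C1 (3,4))."""
    return sorted(risks, key=lambda r: (risks[r][0] * risks[r][1], risks[r][0]), reverse=True)


@dataclass
class Tolerance:
    """One row of the risk tolerance policy: a KRI with policy minimum and maximum."""
    kri: str
    minimum: float
    maximum: float
    higher_is_better: bool  # assumed direction: RBC/CSAT rise with health, hacks fall

    def status(self, value: float) -> str:
        """Dashboard status under assumed semantics: for a higher-is-better KRI the
        band is the acceptable zone; for a lower-is-better KRI it is the concern zone."""
        if self.higher_is_better:
            if value < self.minimum:
                return "Unacceptable Level"
            return "Acceptable Level" if value <= self.maximum else "Concern Level"
        if value <= self.minimum:
            return "Acceptable Level"
        return "Concern Level" if value <= self.maximum else "Unacceptable Level"


# Sample data copied from the deck's top-tier risk and tolerance policy slides.
COMPANY_XYZ = {"F1": (5, 5), "H1": (4, 5), "F2": (4, 4), "IT1": (4, 3), "C1": (3, 4),
               "HC1": (3, 3), "HC2": (3, 2), "F3": (2, 2), "H2": (2, 1), "O1": (1, 1)}
HACKING_KRI = Tolerance("Successful hacking attempts per month", 35, 60, False)
RBC_KRI = Tolerance("Quarterly TAC / ACL RBC (%)", 400, 530, True)
```

Running `rank_risks(COMPANY_XYZ)` returns the ten risk ids in the slide's ranking order, and `RBC_KRI.status(460)` returns the acceptable status the dashboard shows for the 460% current value.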
Formal risk appetite statement: sample

This Formal Risk Appetite Statement is drafted solely for the purpose of providing Company XYZ, its subsidiaries and affiliates guidance on how to manage enterprise-wide risks. No statements made herein bind Company XYZ, its subsidiaries and affiliates to any contemplated contracts or agreements. Company XYZ, its subsidiaries and affiliates reserve the right to change any statements made herein with or without notice to any third parties.

Guiding statement: Company XYZ is an insurance company that exists for the benefit of its policyholders. We protect our brand, maintain adequate capital, run sustainable subsidiary and affiliate operations, carry out core operations and leverage our market share to ensure we return value to our policyholders.

Risk elements and our assertions
- Brand-making and reputation. Brand protection and enhancements: We strive to proactively avoid any situation or action that has the potential to unnecessarily impair our brand and reputation. This involves ensuring our employees, business partners and policyholders are committed to our values and that their actions and behaviors reflect these values. We believe this is what would allow us to take appropriate actions to preserve the strength of our brand and reputation in the areas of corporate compliance, customer privacy, corporate information security, governance and positive public image.
- Capital adequacy. Risk-based capital: We will strive to grow to an RBC level appropriate to the risk of our core operations to ensure our sustainability in our market. (1) Controlled subsidiaries: Controlled subsidiaries are expected to manage their businesses and operations with the best interest of the shareholder and other appropriate stakeholders in mind. This expectation includes analysis and understanding of the risks associated with business initiatives to be undertaken by the controlled subsidiary. Further, controlled subsidiaries should comply with defined agreements (e.g. inter-company agreements, dividend policies, etc.) and governance processes as established with their shareholder. (2) External portfolio risk: Must contemplate the risk profile of our controlled subsidiaries, the risk profile of our core business and Company XYZ's capital position.
- Contribution to surplus. Income/earnings: In order to remain viable in our market, we target an annual operating margin of 5% across all core operations. Product segments (both core and non-core) are expected to have a positive contribution to RBC.
- Network provider penetration. Provider reimbursements: We will maintain adequate market share to provide the best value to our policyholders. We target no less than 50% of aggregate California health care providers' private payer revenue.
- Operational risk parameters. Contract management and bid and proposal review: No projects or bids will be pursued without appropriate review and analysis based on defined governance processes, which should include an assessment of material risks and financial impact.
- Human resources risk parameters. Human capital: We will ensure Company XYZ has identified key talent and leadership to develop new leaders through defined succession plans and development. We will maintain the resources and tools to attract, develop and retain the employees necessary to fulfill our mission.

Additional support: Vision and Mission Statements; Employee Expenses Reimbursement Policies; Employment Policies; Investment Policy; Intercompany Agreements and Dividend Policies with Subsidiaries; Human Resources Policies.
Questions
Contact information
Augustine Doe, OutsourceRM, adoe@outsourcerm.com, (949) 466-6968
Ron Marx, Marsh, Ron.Marx@marsh.com, (858) 552-3710