Enterprise Risk Management by Many Other Names is Still Enterprise Risk Management
David K. Whatley, UTH Advisors
April 15, 2008
UTH Advisors 2008
Introduction
- What is Enterprise Risk Management?
- Why don't more companies have ERM?
- What are Risks?
- What is the Risk Management Process?
- What is the ERM Process?
- What is Stealth ERM?
- How did we do ERM at Home Depot?
- What does Integrated Stealth ERM look like?
- Q & A
What Is ERM? COSO Definition
"A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
COSO, Enterprise Risk Management - Integrated Framework, 2004
Arthur Andersen Definition
"A structured and disciplined approach: it aligns strategy, processes, people, technology and knowledge with the purpose of evaluating and managing the uncertainties the enterprise faces as it creates value."
Arthur Andersen, 2000
My Definition
A process to coordinate identification and management of all risks facing an organization.
DKW, 2008
Why Don't We Have More ERM?
- Too complex
- Too many initiatives
- ROI hurdle
- Silos / turf war
- No value proposition
What Are Risks?
Risks are impediments to achieving business goals.
Two types of risk:
- Positive = Opportunity Risk
- Negative = Loss Risk
Classic Risk Management Process
- Identify risk
- Assess current risk state: probability, impact
- Risk map: current state
- Determine cost/impact/benefit of mitigation tools: avoid, transfer, balance, manage
- Risk map: residual risk / mitigated state
- Cost/benefit decision
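The steps above are arithmetic a risk register can carry out for every risk on the map. The following is an added worked example, not from the deck or from Home Depot: it scores inherent probability and impact, places each risk in a (probability band, impact band) map cell, prices each mitigation tool by the expected-loss reduction it buys net of its annual cost, and reports the residual state with a traffic light. All figures are constructed sample data, and the band edges, light thresholds and risk tolerance are assumptions, not values from the slides.

```python
"""Risk register arithmetic for the cycle on the slide: assess probability and
impact, place each risk on a map, price the mitigation tools (avoid, transfer,
balance, manage) and make the cost/benefit decision on the residual risk.
Added illustration with constructed figures; band and light thresholds are
assumptions, not values from the deck."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Treatment:
    name: str                    # avoid / transfer / balance / manage
    annual_cost: float           # yearly cost of operating the control
    residual_probability: float  # annual probability once the control is in place
    residual_impact: float       # loss per occurrence once the control is in place

@dataclass
class Risk:
    name: str
    probability: float  # annual probability of occurrence, 0..1
    impact: float       # loss per occurrence, currency units
    treatments: List[Treatment] = field(default_factory=list)

def expected_loss(probability: float, impact: float) -> float:
    """Annualised expected loss, rounded so register values compare cleanly."""
    return round(probability * impact, 2)

def map_cell(probability: float, impact: float) -> Tuple[str, str]:
    """Risk-map position as (probability band, impact band); edges are assumed."""
    p_band = "Low" if probability < 0.10 else "Medium" if probability < 0.50 else "High"
    i_band = "Low" if impact < 100_000 else "Medium" if impact < 1_000_000 else "High"
    return p_band, i_band

def best_treatment(risk: Risk) -> Optional[Treatment]:
    """Treatment with the largest net benefit (expected-loss reduction minus
    annual cost). None means no option pays for itself: manage (accept) as is."""
    inherent = expected_loss(risk.probability, risk.impact)
    best, best_net = None, 0.0
    for t in risk.treatments:
        net = inherent - expected_loss(t.residual_probability, t.residual_impact) - t.annual_cost
        if net > best_net:
            best, best_net = t, net
    return best

def traffic_light(residual: float, tolerance: float) -> str:
    """G within tolerance, Y up to twice tolerance, R beyond (thresholds assumed)."""
    return "G" if residual <= tolerance else "Y" if residual <= 2 * tolerance else "R"

def assess(risk: Risk, tolerance: float) -> Dict[str, object]:
    """One register row: inherent state, chosen tool, residual state, light."""
    chosen = best_treatment(risk)
    p, i = (risk.probability, risk.impact) if chosen is None else (
        chosen.residual_probability, chosen.residual_impact)
    residual = expected_loss(p, i)
    return {
        "risk": risk.name,
        "inherent": expected_loss(risk.probability, risk.impact),
        "map_before": map_cell(risk.probability, risk.impact),
        "treatment": None if chosen is None else chosen.name,
        "annual_cost": 0.0 if chosen is None else chosen.annual_cost,
        "residual": residual,
        "map_after": map_cell(p, i),
        "light": traffic_light(residual, tolerance),
    }

def review_register(risks: List[Risk], tolerance: float) -> List[Dict[str, object]]:
    """Assess every risk, worst residual exposure first, for the board report."""
    return sorted((assess(r, tolerance) for r in risks),
                  key=lambda row: row["residual"], reverse=True)

# Constructed sample register: hypothetical figures, not Home Depot data.
SAMPLE_RISKS = [
    Risk("Ransomware outage at a distribution center", 0.20, 2_000_000, [
        Treatment("Transfer: cyber insurance", 60_000, 0.20, 500_000),
        Treatment("Balance: segmented, tested backups", 120_000, 0.05, 400_000),
    ]),
    Risk("Customer slip-and-fall claims", 0.90, 30_000, [
        Treatment("Manage: store safety program", 40_000, 0.50, 30_000),
        Treatment("Transfer: general liability insurance", 10_000, 0.90, 5_000),
    ]),
    Risk("Regulatory fine on a product line", 0.30, 400_000, [
        Treatment("Avoid: exit the product line", 200_000, 0.0, 0.0),
    ]),
]
RISK_TOLERANCE = 50_000  # assumed annual expected loss the board accepts per risk

if __name__ == "__main__":
    for row in review_register(SAMPLE_RISKS, RISK_TOLERANCE):
        print(f"{row['light']} {row['risk']}: inherent {row['inherent']:,.0f} "
              f"{row['map_before']} -> {row['treatment'] or 'accept as is'} "
              f"-> residual {row['residual']:,.0f} {row['map_after']}")
```

Two things the sample data is built to show. The backup control wins over cyber insurance for the ransomware risk even though it costs twice as much, because the decision is on net benefit (loss reduction minus cost), not on price; and the regulatory risk ends up red with no treatment chosen, because the only tool on offer (exiting the line) costs more than the exposure it removes, which is exactly the case the board needs to see rather than have hidden behind a "mitigated" label.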
Enterprise Risk Management Process
- Risk identification and evaluation built into all business processes
- Assimilation of the results of risk management in each business:
  - Assure the risk management process is executed
  - Risk tolerance levels are appropriate and uniform
- Determine the consolidated risk of the enterprise
- Measure vs. the level approved by the Board of Directors
Goals of ERM
- Increase positive risk taking
- Reduce negative risk occurrence
- Improve the bottom line
Stealth ERM
Enterprise Risk Management by Many Other Names is Still Enterprise Risk Management
- Integrate risk considerations into all business processes
- Position ERM as process / management-process improvement that adds value by inserting risk awareness and considered risk decision making into all processes
- Changes culture by introducing an enterprise-wide view: better business planning, better decisions
Enterprise Risk Management Structure
- Board of Directors = oversees the process / sets the risk level
- Chief Executive Officer = Chief Risk Officer
- Senior Leadership Team = Risk Committee
- Business processes include risk assessments and consideration of risk in decisions, or are risk based
COSO Enterprise Risk Management: The ERM Components (COSO)
- Internal Environment: influences how strategies and goals are set, how activities are structured and how risks are identified, assessed and acted upon
- Objective Setting: creates a process for setting objectives, ensuring that those objectives are aligned with strategic goals and that those goals are consistent with risk appetite
- Event Identification: considers internal and external factors that might affect strategy and achievement of business objectives
- Risk Assessment: focuses on the likelihood and impact of potential events and their effects on objectives
- Risk Response: evaluates risks for possible responses and their effects
- Control Activities: ensures that risk responses are carried out efficiently via policies and procedures
- Information and Communication: involves the exchange of relevant data with internal and external parties so that they may identify, assess and respond appropriately to risk
- Monitoring: ensures that the components of ERM are applied at all levels
COSO ERM Components at The Home Depot (THD)
ERM Component | THD Activities | Activity Deliverable
- Internal Environment | Tone at the Top; Sarbanes-Oxley/404; Board of Directors (BOD) | Corporate Governance; Entity Level Assessment
- Objective Setting | SOAR; Liability Risk Analysis | Strategic Vision; Strategic Initiatives; Insurance Levels
- Event Identification | SOAR | Strategic Initiatives
- Risk Assessment | SOAR; Internal Audit | Strategic Initiatives; Internal Audit Plan
- Risk Response | SOAR; Internal Audit; Liability Risk Analysis | Strategic Initiatives; Internal Audit Plan; Insurance Levels
- Control Activities | Sarbanes-Oxley/404; Corporate Compliance | Attestation of financial reporting effectiveness; SOPs; Standard Reconciliation Process
- Information & Communication | Quarterly Executive Council (QEC); Weekly President's Call; SOAR | Strategic Initiative Issue Resolution; Management Report-Outs; Strategic Initiatives
- Monitoring | Quarterly Executive Council | Strategic Initiative Issue Resolution
The Home Depot's Risk Areas
THD Risk Area | Business Leader / Oversight
- Asset Management | EVP Bus. Development/Corp. Operations / REEC
- Customer Service | EVP HD Stores / Store Manager Council
- Legal | EVP Secretary/General Counsel / Compliance Council
- Human Resources | EVP - HR / Leadership Development, Compensation Committee
- Finance/Accounting | EVP - CFO / Audit Committee
- Brand and Image | EVP Merchandising/Marketing / Branding Committee
- Merchandising | EVP Merchandising/Marketing / Innovative Council
- Growth | EVP Bus. Development/Corp. Operations / Growth Steering Comm.
- Information Technology | EVP IT/CIO / IT Advisory Council
- Supply Chain | EVP Merchandising/Marketing / Supply Chain Council
- External Factors | CEO / BOD, QEC
Risk Identification and Assessment Processes
- Corporate Compliance Program
- Internal Audit Program
- Risk Management Information Systems: safety data; claims cost data
- Security Assessments: Loss Prevention (product-containing facilities); Corporate Security (offices/events/executives)
- IT Business Risk Assessments: systems recovery priorities
- SOAR: strategic risks
- HR Risks
- Safety Programs: safety audits; safety investigations
Home Depot Compliance Program
The Home Depot Compliance Program is based upon the three-fold approach of (1) prevent, (2) detect and (3) respond to potential issues. These three components form a closed-loop cycle that reinforces compliant conduct throughout the Company.
Compliance Structure
- A Compliance Policy and Guidelines are maintained for each identified risk area of the Company's business
- Compliance Assurance Mechanisms are included in the SOPs that establish processes for Company conduct
- Training educates and informs targeted associates about the Company's Compliance Policies and related SOPs
Compliance Reviews
- Quarterly Reviews: select policies or functional areas are reviewed quarterly
- Annual Compliance Reviews: week-long enterprise-wide policy and functional area review with all Divisions, Subsidiaries and International Businesses
Compliance Review Components
- Laws/SOP Update: new external standards; new internal standards
- Risk Change Assessment
- Risk Monitoring
- Process Improvement Progress
- Incident Update: major incidents are reported, with the investigation details and resolutions
- Other Updates: government investigations; training proposals; budget/resource allocations
Risk-Based Compliance Monitoring
2007 Compliance Monitoring Plan, Company, Inc.: Safety Dept., 3rd Quarter

RISK           METRIC           RISK LEVEL   BENCHMARK   Q1   Q2   Q3   Q4   YTD   TRAFFIC LIGHT
Sample Risk 1  # of Incidents   Low          0           0    0    0         0     G
Sample Risk 2  # of Violations  Low          0           0    0    0         0     G

Compliance Metrics: traffic lights provide an efficient way of quickly determining the status of each individual risk.
Compliance Process Improvement
2007 Compliance Process Improvement Plan, Company, Inc.: Safety Dept., Process Improvements, 3rd Quarter

PROCESS IMPROVEMENT      ACTION STEP   COMPLETION DATE   STATUS   TRAFFIC LIGHT
Process Improvement #1                                            G
Process Improvement #2                                            G

Process Improvements: any processes/procedures being developed and implemented to improve current operations and mitigate risks.
SOAR Includes Risk Discussions: Align SOAR with Strategic Vision
- Enhance Core: Customer Satisfaction; Differentiated and Innovative Merchandise at Great Value; Store Readiness; Information Technology
- Extend Business: New Stores; New Formats; Home Depot Services; Home Depot Direct; Home Depot Supply (MRO, Builder, Professional Supply)
- Expand Market: Canada; Mexico; China
- Growth levers: Voice of Customer; Conversion; Store Productivity; New Locations; New Service Categories; New Channels; New Businesses; New Platforms; New Geographies
SOAR Strategic Planning Entities
- Departments: #21, #22, #23, #24 & #59, #25, #26, #27E, #27L, #28, #29, #30
- Store Formats
- Other Businesses: AHS; HD Supply / ITB; PRO / Tool Rental; Canada; Direct / ebusiness; Operations / Stores (Supply Chain); IT; Credit
- Functions / Operating Plans: Marketing / Store Merchandising; Human Resources; Legal; Finance; Real Estate / Construction; Merchandising / Divisions
Proposed SOAR Calendar (February through December)
Two tracks: Strategic Planning (SOAR I) and Operating Plan (SOAR II).
Key meetings and events shown on the calendar: set strategic guidance/metrics; ELT Game Changers; SOAR I Kick-off; Process Teams designated; targets & guidance set for teams; SOAR current-year Initiative update; Progress Reviews; SOAR I Strategy Reviews; SOAR I Decisions; off-site to finalize plans; Strategic Planning final plans due; SOAR II Kick-off; Space Planning prework; interdepartmental reviews; Merchandising & Divisional working sessions; SOAR II Operating Reviews; Divisional Reviews; Capital & G&A Decisions; 06 Plan locked; Executive Team SOAR activity.
ERM Is Culture, Not Process
- ERM processes are just another set of controls unless you get cultural change (ENRON!)
- Efficient vs. Effective: Efficient = doing things right; Effective = doing the right things efficiently
- A culture of effectiveness will improve achievement of business goals
- ERM supports/drives this culture
- This is ERM's value proposition
Q & A
David K. Whatley, UTH Advisors
404-217-5720
dkw02@bellsouth.net
2008 Enterprise Risk Management Symposium
Practical Implementation Issues
Grover Edie
Implementing Enterprise Risk Management at an Insurance Subsidiary of a Financial Services Organization
From the Session Description
- As a firm begins to implement an ERM program, how can it prevent the firm's internal inertia from killing the program in the cradle?
- Why implement ERM? What is the purpose, the vision, the payback?
Before You Start
- Your approach to ERM needs to match your organization's style
- The approach also needs to reflect what the organization knows about the elements of risk management
- You will likely have to learn a lot, and educate others along the way
Tracks of Action at the Subsidiary
- Following the ERM lead set by the Parent
- Establish a subsidiary ERM Committee
- Establish subsidiary policies for Operations Risk, Credit Risk, etc.
- Establish a Risk Adjusted Return on Assets
- Develop an education plan
- Begin an evaluation of risks as they relate to an insurance organization
ERM²: Enterprise Risk Management = Everyone a Risk Manager
A Company's Risk/Return by Operation
[Chart: operations A through F plotted with increasing risk of venture on the horizontal axis and increasing rate of return on the vertical axis; reference lines mark the risk-free return, the maximum return and the risk threshold.]
S A G E
- Survival of the organization
- Accomplish the organization's goals: maintain operations; generate an appropriate profit
- Grow: organic growth
- Expand: new products, markets, territories beyond organic growth, including acquisitions
Survival of the Organization
- Proper reinsurance (or insurance)
- Licensing issues
- Adequate capital
- Proper governance (Sarbanes-Oxley, SEC, etc.)
- Business continuity, resumption, etc.
- Data backup, systems resumption, etc.
- Etc., etc.
Considerations in Determining What to Address
- Likelihood of the adverse event
- Cost of the adverse event
- Is someone already handling the risk?
- Cost and effort needed to mitigate the risk
- How soon would the adverse event happen, if it did?
- What is management's appetite for risk?
Additional Considerations
- Leverage what the Parent has already done
- Get Subsidiary ERM activities to an acceptable level according to the Parent's ERM standards
- Develop insurance-company-specific standards for the Subsidiary
Insurance Subsidiary of a Financial Services Company
- The Parent company chooses the style
- The style meets its needs, but might not best meet yours in some cases
- Generic risks seem to work fine: they do the work, you just ride along with adjustments
- Risks specific to insurance companies might pose a problem
Insurance Subsidiary of a Financial Services Company: Issues
- Insurance fraud is not the same as (internal) employee fraud
- Losses are our business, not unexpected events
- Reinsurance is an integral part of our operations
- Credit risk: reinsurance counterparty risk
- Market risk: asset/liability matching
- Balance sheet reserves: significant risk
Enterprise Risks
Parent ERM Risks:
- Credit
- Market
- Operations
- Human Resources
- Information Technology
- Legal / Regulatory
- Business Continuity / Disaster Recovery
- Reputation
Insurance-Company-Specific Risks:
- Credit: counterparty (reinsurers)
- Market: asset/liability matching
- Underwriting
- Catastrophic event
- Geographic concentration
- Loss reserving
- Unearned premium reserving
- External fraud: insureds / providers
- Regulatory actions
Example Survey Questions
- Internal Management Risk Assessment Survey: "Is there a management oversight process in place to evaluate the effectiveness of controls over financial reporting, including clearly defined management accountability, and is it consistent with regulatory requirements (e.g. Sarbanes-Oxley, FDICIA)?"
- AM Best Supplemental Rating Questionnaire: "For insureds that purchased commercial property coverages, what percentage of those insureds purchased terrorism protection for the property coverages, either as a separate endorsement or already included in the policy?"
- Annual Statement Interrogatories: "Does the reporting entity have established procedures for disclosure to its Board of Directors or trustees of any material interest or affiliation on the part of any of its officers, directors, trustees, or responsible employees that is in conflict or is likely to conflict with the official duties of such person?"
Conclusions