ERM-Application Week 7-8


Enterprise Risk Management

ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress.

By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.

[ERM Framework cycle diagram: Risk Identification, Risk Assessment, Risk Analysis, Implementation, Monitoring, Evaluation]
Difference Between GRC & ERM

Governance Risk and Compliance (GRC): Embraces compliance as a separate activity for each business silo.

Enterprise Risk Management (ERM): Is concerned with delivering measurable business value by tying front line operational activities to goals across all business units.
Burden of Compliance Suppresses Risk Taking Activities

• Many organizations believe that they must continue to eliminate risk through compliance.
• Risk has not been eradicated by regulation; instead it has been driven underground.
• Risk taking activities are not bad if an organization has established its risk appetite and risk tolerance levels and has the proper risk controls in place.
Risk Appetite and Risk Tolerance

• Risk Appetite is the manner in which an organization and its stakeholders collectively perceive, assess and treat risk.
• Risk Tolerance requires a company to consider in quantitative terms exactly how much of its capital it is prepared to put at risk.
ERM Is Used for Risk Optimization

• Considering both the upside and downside outcomes of risk taking activities.
• When threats and opportunities are better understood, risk taking is optimized and managers, in turn, will make more informed business decisions.
• Improved decision making enables an organization to quickly meet emerging marketplace challenges.
Six Step Approach to ERM

1. Risk Identification
2. Risk Assessment
3. Risk Analysis
4. Implementation
5. Monitoring
6. Evaluation
1. Risk Identification

• The process of taking inventory of all risks in an organization and defining the potential risk event, the causes of that risk event, and the potential outcome if that risk event were to occur.
• Focus not only on hazard or operational risks, but also strategic, financial, reputational, compliance, environmental, human capital and technology, market, and supply chain risks.
Scope of Risk Identification

Define where the source of a potential risk event is coming from: inside or outside the organization. Establishing risk categories helps to identify the sources of a risk event.

Risk Categories: Strategic, Operational, Financial, Other
Strategic Risk Categories

Strategic Risks: Innovation Risk, Customer Risk, R&D Risk, Supply Chain Risk, Market Risk, Partnering Risk, Investor Risk, Planning Risk, Brand Risk
Operational Risk Categories

Operational Risks: Financial Reporting Risk, Governance Risk, Regulatory and Legal Risk, Fraud Risk, Sustainability Risk, Emerging Risk, Communication Risk, Technology Risk, Human Capital Risk, Hazard Risk
Financial Risk Categories

Financial Risks: Financial Market Risk, Valuation Risk, Credit Risk, Hedging Risk, Liquidity Risk, Inflation Risk, Interest Risk, Foreign Investment Risk, Asset Risk
Other Risk Categories

Other Risks: Reputational Risk, Investment Risk, Environmental Risk, Project Risk, Third Party Risk, Economic Risk
Identify Subcategories

Hazard Risk: Safety risk of increased slips, trips and falls accidents occurring in the organization.
Operational Risk: Human capital risk that 25% of the workforce is eligible for retirement in the next 5 years.
Financial Risk: Credit risk that 35% of commercial loans will default in the third quarter.
Strategic Risk: Sole supplier of a raw material has been acquired by a competitor.
Existing & Emerging Risk

Look not only at existing risks, but also the emerging risks to the organization.
• What new business processes have been added to the organization?
• What changes have been made in the organizational chart?
• What are some external risks that could impact the organization, like economic, environmental, societal, geopolitical, and technological?
Know Where You Stand

• Meet with senior management to define the strategic goals of your organization.
• Review the mission and vision statements of the organization.
• Define the expectations of internal and external stakeholders.
Don’t Be Conflicted

GlaxoSmithKline – A study in conflicting strategic goals

One of GSK’s strategic goals was to sell safe and effective prescription medication. Another goal was to increase profitability by outsourcing manufacturing to other parts of the world. This conflict caused the quality control of manufacturing to suffer.

Case in point – the Cidra Plant in Puerto Rico made 20 drugs under unhealthy conditions that led to a $750 million FDA fine.
Next Steps

• Identify the risk management objectives to support the strategic goals of the organization.
• Review the Risk Policy of the organization.
• Create a SWOT Analysis (Strengths, Weaknesses, Opportunities, and Threats) reviewing the internal and external context of the organization.

SWOT Analysis
Risk Identification Activities

• Brainstorming: Can effectively generate lots of ideas of potential risk scenarios that could take place.
• Structured Interviews: Uses a risk survey or questionnaire to ask specific questions related to different types of potential risk events facing a particular risk owner or risk center.
• Top Down / Bottom Up Approach.
Establish Risk Criteria

Risk criteria are the external and internal parameters for managing risk in an organization:
• Determine critical risks in the organization.
• Prioritize the critical risks from greatest to least.
• Risk centers assigned to a risk owner.
• Responsibilities of the risk owner.
Create A Risk Register

• Identify a potential risk event
• Categorize the risk event
• Identify potential causes
• Assign risk owner
• Determine the likelihood
• Determine the consequences
• What is the financial impact
• Risk treatment
• Date to review risk

Sample Risk Register
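The following is an added example, not part of the slides: a minimal risk register in Python whose fields mirror the wheel above (event, category, causes, owner, likelihood, consequences, financial impact, treatment, review date), together with the "prioritize the critical risks from greatest to least" step from Establish Risk Criteria. The slides fix no scales, so the likelihood (a probability in [0, 1]), the 1 to 5 consequence scale and the likelihood x consequence ranking are assumptions made here; the four sample entries are built from the Identify Subcategories examples, with invented numbers, owners, treatments and dates.

```python
from dataclasses import dataclass
from datetime import date

# Assumed scales for this example (the slides do not specify them):
#   likelihood  - probability that the event occurs within the review period, 0..1
#   consequence - severity of the outcome, 1 (minor) .. 5 (catastrophic)
CATEGORIES = {"Hazard", "Operational", "Financial", "Strategic", "Other"}


@dataclass
class RiskEntry:
    event: str               # the potential risk event
    category: str            # one of CATEGORIES
    causes: list             # identified potential causes of the event
    owner: str               # risk owner / risk center responsible for it
    likelihood: float        # probability of occurrence in the review period
    consequence: int         # severity 1..5
    financial_impact: float  # estimated loss in USD if the event occurs
    treatment: str           # chosen risk treatment
    review_date: date        # date the entry is next reviewed

    def __post_init__(self):
        # Reject entries that would silently corrupt the ranking.
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category {self.category!r}")
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError("likelihood must be a probability in [0, 1]")
        if self.consequence not in range(1, 6):
            raise ValueError("consequence must be an integer 1..5")

    def score(self) -> float:
        """Criticality used for ranking: likelihood x consequence (assumed formula)."""
        return self.likelihood * self.consequence

    def expected_loss(self) -> float:
        """Likelihood-weighted financial impact."""
        return self.likelihood * self.financial_impact


def prioritize(register):
    """Critical risks first (greatest to least); ties broken by expected loss."""
    return sorted(register, key=lambda e: (e.score(), e.expected_loss()), reverse=True)


def overdue_reviews(register, today):
    """Entries whose review date has already passed."""
    return [e for e in register if e.review_date < today]


def exposure_by_category(register):
    """Aggregate expected loss per risk category."""
    totals = {}
    for e in register:
        totals[e.category] = totals.get(e.category, 0.0) + e.expected_loss()
    return totals


# Constructed reference date and sample entries (values are invented).
TODAY = date(2024, 7, 1)
SAMPLE_REGISTER = [
    RiskEntry("Increase in slips, trips and falls accidents", "Hazard",
              ["wet floors in loading bay", "worn stair treads"],
              "Facilities", 0.6, 2, 150_000,
              "Anti-slip flooring, inspection rounds", date(2024, 6, 15)),
    RiskEntry("25% of workforce eligible for retirement within 5 years", "Operational",
              ["ageing workforce", "no succession plan"],
              "Human Resources", 0.8, 3, 2_000_000,
              "Succession planning, knowledge transfer", date(2024, 9, 30)),
    RiskEntry("35% of commercial loans default in the third quarter", "Financial",
              ["sector downturn", "loose underwriting"],
              "Credit", 0.35, 4, 5_000_000,
              "Tighten underwriting, increase provisions", date(2024, 7, 1)),
    RiskEntry("Sole supplier of a raw material acquired by competitor", "Strategic",
              ["single-source supply", "no qualified alternative"],
              "Procurement", 0.5, 5, 8_000_000,
              "Qualify second supplier, build buffer stock", date(2024, 5, 1)),
]

if __name__ == "__main__":
    for e in prioritize(SAMPLE_REGISTER):
        print(f"{e.score():.2f}  {e.category:<12} {e.event}  (owner: {e.owner})")
    print("overdue:", [e.event for e in overdue_reviews(SAMPLE_REGISTER, TODAY)])
    print("exposure:", exposure_by_category(SAMPLE_REGISTER))
```

Ranking by likelihood x consequence puts the strategic supplier risk first and the hazard risk last, while the aggregation by category is what a risk analysis step later needs when it looks at the portfolio as a whole rather than entry by entry.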
2. Risk Assessment

Risk Assessment is a process to determine the cause of the risk event, the risk event itself, and the impact and the velocity of the risk event.
• Root Cause Analysis – Find the root cause of a potential risk event.
• Qualitative Assessment – Recognizes the source of the risk event.
• Quantitative Assessment – Measures the value of the impact.
Causes of Risk

Three Basic Causes:
• Physical causes – A tangible or material item failed in some way. Example: the brakes stop working on a car.
• Human causes – People did something wrong or did not do something. Example: no one checked the condition of the brakes.
• Organization causes – A system, process or policy that people use to make decisions in doing their work is faulty. Example: no procedure for checking the maintenance of the cars.
Root Cause Analysis

Tools:
• Fault Tree Analysis
• The “5-Whys”
• Management Oversight
• Barrier Analysis
• Failure Mode Effect Analysis
• Pareto Analysis
• Fish-Bone Diagram or Ishikawa Diagram
• Causal Factor Tree Analysis
Fault Tree Analysis

• Very useful in examining the possible conditions that may lead to a desired or undesired event.
• The top event will be placed at the top of the tree and all subsequent events that lead to the main event will be placed as branches.
• Symbols provide a pictorial representation of the event and how it interacts with other events on the tree.

Example Fault Tree
Qualitative Analysis

• Positive Fault Tree Analysis: Will identify the events necessary to achieve a top desired event, for example no accident in the manufacturing facility.
• Negative Fault Tree Analysis: Constructed to show those events or conditions that will lead to a top undesired risk event, such as a fire in the manufacturing facility.
Quantitative Analysis

• When the likelihood of an event is known and a probability value has been assigned, then analysis of these events on a fault tree will also yield quantitative results.
• Financial impact can be added to each stage of the Fault Tree Analysis.
• Risk correlation can be demonstrated.
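Added example, not from the slides: a small fault-tree evaluator in Python that works through all three points above on the negative fault tree from the Qualitative Analysis slide (a fire in the manufacturing facility). It computes the top-event probability two ways: the usual AND/OR gate arithmetic, which assumes the branches are independent, and an exact enumeration of every basic-event outcome, which remains correct when the same cause sits under several gates, which is exactly the correlated case. A financial impact is attached to each gate so that an expected loss can be read off at every stage. The tree shape, event names, probabilities and impacts are all constructed for the example.

```python
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Optional, Union


@dataclass(frozen=True)
class BasicEvent:
    """Leaf of the tree: a cause with an assigned probability of occurring."""
    name: str
    probability: float


@dataclass
class Gate:
    """Intermediate or top event combining its children with AND or OR."""
    name: str
    kind: str                # "AND" or "OR"
    children: List["Node"]
    impact: float = 0.0      # financial impact (USD) if this event occurs


Node = Union[BasicEvent, Gate]


def naive_probability(node: Node) -> float:
    """Standard gate arithmetic; assumes all children are independent."""
    if isinstance(node, BasicEvent):
        return node.probability
    child_ps = [naive_probability(c) for c in node.children]
    if node.kind == "AND":
        p = 1.0
        for cp in child_ps:
            p *= cp
        return p
    if node.kind == "OR":
        none_occur = 1.0
        for cp in child_ps:
            none_occur *= 1.0 - cp
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def basic_events(node: Node, found: Optional[Dict[str, BasicEvent]] = None) -> Dict[str, BasicEvent]:
    """Collect the distinct basic events, so a shared cause is counted once."""
    if found is None:
        found = {}
    if isinstance(node, BasicEvent):
        found.setdefault(node.name, node)
    else:
        for c in node.children:
            basic_events(c, found)
    return found


def occurs(node: Node, state: Dict[str, bool]) -> bool:
    """Evaluate the tree for one concrete outcome of every basic event."""
    if isinstance(node, BasicEvent):
        return state[node.name]
    results = [occurs(c, state) for c in node.children]
    return all(results) if node.kind == "AND" else any(results)


def exact_probability(node: Node) -> float:
    """Sum the probability of every basic-event outcome in which the event occurs.
    Exponential in the number of leaves, so only for small trees, but correct
    even when one cause appears under several gates (correlated branches)."""
    leaves = list(basic_events(node).values())
    total = 0.0
    for outcome in product((False, True), repeat=len(leaves)):
        state = {leaf.name: on for leaf, on in zip(leaves, outcome)}
        weight = 1.0
        for leaf, on in zip(leaves, outcome):
            weight *= leaf.probability if on else 1.0 - leaf.probability
        if occurs(node, state):
            total += weight
    return total


def expected_losses(node: Node, prob: Callable[[Node], float] = exact_probability) -> Dict[str, float]:
    """Expected loss at each stage (gate) of the tree: P(event) x impact."""
    losses: Dict[str, float] = {}

    def walk(n: Node) -> None:
        if isinstance(n, Gate):
            losses[n.name] = prob(n) * n.impact
            for c in n.children:
                walk(c)

    walk(node)
    return losses


# Constructed negative fault tree; names, probabilities and impacts are invented.
# "Maintenance lapse" is deliberately shared by both branches as a common cause.
MAINTENANCE_LAPSE = BasicEvent("Maintenance lapse", 0.10)
IGNITION = Gate("Ignition occurs", "OR",
                [BasicEvent("Electrical fault", 0.05), MAINTENANCE_LAPSE], impact=50_000)
SUPPRESSION_FAILS = Gate("Suppression fails", "OR",
                         [BasicEvent("Sprinkler valve fault", 0.02), MAINTENANCE_LAPSE], impact=10_000)
FACILITY_FIRE = Gate("Fire in the manufacturing facility", "AND",
                     [IGNITION, SUPPRESSION_FAILS], impact=2_000_000)

if __name__ == "__main__":
    print(f"naive P(top) = {naive_probability(FACILITY_FIRE):.5f}")
    print(f"exact P(top) = {exact_probability(FACILITY_FIRE):.5f}")
    for name, loss in expected_losses(FACILITY_FIRE).items():
        print(f"expected loss at {name!r}: ${loss:,.0f}")
```

With these constructed numbers the independent-branch arithmetic gives a top-event probability of about 0.017, while the exact evaluation gives about 0.101: the shared maintenance lapse makes ignition and suppression failure occur together far more often than independence would suggest, so the naive figure understates the expected loss at the top event by roughly six times. This is the correlation effect the slide refers to, and it is why a shared cause should be modelled once and propagated, not duplicated as independent leaves.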

3. Risk Analysis

• Understand the interrelationship of risk exposures to a potential risk event.
• Determine risk aggregation and risk correlation in an organization’s risk portfolio.
• Formulate the best risk strategies for the organization from risk assessments.

Sample Analysis Tools

A department uses Influence Diagrams to analyze the interrelationships and interdependencies of risks across the enterprise.

A department uses analytic tools like RAPID (Risk Assessment Process for Informed Decision-Making) to manage risks associated with their strategic goals.
Value of Data Analysis

Data analysis allows for more transparent and defensible decisions.
• Contextualizes homeland security threats, showing which are the most likely and which have the highest impact.
• Helps prioritization decisions among terrorism, natural disasters, cyber, pandemics, and border security hazards.
• Provides a performance measure for programs across the homeland security mission space.
• Identifies opportunities for reducing risk exposures of potential risk events.
• Allows for understanding of the impact of combined risk exposures taking place at the same time.
4. Implementation

Implementation – incorporating an ERM structure, practices, and strategies to fulfill the goals of the organization:
• ERM framework
• Risk controls
• Risk champions and risk centers
• Risk communication structure
• Crisis management protocol
• Business Continuity
ERM Frameworks

• COSO II: Focus is to establish ERM goals as part of the strategic management process. It does not dive into the details of risk management approaches and process, but addresses threats to the organization and the need for proper controls.
• ISO 31000: Rooted in risk management principles and designed to provide an organized methodology to evaluate risk exposures and react to the environment.
Risk Controls

Management is responsible for implementing appropriate controls to reduce risk and to achieve operational objectives.

Some areas for risk controls: IT Systems; Financial & Operations; Property & Assets; Safety & Liability.
Risk Champions and Risk Centers

Risk Champions
• Accountable for ensuring accuracy within their department or business unit around the identification, assessment, management and monitoring of risk.
• They are the eyes and ears of risk information for the risk manager who is in charge of assessing risk across the enterprise.
• Not necessarily responsible for performing the actual risk management activities.

Risk Center
• A department or unit within the organization charged with the risk exposures that are related to their duties and responsibilities.
Intuit Case Study

“When we talk about growth strategies for the company, we talk deliberately about both risks and opportunities” – Janet Nasburg, Chief Risk Officer at Intuit

• CRO and ERM program office have ownership and accountability for Intuit’s ERM program and drive Intuit’s ERM capabilities.
• Ownership and accountability for identified risks are shared by executive and business unit level leaders.
• Risk communication is not only to report progress, but also so that business units can share and leverage risk knowledge.
Risk Communication Structure

• Simple System State: The event can be resolved through routine decisions.
• Complicated System State: The event is more difficult to resolve than in a simple system, but it is not unusual.
• Complex System State: The event is unusual, and potentially critical to the organization.
• Chaotic System State: The event is a dramatic, unforeseen situation that threatens the organization’s survival.
Crisis Management

• Messages to all stakeholders must be clear, address the pressing issues and engage all the stakeholders to be diligent in plans of recovery.
• Risk communication becomes a key component in surviving a crisis situation.
• Communication must demonstrate that senior management is committed to maintaining an environment of transparency in its decision making.
Elements of Continuity Plan

• Statement of objectives, resources needed and acceptable level of functioning
• Recovery time and potential failure points
• Task and activities required
• Structure to support the plan
• Supporting documentation and information
• Procedures and processes
• Description of personnel duties and responsibilities
• Description of interdependencies among the various departments
5. Monitoring

• Monitoring involves communication of risk both upstream and downstream across the organization. It includes periodic reporting and follow-up on the risks by various levels of management, risk committees, and internal auditors.
• KPIs and KRIs are a valuable way to monitor key risks linked to improved cash flows and earnings.
Tools Used for Monitoring

• Spreadsheets: Like risk registers.
• Balanced Scorecards: Captures the company’s strategy by Customer; Internal Processes; Innovation and Learning; Financial.
• Dashboards: Pictorial reporting of risks.
• Governance Risk and Compliance Software: Focus on audit and compliance.
• Enterprise Risk Management Software: ERM focus on software solutions.
Case Study: Walmart

• Developed KPI and KRI metrics incorporated in a balanced scorecard.
• Metrics used to track performance on risk and to determine the company’s progress in managing the risk.
• Walmart also uses these metrics to determine the value added by the ERM process.

6. Evaluation

Ascertaining the strengths and weaknesses of the ERM program with regard to the organization’s strategic goals.

Evaluation covers: Risk Optimization / Value Creation; Return on Investment; ERM’s Role in Governance.

Risk Optimization

• Balance between taking on too much risk and not taking on enough risk to explore opportunities for growth.
• Explore various risk-return outcomes.
• Evaluate risk controls in place and decide the best use of financial resources to provide needed protection.
Cost of Risk

Case Study: University of California

Each year the University of California holds an Annual ERM Summit focused on their continuous effort in improving their ERM program by reducing their Cost of Risk.
• Since the 2003-2004 fiscal year, they have reduced Cost of Risk by $493 million.
• Reduced the Cost of Risk from $18.46 per $1,000 of operating budget to $13.31 per $1,000 of operating budget.
Risk Governance

Guidance principles for board risk oversight (National Association of Corporate Directors report, “Risk Governance: Balancing Risk and Reward”):
• Key drivers of success and risks in the company’s strategy.
• Crafting the right relationship between the board and its standing committees as to risk oversight.
• Monitoring potential risks in the company’s culture and incentive systems.
• Establishing and providing appropriate resources to support risk management systems.
• Developing an effective risk dialogue with management.
Executive Risk Committee

The Executive Risk Committee provides the Board of Directors with:
• A structure that provides the board with the appropriate information that defines the firm’s risk profile.
• A system that provides an audit of the effectiveness of the risk management process.
• A system that affords an evolving understanding of key risks to the company.

“Boards are now finally asking management about the nature of the risk information process in place. Boards want to gather information about new or emerging risks and the extent to which these risks require a more in-depth analysis. This is being done to ensure future opportunities and threats to the company’s performance are appropriately managed.” – John Bugalla, James Kallman, Chris Mandel and Kristina Narvaez in The Corporate Board
