1

Finance Is Risky Business

Managing Your Company’s Risk Appetite

Cathy Hauslein, VP-ControllerSusser Holdings Corp.

2

What is Risk Management

• Risk Management is the process of analyzing exposure to risk and determining how best to handle such exposure.

• Enterprise Risk Management (ERM) seeks to strategically consider the interactive effects of various risk events with the goal of balancing an enterprise’s portfolio of risks to be within the stakeholders’ appetite for risk.

3

Strategic Risk Management Characteristics

1. Alignment with a commitment to ethically create shareholder value – focus on the upside of risk.

2. Use of a holistic approach that is broad enough to encompass the spectrum of entity-wide activities needed to achieve an organization’s strategy.

3. Approach must be capable of identifying and evaluating events and forces of change – must be a continual, ongoing process.

4

Evaluating Strategic Business Risk

1. Understand the entity’s key strategies that are designed to preserve and create stakeholder value.

2. Identify the risk-how poorly a strategy will perform if the ‘wrong’ scenario occurs.

3. Define an overriding risk management goal-what is the entity’s risk appetite.

5

There is nothing more crucial to the success of ERM efforts in an organization than an informed and supportive culture.

6

Risk Management Process

• Context• Risk Assessment

– Risk Identification– Risk Analysis– Risk Evaluation

• Risk Treatment• Monitoring and Review• Communication and Consultation• Recording the Risk Management Process

7

Risk Management Process

• Context– The organization-wide risk appetite is

formulated and the risk management environment of the organization is defined.

– Context looks at the laws, market, economy, culture, regulations, technology, natural environment, stakeholders’ needs, issues, and concerns.

– Main output of context is the risk criteria to be used to determine the acceptability of risks.

8

Risk Management Process

• Risk Assessment– Risk Identification – Types of Risks to be

Evaluated

9

Types of Risk to be Evaluated

• Shareholder value risk• Financial reporting risk• Governance risk• Customer and market risk• Operations risk• Innovation risk

• Brand risk• Partnering risk• Supply chain risk• Employee engagement

risk• R&D risk• Communications risk

10

Risk Management Process

• Risk Assessment– Risk Analysis – To provide the decision maker

with sufficient understanding of the risk that they are satisfied they have sufficient knowledge about the risk to make decisions on risk treatment and acceptance.

– Risk Evaluation – Comparing residual risk after risk treatment (Impact) against the risk criteria (Likelihood).

11

Risk Evaluation

12

Risk Management Process• Risk Treatment – Identification, selection

and implementation of control options.• Monitoring and Review – Key to the

continuous improvement of risk management.– Key Risk Indicators (KRI’s)

• Human Resource• Information Technology• Finance• Legal/Compliance• Audit

13

Risk Management Process

• Communication and Consultation – Extensive communication among team members and consultations with other experts in the organization.

• Recording the Risk Management Process – Provide for traceability of decisions, continuous improvement in risk management, data for other management activities, and legal and regulatory requirements.

14

Questions?