Video & Presentation: http://www.proformative.com/resources/video-presentation-taking-enterprise-risk-theoretical-practical

Risk management has always been an integral part of business. But over the last two decades, a host of corporate scandals, security threats, recessions and a myriad of other crises have pushed risk management to the forefront of business strategy. Organizations are striving to manage and monitor risks more effectively, but many companies can't seem to get beyond the theory and practically implement an effective ERM program. Join JetBlue Airways and Granite Consulting Group as they discuss practical ways of implementing ERM and how JetBlue evolved their risk program and created a strategically focused risk evaluation process setting the direction for future risk mitigation and operational improvement. Attendees will learn to go beyond linear "top 10" surveys and to incorporate practical and actionable strategies to implement an effective ERM program.

Speakers:
Michael Bechara, CPA, CRMA, Managing Director, Granite Consulting Group Inc.
Luis Fernandes, CPA, Director of Corporate Audit, JetBlue Airways

Presentation delivered at CFO Dimensions 2013 - http://www.cfodimensions.com
Track: Governance, Risk, Compliance | Session: 4
1© 2013 Ask, Share, Learn
www.proformative.com
#CFOD13
Crossing the Rubicon – Taking Enterprise Risk from Theoretical to Practical
Luis Fernandes, Director of Internal Audit, jetBlue Airways
Mike Bechara, Managing Director, Granite Consulting Grp.
Words of Wisdom
“In theory there is no difference between theory and practice. In practice there is”
Theory vs. Reality
Significant ERM development over time but…
Development has stagnated due to misconceptions about implementation
What We Will Learn Today
Reconcile theories to realities
Tips & techniques
Ways to leverage the ERM output
ERM in Theory… (The COSO Definition)
1. Enterprise risk management is a process,
2. Effected by an entity’s board of directors, management and other personnel,
3. Applied in strategy setting and across the enterprise,
4. Designed to identify potential events that may affect the entity,
5. Manage risk to be within its risk appetite,
6. Provide reasonable assurance regarding the achievement of entity objectives.
ERM in Reality… (Your Average Company)
1. Enterprise risk management is an opaque process,
2. Effected by Driven by the head of internal audit with updates to an entity’s board of directors, management and other personnel,
3. Applied in Divorced from strategy setting and across the enterprise corporate office based
4. Designed to identify potential events that may affect the entity, with focus on what has already happened or one or two current “hot” topics
5. Manage risk to be within its risk appetite (amorphous term)
6. Provide reasonable assurance regarding the achievement of entity objectives which are often excluded from the discussion
Theory 1: ERM is a Process
Misinterpretation
• If we have an ongoing process that’s good enough!
• Because if we keep studying reports and data… that’s the same as actually addressing the risks
Reality
• Risk assessment is a prophecy of the future
• You will never identify or predict all risks… If you could you would be a zillionaire!
• The tale of the Conservative Engineer
Tips & Techniques
• Facilitate the best assessment and reevaluate periodically
• Build risk discussions into business/financial reviews
Theory 2: Effected by Mgt., Board & Others
Misinterpretation
• Divorcing risk from the business
• “Don’t call us we’ll call you!”
• This is a highly complex process that is irrelevant for most people
Reality
• Risks are only relevant when viewed through the prism of objectives
• We need to understand what we are trying to achieve to identify what is relevant
Tips & Techniques
• No one will understand the risks better than those that face them every day
• Evaluate your risks as they relate to your company’s objectives
Tips & Techniques: People
• Where does risk information come from?
• Accounting Data
• Quality Data
• Industry Studies
• People
Tips & Techniques: People
• Aren't they too subjective and unreliable?
• They face the risks every day & understand them very well
• People have the ability to make predictions based on future plans
• Historical data analysis assumes the future will look like the past—things don’t happen the same way twice
Theory 3: Applied in Strategy Setting
Misinterpretation
• Cataloging all risks
• False hope of “Total Information Awareness”
• A Risk Universe is only a start
Reality
• We are all adults here
• Bad things will happen and we won't care about most of them
• Key is to focus on what matters
Tips & Techniques
• Use a top-down business risk approach to complement the bottom-up risk universe approach
• Concentrate on events that disrupt critical goals & strategy
Tips and Techniques: Use Multiple Analyses
A business risk approach complements and strengthens the risk universe by linking risks to objectives to present a more complete risk picture
Risk Universe
1. Interview/survey management
2. Identify risks by functional area
3. Linearly rank risks by likelihood and impact
4. Mitigate the top vote getters
Business Risk Based
1. Understand company objectives/strategy
2. Interview/survey management
3. Use analytical tools to identify the key risk patterns linked to each objective
4. Mitigate the risks associated with the top objectives
Theory 4: Events That May Affect the Entity
Misinterpretation
• We only have to assess one risk at a time
• The highest ranked risk is the most “dangerous”
Reality
• Simple rankings are a start but are inadequate by themselves
• Negative events are caused by multiple risk factors
• Managing risk requires us to understand the effect of individual risks manifesting themselves simultaneously
Tips & Techniques
• How do the risks interrelate to one another?
• How are risks influenced by priorities?
• Would certain risks combine to form an ever greater threat?
Tips & Techniques: Interrelated Risks
Lack of Accounting Experience
Poor Communication
Excessive Overtime
Aggressive Marketing Programs
System Implementations
Tips & Techniques: Interrelated Risks
Combination of:
1. Aggressive Marketing Programs
2. Excessive Overtime
3. Poor Communication
Lack of Accounting Experience
System Implementations
Theory 5: Manage Risk Within Appetite
Misinterpretation
• Risk is mitigated… It's Miller time!
• Once we mitigate risks beyond a certain level we’re done!
Reality
• Risks are like zombies… they rise again if not monitored
• Mitigating risk is an ongoing effort that takes time but pays big dividends
Tips & Techniques
• Get Internal Audit involved
• Monitor risks over time
• Just monitoring risks will have a positive effect
Tips & Strategies
Risk Monitoring Decisions
• When is a risk mitigated?
• How often do we check back?
• What should we check?
Theory 6: Linked to Objectives
Misinterpretation
• The voting is over! Let’s mitigate the “Top 10 risks” and all will be well!
• Classic cart before the horse thinking
Reality
• Companies do not exist to manage risks, they exist to achieve objectives
• Would we come home and say, “Honey I forgot to get the bread from the supermarket… but I didn’t get into an accident!”
Tips & Techniques
• When allocating resources for mitigation prioritize objectives… not risks
• Begin allocating resources towards mitigating the risks associated with the most important objectives
Before: The Traditional Analysis
A Major Airline
• Engaged in a typical risk assessment process
• Identified 31 risks
• Ranked according to Likelihood, Impact and Degree of Control
• Typical approach would be to mitigate starting at the top
• Proceed as much as cost/benefit dictates
• No links to business strategy or objectives
• No relating of risks to one another to form risk patterns
[Table: 31 risks ranked 1 to 31, with columns Rank, Risk Title and Risk Description; the individual risk titles and descriptions are not shown]
After: Business Based Analysis
Business Based Approach
• Surveyed the Executive Team on their views of company objectives and risks
• Do you believe the company will achieve Objective 1?
• How serious do you believe each risk to be?
• Risks are linked to business objectives
• Risks are grouped into the risk patterns that are most relevant for each objective
After: Business Based Analysis
• Risks 21 and 23 were again from the bottom of the list!
• A new risk that threatens this objective was identified through the survey process
• Objective was directly tied to leadership
What Uses Does the ERM Output Have?
Many, but here is one example…
Practical Uses of ERM Data
External: Enhancing Enterprise Value
How ERM Can Enhance Enterprise Value
Value
CFO
Influence
Your Company is constantly being valued by investors, lenders, rating agencies, acquisition partners, etc.
Many say the CFO’s #1 job is to guard and enhance enterprise value
To do this we have to understand how outsiders determine value
A quick walk down finance memory lane…
Three Valuation Approaches
Determination of Value
Asset
Market
Income
Why is the ROR a Big Deal?
Low ROR Equals
A High Valuation
Determination of required rate of return is a key driver of enterprise value!
Main driver of valuation is the rate of return required by investors to invest in your firm
Aka: Discount rate
How is the ROR Calculated?
• Common Methods of Calculating ROR
– Modified CAPM = Rf + B(RPm) + RPs + RPu
– Build Up Method = Rf + RPm + RPs + RPu
Rf = Risk Free
RPm = Equity Premium
RPs = Size Premium
RPu = Company Premium
What Exactly Is RPu?
• What is RPu?
– The analyst’s judgment regarding risks specific to your company
– If he/she deems you risky it will raise the ROR and lower value
– Can also be negative, lowering ROR and raising value
No objective source for RPu. It is subjective and based on analyst judgment
How Does RPu Tie to ERM?
Company Risk Premium (ERM)
Management
Competition
Litigation
Customers
Suppliers
Strategy
But How Do I Tell the ERM Story?
• Explain the present but focus on the future!
• Explain how risks are being managed & monitored
• Describe how objectives will be achieved
• Ensure they understand that ERM is a management tool not a one time project
• Lengthy explanations of “history”
• Presenting risks outside the context of objectives
• Indicating your risk program as overly scientific or precise
• i.e. Risk A = 3.43256
• Lengthy discussions of survey techniques or risk rating systems
• Specific terms like velocity, risk appetite
Recap: What We Learned
Theories vs. Realities in successfully implementing an ERM program
No. | Theory | Practical Application
1 | ERM is a process | Build a good process and move forward
2 | Effected by the Board, Mgt. and other personnel | Risks should be sourced from and be a part of the business
3 | Applied in strategy setting | Risks to the Enterprise are not all risks
4 | Events that may affect the entity | Risks combine to form patterns
5 | Manage risk within appetite | Appetite setting is not a one time event
6 | Linked to objectives | Mitigate risks in the context of objectives
What We Learned
As a result Enterprise Value can increase
Managing Risks down can reduce the ROR
Contact Information
Michael Bechara, CPA, CFE, CRMA
Managing Director
845.363.6610 Office • 845.282.3899 Cell • 845.230.8739 Fax
[email protected] • www.consultgranite.com
Granite Consulting Group Inc.
1511 Route 22, Suite 322 • Brewster, NY 10509
Thank You!
Crossing the Rubicon – Taking Enterprise Risk from Theoretical to Practical