© 2013 Ask, Share, Learn | www.proformative.com | #CFOD13

Crossing the Rubicon – Taking Enterprise Risk from Theoretical to Practical

Luis Fernandes, jetBlue Airways, Director of Internal Audit

Mike Bechara, Granite Consulting Grp., Managing Director

Taking Enterprise Risk from Theoretical to Practical

DESCRIPTION

Video & Presentation: http://www.proformative.com/resources/video-presentation-taking-enterprise-risk-theoretical-practical

Risk management has always been an integral part of business. But over the last two decades, a host of corporate scandals, security threats, recessions and a myriad of other crises have pushed risk management to the forefront of business strategy. Organizations are striving to manage and monitor risks more effectively, but many companies can't seem to get beyond the theory and practically implement an effective ERM program.

Join JetBlue Airways and Granite Consulting Group as they discuss practical ways of implementing ERM and how JetBlue evolved their risk program and created a strategically focused risk evaluation process setting the direction for future risk mitigation and operational improvement. Attendees will learn to go beyond linear "top 10" surveys and to incorporate practical and actionable strategies to implement an effective ERM program.

Speakers:

Michael Bechara, CPA, CRMA, Managing Director, Granite Consulting Group Inc.

Luis Fernandes, CPA, Director of Corporate Audit, JetBlue Airways

Presentation delivered at CFO Dimensions 2013 - http://www.cfodimensions.com

Track: Governance, Risk, Compliance | Session: 4

Page 1: Taking Enterprise Risk from Theoretical to Practical

Crossing the Rubicon – Taking Enterprise Risk from Theoretical to Practical

Luis Fernandes, jetBlue Airways, Director of Internal Audit

Mike Bechara, Granite Consulting Grp., Managing Director

Page 2: Taking Enterprise Risk from Theoretical to Practical

Words of Wisdom

“In theory there is no difference between theory and practice. In practice there is”

Page 3: Taking Enterprise Risk from Theoretical to Practical

Theory vs. Reality

Significant ERM development over time but…

Development has stagnated due to misconceptions about implementation

Page 4: Taking Enterprise Risk from Theoretical to Practical

What We Will Learn Today

Reconcile theories to realities

Tips & techniques

Ways to leverage the ERM output

Page 5: Taking Enterprise Risk from Theoretical to Practical

ERM in Theory… (The COSO Definition)

1. Enterprise risk management is a process,
2. Effected by an entity’s board of directors, management and other personnel,
3. Applied in strategy setting and across the enterprise,
4. Designed to identify potential events that may affect the entity,
5. Manage risk to be within its risk appetite,
6. Provide reasonable assurance regarding the achievement of entity objectives.

Page 6: Taking Enterprise Risk from Theoretical to Practical

ERM in Reality… (Your Average Company)

1. Enterprise risk management is an opaque process,
2. Effected by Driven by the head of internal audit with updates to an entity’s board of directors, management and other personnel,
3. Applied in Divorced from strategy setting and across the enterprise corporate office based
4. Designed to identify potential events that may affect the entity, with focus on what has already happened or one or two current “hot” topics
5. Manage risk to be within its risk appetite (amorphous term)
6. Provide reasonable assurance regarding the achievement of entity objectives which are often excluded from the discussion

Page 7: Taking Enterprise Risk from Theoretical to Practical

Theory 1: ERM is a Process

Misinterpretation
• If we have an ongoing process that’s good enough!
• Because if we keep studying reports and data… that’s the same as actually addressing the risks

Reality
• Risk assessment is a prophecy of the future
• You will never identify or predict all risks… If you could you would be a zillionaire!
• The tale of the Conservative Engineer

Tips & Techniques
• Facilitate the best assessment and reevaluate periodically
• Build risk discussions into business/financial reviews

Page 8: Taking Enterprise Risk from Theoretical to Practical

Theory 2: Effected by Mgt., Board & Others

Misinterpretation
• Divorcing risk from the business
• “Don’t call us we’ll call you!”
• This is a highly complex process that is irrelevant for most people

Reality
• Risks are only relevant when viewed through the prism of objectives
• We need to understand what we are trying to achieve to identify what is relevant

Tips & Techniques
• No one will understand the risks better than those that face them every day
• Evaluate your risks as they relate to your company’s objectives

Page 9: Taking Enterprise Risk from Theoretical to Practical

Tips & Techniques: People

• Where does risk information come from?

• Accounting Data

• Quality Data

• Industry Studies

• People

Page 10: Taking Enterprise Risk from Theoretical to Practical

Tips & Techniques: People

• Aren't they too subjective and unreliable?

• They face the risks every day & understand them very well

• People have the ability to make predictions based on future plans

• Historical data analysis assumes the future will look like the past—things don’t happen the same way twice

Page 11: Taking Enterprise Risk from Theoretical to Practical

Theory 3: Applied in Strategy Setting

Misinterpretation
• Cataloging all risks
• False hope of “Total Information Awareness”
• A Risk Universe is only a start

Reality
• We are all adults here
• Bad things will happen and we won’t care about most of them
• Key is to focus on what matters

Tips & Techniques
• Use a top-down business risk approach to complement the bottom-up risk universe approach
• Concentrate on events that disrupt critical goals & strategy

Page 12: Taking Enterprise Risk from Theoretical to Practical

Tips and Techniques: Use Multiple Analyses

A business risk approach complements and strengthens the risk universe by linking risks to objectives to present a more complete risk picture

Risk Universe:
1. Interview/survey management
2. Identify risks by functional area
3. Linearly rank risks by likelihood and impact
4. Mitigate the top vote getters

Business Risk Based:
1. Understand company objectives/strategy
2. Interview/survey management
3. Use analytical tools to identify the key risk patterns linked to each objective
4. Mitigate the risks associated with the top objectives

Page 13: Taking Enterprise Risk from Theoretical to Practical

Theory 4: Events That May Affect the Entity

Misinterpretation
• We only have to assess one risk at a time
• The highest ranked risk is the most “dangerous”

Reality
• Simple rankings are a start but are inadequate by themselves
• Negative events are caused by multiple risk factors
• Managing risk requires us to understand the effect of individual risks manifesting themselves simultaneously

Tips & Techniques
• How do the risks interrelate to one another?
• How are risks influenced by priorities?
• Would certain risks combine to form an ever greater threat?

Page 14: Taking Enterprise Risk from Theoretical to Practical

Tips & Techniques: Interrelated Risks

Lack of Accounting Experience

Poor Communication

Excessive Overtime

Aggressive Marketing Programs

System Implementations

Page 15: Taking Enterprise Risk from Theoretical to Practical

Tips & Techniques: Interrelated Risks

Combination of:
1. Aggressive Marketing Programs
2. Excessive Overtime
3. Poor Communication

Lack of Accounting Experience

System Implementations

Page 16: Taking Enterprise Risk from Theoretical to Practical

Theory 5: Manage Risk Within Appetite

Misinterpretation
• Risk is mitigated… It’s Miller time!
• Once we mitigate risks beyond a certain level we’re done!

Reality
• Risks are like zombies… they rise again if not monitored
• Mitigating risk is an ongoing effort that takes time but pays big dividends

Tips & Techniques
• Get Internal Audit involved
• Monitor risks over time
• Just monitoring risks will have a positive effect

Page 17: Taking Enterprise Risk from Theoretical to Practical

Tips & Strategies

Risk Monitoring Decisions
• When is a risk mitigated?
• How often do we check back?
• What should we check?

Page 18: Taking Enterprise Risk from Theoretical to Practical

Theory 6: Linked to Objectives

Misinterpretation
• The voting is over! Let’s mitigate the “Top 10 risks” and all will be well!
• Classic cart before the horse thinking

Reality
• Companies do not exist to manage risks; they exist to achieve objectives
• Would we come home and say, “Honey I forgot to get the bread from the supermarket… but I didn’t get into an accident!”

Tips & Techniques
• When allocating resources for mitigation prioritize objectives… not risks
• Begin allocating resources towards mitigating the risks associated with the most important objectives

Page 19: Taking Enterprise Risk from Theoretical to Practical

Before: The Traditional Analysis

A Major Airline

• Engaged in a typical risk assessment process

• Identified 31 risks

• Ranked according to Likelihood, Impact and Degree of Control

• Typical approach would be to mitigate starting at the top

• Proceed as much as cost/benefit dictates

• No links to business strategy or objectives

• No relating of risks to one another to form risk patterns

[Table: columns Rank, Risk Title, Risk Description; 31 rows ranked 1 through 31, each showing only the placeholder “Risk Description”]

Page 20: Taking Enterprise Risk from Theoretical to Practical

After: Business Based Analysis

Business Based Approach

• Surveyed the Executive Team on their views of company objectives and risks

• Do you believe the company will achieve Objective 1?

• How serious do you believe each risk to be?

• Risks are linked to business objectives

• Risks are grouped into the risk patterns that are most relevant for each objective

Page 21: Taking Enterprise Risk from Theoretical to Practical

After: Business Based Analysis

• Risks 21 and 23 were again from the bottom of the list!

• A new risk that threatens this objective was identified through the survey process

• Objective was directly tied to leadership

Page 22: Taking Enterprise Risk from Theoretical to Practical

What Uses Does the ERM Output Have?

Many, but here is one example…

Page 23: Taking Enterprise Risk from Theoretical to Practical

Practical Uses of ERM Data

External: Enhancing Enterprise Value

Page 24: Taking Enterprise Risk from Theoretical to Practical

How ERM Can Enhance Enterprise Value

Value

CFO

Influence

Your Company is constantly being valued by investors, lenders, rating agencies, acquisition partners, etc.

Many say the CFO’s #1 job is to guard and enhance enterprise value

To do this we have to understand how outsiders determine value

A quick walk down finance memory lane…

Page 25: Taking Enterprise Risk from Theoretical to Practical

Three Valuation Approaches

Determination of Value

Asset

Market

Income

Page 26: Taking Enterprise Risk from Theoretical to Practical

Why is the ROR a Big Deal?

Low ROR Equals

A High Valuation

Determination of required rate of return is a key driver of enterprise value!

Main driver of valuation is the rate of return required by investors to invest in your firm

Aka: Discount rate

Page 27: Taking Enterprise Risk from Theoretical to Practical

How is the ROR Calculated?

• Common Methods of Calculating ROR
– Modified CAPM = Rf + B(RPm) + RPs + RPu
– Build Up Method = Rf + RPm + RPs + RPu

Rf = Risk Free
RPm = Equity Premium
RPs = Size Premium
RPu = Company Premium

Page 28: Taking Enterprise Risk from Theoretical to Practical

What Exactly Is RPu?

• What is RPu?

– The analyst’s judgment regarding risks specific to your company

– If he/she deems you risky it will raise the ROR and lower value

– Can also be negative lowering ROR and raising value

No objective source for RPu. It is subjective and based on analyst judgment

Page 29: Taking Enterprise Risk from Theoretical to Practical

How Does RPu Tie to ERM?

Company Risk Premium (ERM)

Management

Competition

Litigation

Customers

Suppliers

Strategy

Page 30: Taking Enterprise Risk from Theoretical to Practical

But How Do I Tell the ERM Story?

• Explain the present but focus on the future!

• Explain how risks are being managed & monitored

• Describe how objectives will be achieved

• Ensure they understand that ERM is a management tool not a one time project

• Lengthy explanations of “history”

• Presenting risks outside the context of objectives

• Indicating your risk program as overly scientific or precise
– i.e. Risk A = 3.43256

• Lengthy discussions of survey techniques or risk rating systems

• Specific terms like velocity, risk appetite

Page 31: Taking Enterprise Risk from Theoretical to Practical

Recap: What We Learned

Theories vs. Realities in successfully implementing an ERM program

No. | Theory | Practical Application
1 | ERM is a process | Build a good process and move forward
2 | Effected by the Board, Mgt. and other personnel | Risks should be sourced from and be a part of the business
3 | Applied in strategy setting | Risks to the Enterprise are not all risks
4 | Events that may affect the entity | Risks combine to form patterns
5 | Manage risk within appetite | Appetite setting is not a one time event
6 | Linked to objectives | Mitigate risks in the context of objectives

Page 32: Taking Enterprise Risk from Theoretical to Practical

What We Learned

As a result Enterprise Value can increase

Managing Risks down can reduce the ROR

Page 33: Taking Enterprise Risk from Theoretical to Practical

Contact Information

Michael Bechara, CPA, CFE, CRMA

Managing Director

845.363.6610 Office • 845.282.3899 Cell • 845.230.8739 Fax

[email protected] • www.consultgranite.com

Granite Consulting Group Inc.

1511 Route 22, Suite 322 • Brewster, NY 10509

Page 34: Taking Enterprise Risk from Theoretical to Practical

Thank You!

Crossing the Rubicon – Taking Enterprise Risk from Theoretical to Practical

Page 35: Taking Enterprise Risk from Theoretical to Practical

Thank You Sponsors!
