Page 1: Enterprise Risk Management – Demystified

Enterprise Risk Management – Demystified

Charles W. Soucy, CPCU, CLU, ARM

Joe C. Underwood, CPCU, ARM, AIC

October 27, 2010

Page 2

Agenda

1. What is it?
   – A formal definition of ERM
   – How it’s different

2. Why do it?
   – Driving events
   – Common motivations; value delivered

3. How to do it?
   – Common framework
   – Action steps: easier than you might think
   – Keep it simple, sustainable, iterative
   – Foster communication with visuals/dashboards
   – Ensure follow-through

© Albert Risk Management Consultants, 2010

Page 3

ERM: A Formal Definition

Enterprise Risk Management: a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.

Source: Risk and Insurance Management Society, Inc.

1. Strategic: inextricably linked to the organization’s mission and strategy, which set its risk appetite and tolerance

2. Disciplined: a consistent and structured approach to assessing and managing risks and improving decision making

3. Full spectrum: addresses all forms of risk: strategic, financial, operational, technological, compliance, hazard, ...

4. Interrelated: risks are interrelated and must be managed as a whole; the whole is different from the sum of its parts


Page 4

Types of Risk to Consider


Note: “Compliance risk” runs throughout


Page 5

ERM vs. “Traditional” Risk Mgmt

Generally enhanced focus on:

1. Context in which risks are managed
   – great importance placed on aligning with overall mission and strategy
   – driven from the top (board, exec. mgmt)
   – considers all stakeholder interests
   – formalizes the organization’s risk appetite / tolerance

2. Interrelated nature of risks
   – risk cannot be effectively managed in silos; “holistic”
   – communication across functional domains is essential
   – focus on root-cause analysis
   – need to dissect a risk into its components

3. Accountability and cultural alignment


Page 6

Progression of Events Influencing ERM


Page 7

Strategic Value

• Business Resiliency and Sustainability

– Uncovering risk and reducing catastrophic blindside potential

– Protecting reputation and brand value

• Improved governance

– Better understanding and articulation of stakeholders’ risk appetite/tolerance

– Improved decision making by encouraging consideration not only of rewards, but also of the associated risks


Page 8

Tactical Value

• Improved resource allocation

– Prioritizing risk management efforts

– Coordinating the handling of risk throughout the organization

– Filling gaps and eliminating unnecessary redundancies

• Optimized use of capital

– Moving beyond silos, and the tendency to overprotect when portfolio effects are ignored

– Transferring risk, only when economically wise to do so


Page 9

Key Characteristics

• Top leadership engagement

• Designated process champion, plus supporters in key departments

• Root-cause focus: treat the cause, not the symptom

• Integration within decision-making processes and incentive systems

• Ongoing process, iterative in nature


Page 10

Conceptual Framework

• Reference standards
  – ISO 31000
  – AS/NZS 4360
  – COSO ERM
  – Casualty Actuarial Society
  – ASME J100 ‘Risk and Resilience’


Page 11

Typical ERM Program “Rollout”

1. Establish goals, tolerance levels and common vocabulary

2. Secure top level support and direction

3. Develop risk team

4. Conduct an enterprise-wide risk assessment
   – Interview or survey staff to develop the risk register
   – Summarize and visualize
   – Invite broad input and critique

5. Establish priorities and assign risk owners

6. Develop improvement plans, weighing cost/benefit

7. Establish accountability systems

8. Monitor and report (throughout)


Page 12

Sample Risk Attributes

• Cause (Triggers)
  – Natural catastrophe, terrorism/vandalism, theft, legal action, etc.

• Consequences (Effect on Assets)
  – Fatalities, injury, monetary loss, interruption of operations, loss of reputation

• Impact (Severity)

• Likelihood (Frequency/Probability)

• Control Adequacy (Vulnerability)

• Velocity (Time to Impact)
  – If you can see it coming, more mitigation options are available

Risk Level: Impact x Likelihood x Controls


Page 13

Tools / Techniques

Step                 | Inputs/Components                                                                                                                                                                                      | Tools
1. Establish Context | Organizational mission, values, stakeholder interests, regulatory and competitive environment, trends, strategy, strategic objectives, culture, financial and human capital resources, systems, decision-making processes | Stakeholder map, SWOT, etc.
2. Identify Risks    | What concerns exist                                                                                                                                                                                    | Risk interviews, discussions and surveys
3. Analyze Risks     | Triggers, consequences, mitigation factors, impact, likelihood, current controls, velocity, etc.                                                                                                         | Risk register
4. Evaluate Risks    | Outside tolerance? If yes, prioritize and treat                                                                                                                                                        | Heat map (also for monitoring and communication)
5. Treat Risks       | Risk mitigation plan and follow-through                                                                                                                                                                | Risk mitigation plan
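The risk register and heat map from steps 3 and 4, together with the "Risk Level: Impact x Likelihood x Controls" rule from the Sample Risk Attributes slide, can be turned into a small working tool. The following is an added example, not code from the presentation or from Albert Risk Management Consultants. It assumes 1-to-5 ordinal scales for impact, likelihood and control adequacy (with control adequacy scored as vulnerability, so weaker controls raise the level, matching the slide's "Control Adequacy (Vulnerability)" wording), a hypothetical tolerance of 25 on the resulting 1-to-125 scale, hypothetical red/amber/green thresholds, and a constructed sample register.

```python
from dataclasses import dataclass

# Assumed ordinal scales (not from the slides): 1 = lowest, 5 = highest.
# "controls" is scored as vulnerability, so weaker controls give a higher
# number and therefore a higher risk level.
SCALE_MIN, SCALE_MAX = 1, 5

# Hypothetical tolerance and heat-map colour thresholds on the 1..125 product scale.
TOLERANCE = 25
RED_AT, AMBER_AT = 60, 25


@dataclass(frozen=True)
class Risk:
    """One row of the risk register, using the attribute names from the slide."""
    name: str
    cause: str          # trigger
    consequence: str    # effect on assets
    impact: int         # severity
    likelihood: int     # frequency / probability
    controls: int       # control adequacy, scored as vulnerability
    velocity: str       # time to impact: "fast" or "slow"


def _check_scale(value: int, field: str) -> int:
    """Reject scores outside the agreed scale; a shared vocabulary is step 1 of the rollout."""
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{field} must be in {SCALE_MIN}..{SCALE_MAX}, got {value}")
    return value


def risk_level(risk: Risk) -> int:
    """Risk level as the slide defines it: Impact x Likelihood x Controls."""
    return (_check_scale(risk.impact, "impact")
            * _check_scale(risk.likelihood, "likelihood")
            * _check_scale(risk.controls, "controls"))


def heat_zone(level: int) -> str:
    """Colour band for the heat map; thresholds are the assumed constants above."""
    if level >= RED_AT:
        return "red"
    if level >= AMBER_AT:
        return "amber"
    return "green"


def heat_map(register):
    """Impact-by-likelihood grid: (impact, likelihood) -> names plotted in that cell."""
    grid = {}
    for r in register:
        grid.setdefault((r.impact, r.likelihood), []).append(r.name)
    return grid


def prioritize(register, tolerance=TOLERANCE):
    """Step 4 of the framework: keep risks outside tolerance, highest level first.
    Among equal levels, fast-moving risks come first, since less warning time
    leaves fewer mitigation options (the slide's "velocity" point)."""
    outside = [(risk_level(r), r) for r in register if risk_level(r) > tolerance]
    outside.sort(key=lambda t: (-t[0], t[1].velocity != "fast"))
    return [(r.name, level, heat_zone(level)) for level, r in outside]


# Constructed sample register; entries are illustrative, not from the slides.
SAMPLE_REGISTER = [
    Risk("Data center flood", "Natural catastrophe", "Interruption of operations", 5, 2, 2, "slow"),
    Risk("Ransomware outage", "Criminal attack", "Interruption of operations", 4, 4, 4, "fast"),
    Risk("Vendor contract dispute", "Legal action", "Monetary loss", 2, 3, 2, "slow"),
    Risk("Key supplier failure", "Supplier insolvency", "Interruption of operations", 4, 3, 3, "slow"),
]

if __name__ == "__main__":
    for name, level, zone in prioritize(SAMPLE_REGISTER):
        print(f"{name:<24} level={level:<3} zone={zone}")
```

With the constructed register, only the ransomware and supplier entries exceed the assumed tolerance and reach the treatment step; the flood scenario scores high on impact but low on likelihood and lands in the green band, which is exactly the kind of portfolio-level comparison the heat map is meant to make visible.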


Page 14

Page 15

Develops answers to key risk questions

Source: Standard & Poor’s


Page 16

An ERM Consultant…

• Can:

– Facilitate the ERM process on a focused, streamlined and unbiased basis

– Recommend application of tested tools/techniques

– Highlight lessons learned

– Help avoid common pitfalls or sticking points

– Listen, probe and help clarify risk issues

• Can’t:

– Own the ERM process; it must be owned internally

– Understand “the insider’s view” in the same way that an actual insider can

– Provide expert opinion on all the company’s specific risks and treatment options; may need to involve specific area experts at some point


Page 17

Concluding Thoughts

• The “Chief Risk Officer” must know (i) the risk management process, (ii) the key risks, and (iii) how to communicate and collaborate.

• ERM doesn’t have to be extremely complex to offer value.

• Best to start small and prove value before investing heavily (systems, etc.)


Page 18

Questions/Comments