1

Enterprise Risk ManagementLessons, Trends & Laws

Paul L. Walker

Feb. 26th, 2004

2

Lessons from the Field

3

ERM Definition

• ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events, that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.– COSO Fall 2003

4

There are knowns, known unknowns, and unknown

unknowns. Author unknown

5

Strategic Risk: Value Collapse in The Fortune 1000

• Studied Fortune 1000 between 1993-98

• Ten percent of the Fortune 1000 lost over 25% of shareholder value within a one-month period. Even after two years, the Value Collapse 100 had not recovered.

• Most of these losses can be attributed to ___________ risk.

6

Strategic Risk: Value Collapse in The Fortune 1000

24

12

76

4

21

2

11

7 76

3 3

0

5

10

15

20

25

% of Top 100

Cost Overrun

Accounting Problems

PoorManage-

ment

Supply Chain Issues

Competi-tive

Merger Problem

Wrong Products

Pricing Pressure

CustomerLosses

R&D &

Other

Demand Shortfall

Regulation

Strategic58%

Operational31%

Finan-cial6%

Foreign Economic

Issues

High Input

Prices & Interest

60

70

80

90

100

110

120

130

140

150

160

0 2 4 6 8 10 12 14 16 18 20 22 24

Sto

ck P

rice

Gro

wth

Ind

ex

Months after Initial Drop

S&P 5001

Value Collapse

1002

Source: Mercer Value Growth Database, Mercer analysis.Note: 1S&P 500 index is the sum of the S&P indexes corresponding to time period for each of the 100 companies. suffering stock drops.2Data was not available for all companies for all 24 months after the stock drop (e.g., for stock drops in the last two years. Where data was not available, companies were excluded from that month for both the 100 companies. index and the S&P 500 index.

7

The ERM Process

Monitor Act Assess Risks

Identify RisksSet Objectives

8

The Management Challenge: Four Barriers to Strategy Execution

Only 5% of the workforce understands

the strategy

The Vision Barrier

The People Barrier

Only 25% of managers have goals/incentives

linked to strategy

The Management Barrier

85% of executive teams spend less than one hour per month discussing long-term strategy

The Resource Barrier

60% of organizations don’t link budgets to strategy

9 of 10 companies

fail to executestrategy

9

10

Enterprise Risk M anagem entEnterprise Risk M anagem ent

BusinessVision

BusinessO bjective

RiskFram ew ork

IdentifyR isk

Universe

RiskW orkshop

Control &Action

W orkshop

M onitorEvaluateM anage

M arket Sha re

R espect Individual

Service to C ustom er

Strive for E xcellen ce

Expans io n O pportunity

Distributio n

C usto mer Service

R etentio n

Develop ment

Leadership

Categorize R isk

Standard Framew ork

R eference

Survey Stakeho lders

C omp ile Data

Share D ata

Schedule W orkshop

C ross Divis io na l

Discussio ns

Add itio nal R isk

Prior it ize R isk

Evaluate R isk

Existing Co ntro ls

D efic ienc ies

Actio n P lan

Respo nsibility

Actio n and T imeline

M o nitor Progress

Address Gaps

R eport R esults

Wal-Mart’s ERM Process

11

Company Perspective

• “I think the point to risk management is not to try and operate your business in a risk-free environment. It’s to tip the scale to your advantage. So it becomes strategic rather than just defensive.”Peter Cox, CFO, United Grain Growers Ltd.

12

Risk Identification TechniquesInternal interviewing and discussion:

• interviews• questionnaires• brainstorming• Self-assessment and other facilitated workshops• SWOT analysis (strengths, weaknesses, opportunities, and threats)

External sources:

• comparison with other organizations• discussion with peers• benchmarking• risk consultants

Tools, diagnostics and processes:

• checklists• flowcharts• scenario analysis• value chain analysis• business process analysis• systems engineering• process mapping

AICPA, Managing Risk in the New Economy, p. 9

13

Business Risk Model TM -- A Common Language

Competitor Sensitivity Shareholder Relations Capital Availability

Catastrophic Loss Sovereign/Political Legal Regulatory Industry Financial Markets

Operations RiskCustomer Satisfaction

Human ResourcesProduct Development

Efficiency Capacity

Performance GapCycle Time

SourcingCommodity Pricing

Obsolescence/ShrinkageCompliance

Business InterruptionProduct/Service Failure

EnvironmentalHealth and Safety

Trademark/Brand Name Erosion

Empowerment RiskLeadershipAuthority

LimitPerformance Incentives

Communications

Financial RiskCurrency

Interest RateLiquidity

Cash Transfer VelocityDerivativeSettlement

Reinvestment/RolloverCredit

CollateralCounterparty

Information Processing/Technology Risk

AccessIntegrity

RelevanceAvailability

Integrity RiskManagement Fraud

Employee FraudIllegal Acts

Unauthorized UseReputation

OperationalPricing

Contract CommitmentMeasurement

AlignmentCompleteness and Accuracy

Regulatory Reporting

FinancialBudget and Planning

Completeness and AccuracyAccounting Information

Financial Reporting EvaluationTaxation

Pension FundInvestment EvaluationRegulatory Reporting

StrategicEnvironmental ScanBusiness Portfolio

ValuationMeasurement

Organization StructureResource Allocation

PlanningLife Cycle

The Economist Intelligence Unit, Managing Business Risk, p. 15

Environment Risk

Process Risk

Information for Decision-Making Risk

14

Risk ManagementAssessing Impact and Likelihood of Occurrence

10

10

Low Likelihood of Occurrence High

MinorDisturbance

Catastrophic

Impact onAchievementof Objectives(Significance)

Adapted From The Economist Intelligence Unit, Managing Business Risk, p. 30 and Deloitte & Touche, Perspectives on Risk, p. 13

Inspect/Correctand

Monitor

Prevent at the

Source

ControlUnnecessary;

Continue to Assess

Monitorand

Investigate

1

4th QuartileLow Impact

Low Likelihood

3rd QuartileLow Impact

High Likelihood

2nd QuartileHigh Impact

Low Likelihood

1st QuartileHigh Impact

High Likelihood

15

??

?

?

?

?

Impact

Frequency

16

E-BusinessRisk Map

1/5/00

Significance High/Low=6 High/Medium=8 High/High=9Organizational Structure IT Infrastructure Pricing AccuracyCommunications - Internal/External Litigation Accounting Controls

High IT Data Integrity Content Accountability System Integration E-business owner Hidden Costs Third Party Communications Credit Risk Hacking Due Diligence Risk

Margin ProtectionCompetitivenessProfitability Measurement

Medium/Low=3 Medium/Medium=5 Medium/High=7

AuthorityRegulatory - State Differences Points of Failure

Medium Code of Conduct Regulatory ResponseComplex Process/Systems

Business Exit Strategy External Data IntegrityResource Allocation - IT & HR

Employee Privacy Intellectual PropertyCustomer Privacy Unauthorized IntermediaryTechnology Contract Terms

Transparent IntermediaryAlliances & CompetitionOrder Fulfillment

Low

Low/Low=1 Low/Medium=2 Low/High=4Qualify Customer Default Strategy

Low Medium High

Likelihood

17

Instructions

1. Please list the key processes within your area of responsibility (e.g., the six to eight major activities performed within your function).

2. For each of these key processes, please list the:

a. risks that could impede the processb. factors that contribute to the riskc. management activities, or controls, that are or should

be in place to mitigate the risk

3. Please list the objectives for your area of responsibility (no more than ten key objectives that if attained would ensure success in your area).

4. Please assess the overall readiness within your area of responsibility to seize opportunities and manage risks.

18

Key Process

KEY PROCESS RISKS:CONTRIBUTING FACTORS:

MANAGEMENT ACTIVITIES:

Consequences:

Experienced Risks:

19

Objectives for Your Area of Responsibility

Please list the objectives for your area of responsibility (no more than ten key objectivesthat if attained would ensure success in your area).

20

Risk ReadinessUse the following categories to assess the overall readiness within your area of responsibility to seize opportunities and manage risks using the scale at the bottom of the page:

Management Environment VL L M H VHe.g., ethical values, HR policies, accountability, trust, proper resources

Risk Assessment VL L M H VHe.g., objectives clear, risks identified, measurement indicators, monitoring of environment

Management Activities VL L M H VHe.g., policies practiced, expectations and scope, decisions by right people, integrated control processes, timely decisions

Information / Communication VL L M H VHe.g., communication processes, relevant information, coordination ofdecisions, plans communicated, information needs reassessed

Monitoring VL L M H VHe.g., performance monitored, assumptions challenged, follow upprocesses, periodic reporting on risk management and control

VL = Very Low L = Low M = Medium H = High VH = Very High

What is your level of concern with respect to the overall ability of your area of responsibility to seize opportunities and manage risks? Please circle the most appropriate response:

21

Making Enterprise Risk Management Pay Off

• Barton, Shenkir and Walker

• Published by the Financial Executive Institute in 2001 and by the Financial Times in 2002

22

Case-Study Companies in FERF Study

Study Company Industry Revenues1 Employees

Chase Manhattan Corp.2 Financial Services $22,982 74,800

Dupont Chemical $26,918 94,000

Microsoft Corp. Technology $19,750 31,575

United Grain Growers, Ltd. Agriculture C$1,832 1,600

Unocal Corp. Energy $6,057 7,550

1Most recent fiscal year in millions of U.S. dollars (except for United Grain Growers which is in millions of Canadian dollars).

2J.P. Morgan Chase & Co. as of December 31, 2000.

23

Main Reasons Involved in ERM

• Shareholder value, shareholder value and shareholder value

• Known unknowns and unknown unknowns:– Number and complexity of risks– Avoid debacles

24

Lessons From Case Study Companies

• No single approach

• Identify risks enterprise-wide– Look for integration, value and consistency

25

More Lessons

• Assess and measure risk- Maps, rankings, lists- Can be quantitative or qualitative

• Driving risk awareness throughout organization

• Risk champions

26Note: All loss amounts are in millions of dollars.

1.10

1.00

0.90

0.80

0.70

0.60

0.50

0.40

0.30

0.20

0.10

0.00$0.00 $6.18

Annual Loss Amount

Prob-abilitythatAnnualLosswillExceedAmountShown

Sample RiskGain/Loss Probability Curve

90% - $0.30

80% - $0.48

70% - $0.68

60% - $1.13

50% - $1.15

40% - $1.50

30% - $1.98

20% - $2.73

10% - $4.28

27

Actual Revenues VersusRisk Corrected Revenues

1980

1981

1982

1983

1984

1985

1986

1987

1988

1989

1990

1991

1992

1993

1994

ActualDistribution

RiskCorrection

Distribution

Risk CorrectedRevenues

ActualRevenues

28

Goal of Risk Management at Dupont

Distribution after Risk ManagementInherent

Distribution

Earnings

29

Natural Gas9%

Ethane4%

Cyclohexane5%

Corn2%

Soybeans2%

Anticipated Local Currency Margins

46%

Floating Rate Debt32%

Notional Amount at Risk= $5 billion

Where’s the volatility?

30

The Volatility

• Natural Gas 46%

• Corn 18%

• Interest Rates 20%

• Euro 12%

• JPN Yen 9%

31

Earnings at Risk by Risk Factor

Total DuPont EaR by Risk Category(100% = $35 million)

Commodity Prices

Foreign Exchange

InterestRates

32%51%

17%

0%

5%

10%

15%

20%

25%

30%

35%

Chemicals Precious Metals Natural Gas Agriculture Other Commodities

Commodity Contribution toEaR by Major Commodity

(100% = $16 million)

0%

5%

10%

15%

20%

25%

30%

35%

Euro Yen Mexican Peso Canadian $ Other Currencies

Foreign Exchange Contribution toEaR for Major Currency

(100% = $26 million)

32

Earnings at Risk Hedge Effectiveness Comparisons

-$40

-$30

-$20

-$10

$0

$10

$20

$30

$40

Business Unit 1 Business Unit 2 Business Unit 3 Business Unit 4 Total DuPont DiversificationBenefit

"Natural" Earnings at Risk

With Hedging Earnings at Risk

Earnings at RiskContribution(millions of dollars)

33

Expected Earnings and EaR for Budget Year 2000

$0

$10

$20

$30

$40

$50

$60

$70

Janu

ary

Feb

ruar

y

Mar

ch

Apr

il

May

June

July

Aug

ust

Sep

tem

ber

Oct

ober

Nov

embe

r

Dec

embe

r

Expected Earnings Earnings at Risk

$ MillionsSummary by Month

0%

5%

10%

15%

20%

25%

$545Equals the earnings

Corresponding to the95% CI

$125EaR equals the

difference

$670Equals the expectedOr budgeted earnings

Earnings($ millions)

Distribution or AnnualizedEarnings Outcomes

34

Probability Assessment of Earnings OutcomesIllustration

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

25%

20%

15%

10%

5%

0%$545

Level of earningscorresponding with EaR

$640 $670Expected

or budgeted earnings

Earnings($ millions)

Interpretation: There is a 30% chance thatdue to all risks (although this analysis could beproduced for each risk, or SBU) earnings willfall below $640 million for the year.

Probabilityof a SpecificOutcome

CumulativeProbability

35

Earnings Variability by Key Factor

-0.90 -0.80 -0.70 -0.60 -0.50 -0.40 -0.30 -0.20 -0.10 0.00 0.10 0.20 0.30 0.40 0.50 0.60 0.70 0.80 0.90 1.00

Total (not additive)

Pension – OPEB

Sales Volume

Prices

Environmental

Fuel Cost

Transmission Congestion

Interest Rates

Plant Availability

GDP

(Cents per share)

36

Risk, Quantification and Gap Analysis

37

Weather 1 1 1 1 1 1 1 1 3 1 1 1 1 1 1 1 1 1 20

Basis/Price Risk 1 1 2 1 2 1 1 1 1 1 1 1 1 2 1 1 1 2 22

Foreign Exchange 2 1 2 1 2 1 2 1 1 1 1 1 1 1 1 2 1 2 24

Regulatory Risk CWB, Transportation

1 1 1 1 1 1 1 1 2 2 2 1 1 3 1 2 2 1 25

Inventory 1 1 2 1 1 2 1 2 1 2 1 3 1 1 1 2 1 1 25

Transportation 1 1 1 1 2 2 1 1 2 2 1 1 1 1 2 2 2 1 25

Major Property (e.g., terminals)

1 2 3 1 1 1 1 1 2 1 2 1 2 1 1 1 1 3 26

Credit/Receivables 2 2 2 1 2 2 2 1 1 1 1 1 1 1 2 2 2 2 28

EDP System Failure 1 2 3 1 2 2 1 1 2 1 1 2 2 2 2 1 2 1 29

Leverage (debt/equity) 1 2 2 2 1 2 2 1 2 1 1 1 2 1 1 2 2 3 29

Customer/Supplier/Finance Counterparty

2 2 3 1 1 2 2 2 1 2 1 2 1 1 1 1 2 2 29

Data accuracy 2 2 3 2 1 2 2 1 2 2 1 1 1 1 2 1 3 1 30

Interest Rate 2 2 3 1 2 2 2 1 2 1 2 1 2 1 2 2 1 3 32

Business Interruption 3 3 2 1 1 2 2 2 2 2 1 1 2 1 1 2 1 3 32

Spoilage/Disease 1 1 1 1 3 3 3 2 1 2 2 2 2 1 1 3 1 2 32

Strategic Planning 2 3 2 2 1 1 1 1 2 1 1 3 2 2 2 2 3 2 33

Environmental 3 2 2 2 1 3 2 2 1 2 2 2 2 1 1 2 2 1 33

Process Compliance/Execution

3 2 2 2 1 2 2 1 2 1 1 1 2 1 2 3 3 3 34

38

The Gap (source MMC 2003)

1.0

2.0

3.0

4.0

5.0

6.0

7.0

8.0

9.0

1.0

2.0

3.0

4.0

5.0

6.0

7.0

8.0

9.0Management Effectiveness

Inherent Risk

HighRisk

Moderateto High

Risk

ModerateRisk

Low toModerate

Risk

Low Risk

High ManagementEffectiveness

Moderateto High

ManagementEffectiveness

ModerateManagementEffectiveness

Low toModerate

ManagementEffectiveness

Low ManagementEffectiveness

Compliance

IT Security

Human Resource

Shareholder Relations

Environmental

Business Continuity

Management Succession

Financial Reporting

Counter-Party Settlement

Product Liability

CommunicationHazard

39

“Those who live only by the numbers may find that the computer has simply replaced the oracles to whom people resorted in ancient times for guidance in risk management and decision making.”

Peter Bernstein, Against The Gods: The Remarkable Story of Risk

40

Enterprise Risk Management: Pulling it all Together

• Walker, Shenkir and Barton

• Published by the IIA in 2002

41

Case-Study Companies in IIA Study

1,244,000$193,300RetailingWal-Mart Stores Inc.

6,800$9,200Oil & Gas OperationsUnocal Corp.

386,000$184,600ManufacturingGeneral Motors Corp.

13,800$7,000Electric UtilitiesFirstEnergy Corp.

61,000C$5,900Postal DeliveryCanada Post Corp.

EmployeesRevenues1IndustryCompany

1Most recent fiscal year ending on or before September 30, 2001, in $ millions U.S. (except Canada Post Corp., which is in Canadian dollars).

42

Elements of Effective Risk Management

• C-level support and CAE leadership

• Link to value (the CFO challenge)

• Changes in internal auditing

• Ownership vs. facilitation

• Risk integration

• Risk Infrastructure

• Corporate Governance

43

• I will show the committee the risk maps, which identify the top risks for each division, and give them an example of the action plans under development. I will also describe how the monitoring process works, and the manner in which we will link action plans and metrics to shareholder value. – John Lewis, Chief Audit Executive, Wal-Mart

44

BoardReporting Audit

CommitteeReporting

Risk Champions

ManagementAccountability

Internal AuditFollow-up

Volume and

Frequency of

Information

ManagementFollow-up

Change inAudit Approach

Chief RiskOfficer

ERM

ERM CommitteeERM & Corporate

Governance

45

Functional Assessments of Risks, Controls,

& Objectiveswith VPs &

Management teams

Functional Assessments of Risks, Controls,

& Objectiveswith VPs &

Management teams

Corporate Risk/Control

Objectivesassessment

session with top 100

Executives

Discussion of results

with Management

Executive Committee

Corporate Risk/Control

Objectivesassessment

session with top 100

Executives

Discussion of results

with Management

Executive Committee

AnnualAudit Opinion

andAudit Plan

AnnualAudit Opinion

andAudit Plan

Risk MgmtProcessUpdates

AuditResults

ConsultingProjects

ActionPlans

Follow-up

DAREResults

CrossFunctional

IssuesAnalysis

Board StrategicPlanningSession

Board StrategicPlanningSession

Canada Post’s ERM Process

46

Reporting to the Board of Directors

• Top risks identified.

• Assessment of top risks.

• Most challenging objectives.

• Control effectiveness (over time).

• Outstanding action plans.

47

Ri sk 1

Ri sk 2

Ri sk 3

Ri sk 4

Ri sk 5

Ri sk 6

Ri sk 7

Ri sk 8

Ri sk 9

Ri sk 10

Ri sk 11

Ri sk 12

Ri sk 13

Ri sk 14

Ri sk 15

Ri sk 16

Ri sk 17

Ri sk 18

Low High

48

Corporate Control Effectiveness

1 2 3 4

A1

A2

A3

A4

A5

B1

B2

B3

B4

C1

C2

C3

C4

C5

D1

D2

D3

D4

D5

D6

Purpose

2.5

Commitment

2.2Monitor/Learn

2.4

Capability

2.4

1= Not very effective2= Somewhat effective3= Substantially effective4= Very effective

49

Achievability of Objectives

1

2

3

4

Ach

ieva

bilit

y

1 2 3 4 5 6 7 8 9 10 11

50

FUNCTIONAL RISK ASSESSMENT SUMMARY 2000 / 2001

51

Key Governance Questions Relating to ERM (source MMC 2003)

Reporting

Execution

Strategy

Policy

• Is there a process for assessing risk and capabilities?

• Is Board advising on “mission-critical” risks?

• Is opportunity-seeking behavior balanced with risk-taking?

• Are boundaries and limits adequately defined ?

• Is there a process for reporting risk and performance?

• Does the organization structure support risk reporting?

• Are key risks managed?

• Are capabilities effective?

• Is risk-sensitive culture in place?

52

Trends

53

How would you characterize the status of your ERM framework?

(Tillinghast-Towers Perrin, 2000)

% of Respondents

9%

22%

20%

38%

11%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Complete ERM framework

Partial ERM framework

Planning to implement framework

Investigating concept

No framework and no plans

54

Will ERM help you address this business issue?

% of Respondents Selecting “Yes”

85%

68%

69%

50%

64%

63%

62%

67%

55%

57%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Earnings growth

Revenue growth

Earnings consistency

Technology costs

Return on capital

Regulatory change/compliance

People costs

Expense control/reduction

Product pricing

Capital management/allocation

55

Which of the following risks are included in your internal audit plan?

% Indicating Each Risk

12%

49%

83%

88%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Financial risks

Operational risks

Strategic risks

Other

56

Adoption is wide (Economist and MMC, 2001)

• 33% of Asian companies have adopted some form of ERM

• 34% of North American companies are implementing some form of ERM

• Europeans are ahead in adoption (53%)

57

ERM can improve their P/E ratio and cost of capital

• 84% believe there is a link between ERM and P/E and cost of capital

58

Communicating ERM to investors is beneficial

• More than 50% believe there is something to gain by communicating their ERM efforts to the investment community

59

Non-traditional risks

• Executives report that their most significant risks are not the traditional finance or insurance risks

• These are also among the most poorly managed risks.

60

Risks Should Drive the Audit Committee Agenda

• Risk Oversight– “…making sure that management has instituted

processes to identify, and bring to the board’s attention, the major risks the enterprise faces.”

• Report of the NACD Blue Ribbon Commission

• “Risk Oversight-Board Lessons for Turbulent Times”

61

Based on Management’s Risk Assessment Process

• Audit Committees should focus on:– Accountability for, and

– Effectiveness of• Management’s Risk Assessment Process

• Controls Related to Risks– Source: KPMG’s Audit Committee Institute

62

Audit Committee Involvement (per 2003 proxies of Fortune 100)

0

10

20

30

40

50

60

70

80

90

100

HaveCharter

SomeRisk Mngt

List of BusRisks

Fin RisksOnly

Nothing Disc withIA

Disc withEA

63

Advanced ERM Co’s (PWC’s Global CEO

Survey, 2004)

• Have significantly higher benefits, for example– 74% of advanced co’s report that ERM helps

create value (compared to 39% of nonadvanced)

64

Commitment: ERM as a Priority

• 39% of CEOs agree

• 38% of Boards agree

65

The Laws

66

Laws and Key Documents

• Turnbull and the UK

• Kontrag and Germany

• South Africa and the King Report

• Australia and New Zealand Standard

• Sarbanes-Oxley?

67

Math

• ERM Compliance + Ad hoc procedures = Survival

• ERM Process + Focus on Value + Corporate Governance = SUCCESS

68

Summary: Why Enterprise Risk Management?

1. ______________

2. ______________

3. ______________

69

Company Perspectives

• “Enterprise risk management is a great, great process. I could not say more about it.”Mario Pilozzi, Wal-Mart Canada COO

• “An organization cannot shrink its way to greatness it must grow and one of the keys to successful growth is excellent risk management.”Jacqueline Wagner, GM General Auditor

70

Company Perspectives

• “The approach we have taken in financial risk and business risk is to try to quantify what we can and not necessarily worry that we are unable to capture everything in our measurement.”George Zinn, director of corporate finance, Microsoft Corp.

71

Company Perspectives

• “What we have is a control process now. We don’t have a value creation process. That’s what we’re trying to do.”Susan Stalnecker, Treasurer, DuPont Co.

Questions and Answers

73

“The past seldom obliges by revealing to us when wildness will break out in the future.”

Peter Bernstein

Against the Gods: The Remarkable Story of Risk