Enterprise Risk Management 2016 Confidential, unpublished property of UPS. Do not distribute - limited solely to authorized personnel. Conversations AFERM Summit November 8, 2016 Keith Cureton VP Global Compliance & Ethics | ERM


Why A Conversation


COSO Defines ERM as:

“Enterprise Risk Management is a process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise. It is designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

and talk about them!


UPS Around The World


Organizational Chart: Assurance Structure

[Chart; box labels: Board Of Directors, Risk Committee, UPS Audit Committee, Management Committee, Enterprise Risk Governance Committee, Enterprise Risk Council, Internal Audit, Compliance & Ethics, ERM]


Enterprise Risk Council (ERC)

Co-Chaired by: Chief Legal Officer, Chief Audit Officer

• VP Domestic Operations
• VP Engineering
• VP Finance & Accounting
• VP Human Resources
• VP Information Technology
• VP International Operations
• VP Legal & Public Affairs
• Director Program Management Group
• VP Public Relations
• VP Risk Management
• VP Sales / Marketing
• VP Security
• VP Strategy


Policy Book

We Establish Risk Management Programs. We use appropriate processes to identify, manage, and mitigate the inherent risks that affect our business.

Through our centralized Risk Management Department, we maintain the expertise needed to analyze and insure exposures of risk to our company’s financial position, reputation, and ability to operate.

Additionally, we use enterprise risk management and business continuity programs to safeguard our company against significant risks we cannot completely insure.


UPS PROXY STATEMENT

Governance Of Our Company

Board’s Role in Risk Oversight

Our board is responsible for overseeing our risk management.

The board reviews periodic assessments from the Company’s ongoing enterprise risk management process that are designed to identify potential events that may affect the achievement of the Company’s objectives.


• Having the right conversation?

The Key to Success?


What to do with an 800 Pound Gorilla?


Risk Mantra

“It is pardonable to be defeated, but never to be surprised.”

Frederick the Great, 1712-1786


Our Greatest Challenge

• The problem is with what we know!

Old Truth

New Truth

Think


A Good Conversation

[Figure: six numbered elements arranged around "Conversation": 1 Information, 2 Context, 3 Measurement, 4 Solution, 5 Awareness, 6 Follow-up]


ERM Framework Summary

1. Information: Understand Objectives
   • Specific • Measurable • Aligned • Realistic • Timely
2. Context
3. Measurement
4. Solution
5. Awareness
6. Follow-up

Also shown: Business Environment, Organizational Strategy, ERM


Defining Risk Appetite & Tolerance

Risk Capacity: The broad based amount of risk a company is able to accept in pursuit of its mission, vision, business objectives and overall strategic goals - directly related to an entity’s capital, liquidity and external stakeholder influence

Risk Appetite: The broad-based aggregate amount of risk a company is willing to accept in pursuit of its mission, vision, business objectives and strategic goals - directly related to an entity’s risk capacity as well as its culture, desired level of risk, risk management capability and business strategy

Risk Tolerance: The specific maximum applicable to each category of risk regarding the magnitude of risks that the organization is willing to take to achieve its strategy and objectives - set such that the aggregation of risk tolerances ensures the organization operates within the risk appetite

Risk Target: The optimal level of risk that the organization desires to take to achieve specific business objectives and operate within its appetite/tolerance for risk – defines the balance between risk and reward - risk target is based on the management’s desired returns, the role of risk to achieve those returns and capability to manage the risk/reward profile

Risk Limits: Thresholds to ensure that variation from expected outcomes will be consistent with the risk target, but will not exceed the risk appetite/tolerance – defines process level controls and management authorities and should reflect risk limits

[Figure labels: Capital; Strategic Goals; Aggregate Risk Level; Risk Appetite Correlated to Risk Categories (Strategic, Compliance, Operations, Financial); Risk Tolerance Correlated to Business Plans and Metrics; Risk/Reward Balance; Risk Targets Correlated to Controls & Authorities at the Functional & Process Levels]

[Categories shown: Security; Corporate Governance; Strategy; Responsibility/Sustainability; Information Technology; Operations, Engineering; Legal & Public Affairs; Sales & Marketing; Finance & Accounting; Ethics & Compliance; Human Resources; Other]

Adapted from - Institute of Actuaries of Australia Risk Appetite


ERM Framework Summary

1. Information: Understand Objectives
   • Specific • Measurable • Aligned • Realistic • Timely
2. Context: Identify & Categorize
   • Strategic • Operational • Reporting • Compliance
3. Measurement
4. Solution
5. Awareness
6. Follow-up

Also shown: Business Environment, Organizational Strategy, ERM


Enterprise Risk - Management

Enterprise - Risk Management

Which Is it?


Risk Governance (Illustrative)

Enterprise Risk Portfolio: Risks that are material to the Enterprise and monitored at the Corporate level

Regional Risk Portfolio: Risks that may pose a significant impact at the Region / Business Unit level

District Risk Portfolio: Risks that may pose a significant impact at the District or Country level

[Figure: individual risks drawn in the district, regional and enterprise portfolios; governance labels: Enterprise Risk Council, Risk & Compliance Committees]

Risk Response

Examples:
• Risk: Management Retention, with its Mitigation
• Risk: Terrorism, with its Mitigation


UPS Enterprise Risk and Control Framework (Illustrative)

[Chart; labels listed in extraction order, column layout not recoverable]

COSO Framework: Compliance, Operations, Strategic, Reporting

UPS Risk Categories: Ethics & Compliance; Sales & Marketing; Operations/Infrastructure; Legal & Public Affairs; Information Technology; Human Resources; Corporate Governance; Strategy; Finance & Accounting; Communications / Brand Management; Security / Sustainability

Sponsor rows for each category: MC Sponsor, ERC Sponsor (cells read "C-Suite" and "VP")

Risk Sub-categories: Terrorism; Compliance Monitoring & Reporting; Ethical Culture “Tone at the Top”; Compliance Structure & Oversight; Regulatory Compliance; Compliance Policies & Procedures; Compliance Communication & Training; Addressing Allegations; Compliance Program Assessment; Records & Information Management; Occupational Health & Safety; HR Resource Policies & Procedures; Talent Pipeline/Recruitment; Performance & Compensation; Health & Welfare Benefits; Retirement & Pension Programs; Training and Development; Company Culture; Retention / Succession; Diversity; Architecture; Global Business Services; I.T. Records Management; Technology Licensing; I.T. Asset Management; I.T. Business Continuity Management; I.T. Change Management; I.T. Contracting & Outsourcing; Privacy and Data Protection; I.T. Operations; I.T. Physical & Environmental Security; I.T. Problem Management; I.T. Project Management; Competition / Antitrust; Contract Management; Government Investigations; Intellectual Property (IP); Labor & Employment Issues; Laws and Regulations; Litigation & Dispute Resolution; Privacy and Security Laws; Union Labor / Workforce Issues; Facilities and Equipment; Market Research; Customers; Competition; Marketing Strategy; Marketing Programs; Revenue Management / Pricing; Product Development; E-Commerce/Internet Strategy; Sales Strategy; Customer Relations / Customer Support; Customer Technology; Environmental Concerns; Energy Management; Operational Security; Operational Planning; Operations Management; Asset Utilization; Operational Reporting; Operations Performance Management; Distribution & Warehousing; Social Media; Communication (Employee/Customer); Branding & Reputation; Advertisements & Sponsorships; Philanthropy; Sustainability Programs; Social Concerns; Public Relations; Board Effectiveness; Risk Oversight & Management; Audit Quality; External Fraud; Business Continuity (Crisis Mgt.); Economic Conditions; Geopolitical Concerns; Technology Strategy; Vision, Mission, and Values; Industry Trends; Organization Structure; Third Party/Joint Venture; Strategy Communication; Growth Strategy; Business Concentration; Mergers/Acquisitions/Divestitures; Scenario Planning; Business Model; Customer Credit Policy; Credit Rating; Financial Asset Investment; Commodity Price Impact; Compliance w/ Accounting Standards; Financial Statement Fraud; Accounting Processes; Business Information & Analysis; Capital Management; Planning/Budgeting/Forecasting; Taxation; Procurement; Insurance and Hedging; Investor Relations; Aviation Security; Acquisition Integration; Public Affairs; Government Uncertainty; Fleet Management (Ground / Air); Board Structure & Senior Leadership


Top 5 Input Areas - 2015 (Illustrative)

1. Domestic legislation
2.
3.
4.
5.

Top 5 Input Areas - 2016 (Illustrative)

1.
2.
3.
4.
5.


Example (Illustrative): Laws and Regulations, a risk sub-category under Legal & Public Affairs

Roles shown: Risk Owner, SME, Governance

Names shown: Bill Smith, John Davis, Steve Johnson, Legal Oversight Committee


ERM Framework Summary

1. Information: Understand Objectives
   • Specific • Measurable • Aligned • Realistic • Timely
2. Context: Identify & Categorize
   • Strategic • Operational • Reporting • Compliance
3. Measurement: Assess & Profile
   • Impact • Likelihood
4. Solution
5. Awareness
6. Follow-up

Also shown: Business Environment, Organizational Strategy, ERM


Risk Rating Matrix (Illustrative)

Likelihood of Risk Occurring

Value | Likelihood | Description
5 | Very High | Event has occurred in last 12 months, or; >75% chance of occurring within five to 7 years.
4 | High | Event has occurred in last 24 months, or; 50-75% chance of occurring within five years.
3 | Medium | 20-50% chance of occurring within five years.
2 | Low | 10-20% chance of occurring within five years.
1 | Very Low | <10% of occurring within five years.

Impact if Risk Occurred

Value | Impact | Mission | Finance | Operations
5 | Very High (Severe) | Severely impacts our ability to achieve UPS Mission | Results in a single year financial impact >$XXX MM, with ongoing impact | Severely disrupts enterprise-wide customer service or operations reliability; or impacts brand long term
4 | High (Significant) | Significantly impacts our ability to achieve UPS Mission | Results in a single year financial impact greater than $XXX MM and less than $XXX MM, with some ongoing impact | Significantly disrupts enterprise-wide customer service or operations reliability; or impacts brand long term
3 | Medium (Moderate) | Moderately impacts our ability to achieve UPS Mission | Results in a single year financial impact greater than $XX MM and less than $XXX MM, with some ongoing impact | Moderate impact on enterprise-wide customer service or operations reliability; or impacts the brand for a limited period of time
2 | Low (Minor) | Minor impact on our ability to achieve UPS Mission | Results in a single year financial impact greater than $XX MM and less than $XX MM, with some ongoing impact | Limited disruption of customer service or operations reliability, limited impact on brand
1 | Very Low (Insignificant) | Insignificant impact on our ability to achieve UPS Mission | Results in a single year financial impact <$XX MM, and little ongoing impact | Minimal disruption of customer service or operations reliability, no impact on brand


ERM Framework Summary

1. Information: Understand Objectives
   • Specific • Measurable • Aligned • Realistic • Timely
2. Context: Identify & Categorize
   • Strategic • Operational • Reporting • Compliance
3. Measurement: Assess & Profile
   • Impact • Likelihood
4. Solution: Develop / Ensure Response
   • Take • Treat • Transfer • Terminate • Transparency
5. Awareness
6. Follow-up

Also shown: Business Environment, Organizational Strategy, ERM


Risk Response

Risk Assessment Model: Take, Treat, Transfer, Terminate

Questions:
• How much influence do we have over the risk occurring?
• What can be done to reduce the impact of the risk event, if it occurs?
• Can the risk be prepared for and/or recovered from?
• Is this risk within our risk appetite and/or tolerance?

[Figure labels: Impact; Likelihood; Prevention of risk occurrence; Reduction in risk severity; Recovery from risk event; Preparedness; Discontinue; Determine if in risk Appetite]

Transparency:
• Is this risk able to be viewed & understood?
• Would the risk be taken if it was visible to all stakeholders?

Copyrighted Material – do not reproduce or distribute without written permission of United Parcel Service


ERM Framework Summary

Diagram labels: Information; Business Environment; Organizational Strategy; ERM; Context; Understand Objectives (Strategic, Operational, Reporting, Compliance); Identify & Categorize; Measurement; Assess & Profile (Impact, Likelihood); Solution; Develop / Ensure Response (Take, Treat, Transfer, Terminate, Transparency); Awareness; Communicate (Senior Management, Enterprise Risk Council, Risk Owners, Business Leaders); 6 Follow-up; Specific, Measurable, Aligned, Realistic, Timely.


ERM Structure

ERM Program
• ERM is a process that identifies, evaluates and prioritizes enterprise level risk.
• It confirms ownership of risks, ensuring accountability and mitigation activities are in motion.
• ERM enhances visibility and transparency to the highest organizational levels.
• ERM does not own risk or replace the management of risks.

• UPS Board of Directors
• Audit Committee of the Board of Directors
• Risk Committee of the Board of Directors
• Enterprise Risk Governance Committee (ERGC)
• Five Management Committee Members
• Enterprise Risk Council (ERC)
• Senior Functional and Business Unit Representatives
• Enterprise Risk Owners

• Statutory oversight of risk assessment and risk management. Oversees evaluation of major financial risks.
• Oversees the adequacy and effectiveness of the company’s ERM program, including the identification of risks and evaluation process.
• Responsible for overseeing management of enterprise risks.

Corporate Committees
• Information Security Council
• Business Continuity Committee
• Finance Committee
• Legal Risk Committee
• Security Committee

Business Risk & Compliance Committees
• International
• Domestic US
• Country BRCC
• Region BRCC
• District BRCC

• Corporate Functions, Business Units, Risk Committees
• ERM Survey Responses
• Benchmarking
• Current Conditions


Risk Recognition (Oblivious to the Obvious)

“The thing long expected takes the form of the unexpected when at last it comes.”

Mark Twain, 1835-1910


Risk Profile (Illustrative)

Preventable / Strategic / External

Risk Statement: There is a risk that current legislation will require all delivery vehicles, operating within major city limits, to be electric powered by 2019.

Risk Category, Sub-Category, MC Sponsor, ERC Sponsor, Risk Owner:
Operations / Engineering Fleet Management C-Suite VP – ERC Member VP Public Affairs VP Engineering

Risk Contributor(s), each followed by its Control(s) / Mitigation with Function, Status, L, I and Planned Completion:

Proposed climate change legislation to lower large city carbon emissions
- Establish relationships with key legislators to ensure Company concerns are addressed. (Function: Public Affairs; Status: Executed; L: -; I: -; Planned Completion: --)
- Public Affairs to develop impact and response plan to include potential alternative legislation or time extension for implementation of current regulations. (Status: On-going; L: 1; I: -; Planned Completion: Q4-2018)

Limited alternatives to current delivery methods in large metro areas
- Current engineering study to identify and / or create alternative delivery options. (Function: Engineering; Status: Planned; L: -; I: 0.4; Planned Completion: Q4-2017)

Increased cost of alternative vehicles due to supply and demand challenges
- Current program in place to identify and purchase alternative fuel powered vehicles. (Function: Automotive; Status: On-going; L: -; I: -; Planned Completion: --)
- Establish with automotive industry priority vendor relationships for the purchase of new vehicles. (Status: Planned; L: -; I: 0.4; Planned Completion: Q4-2018)
- Investigate acquisition project to acquire production plant to retrofit current vehicles. (Function: Engineering; Status: Planned; L: -; I: 0.2; Planned Completion: Q4-2018)
- Develop capital budgeting proposal and assess overall impact. (Function: Finance; Status: Planned; L: -; I: -; Planned Completion: Q1-2017)

Current Rating Tier 2

Comments:

Tier 1 Target Rating


UPS Consolidated Risk Profile (Illustrative)

Heat map of Impact against Likelihood, each on a scale of VL, L, M, H, VH. Legend: Current Tier 1 risks are numbered 1 to 19 (1: legislation requiring electric powered vehicles); Current Tier 2 risks are lettered A to R.


ERM Framework Summary

Diagram labels: Information; Business Environment; Organizational Strategy; ERM; Context; Understand Objectives (Strategic, Operational, Reporting, Compliance); Identify & Categorize; Measurement; Assess & Profile (Impact, Likelihood); Solution; Develop / Ensure Response (Take, Treat, Transfer, Terminate, Transparency); Awareness; Communicate (Senior Management, Enterprise Risk Council, Risk Owners, Business Leaders); Follow-up; Monitor (Assurance / Insurance, Governance & Oversight); Specific, Measurable, Aligned, Realistic, Timely.


Final Thoughts

The central value of an ERM program is found in its ability to provide an organization with a systemic awareness of potential risk events. It does not generate intelligence; it is a consumer of information provided by all parts of the organization, and it all begins with a conversation.


AFERM Summit, November 8, 2016

Keith Cureton, VP Global Compliance & Ethics | ERM