The Interaction of Treasury and Risk Management
NCSU Enterprise Risk Management Initiative
January 25, 2008
Brian Warren
Director, Risk Management
Microsoft Corporation

Agenda
• A Quick Tour of Microsoft
• Microsoft Treasury
• Life Cycle of a Dollar
• Financial Risk Management
• Business Risk Management
• ERM at Microsoft
• Operational Risk Management Case Study - Classification of High Business Impact Data
• Q&A

Microsoft by the Numbers
• $60B Revenue*
• $18.5B Net Income*
• 84,600 Employees (and hiring)
• Subsidiaries in 103 Countries
• 24 million sq ft of facilities at 565 sites
* Forward looking guidance 1/24/07

Microsoft’s Businesses
• Microsoft Office; SharePoint Portal Server; Microsoft LiveMeeting
• Windows Vista; Windows Media Center Edition; Tablet PC
• Microsoft Dynamics
• Xbox
• Windows Live Search; MSN; Hotmail
• Consumer software and hardware; TV platform
• Messenger
• Windows Mobile Software
• Windows Server; SQL Server; Exchange Server; Developer Tools
• Windows Embedded Device OS; Windows Automotive
• Microsoft Consulting Services

What does all this mean to me?

Microsoft FY08 Risk Universe
Enterprise Risk Management domains: Strategic; Operations; Financial/Reporting; Legal/Compliance
• Business Model: Vision & Direction; Monetization Model; Brand/Marketing Strategy; Channel Strategy; Pricing Strategy; Competitive Positioning; Value Chain Strategy; Measurement & Monitoring
• Strategic Investments: M&A; Partner Alliance; Ecosystem Investments; R&D Investments
• Market Dynamics: General Macro Environment; Social-Political; Technology Changes; Talent Acquisition; Customer Demand; Consumer Lifestyle; UGC/Sharing; Use of Mobile vs. PC
• Business Model Disruptions: "Thin" Client Services; Open Source; Ad-Funded; Virtualization; OEM Disruption; Channel Alienation; Importance of S/W H/W Coupling
• Product Development: Product Strategy; Software Development; Product Development Partners; Product Quality/Integrity; Product Security; Product Release; 3rd Party Subsystems or Functionality Integration
• Sales & Marketing: Research and Development; Marketing; Advertising; Product Pricing; Sales and Marketing - Partner Management; Sales Contracting/Customer Pricing; Order Management; Public Relations
• Services: Consulting Services; Customer Support; Service Partners; Customer Operations
• Supply Chain: Manufacturing Planning and Forecasting/Product Availability; Vendors/Partners/Contract Execution; Procurement; Production; Inventory & Capacity Management; Distribution Channels; Product Licensing/Subscriptions; Product Compliance; Software Piracy
• Corporate Governance: Board Performance; Governance Framework; Corporate Citizenship
• Legal Compliance: Ethics and Business Conduct; Anti-Corruption; Fraud
• Legal: Contract; IP/Source Code Protection; IP Infringement; Piracy/Counterfeiting
• Regulatory: Antitrust and Competition Law; Export Control and Global Trade; Labor Laws and Regulations; Securities; Environment; Data Protection and Privacy; Product Safety
• Planning & Resource Allocation: Operational and Business Planning; Budgeting and Forecasting; Capital Expenditure Planning; Outsourcing
• Treasury: Cash Management; Hedging; Investing; Insuring; Funding; Credit and Collections; Securities Lending
• Financial Reporting: GAAP Accounting; External Reporting & Disclosure; Internal Control/SOX 404/302; Statutory Reporting; Internal Reporting; Information & Reporting Integrity
• Tax: Tax Strategy and Planning; Tax Optimization; Transfer Pricing; Property Taxes; Tax Compliance
• Investor Relations: Communications
• Mergers, Acquisitions & Divestitures
• People: Culture; Recruiting & Retention; Global Resourcing; Development and Performance; Succession Planning; Compensation & Benefits; Labor Relations; Employee Communications; Organizational Structure
• Information Technology: Infrastructure Resiliency and Availability; Data Privacy; Data Management, Integrity and Quality; Infrastructure Security; Information System Access; IT Governance
• Business Continuity: Natural Events; Information Technology Recovery; Business Process Recovery; Crisis Management; Man Made Events
• Corporate Physical Security: Buildings and Facilities; Threats of Violence; Incidents of Theft; Life Safety

Microsoft Treasury
• Microsoft is generating free cash flow at a rate now exceeding $18B / year.
• Investment income is running over $1B annually, from ~ $21B of managed assets.
• FY07: stock buy-back $27B, dividends $3.8B, acquisitions ~ $1.5B
• Mandate: provide $1B liquidity within 24 hours at any time.

Treasury’s Business Model: The Lifecycle of the Dollar
[Diagram labels: Revenue/Sales; Change in Cash]
• Treasury Risk Group: 15-FTE
• Capital Markets Group: 20-FTE
• Global Cash Management & Treasury Operations: 15-FTE
• World Wide Credit Services: 68-FTE
• Corporate Finance: 3-FTE

Worldwide Credit Services
Organized into 2 groups:
• Windows Online Credit Services
• WWCS
Maximize A/R protection, while allowing MS to expand sales and increase market share
• Evaluate A/R risks and appropriate reserves
• Develop tools to anticipate future risks
• Maintain continuous and consolidated information on customer financial condition and outstanding credit balances
• Provide credit-related expertise and services

Microsoft Finance In The News

Global Cash Management and Treasury Operations Groups
• Settlements in over 100 countries and 25+ currencies
• 995 bank accounts of which 500+ are managed daily
• Active management of over 30 counterparty relationships
• Monthly transaction volume over $40B
• SWIFT Initiative – cash visibility and optimize cash balance
The value of a global centralized treasury function

Capital Markets
• Capital Markets
• Portfolio Management
• Liquidity Portfolio
• Special Purpose Portfolio
• Investment Portfolio
• Strategic Investments
• Foreign Exchange

Risk Group: Financial Risk Management
Twofold Role:
• Independent check on portfolio manager risk and performance
• Advise portfolio managers on risk from investment choices
Risk Metrics and Reports:
• Value At Risk (VAR)
• Stress Testing
• Scenario Analysis
• Counterparty Risk
Performance Reports:
• Performance attribution (allocation vs. selection)
• Risk-adjusted Returns
Daily Green Zones Report

Financial RM – Looking Ahead
Developing advisory capabilities
• Risk Budgeting
• Pre-trade consultation
Testing vendor hosted VaR system
• Computing and data maintenance is intense, difficult to support in-house
• Correlation matrices already hosted by vendor

Business Risk Management
Hazard Risk Management:
• Risk Consulting and Insurance (Risk Financing)
Claims, Information and Analysis Team:
• Quantitative Risk Analysis and Assessment
• Accounting coordination
• IT application Product Management
• Claims preparation, submission, pursuit
• Records management

Business Risk Management: classic risk map
[Axes: Probability (Low to High) against Economic Loss (Low to High)]
High probability, low economic loss
• Risks: PC Theft; Low Dollar Property; Contractual Obligations
• Solution: Self Insurance (retain the risk)
High probability, high economic loss
• Risks: IP Infringement Liability; Private Antitrust; E&O Liability; Operations Impact Damages; Product Recall/Return
• Solution: Captive Insurance
Low probability, low economic loss
• Risks: Low Dollar Crime; Fiduciary Liability
• Solution: Self Insurance (retain the risk)
Low probability, high economic loss
• Risks: High Dollar Property; Consequential Loss; High Dollar Crime
• Solution: 3rd Party Insurance

Enterprise Risk Management
History
• Risk Maps circa 1996
• Risk “knowledgebase” prototype circa 1998 (RISKS)
• 1999 – prototype quantitative estimates of top material P/C risks
COSO era
• 2005 – first assessment of how well Microsoft meets new COSO standard
• 2007 – current ERM program launched

Practical ERM
For Microsoft, Risk Resiliency resonates
• How can I structure my finances to survive a major disaster or technology disruption?
• Assumes “black swans” exist
Resiliency can be obtained via:
• Retained risk capital
• Contingent capital (lines of credit, insurance)
• Agile business structure (low fixed / flexible variable costs)
Gates’ mandate: Keep at least one year of OPEX on hand

Enterprise-wide Risk Management
MS executes enterprise-wide risk management by means of distributed subject matter experts carrying out discrete efforts.
[Diagram labels: Office of ERM; Ops; TRG; Legal; IA & Compliance]
In this model, TRG is one expert resource in a matrix of risk management activity.

Treasury Risk Group’s Role
How do we enact our mission of being in-house risk SMEs?
Quantify economic impact of loss scenarios
• Scalable and repeatable quantitative risk estimates
• Reports of loss scenarios
• Scale to gauge risk materiality
• Decision support for Microsoft Business Groups and the enterprise
• Validate adequacy of Microsoft insurance programs
Evolution of the work:
• Blue Sky: Scenario risk mapping
• Atlas v.1: Single event/worst case
• Atlas v.2: Frequency and severity output
• Atlas v.X: Refinement going forward

• Interviews…: Nearly 300 interviews
• Algorithm: Catastrophic Risk Categories; Business Group-specific Loss Scenarios; Common Cost Elements
• Stochastic behavior model: Reliable data; Credible assumptions
• Validate Outputs

Atlas Quant Methods
Many ‘tools’ to choose from
Actuarial approaches
• Exposure, Frequency, Severity
• Loss Development
Decision Theory approaches
• Influence diagrams
• Decision trees
• Monte Carlo simulation
Six Sigma approaches
• Failure Modes Effects Analysis

ORM Case Study
Classification of High Business Impact Data
“Least Privileges Access”
Problem:
• Unanticipated result of internal SharePoint “dogfooding”
• Proliferation of SharePoint sites with no or low access limitations
• Default when setting up new SharePoint sites was ‘accessible to all’.
• Many site owners were not changing access to level appropriate for content.

Microsoft High Business Impact (HBI) Data Requirements
Microsoft must protect the following information
• Financial information (non public)
• Customer data
• Intellectual Property
• Personnel data
Microsoft must follow national and international laws and regulations
• GLBA
• SOX
• HIPAA
• COPPA
• CB 1386
• EU directives
• Japan’s privacy laws

HBI Problem Statement
Policy must be enforced
• MSFT Data handling policy requires classification
• For HBI, encryption required
Repositories have large amounts of data and are distributed globally
Remediation must be efficient and effective
• Remediation must be automatic
• Remediation must facilitate business needs
MSFT must be able to demonstrate HBI policy compliance
Beginning State: Controlling Sensitive Data (HBI) ORM exposure rated “High” and top risk.

Methodology & Deployment Plan
• Develop Proof of Concept
• Conduct Risk Analysis
• Design and Build
• Pilot and Deploy
• Plan to Grow to Service Management

MSFT Treasury Support for Risk Assessment
Collaboration with MSIT HBI Team
• MSIT, Treasury, LOB, Legal
• Small data sample evaluated by team
Created a process model
• Included Exposure, Frequency & Severity
• Model Parameter Estimates used to drive Monte Carlo simulation
• Base case = SharePoint sites created with open-access default, and no file scanning.
• 6 comparison scenarios = SharePoint sites created with limited-access as default, and various file scanning & classification tool options

MSFT Treasury Support for Risk Assessment
Cost of classification & remediation project estimated
• ROI > 600% (Expected Loss / Project Cost > 600%)
Operational issue now cast in business terms
• Accept Risk – Take no additional action
• Mitigate Risk – Implement Classification & Remediation program with expected ROI

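The two risk-assessment slides above describe an exposure, frequency and severity model driven by Monte Carlo simulation and summarized as Expected Loss / Project Cost. The sketch below is an added example, not the Treasury Risk Group's model: every parameter (site count, probabilities, lognormal severity, project cost) is constructed, and only one of the comparison scenarios is shown.

```python
import math
import random
import statistics

# Every number below is constructed for illustration; the slides publish no
# model parameters, only the resulting "ROI > 600%".
SITES = 400               # exposure: SharePoint sites in scope
TRIALS = 2000             # simulated years per scenario
PROJECT_COST = 150_000.0  # classification & remediation project cost

def poisson(rng, lam):
    """Draw an incident count for one year (Knuth's multiplication method)."""
    limit, count, product = math.exp(-lam), 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count

def simulate(rng, p_open, p_incident, mu, sigma):
    """Exposure x frequency x severity: one total loss per simulated year."""
    lam = SITES * p_open * p_incident   # expected incidents per year
    return [sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, lam)))
            for _ in range(TRIALS)]

def summarize(losses):
    """Expected annual loss and the 95th-percentile year."""
    ordered = sorted(losses)
    return {"expected": statistics.fmean(ordered),
            "p95": ordered[int(0.95 * len(ordered)) - 1]}

def compare(seed=2008):
    rng = random.Random(seed)
    # Base case: open-access default, no file scanning (60% of sites over-shared).
    base = summarize(simulate(rng, p_open=0.60, p_incident=0.05, mu=11.0, sigma=1.0))
    # Comparison scenario: limited-access default plus scanning (5% over-shared).
    limited = summarize(simulate(rng, p_open=0.05, p_incident=0.05, mu=11.0, sigma=1.0))
    # The slide's ratio: expected loss of doing nothing over project cost.
    roi = base["expected"] / PROJECT_COST
    return base, limited, roi

if __name__ == "__main__":
    base, limited, roi = compare()
    print(f"base    expected={base['expected']:,.0f}  p95={base['p95']:,.0f}")
    print(f"limited expected={limited['expected']:,.0f}  p95={limited['p95']:,.0f}")
    print(f"Expected Loss / Project Cost = {roi:.0%}")
```

Reporting the 95th-percentile year next to the mean shows how much of the case for mitigation rests on tail losses rather than on the average year.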
Classification of High Business Impact Data Framework
HBI Classification & Remediation Framework
• WORKFLOW ENGINE: Business workflow engine supports IT’s business needs and enables remediation
• BUSINESS REPORTING: High end key metrics
• Classification: Automatic classification of all File Share (network folders) and SharePoint Sites
• LOCKDOWN
• UNSTRUCTURED DATA: Unclassified Data or Unprotected Data
HBI Classification Workflow Engine
[Diagram stage labels: CLASSIFY; SCAN; APPLY RULES; REMEDIATE. Data labels: HBI; MBI; LBI]
• Classifying Data by classifying SharePoint sites & FileShare; and Enforcing higher levels of Access controls on HBI and MBI Data
• Content monitoring to identify sensitive content
• Once information is scanned and properly classified, it is audited based upon flexible content transmission policies
• key words and phrases will be identified and weighted based upon information classification requirements that are dictated by regulatory, industry and Microsoft Security standards.
• the automated service will detect and remediate all HBI and MBI files across all managed Microsoft accessible digital assets

Solutions Adopted
• All File Shares and SharePoint sites classified within 30 days or locked down.
• Broad access groups cannot be used and will be automatically removed: Anonymous; Guest; Everyone; NT\Authenticated Users
• HBI sites will not be permitted to have group access (Active Directory or Security groups). Groups will be removed automatically.
• HBI Data must be encrypted
• HBI Reporting and KPI’s allow demonstration of compliance: Data Scanned; Frequency of Scanning; Number of HBI Detections by LOB, user, etc.; Average days to remediation
End State: Controlling Sensitive Data (HBI) ORM exposure rated “Low”.

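The adopted rules above can be written as an automated check over a site inventory. This is an added example, not Microsoft's remediation service: the Site and Principal records, the sample inventory and the reading of "within 30 days" as "lock down once older than 30 days" are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Broad access groups named on the slide, lower-cased for comparison.
BROAD_GROUPS = {"anonymous", "guest", "everyone", r"nt\authenticated users"}
CLASSIFY_DEADLINE_DAYS = 30   # assumption: lock down once a site is older than this

@dataclass
class Principal:              # hypothetical ACL entry
    name: str
    is_group: bool

@dataclass
class Site:                   # hypothetical inventory record
    url: str
    created: date
    classification: Optional[str]   # "HBI", "MBI", "LBI", or None if unclassified
    encrypted: bool
    acl: list = field(default_factory=list)

def evaluate(site, today):
    """Return the remediation actions the adopted rules call for on one site."""
    actions = []
    if site.classification is None and \
            (today - site.created).days > CLASSIFY_DEADLINE_DAYS:
        actions.append("lock down: unclassified after 30 days")
    for entry in site.acl:
        if entry.name.lower() in BROAD_GROUPS:
            actions.append(f"remove broad group: {entry.name}")
        elif site.classification == "HBI" and entry.is_group:
            actions.append(f"remove group from HBI site: {entry.name}")
    if site.classification == "HBI" and not site.encrypted:
        actions.append("encrypt HBI data")
    return actions

def audit(sites, today):
    """Map each non-compliant site URL to its required actions."""
    findings = {s.url: evaluate(s, today) for s in sites}
    return {url: acts for url, acts in findings.items() if acts}

# Constructed inventory (not real sites).
INVENTORY = [
    Site("https://sp.example/sites/fin-close", date(2008, 1, 2), "HBI", False,
         [Principal("Everyone", True), Principal("FIN-Controllers", True),
          Principal("alice", False)]),
    Site("https://sp.example/sites/team-lunch", date(2007, 11, 1), None, False,
         [Principal(r"NT\Authenticated Users", True)]),
    Site("https://sp.example/sites/new-project", date(2008, 1, 20), None, False,
         [Principal("bob", False)]),
    Site("https://sp.example/sites/hr-comp", date(2007, 12, 1), "HBI", True,
         [Principal("carol", False)]),
]

if __name__ == "__main__":
    for url, acts in audit(INVENTORY, date(2008, 1, 25)).items():
        print(url, acts)
```

Counting the entries of the audit result per line of business or per owner over successive scans would produce detection-count figures of the kind the KPI list names.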
Feedback
“The risk management team provided tremendous value to the HBI LPA program at several levels. … having an independent review of our processes and methodology was very helpful. It provided valuable feedback that we incorporated into our planning and implementation of the project. The economic analysis done helped drive towards the right solution, and gave information to our management helping in their decision as well. Having the economic data to back up the risk versus benefit is extremely helpful in deciding on the right approach. In addition, it was a very valuable learning opportunity for the entire team.”

© 2005 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.