IIA / ISACA Joint Meeting December 11, 2012
University of Michigan Dearborn
Enterprise Risk Management: Building the Foundation
Jay R. Taylor, CIA
WHAT IS RISK MANAGEMENT?
First, let’s ask: what is risk?
Risks are the things that, if they occur, can keep a company from achieving its objectives.
FOCUS OF RISK MANAGEMENT
Rather than ask “what keeps you up at night?”, you should ask, “What must go right for you to achieve your objectives?”
RISK IS ALSO ABOUT OPPORTUNITY
• Create a competitive advantage with a great product launch!
• Or ... be well positioned if external events such as fuel prices do increase ... or decrease
ESSENTIAL BUILDING BLOCKS
1. Senior leadership support
2. Framework
3. Risks
4. Scales to evaluate risk
First – Determine What Senior Management and the Board Wants
Senior leadership support for the program is critical! The answers will be different for every organization. Examples:
• “What are the things that could put us out of business?”
• “Help me see around the corner and identify what I don’t know about already”
• “Do we really do a good job protecting our reputation and how we are perceived in the market?”
Second – Adopt a Framework
COSO ERM Definition
A process, effected by all of the entity’s personnel including the board of directors and management, applied across the enterprise and in strategy-setting, designed to identify potential events that may affect the entity, and manage risk, to provide reasonable assurance regarding the achievement of entity objectives.
AS/NZS Standard ERM Definition
The culture, processes and structures that are directed toward realizing potential opportunities whilst managing adverse effects.
ISO 31000 Risk Management Definition
Risk management is conceived as integral with the organization’s structures, roles and responsibilities and objectives. It is not an afterthought to be done when all the real work is finished. It is part and parcel of regular objective- and result-driven decision making. Risk management is also subjected to the same performance measurements, monitoring, assurance, review and other management techniques used to track how well objectives are met by results.
Third – Determine What Types of Risk to Include in the ERM Program
• Internal / Preventable
• External
• Strategic
Different strategies are needed to address each of these.
Types of Risk
Category I: Internal / Preventable
Examples:
• Breakdowns in routine operations
• Unauthorized, illegal, unethical, incorrect or inappropriate actions by managers
• Rogue trader
How to manage them:
• Active prevention
• Guiding people’s behaviors through communicating values, company policy and compliance checking
• Monitoring operational processes
• CSA (control self-assessment)
• Internal audit
Types of Risk
Category II: External
Examples:
• Arise through outside events, often beyond our influence or control
• Natural and political disasters
• Major macroeconomic shifts
How to manage them:
• Active identification
• Focus on mitigation of the impact
• Techniques include: DRP (disaster recovery planning), Scenario Planning & Analysis, Stress Testing, War Gaming
Types of Risk
Category III: Strategic
Examples:
• Taking on credit risk to finance a customer
• Drilling in deep water in the Gulf of Mexico to extract oil
• Risk vs. Opportunity - Design a product portfolio aligned with competitors and trends
How to manage them:
• Cannot be managed through rule-based models
• Need to reduce the probability that the assumed risks actually materialize, and
• Improve the company’s ability to manage or contain the risk events, should they occur
Organizations voluntarily accept some risk in order to generate superior returns on their strategy.
WHAT WE DO
1. ERM program defined
2. What we consider a “key” risk
3. Program objectives
4. Risk measurement tools and sample templates
5. Role of the risk officer
6. How we support their management of risk
Defining Enterprise Risk Management
Enterprise Risk Management (ERM) is about facilitating discussions about risk:
A process applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within our risk appetite, to provide reasonable assurance regarding the achievement of our business objectives.
So ERM must:
• Take an entity-level portfolio view of risk
• Identify potential events affecting us in either direction (positive or negative)
• Be able to identify when too much risk is being taken
Ultimately, the program is designed to provide assurance to senior management and the board of directors.
Defining Key Risks
• A key risk is a risk that could keep GM from achieving its objectives of designing, building and selling the world’s best vehicles at a profit.
• Generally speaking, these risks usually have high or very high potential impact to the company ($1B or more), and can range in likelihood of occurrence from low to very high.
Risk Management Vision and Objectives
Key Objectives:
• Develop a program that is “part of doing business” – integrated with existing management processes
• Key Company Risks are identified, properly assessed and addressed in a timely manner
• Provide objectivity and transparency in assessing risks and mitigation plans
• Develop clear accountability for risk
• Build confidence of key stakeholders
Create a Competitive Advantage
Prepared, Agile and Fast
Risk Officer Team
Objective: Ensure the organization has the right structure and tools to systematically identify, assess, and effectively manage key company risks in a continuously changing environment.
The Risk Management Team holds a monthly Risk Officer Meeting with risk officers from: Treasury; Corp Strategy & Bus Dev; Tax; Insurance Risk Management; GM Asset Management; Controller’s; GM Financial; Product Development; Communications; Human Resources; Planning & Portfolio; Public Policy; GPSC; Research & Development; Global Connected Consumer; Legal; Information Technology; Audit Services; North America; South America; IO; Europe.
Risk Officer Duties: Will be discussed in a later presentation.
Tools for Risk Management
We will discuss:
• Tools to identify and capture risk
• Templates to summarize risk definition, inherent and residual risk, ownership and action plan
• Resources to assist management in dealing with their risk
Risk Identification
• Survey of risk officers
– Identify new and emerging risks
– Obtain perceptions of changes in significance (e.g. Top Risks versus others)
– Focus on risk description and inherent risk level
• Tools
– Excel
– Powerpoint
– Other
Risk Assessment
• Workshop with all risk officers
– Software:
• Individual risk owner determination
– Action plan and timing
– Residual risk
• Critical - CRO and Board “sense check” the ratings
Inherent Risk – Assessing the Level of Risk
Inherent Risk Definition
• Inherent Risk: the level of business risk in the absence of any actions management might take to alter either the risk’s likelihood of occurring, or its impact.
• While there are many types of business risks, typically inherent financial risk measures the potential impact on earnings, cash flow or liquidity.
• Inherent risk levels may change with changes in the economy and other non-controllable factors. The assessment considers the impact, persistence (time period), velocity (speed of impact if the event is realized), and our response readiness.
Inherent Risk Scale
Rating – Definition
1 – Minimal: Minimal level of business risk.
2 – Low: The inherent risk could at most result in an impact under USD $500 million, or produce a relatively minor impact on the company’s ability to meet strategic goals or execute its priority initiatives.
3 – Moderate: The inherent risk could at most allow financial exposure up to USD $1 billion, or have a moderate negative impact on the company’s ability to meet strategic goals or execute priority initiatives.
4 – Significant: The inherent risk could result in significant negative consequences as measured by either: financial impact of USD $1 to 5 billion; important impediments to achieving strategic business initiatives; or corporate, brand or reputational risk. Senior management attention is required to support risk mitigation plans as well as reduce impediments.
5 – Critical: Potential for catastrophic, negative impact to the company if financial, strategic or reputational risk is not properly managed. Financial exposure could exceed USD $5 billion. Senior management and Board attention to these risks is needed.
Note that the level of inherent risk implies the risk strategies to be employed and the controls and monitoring procedures to be used (e.g., riskier approaches need more monitoring and more control).
Residual Risk – Assessing What Remains
Residual Risk Definition
• Residual Risk: the risk that remains after management implements risk mitigation plans.
• The level of residual risk is determined after applying one or more risk management techniques: Avoid, Accept, Reduce, Share or Transfer.
• Risk is a part of doing business. Risk mitigation involves reducing, not eliminating, the likelihood or impact of risks. The goal for any risk is to ensure that the residual risk is at a level acceptable to senior management, and within any defined tolerance level for that risk.
Residual Risk Scale
Rating – Definition
1 – Acceptable: The implemented mitigation plans provide assurance that the amount of residual risk is minimal and within the company’s risk tolerance (if defined).
2 – Low: The residual risk could at most result in an impact under USD $500 million, or produce a relatively minor impact on the company’s ability to meet strategic goals or execute its priority initiatives.
3 – Moderate: The residual risk that remains once mitigation plans have been implemented could at most allow exposure up to USD $1 billion, or have a moderate impact on the company’s ability to meet strategic goals or execute priority initiatives.
4 – Significant: While mitigation plans are in place, the level of residual risk could still result in significant negative consequences as follows: financial impact of USD $1 to 5 billion; important impediments to achieving strategic business initiatives still exist; or significant corporate, brand or reputational risk still exists. Senior management attention is required to support risk mitigation plans as well as reduce impediments.
5 – Critical: Mitigation plans are either not yet in place or cannot reduce the amount of residual risk to a reasonable level. Potential for catastrophic, negative impact to General Motors if financial, strategic or reputational risk is not properly managed. Financial exposure could exceed USD $5 billion. Senior management and Board attention to these risks is needed.
Things to Consider when Prioritizing Risks
• Impact
– Important to consider:
• Financial loss
• Strategic impact
• Revenue targets
• Reputation
• Likelihood
– Also consider the time horizon that an event could arise to trigger the risk
• Persistence
– The time period over which the event is dealt with after an occurrence
• Example: The lingering reputational impact of a major recall
• Velocity
– Speed with which the full impact of the event is realized (i.e. required reaction time)
• Example: Sudden change in exchange rates vs. a chronic warranty issue causing customer dissatisfaction
• Response Readiness
– Preparedness to manage/respond to an event or a series of events (including contingency plans)
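The inherent and residual scales, the key-risk threshold and the prioritization factors above can be turned into a small risk-register calculator. The following is an added example written for this page, not GM’s or the presenter’s tool: the USD bands are the ones on the slides, while the $50 million floor for a “Minimal” rating, the tie-break order used for prioritization, the post-mitigation qualitative re-rating and the four sample risks are assumptions made for the example.

```python
"""Risk register calculator: an added example illustrating the inherent and
residual risk scales, the key-risk threshold and the prioritization factors.
Not GM's tool. The USD bands come from the slides; the $50M floor for
"Minimal", the tie-break order and the sample risks are assumptions."""
from __future__ import annotations
from dataclasses import dataclass

RATING_LABELS = {1: "Minimal", 2: "Low", 3: "Moderate", 4: "Significant", 5: "Critical"}

# Exclusive upper bounds of each financial band in USD, from the slide scale;
# $5B or more is Critical. The slide gives no figure for rating 1, so the
# $50M floor below is an assumption.
MINIMAL_FLOOR_USD = 50_000_000
BANDS = [(500_000_000, 2), (1_000_000_000, 3), (5_000_000_000, 4)]


def rate_exposure(exposure_usd: float) -> int:
    """Map a USD exposure to the 1-5 impact rating."""
    if exposure_usd < MINIMAL_FLOOR_USD:
        return 1
    for upper, rating in BANDS:
        if exposure_usd < upper:
            return rating
    return 5


@dataclass
class Risk:
    title: str
    inherent_exposure_usd: float     # financial exposure before any management action
    strategic_impact: int            # assessor's 1-5 rating before mitigation
    reputational_impact: int         # assessor's 1-5 rating before mitigation
    likelihood: int                  # 1-5
    velocity: int                    # 1 = chronic, 5 = sudden (short reaction time)
    response_readiness: int          # 1 = unprepared, 5 = tested contingency plan
    persistence: int = 1             # 1 = short-lived, 5 = lingers for years
    mitigated_exposure_usd: float | None = None  # None: no mitigation plan yet
    mitigated_qualitative: int = 1   # strategic/reputational rating after mitigation
    tolerance: int | None = None     # defined residual tolerance, if any


def inherent_rating(r: Risk) -> int:
    """Inherent risk: the worst of financial, strategic and reputational impact."""
    return max(rate_exposure(r.inherent_exposure_usd),
               r.strategic_impact, r.reputational_impact)


def residual_rating(r: Risk) -> int:
    """Residual risk after mitigation. With no plan in place the risk stays at its
    inherent level (Critical if inherent is Critical, per the residual scale).
    Mitigation can never raise a rating; if it appears to, the inputs are wrong."""
    inherent = inherent_rating(r)
    if r.mitigated_exposure_usd is None:
        return inherent
    residual = max(rate_exposure(r.mitigated_exposure_usd), r.mitigated_qualitative)
    if residual > inherent:
        raise ValueError(f"{r.title}: residual {residual} exceeds inherent {inherent}")
    return residual


def is_key_risk(r: Risk) -> bool:
    """Key risk: potential impact of $1B or more (rating 4 or 5), at any likelihood."""
    return inherent_rating(r) >= 4


def escalation(rating: int) -> str:
    """Whose attention the scale says a rating needs."""
    if rating >= 5:
        return "Senior management and Board"
    return "Senior management" if rating == 4 else "Risk owner"


def within_tolerance(r: Risk) -> bool | None:
    """Residual against the defined tolerance; None when none is defined and
    senior management must judge acceptability."""
    return None if r.tolerance is None else residual_rating(r) <= r.tolerance


def priority_key(r: Risk) -> tuple:
    """Larger tuple = higher priority: residual impact x likelihood, then faster
    velocity, then weaker response readiness, then longer persistence."""
    return (residual_rating(r) * r.likelihood, r.velocity,
            -r.response_readiness, r.persistence)


def prioritize(risks: list[Risk]) -> list[str]:
    return [r.title for r in sorted(risks, key=priority_key, reverse=True)]


def assess(r: Risk) -> dict:
    """The header fields of one risk template row."""
    inh, res = inherent_rating(r), residual_rating(r)
    return {"title": r.title, "inherent": f"{inh} - {RATING_LABELS[inh]}",
            "residual": f"{res} - {RATING_LABELS[res]}", "key_risk": is_key_risk(r),
            "escalation": escalation(res), "within_tolerance": within_tolerance(r)}


# Constructed sample register; the figures are made up for this example.
SAMPLE_RISKS = [
    Risk("Collaboration tool data exposure", 1_200_000_000, 2, 4, likelihood=3,
         velocity=4, response_readiness=2, persistence=3,
         mitigated_exposure_usd=300_000_000, mitigated_qualitative=2, tolerance=2),
    Risk("Sudden exchange rate shift", 2_500_000_000, 3, 1, likelihood=4,
         velocity=5, response_readiness=4, persistence=1,
         mitigated_exposure_usd=800_000_000, mitigated_qualitative=3, tolerance=3),
    Risk("Major recall", 6_000_000_000, 4, 5, likelihood=2, velocity=3,
         response_readiness=3, persistence=5, tolerance=3),  # no plan in place yet
    Risk("Office supply price increase", 20_000_000, 1, 1, likelihood=5, velocity=2,
         response_readiness=5, mitigated_exposure_usd=10_000_000),
]
```

Running `assess` over the sample register rates the recall risk Critical because no mitigation plan exists, which is exactly the residual-scale wording, and `prioritize` places the sudden exchange-rate shift ahead of it because the prioritization uses the risk that remains to be managed weighted by likelihood, with velocity and readiness only breaking ties. The consistency check in `residual_rating` catches the common data-entry error of a residual that exceeds the inherent rating.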
Risk Management Template Example
Risk Title / Executive Owner:
Inherent Risk (before any actions): 4 - Significant
Current Level of Residual Risk: 2 - Managed
Residual Risk (after mitigation actions complete): 3 - Moderate
Risk Definition: [Insert approved risk scenario]
Key Events that Trigger Risk Exposure: 1. Insert Event 2. Insert Event 3. Insert Event 4. Insert Event 5. Insert Event
Assessment / Description of Residual Risk: • Financial: • Strategic: • Reputation: • Other:
Risk Mitigation Actions Completed: 1. Insert Improvement Opportunity 2. Insert Improvement Opportunity 3. Insert Improvement Opportunity 4. Insert Improvement Opportunity 5. Insert Improvement Opportunity
Responsibility / Due Date: Name, Date (for each action)
Key Risk Indicators: Insert Key Risk Indicators
Related Risks / Additional Comments: Insert Related Risks / Additional Comments
Once implemented, will risk mitigation actions reduce exposure to an acceptable level? YES / NO
Tools for identifying what is most important
Risk Prioritization
[Heat map: risks A through J plotted by LIKELIHOOD (vertical axis) against IMPACT (horizontal axis); cells are graded Low, Low to Moderate, Moderate, Moderate to High, High and Very High.]
Legend
A Liquidity
B Capital Availability
C Reputation
D Competitor
E Equipment Reliability
F Environment
G Regulatory/Compliance
H Knowledge Capital – Training
I Health & Safety
J Raw Material Sourcing
How We Support the Risk Owners’ Management of Risk
• For risk officers:
– Provide orientation and training
– Facilitate discussions in monthly meetings
– Questions at any time
• Provide a range of services, on a “pull” basis:
– Stress Testing
– Scenario Planning & Analysis
– War Gaming
– Other services
“Risk management” tools are helping to improve a wide range of GM decisions on major risks and opportunities
• Game Theory: Analyze issues/negotiations with partners/suppliers/unions/governments/dealers where GM actions can affect others’
• War Gaming: Predict market, competitive, and regulatory environment and draw implications for GM on product or strategy
• Contingency/Scenario Planning: Assess implications of potential events for current GM decisions and preparations
• Economic Analysis: Improve decisions with better estimates of marginal revenue and cost
• Lessons Learned: Improve or cement policies and procedures with “after-action” review and analysis
Example Tool: Risk Management Techniques
• Avoid (eliminate risk by preventing exposure to future possible events from occurring): Divest, Prohibit, Stop, Target, Screen, Eliminate
• Accept (maintain the risk at its current level): Retain, Re-price, Self Insure, Offset
• Reduce (implement policies and procedures to lower the risk to an acceptable level): Disperse, Control, Respond, Diminish, Isolate, Test, Improve, Relocate, Redesign, Diversify
• Transfer (shift the risk to a financially capable, independent counterparty): Outsource, Securitize, Indemnify, Insure, Reinsure, Hedge, Transfer
HOW YOU CAN ADD VALUE IN YOUR ORGANIZATION
1. Improve the process
2. Help identify and capture risk information
3. Share risk information to get action
1 - Can You Help to Improve the Process?
IPPF Standards (2013), 2100 – Nature of Work: The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.
2 - Assisting in Risk Identification
Continually scan various sources to help identify risk in your organization, both existing / known risks and emerging and unknown risks:
• Internal: Audit finding trends; Meetings with company leaders; Changes in the business
• Strategic: CEO speeches; Company announcements; Outside analyst reports; Industry press; Google keyword flagging
• External: Monitoring services; Industry groups; Newspapers and other media; Blogs; Friends
CASE STUDY: BRITISH PETROLEUM
Before the oil spill, there were 761 egregious and willful safety citations issued to U.S. oil facilities.
Question: How many were issued to BP? 760!
Why were the signs ignored?
Are you monitoring the signs in your organization?
So now that you’ve identified a potential risk ...
Risk Capture
• Record the existence of a potential risk – avoid the tendency to forget
• Facilitates the ability to watch the risk change over time
3 – Take Action on Risk Identified
Suggestions:
• Audit managers and directors discuss newly-identified risks with leadership during periodic update or service line meetings.
• Consider whether data analytics or other research should be performed to further quantify or understand the risk.
• Risks captured in the database are reviewed when preparing Audit Committee presentations.
• After elevating a risk, update the database about the discussion and results.
Getting Action on Emerging Risks Identified by Internal Audit
Below is an example of how potential risks are communicated while we are in the process of gathering information and evaluating to determine whether further action may be needed. Each row gives the emerging risk, the potential impact areas marked (Design, Manufacture, Sell, Support) and remarks.
Newly Identified Risks Since Last Meeting
• Collaboration Tool Risk - Risk of sensitive, confidential, or personally-identifiable information being stored within collaborative or shared work sites such as xxxxx without appropriate access security controls. Potential impact area: Design, Manufacture, Sell, Support. Remarks: This issue was identified xxxxx and a comprehensive xxxxxx to address xxxxxx was begun in xxxx. A GMAS audit ixxx ss had xxxx to ixxxx appropriate corrective actions.
• XYX Risk - Risk of xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. Potential impact area: two of the four areas marked. Remarks: New Issue – several GMAS audits since 2008 have identified weaknesses in the way xxxxxxxxx xxxxxxx xxxxxxxxxxx. GMAS in process of working with management to identify next steps.
Updates on or Closure of Previously Identified Risks
• ABC Risk: Risk of someone accessing, corrupting or taking xxxxx ssssssco. Potential impact area: two of the four areas marked. Remarks: Discussed with management. Initiatives are in process to address the risk. GMAS began an audit in February 2011.
What is Risk Appetite?
A scale to help determine if we are taking on too much risk when making business decisions. Without this, how would we know? Business decisions are weighed against our appetite for risk.
Defining the Risk Appetite
Risk Appetite is the amount of risk we are willing to accept in order to meet our business objectives.
Defining our risk appetite draws on four questions:
• What is our risk profile?
• What is our risk capacity (the maximum potential impact the company can withstand)?
• What is our risk tolerance?
• What is the risk / return equation?
Different Levels of Risk Appetite
The level of risk appetite often varies with the types of risk involved:
• Zero Appetite: Health & Safety matters; Regulations; Laws; Insider Trading
• Low to Moderate Appetite: Capital expenditures; Product launches; Political contributions; Acceptance of gifts; Hedging; Write-offs. These types of risks are typically covered by existing policies and procedures defining risk tolerance (e.g., DOA).
• High Appetite: Generally limited to strategic opportunities / risks at the senior management / Board level.