1. Enterprise Risk Management:
Practical Implementation
Barry Franklin
Group Managing Director, Americas
Aon Global Risk Consulting
November 2007
2. Discussion Topics
Preliminaries
Defining ERM
ERM drivers
Recent survey results
Defining “Risk”
Balancing diverse views - consistent framework
A value-driven approach to ERM
Implementation challenges
Case studies
3. What is ERM?
ERM is the process by which companies
identify, measure, manage, and disclose
all key risks to increase value to primary
stakeholders while satisfying other
stakeholders.
4. What is ERM?
• Process: A systematic and sustained business process
• Measure: Consistent metrics adopted in an integrated manner across the organization
• Manage: Focused on enabling management decision making and enabling exploitation of business opportunities
• Disclose: Enabler of meaningful and transparent disclosure to key stakeholders
• Holistic: Integrated approach to Financial, Operational, Strategic and Regulatory risks
• Material risks: Analyzing & quantifying the organization's significant risks
• Value: Balanced perspective on uncertainty, managing threats and capturing opportunities
• Stakeholders: Focused on delivering the organization's key stakeholder needs and expectations
5. Related Risk Management Processes
• Enterprise Risk Management (ERM) is often identified
with Strategic Risk Management (SRM) or
Governance, Risk and Compliance (GRC). Common
elements are:
• Process applied consistently across company
• Driven from the top of the organization
• Takes a proactive, forward-looking view
• Considers both risks and rewards
• Integrates risk management into business process
• Assigns clear risk ownership
6. Driving Forces Behind ERM
(Diagram: four forces converging on Enterprise Risk Management)
• Corporate Disasters: Enron, WorldCom, Adelphia
• Industry Initiatives: Banks, Mutual Funds, Asset Managers, Energy Firms, Corporations
• Best Practices: Treadway Report (US), Turnbull Report (UK), Dey Report (Canada)
• Regulatory Actions: S.E.C., Sarbanes-Oxley, Basel II
7. Executive Research Key Findings
• Most companies are making some progress
• Greater board and CEO involvement
• More awareness across organizations
• Faster adoption outside of North America
• Few companies have progressed to “advanced” level
• Slower progress than originally expected
8. Key Drivers
(Bar chart, 2004 vs 2006, 0% to 80%; the percentages are not recoverable from the extracted slide.) Drivers shown:
• Corporate Governance Requirements
• Understand Hard to Quantify Risks
• Regulatory Pressures
• Board Request
Source: The Conference Board
9. Key Objectives 2006
• Ensure risk considered in decision making 83%
• Avoid surprises 85%
• Integrate risk management into corporate processes 70%
• Align risk exposures & mitigation 65%
• Use risk management as competitive tool 36%
Source: The Conference Board
10. Integration into Business Processes
(Bar chart, 2004 vs 2006; the two values per region are listed in the order they were extracted, so the year assignment is not certain.)
• Rest of the World: 75.0%, 75.0%
• UK/Europe: 53.8%, 65.9%
• United States/Canada: 71.2%, 39.8%
Source: The Conference Board
11. Building the Process
(Bar chart, 2004 vs 2006, 0% to 80%; values not recoverable from the extracted slide.) Elements shown:
• Business Risk Inventory
• Mission Statement
• Regular Risk Assessment
• Common Risk Language
Source: The Conference Board
12. Building the Process
(Bar chart, 2004 vs 2006, 0% to 80%; values not recoverable from the extracted slide.) Elements shown:
• Root Cause Analysis
• Individual Risk Ownership
• Regular Board Reports
• Tolerances
Source: The Conference Board
13. Risk Management Integration
(Bar chart, 2004 vs 2006, 0% to 70%; values not recoverable from the extracted slide.) Processes shown:
• Internal Audit
• Strategic Planning
• New Product Development
• Product Pricing
Source: The Conference Board
15. Key Risks - Americas
• Damage to reputation
• Business interruption
• Third party liability
• Distribution or supply chain failure
• Market environment
• Regulatory/legislative changes
• Failure to attract or retain staff
• Technology failure
• Failure of disaster recovery plan
• Loss of data
Source: 2007 Aon Global Risk Management Survey
16. Level of Preparedness
% with written plan in place or have undertaken a formal review of this risk
Damage to Reputation 48%
Business interruption 70%
Third party liability 75%
Distribution or supply chain failure 63%
Market environment 35%
Regulatory/legislative changes 41%
Failure to attract or retain staff 55%
Market risk 56%
Physical damage 77%
Merger/acquisition/restructuring 69%
Failure of disaster recovery plan 65%
Source: 2007 Aon Global Risk Management Survey
17. Business Activity Priorities
Business Activities | Current Priority Ranking | Priority Ranking – Next 2 years
Risk identification, quantification and analysis 1 1
Regulatory compliance and reporting 2 3
Loss control / prevention 3 4
Managing risk on an enterprise-wide basis 4 2
Risk communication – internally with management and operations 5 5
Emergency / contingency planning 6 6
Insurance buying 7 9
Risk financing 8 7
Claims management 9 8
Risk communication – externally with business partners 10 10
Source: 2007 Aon Global Risk Management Survey
18. Responding to Changing Risks
(Stacked bar chart; the individual percentages cannot be matched to their series from the extracted slide.)
Methods compared: External service/advisor; Benchmarking; Quantitative analysis; Management intuition and experience
Activities: Identify major risks; Assess probability and impact; Determine limits for insurance
Source: 2007 Aon Global Risk Management Survey
19. Identification of Major Risks
(Stacked bar chart by region: All, The Americas, Europe, Asia/Pacific; the individual percentages cannot be matched to their series from the extracted slide.)
Methods compared: Other; External service provider/advisor; Business Unit registers or key risk indicator worksheets; Senior management intuition and experience; Board workshops or scenario planning
Source: 2007 Aon Global Risk Management Survey
20. What is Risk?
• Risk can be defined as the potential harm that may arise from
some present process or from some future event.
• In everyday usage, "risk" is often used synonymously with
"probability", but in professional risk assessments, risk
combines the probability of a negative event occurring with how
harmful that event would be.
• Risk can also be viewed as “volatility from expected.” This
definition captures both the upside and downside of risk.
21. What is Risk?
Financial
• Includes the fluctuating cost of fuel, interest rates and
access to capital
Human Capital
• A growing area of exposure in today’s labor market
including employee selection, retention and
turnover, absenteeism, compensation and labor
relations
Legal / Regulatory
• Incorporates liabilities for employment, defamation and
other allegations, including regulatory change and
governance requirements
22. What is Risk?
Operational
• Includes day-to-day business challenges across all functional platforms, including the drive for efficiency, optimal use of outsourcing and business continuity
Strategic
• Includes organizational planning, such as the strategic
response to changing customer
preferences, competition, reputation/brand, innovation,
etc.
Technology
• Includes system failure, network liability, internet
23. Public Company – View of ERM
• A strategic mechanism for effective risk identification and
containment
• Ensures that business objectives are balanced with:
• Corporate governance initiatives
• Risk mitigation initiatives
• Enhanced and timely business decisions
• Enhanced profitability
• Long-term growth
• Goal to maximize shareholder value for the enterprise as a whole
• Greatly influenced by Sarbanes-Oxley and SEC in the U.S.
24. Private Company – View of ERM
• Short Term:
• Drives structured and disciplined approach to risk
management:
• Provides methodology for measuring business risks
• Increases awareness of risks and potential risks
• Long Term:
• Ability to aggregate risks and benefit from enterprise effects
• Better capital allocation and competitive position
• More effective strategic and operational planning
• Ensures execution of the Core Competency
26. COSO – A Starting Point for ERM
The COSO ERM Framework Consists of
8 Interrelated Components and 4 Objectives
Elements of ERM as outlined in the framework:
• Is a process
• Is effected by people
• Is applied in strategy setting
• Is applied across the enterprise
• Is designed to identify potential events
• Manages risks within risk appetite
• Provides “reasonable assurance”
• Supports achievement of key objectives
Source: COSO ERM Framework
27. Using a Value-Driven Approach
Start with a skilled assessment of your business and ERM needs to ensure that the approach and outcomes are well matched to your needs.
ERM process (diagram):
• Evaluate Risk Process
• Risk Identification & Prioritization
• Risk Quantification
• Risk Response Solution
• Risk Management Implementation
• Governance, Culture and Disclosure
ERM outcome - value: Growth, Profitability, Continuity
28. Evaluate Risk Process
Activities → Deliverables
• Gather information on current status → Current state risk score card
• Develop scorecard ranking current program vs. leading practice → Risk maturity benchmark
• Develop future vision for ERM program → Key ERM goals & objectives
• Develop gap analysis using scorecard format and identify quick-hits → ERM performance plan
• Conduct executive workshop → Alignment on ERM framework / plan
30. Current State Assessment
• Risk management is becoming more complex
• Most companies have a wide range of risk management activities underway (e.g. ERM, Sarbanes-Oxley compliance, operations, risk committees)
• Unfortunately, many companies lack a coherent vision for risk management
• Senior management and board members often have differing views of what information they would like to see from risk management
• Rating agencies are assessing risk management quality as part of their overall rating process – S&P, Fitch
31. Risk Maturity Benchmarking
Sample Risk Maturity Benchmark (matrix extracted from a diagram)
Capabilities assessed: Leadership, People, Partnerships, Processes, Risk Handling. Results assessed: Outcomes, Measures.
Example capability questions: Leadership – Do senior managers support and promote risk management? Process – Do the organisation's processes incorporate effective risk management?
Maturity levels:
• Level 1, Risk Aware (Awareness / Understanding): Awareness of need but little action.
• Level 2 (Implementation planned): Formal approaches to managing risk in place and partially implemented.
• Level 3, Risk Defined (Implementation completed in key areas): Formal approaches to managing risk in place and widely implemented.
• Level 4, Risk Managed (Embedded and improving): Integrated approaches to managing risk are implemented across boundaries.
• Level 5, Risk Enabled (Excellent capability established): Fully embedded in day-to-day business processes and strategies.
32. Maturity: Building Risk Capabilities
Systematically Build and Improve Risk Management Capabilities (stages shown along a Risk → Opportunity axis)
• Initial: capabilities are characteristic of individuals, not of the organization
• Established: process established and repeating; reliance on people is reduced
• Uniform: policies, processes and practices defined and formalized across the organization
• Managed: risks measured, managed and aggregated on an enterprise-wide basis
• Optimizing: organization focused on RM as a source of competitive advantage and continuous improvement
33. Risk Identification & Prioritization
Activities → Deliverables
• Risk categorization and scoring criteria → Risk hierarchy and criteria
• Conduct interviews / surveys → Internal risk identification
• Benchmark client’s public risk factors → External risk identification
• Consolidation and aggregation of identified risks → Risk register
• Conduct risk workshop → Prioritized risk map
36. Risk Quantification
Activities → Deliverables
• Develop risk scenarios and correlations → Risk scenarios
• Modeling key risks → Individual risk quantification and prioritization
• Calculate aggregate risk exposures → Aggregate impact of key risk on company’s value and financial performance
37. Risk Quantification / Valuation
Step 1 – Develop Risk Scenarios
• Conduct interviews with risk experts
• Develop risk scenarios and associated financial impact
• Gather existing facts / historical data points
Step 2 – Develop Baseline Valuation Model
• Build baseline valuation model; project financials consistent with strategic plan
• Adapt model to dynamically accommodate risks/scenarios, value drivers and key metrics
Step 3 – Run Model to Quantify Risks
• Aggregate risks
• Shock model for each risk/scenario
• Quantify impact to value and other key metrics
• Provide basis for decision-making
38. Defining Value – One View
ERM Value Propositions:
• Improved resource allocation – keeping resources focused on those activities that matter most to the organization
• Enhanced risk corporate governance
• Increased operational efficiency
• Common and deep knowledge of critical business and organizational risks
• Greater transparency of risk
• Possible reduction in earnings volatility
• Optimized capital allocation – structured process to allocate capital based on those businesses that are the most risky to the organization
• Improved regulatory standing
• Enhanced risk reporting
• Consistent framework for risk – everyone in the organization has the ability to define, treat, and manage risk in a homogeneous fashion
• Improved compliance – provide confidence that risks are being identified and managed in a constructive fashion
39. Defining Value – Alternate View
Risk Adjusted Income Statement
                                           2008      2009      2010
REVENUE
Sales                                   642,100   670,965   701,292
Other Operating Revenue                  14,482    14,626    14,773
Total Revenue                           656,582   685,591   716,065
OPERATING EXPENSES
Salaries, Wages and Benefits            310,667   323,093   336,017
Supplies and Services                   289,850   309,593   330,750
Total Operating Expenses                600,517   632,686   666,767
(LOSS) INCOME FROM OPERATIONS            56,065    52,906    49,298
OTHER INCOME (EXPENSE)
Interest and Dividends                   28,419    28,704    28,991
Current State Risk Exposure            (16,000)  (17,326)  (15,683)
Mitigation Costs                        (2,784)   (2,812)   (2,840)
Mitigation Impact on Current State Risk  14,326    16,532    12,031
Total Other Income (Expense)             23,961    25,098    22,499
NET PRETAX INCOME                        80,026    78,003    71,796
(Charts on the slide: "Aggregate Loss Distribution", a probability density over loss amounts 0 to 45; "Competing Mitigation Strategies", probabilities 0% to 20% over outcomes -6 to 16. Plotted values are not recoverable from the extracted slide.)
40. Value-centric ERM framework
(Process diagram; process key distinguishes Risk Quantification steps from Risk Management steps.)
Risk Quantification: Surveys → Risk Identification & Ranking (All Risks → Key Risks) → Individual Risk Quantification (with Scenario Development) → ERM Model (Portfolio Effect) → Enterprise Risk Exposure (∆Value)
Risk Management: ERM Committee Consensus Meeting → Determine Risk Appetite → Risk Management Strategy and Tactics → Value
41. Sample Output (partial data)
Risk Distribution Report – Risk: IT External Attack (Risk #4)
Risk Scenario | Likelihood | Value
• Worst Case | 1-in-30 year event | -7.5%
• Pessimistic | 1-in-10 year event | -2.4%
• Best Estimate | Most Likely | ---
• Optimistic | 1-in-15 year event | 0.1%
• Best Case | 1-in-50 year event | 0.2%
Key Risks – Rank by Value Impact of Worst Case Scenario (bar chart, axis 0.0% to -20.0%), in order: Risk 11, Risk 1, Risk 8, Risk 7, Risk 4, Risk 9, Risk 12, Risk 10, Risk 15, Risk 6, Risk 13, Risk 3, Risk 5, Risk 14, Risk 2
42. Risk Response Solution
Activities → Deliverables
• Determine risk tolerance → Defined risk tolerance
• Identify risk response solution options → Risk response solutions
• Evaluate and select risk response solution → Risk response business case
43. Risk Appetite - One View
Metrics | FY07E | FY07 Defined Goal | Impact of $100 million pre-tax losses on metric | Financial Buffer (RBC)
• EPS Growth (from 2006) | 25.0% | 22.5% | -260 bps | $60
• Free Cash Flow | $1,883 | $1,400 | -$53 million | $750
• Operating Margin | 40.1% | 40.5% | -81 bps | $0
• Cash / Months Operating Expense | 8.9 | 12.0 | -0.11 months | Threshold is not expected to be achieved in FY07
• Total Debt/CFO | 73.6 | Not Available | +155 bps | Not Available
$ in millions. Sources: 2007 budget, metric & threshold input
44. Risk Appetite - Alternate View
Enterprise Risk Exposure
Value | Event | Current State Probability | Target for Future State Probability
• Rev Growth | 10% decrease in value | 15% | ?
• Achieving strategic plan goals | 35% | ?
• EPS Growth | 5% increase in EPS | 5% | ?
• Other
Is the ERM Committee comfortable with the current state? If not, what do they want it to be? The answers result in tolerance thresholds collectively called Risk Appetite.
45. Risk Response Solution
Risk Response Strategies
• Terminate: Exit risk area
• Mitigate: Preventative, Corrective, Directive, Detective controls
• Transfer: Financing solutions – Insurance, Capital Markets, Contractual Transfer, Hybrid
• Exploit: Explore the upside of risk by taking new opportunities
• Tolerate: Make a conscious decision to tolerate the risk
46. Evaluating Solutions
(Chart: Total Cost of Risk plotted against Cumulative Probability, 0% to 99.9%. The current mitigation meets the risk tolerance with 85% cumulative probability; the mitigation option being considered reaches 95% at an increased mitigation cost, the difference being the increase in likelihood of meeting risk appetite.)
47. Evaluating Solutions
Management selects ERM actions that move enterprise risk exposure towards risk appetite, for example:
(Chart: distribution of Value for Risk Exposure Pre-Mitigation versus Risk Exposure Post-Mitigation.)
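The quantification and evaluation steps on slides 37, 41 and 46 (scenarios with 1-in-N-year likelihoods and value impacts, an aggregate loss distribution, and the likelihood of staying within risk appetite for competing mitigation options) can be worked through in code. The following Python block is an added example, not Aon's model or any code from the presentation. The register is constructed (the IT external attack scenarios reuse the illustrative figures on slide 41), the mitigation option and its cost are assumed values, and the model assumes independent risks with each scenario an alternative annual outcome of probability 1/N, aggregated exactly by enumeration rather than by Monte Carlo simulation; the slide's correlations between risks are not modelled.

```python
"""Scenario-based risk quantification against a risk appetite threshold.

Added example (not the presentation's or Aon's model). Assumes the key risks
are independent and that each scenario is an alternative annual outcome with
probability 1 / return period; the aggregate is computed exactly by
enumerating outcome combinations instead of by Monte Carlo simulation.
"""
from dataclasses import dataclass, replace
from itertools import product
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Scenario:
    name: str
    return_period_years: float  # "1-in-N year event"
    value_impact_pct: float     # change in enterprise value; negative = loss


@dataclass(frozen=True)
class Risk:
    name: str
    scenarios: Tuple[Scenario, ...]

    def annual_outcomes(self) -> List[Tuple[float, float]]:
        """(probability, impact) pairs for one year; the residual probability
        is the 'most likely' year with no deviation from plan."""
        pairs = [(1.0 / s.return_period_years, s.value_impact_pct)
                 for s in self.scenarios]
        residual = 1.0 - sum(p for p, _ in pairs)
        if residual < -1e-9:
            raise ValueError(f"{self.name}: scenario probabilities exceed 1")
        pairs.append((max(residual, 0.0), 0.0))
        return pairs


def aggregate_distribution(risks: List[Risk]) -> Dict[float, float]:
    """Exact distribution of total value impact across independent risks."""
    dist: Dict[float, float] = {}
    for combo in product(*(r.annual_outcomes() for r in risks)):
        prob, total = 1.0, 0.0
        for p, impact in combo:
            prob *= p
            total += impact
        total = round(total, 6)
        dist[total] = dist.get(total, 0.0) + prob
    return dist


def expected_impact(dist: Dict[float, float]) -> float:
    return sum(v * p for v, p in dist.items())


def prob_within_appetite(dist: Dict[float, float], max_loss_pct: float) -> float:
    """Likelihood that the year's aggregate loss stays within the tolerated loss
    (the cumulative-probability axis on the evaluating-solutions chart)."""
    return sum(p for v, p in dist.items() if v >= -max_loss_pct)


@dataclass(frozen=True)
class Mitigation:
    risk_name: str
    impact_factor: float     # multiplies scenario impacts (0.6 = 40% smaller loss)
    frequency_factor: float  # multiplies return periods (1.5 = event less frequent)
    annual_cost_pct: float   # cost of the control, as % of value per year


def apply_mitigation(risks: List[Risk], m: Mitigation) -> List[Risk]:
    """Return a new register with the mitigation applied to the named risk."""
    out = []
    for r in risks:
        if r.name != m.risk_name:
            out.append(r)
            continue
        shocked = tuple(
            replace(s,
                    return_period_years=s.return_period_years * m.frequency_factor,
                    value_impact_pct=s.value_impact_pct * m.impact_factor)
            for s in r.scenarios)
        out.append(Risk(r.name, shocked))
    return out


def evaluate(risks: List[Risk], mitigations: List[Mitigation],
             max_loss_pct: float) -> Dict[str, float]:
    """Total cost of risk (expected loss + control cost) and appetite likelihood."""
    for m in mitigations:
        risks = apply_mitigation(risks, m)
    dist = aggregate_distribution(risks)
    exp = expected_impact(dist)
    cost = sum(m.annual_cost_pct for m in mitigations)
    return {
        "expected_impact_pct": round(exp, 4),
        "total_cost_of_risk_pct": round(-exp + cost, 4),
        "prob_within_appetite": round(prob_within_appetite(dist, max_loss_pct), 4),
    }


# Constructed sample register (not survey data). The IT external attack figures
# reuse the illustrative scenario numbers from the sample output slide.
REGISTER = [
    Risk("IT external attack", (Scenario("Worst case", 30, -7.5),
                                Scenario("Pessimistic", 10, -2.4))),
    Risk("Supply chain failure", (Scenario("Worst case", 25, -6.0),
                                  Scenario("Pessimistic", 8, -1.5))),
    Risk("Regulatory change", (Scenario("Worst case", 20, -3.0),
                               Scenario("Upside", 15, 0.5))),
    Risk("Loss of key staff", (Scenario("Pessimistic", 5, -1.0),)),
]

# Hypothetical control: intrusion/vulnerability detection for the IT risk.
IDS_OPTION = Mitigation("IT external attack", impact_factor=0.6,
                        frequency_factor=1.5, annual_cost_pct=0.3)

if __name__ == "__main__":
    appetite = 5.0  # tolerate at most a 5% fall in value in a year
    print("current state:  ", evaluate(REGISTER, [], appetite))
    print("with IDS option:", evaluate(REGISTER, [IDS_OPTION], appetite))
```

Running the block prints the current-state figures beside the mitigated ones, which is the comparison the evaluating-solutions chart makes: an option is worth taking when the rise in the likelihood of meeting appetite (and the fall in expected loss) justifies its annual cost. Exact enumeration grows as the product of scenario counts, so a register with dozens of risks would switch to sampling the same outcome distributions.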
48. Risk Management Implementation
Activities → Deliverables
• Develop risk response plan → Risk management project plan
• Obtain support of risk management leaders → Project governance structure
• Develop teams and tools → Resource allocation, communication and training
• Implement projects → Program management
• Define metrics and implement monitoring tools → Risk platform and scorecards
49. Risk Management Implementation
ERM Multi-Year Project Plan (Gantt-style chart, 2007 to 2009; only the 2007 column can be read unambiguously from the extracted slide)
2007: Define Risk Strategy; Develop Cost of Risk Model; Establish Risk Appetite; Evaluate Data Strategy; Develop Risk Profiling; Legacy Claim Evaluation; Captive Strategy; M & A Process Evaluation
2008 and 2009: Comprehensive Risk Mapping; Technology implementation; Risk Modeling; Expanded Risk Assessment; Captive Optimization; Portfolio Risk Modeling; Legacy Claim Projects; Global Optimization
50. ERM Enabling Technologies
There are a lot of technologies related to risk in general and ERM
– Use a selection process as with any tool/technology
• Analysis: RFI/RFP
• Vendor discussions and “Bake-off” with prototype
• Design: Purchase on trial basis
• Full deployment
54. Governance, Culture and Disclosure
Key Activities → Client Deliverables
• Develop detailed ERM frameworks and governance → Policies, manuals, committees, roles and accountabilities
• Develop internal risk communication and awareness program → Rollout of communication and awareness program
• Develop external communication strategy → Enhanced communication with rating agencies, equity analysts and regulators
• Monitor risk performance against defined metrics → Reporting on KPIs
• Develop continuous improvement process → Improvement processes and accountabilities
55. Governance, Culture and Disclosure
ERM Framework and Governance (organisation chart)
Board of Directors
  Executive Committee
    Chief Risk Officer (alongside COO, CFO, CIO, CLO)
      ERM Function
        Business Units A, B, C; Divisions A, B, C; Functional, support and shared services
Supporting functions: Risk Management, Internal Audit, Compliance
56. Governance: Partnership is Key
Board
• Set Policy
• Approve Risk Strategy
• Enforce Correction
• Provide Tone from the Top
Audit Committee
• Establish Policy
• Propose Risk Strategy
• Measure / Monitor
• Report to Board on Key
Matters
ERM Working Group*
• Monitor
• Facilitate
• Coordinate
• Benchmark
• Educate
• Report
Internal Audit
• Provide Assurance
• Conduct Risk-Based Audits
Business/Functional Risk Owners
• Identify Risk
• Measure Risk
• Prioritize Risk
• Manage Risk
• Report & Improve
Compliance/Ethics
• Act as Functional Risk Owner
• Manage Legal Risks
• Foster an Ethical Environment
*possibly chaired by CRO
57. Governance, Culture and Disclosure
(Sample deliverables shown as screenshots: an ERM Project Plan and an ERM Manual, for "Client ABC".)
58. External Risk Disclosure Analysis
Annual 10-K reports are a primary risk
information source for investors and the public.
• How was this list developed?
• How was the order of the risks determined?
• Were the impacts of these risks quantified?
• How will investors react if an unmentioned risk results in
significant loss of market value?
• How does your list compare to your competitors?
59. Comparative Analysis
• A comprehensive ERM program can ensure that the 10-K risk factor list is complete and in appropriate order.
• Review the risks listed in the 10-K report
– Is anything missing?
– Are the risks listed in an order that is representative of their
impacts?
– Have these risks been quantified?
How would investors or regulators react if an
unmentioned risk results in significant loss of value?
60. Analyzing Competitors’ Disclosures
Regular review of competitors’ risk disclosures is
vital to:
• Ensure that your risk disclosure is complete
• Keep tabs on changes in the industry environment
61. Comparing Risk Disclosures
(Strategic review of annual reports / regulatory filings: each risk factor is colour-coded per company. Legend: Green = Declared; Red = Not Declared; Orange = Not Relevant.)
Description of risk factors compared:
• Consumer demand and acceptance of services offered by us
• Our ability to achieve and maintain acceptable cost levels
• Fare levels
• Actions by competitors
• Regulatory matters
• General economic conditions
• Commodity prices
• Changing business strategies
• Single aircraft type
• Changes to and costs of security procedures
• Cost and availability of aircraft insurance
• Terrorist attack
• International hostilities
• Ability to continue as a going concern
• Ability to operate pursuant to the terms of the DIP Financing
• Ability to obtain a federal loan guarantee from the ATSB
62. ERM – Commonly Cited Challenges
• Inability to demonstrate
immediate, quantifiable return on investment
• Internal competition among business units
• Cultural incompatibility
• Limited technology / tools
• Inadequate senior-level support
63. ERM - Critical Success Factors
• Senior management support
• Clearly defined vision
• Regular and open communication among the team
• Realistic expectations regarding timelines and
deliverables
• Sufficient resource allocation for implementation and
follow-through
• Linkage to organizational success factors, strategies
and processes
64. ERM Potential Benefits
Establish Sustainable Competitive Advantage
• Integrate with business planning and value management processes
• Avoid missing key risks and losing vital opportunities
• Optimize balance between capital preservation and growth/profit-generation
Manage Risk at a Lower Cost
• Minimize risk averse behavior
• Develop cost-effective risk strategies and solutions
• Eliminate redundant or unnecessary risk controls
Improve Business Performance
• Support more informed/proactive risk management decisions aligned with business objectives/strategies
• Link to enterprise performance, measurement and monitoring
• Reduce volatility and prevent surprises
65. ERM Gap Analysis
Phase I – Information Gathering
• Conduct interviews / gather information
• Identify risk universe
• Define and develop cost of risk data
• Conduct gap analysis
• Identify key risk projects / activities needed to achieve risk management excellence
• Understand cost / benefit of potential risk management strategies
Phase II – Setting the Stage
• Develop overall risk management vision
• Create risk management scorecard / Gap analysis
• Create linkage to next steps
Phase III – Executive Support
• Obtain support of risk management leaders
• Present overall objectives and plan to senior management
• Develop teams and tools
• Get moving
Phase IV – Implementation
• Deliver defined projects
• Update progress toward overall vision
• Measure performance
• Build feedback loop to ensure continued progress toward goals
66. Risk Management Vision
• Risk management vision transcends the various projects and activities that
comprise risk management within an organization
• In order to define risk management vision, the company must resolve a
series of key questions:
What are the goals of the company’s risk management efforts?
How does the company define risk management excellence?
What is the current state of risk management?
Where are the gaps?
What are the priorities?
How will success be measured?
• In the end, risk management must deliver measurable impact on the
company’s operating performance
67. Key Risk / Performance Indicators
• What are the KRIs?
• How do I get them?
• How often do I get them?
• What do I do with them?
• Foundation understanding of: frequency, source and
meaning
69. Focus on Value
(Repeats the value-centric ERM framework diagram from slide 40.)
70. Case Study #1: Fast Growing Company
• Highly successful, profitable company
• Recent patent litigation surprise created temporary cash and credit
crunch
• Audit committee wanted an overview of key risks facing the
company
• Risk committee was formed to coordinate the effort
• Team conducted interviews with over 50 executives,
supplemented by over 80 surveys
71. Project Objectives
• Has the company identified all its critical risks ?
• Does the company have effective controls for managing its
critical risks?
• Are the risks greater now than they were 12 - 24 months ago
(earnings pressure, continued acquisitions and internal
strategic initiatives)?
• Are these risks within acceptable limits?
• Is the right level of information reported to Senior
Management and the Board?
72. Project Results
• Provided information to senior management and the Audit
Committee
• Developed models for key risks based on potential impact on:
Revenue
EPS
Cash
Reputation
• Examined current and potential risk mitigation opportunities,
including risk transfer and self-funding
• Created a framework for more effective decision-making
regarding supply chain management, site selection and
inventory management
73. Case Study # 2: Manufacturing Company
• Company had a well-developed risk management process
• Top risks for each of the business were routinely assessed and
evaluated
• Due to lack of internal data, limited effort had been made to quantify
the potential impact of events
• Recent supply chain problems had highlighted previous
unmeasured vulnerabilities
• Project team developed customized risk models for the top five risks
of each business unit
74. Project Results
• Delivered working risk models to each business unit
• Risk models were used to develop “underwriting models” for
potential risk transfer / mitigation solutions
• Company expanded the use of existing captive insurance
company and finite risk insurance arrangements to address key
issues
• Event risk maps helped uncover critical decision points that
could substantially alter the overall risk exposure
• Changes were made in supply contracts, inventory levels and
contingent business interruption coverage as a result of the
analysis
75. Case Study #3: Consumer Products
• Fortune 100 consumer products company
• Treasurer and Risk Manager had identified 17 key risks
under their charge
• Company wanted to develop a quantitative approach to
better evaluate risk decisions
• Solution: Risk modeling project to help evaluate the
optimal risk strategy
76. Project Results
• Project focused on the analysis of internal and external risk
data
• Creation of individual and portfolio risk models
• Risk mitigation and transfer alternatives were tested using the
models, resulting in significant changes
• Company was able to demonstrate the value of additional risk
retention and the use of internal funding (via a captive
insurance subsidiary)
• Risk finance and mitigation resources were reallocated to
optimize the company’s risk management efforts
77. Case Study #4: Hospital
• Medium-sized hospital looking to achieve excellence in health care
by surpassing standards set in “The New American Hospital” and
the Malcolm Baldrige National Quality Award
• Key objective: conduct a comprehensive risk assessment
• Project involved:
Interviews with key personnel (management, physicians and
nurses)
Creation of a risk inventory
Benchmarking of current risk management approaches and
quality of care against industry standards and best practices
Evaluation of current risk mitigation methods
78. Hospital ERM Project Results
• Identified and prioritized key enterprise risks
• Recommended improved approaches for risk management
• Opportunities for improvement included:
Implementation of clinical best practices and rapid response
teams to reduce cardiac complication rates
Diversification of services to counteract the impact of
Medicare reform
Contingency planning around key physicians and sole-
source service providers
Improvement of the contract oversight and document
retention process to minimize legal liabilities
79. Case Study #5: Capital One
Capital One signed an "informal memorandum of understanding" with bank regulators. More than a dozen class actions were filed charging the credit card issuer with securities fraud for misleading shareholders about its financial health and its compliance with bank regulations.
Capital One's stock plummeted by 39%, falling from a $50.60 per share close on July 16 to $30.48 per share by the close of July 17; a drop of roughly $4B in market value.
July 2002, 8K filing: the company publicly commits to enhance its enterprise risk management and internal control environment.
Risk management capabilities designed and implemented across the organization.
80. ERM Process: Enhanced Future State
(Diagram) The ERM Process is integrated into operational business processes: Line of Business Operations feed Risk Metrics, giving improved risk predictability and measurement, risk-adjusted decision making, and improved business performance.
81. Suggestion: Adopt a Pilot Approach
• Start small and grow big
• Select a locale with engaged management and non-
complex products or customers
• Establish proof of the ERM concept – quicker benefits
• Accomplish process objectives in a shorter timeframe
• Learn from successes/mistakes to roll out the ERM
process across the organization
82. Overview of a Pilot
Risk Assessment Pilot steps (September to November):
• Review current company and business objectives / risk management objectives; evaluate current risk management infrastructure and capabilities
• Perform facilitated session and/or interviews with select internal and external experts to identify and assess risks and risk management processes
• Analyze risks for causal factors, effects, and interrelationships
• Establish criticality of risk and prioritize; map key risks
• Summarize data of most significant risks
• Establish risk management options, action plans, etc.
Sample risk map (Severity in $ millions, from 1 to >100M, against Frequency from <5 to 75; High, Moderate and Low Impact bands; markers distinguish Partial / Full Mitigation from No / Minimal Mitigation). Legend:
• Strategic: S1 – Partnering arrangements; S2 – Changing industry dynamics
• Operational: O1 – New initiative integration/success; O2 – Business continuity; O3 – Product quality; O4 – Centralized distribution; O5 – Hazard risk
• Human Capital: H1 – Succession planning; H2 – Turnover; H3 – Human capital development
• Legal/Regulatory: L1 – Political pressure around drug affordability
• Technology: T1 – Intellectual property; T2 – Information security
• Financial: F1 – Currency fluctuations; F2 – Commodity prices
Sample risk sheet – Information Technology: Network Security
Risk Definition:
• Ability to safeguard proprietary knowledge from a security breach which could damage financials, brand and reputation
• Intentional, coordinated and/or hidden sabotage of systems, software or processes by internal or external parties
Current State: severity level and frequency as plotted on the risk map
Current Metrics:
• Number of viruses per month
• Minutes of downtime per month
• Backup processes double checked weekly
Risk Owner(s):
• Chief Technology Officer
• IT Department
• Security
Action Plans
Current:
• Up-to-date Anti-virus and Firewall protection
• Disaster recovery plans
• Network backup planning
• Software and data backups
• Backup Power Supply
Recommended:
• Intrusion detection and vulnerability detection equipment and software
• Destruction of old hard drives from redundant computers
• Ensure no single point of failure
• Redundant hardware systems
Estimated Investment:
• Additional IT staff personnel
• Purchase of intrusion detection and vulnerability detection equipment
• Continual investment in updating software
Sample KPI target (chart): Reduce voluntary employee departures by 10% by 2008 (# Departures: 2006, 2007 est., 2008 target / est.)
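Slide 67 asks what the KRIs are, where they come from, how often they arrive and what to do with them, and the pilot risk sheet above names three for network security (viruses per month, minutes of downtime per month, weekly backup checks). The Python block below is an added example, not the presentation's tooling: it derives those three KRIs from a constructed event log, checks each month against assumed tolerance limits (the thresholds are assumptions a risk owner would set, not values from the deck) and reports each breach together with the previous month's value so the owner can see the trend.

```python
"""Key risk indicator (KRI) monitoring for the network-security risk sheet.

Added example, not the presentation's tooling. The log lines are constructed;
the three KRIs are the 'current metrics' named on the pilot slide, and the
thresholds are assumed values a risk owner would set.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample event log (not real events): one event per line.
SAMPLE_LOG = """\
2007-09-03T08:12:00 antivirus detection host=ws-014 signature=Constructed.Sample.A action=quarantined
2007-09-07T02:00:00 backup check status=verified
2007-09-10T14:02:00 outage service=web-portal duration_min=35
2007-09-14T02:00:00 backup check status=verified
2007-09-17T11:40:00 antivirus detection host=ws-102 signature=Constructed.Sample.B action=quarantined
2007-09-21T02:00:00 backup check status=verified
2007-09-28T02:00:00 backup check status=verified
2007-10-02T09:15:00 antivirus detection host=ws-014 signature=Constructed.Sample.A action=quarantined
2007-10-02T09:20:00 antivirus detection host=ws-015 signature=Constructed.Sample.A action=quarantined
2007-10-02T09:31:00 antivirus detection host=ws-016 signature=Constructed.Sample.A action=quarantined
2007-10-05T02:00:00 backup check status=verified
2007-10-09T16:05:00 outage service=erp duration_min=190
2007-10-12T02:00:00 backup check status=failed
2007-10-19T02:00:00 backup check status=verified
2007-10-23T03:10:00 outage service=web-portal duration_min=60
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T\S+ "
    r"(?P<kind>antivirus detection|outage|backup check) (?P<fields>.*)$")

# Assumed tolerance limits: ("max", n) breaches above n, ("min", n) below n.
THRESHOLDS = {
    "virus_detections": ("max", 2),
    "downtime_minutes": ("max", 120),
    "backup_checks_verified": ("min", 4),  # weekly check => ~4 per month
}


def parse_events(text: str) -> List[dict]:
    """Turn log lines into dicts keyed by month; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
        events.append({"month": m.group("date")[:7], "kind": m.group("kind"), **fields})
    return events


def compute_kris(events: List[dict]) -> Dict[str, Dict[str, int]]:
    """Aggregate the three slide metrics per month (the reporting frequency)."""
    kris = defaultdict(lambda: {"virus_detections": 0, "downtime_minutes": 0,
                                "backup_checks_verified": 0})
    for e in events:
        k = kris[e["month"]]
        if e["kind"] == "antivirus detection":
            k["virus_detections"] += 1
        elif e["kind"] == "outage":
            k["downtime_minutes"] += int(e["duration_min"])
        elif e["kind"] == "backup check" and e["status"] == "verified":
            k["backup_checks_verified"] += 1
    return dict(kris)


def evaluate_kris(kris: Dict[str, Dict[str, int]],
                  thresholds=THRESHOLDS) -> List[dict]:
    """Flag every KRI outside its limit, with the prior month for trend."""
    breaches = []
    months = sorted(kris)
    for i, month in enumerate(months):
        prev = kris[months[i - 1]] if i else None
        for name, (direction, limit) in thresholds.items():
            value = kris[month][name]
            breached = value > limit if direction == "max" else value < limit
            if breached:
                breaches.append({"month": month, "kri": name, "value": value,
                                 "limit": limit,
                                 "previous": prev[name] if prev else None})
    return breaches


if __name__ == "__main__":
    for b in evaluate_kris(compute_kris(parse_events(SAMPLE_LOG))):
        print(f"{b['month']} {b['kri']}: {b['value']} (limit {b['limit']}, "
              f"previous month {b['previous']})")
```

The monthly roll-up is the "how often", the event log is the "source", and the threshold table is the part that answers "what do I do with them": a breach is what escalates to the risk owner named on the sheet. The October backup count is below the weekly expectation only because a failed check is not counted as verified, which is the distinction a KRI definition has to make explicit.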
83. Questions to Consider
• Is ERM adding value for your organization?
• Is the ERM effort stalled or is progress being made?
• Are there parallel risk management efforts that fall outside of
the ERM process?
• What can be done to automate portions of the ERM process?
• Are there high impact “drill-down” projects that will deliver ERM
value?
• Is ERM sustainable after the project team has moved on to
other assignments?
84. Barry Franklin, FCAS, MAAA
Aon Global Risk Consulting
312.381.3920
barry_franklin@ars.aon.com