
www.it-ebooks.info


Additional Praise for Implementing Enterprise Risk Management

“Educators the world over seeking to make the management of risk an integral part of management degrees have had great difficulties in providing their students with a definitive ERM text for their course. The Standards and associated Handbooks helped, but until the arrival of Implementing Enterprise Risk Management: Case Studies and Best Practices, there has been no text to enlighten students on the application of an effective program to manage risk across an enterprise so that objectives are maximized and threats minimized. Fraser, Simkins, and Narvaez have combined with a group of contributors that represent the cream of risk practitioners, to provide the reader with a clear and concise journey through the management of risk within a wide range of organizations and industries. The knowledge, skills, and experience in the management of risk contained within the covers of this book are second to none. It will provide a much needed resource to students and practitioners for many years to come and should become a well-used reference on the desk of every manager of risk.”

—Kevin W. Knight AM, chairman, ISO/TC 262—Risk Management

“The authors—Fraser, Simkins, and Narvaez—have done an invaluable service to advance the science of enterprise risk management by collecting an extensive number of wonderful case studies that describe innovative risk management practices in a diverse set of companies around the world. This book should be an extremely valuable source of knowledge for anyone interested in the emerging and evolving field of risk management.”

—Robert S. Kaplan, senior fellow, Marvin Bower Professor of Leadership Development, emeritus, Harvard University

“Lessons learned from case studies and best practices represent an efficient way to gain practical insights on the implementation of ERM. Implementing Enterprise Risk Management provides such insights from a robust collection of ERM programs across public companies and private organizations. I commend the editors and contributors for making a significant contribution to ERM by sharing their experiences.”

—James Lam, president, James Lam & Associates; director and Risk Oversight Committee chairman, E*TRADE Financial Corporation; author, Enterprise Risk Management—From Incentives to Controls

“For those who still think that enterprise risk management is just a fad, the varied examples of practical value-generating uses contained in this book should dispel any doubt that the discipline is here to stay! The broad collection of practices is insightful for students, academics, and executives, as well as seasoned risk management professionals.”

—Carol Fox, ARM, director of Strategic and Enterprise Risk Practice, RIMS

“Managing risk across the enterprise is the new frontier of business management. Doing so effectively, in my view, will be the single most important differentiating factor for many enterprises in the twenty-first century. Implementing Enterprise Risk Management: Case Studies and Best Practices is an innovative and important addition to the literature and contains a wealth of insight in this critical area. This book’s integration of theory with hands-on, real-world lessons in managing enterprise risk provides an opportunity for its readers to gain insight and understanding that could otherwise be acquired only through many years of hard-earned experience. I highly recommend this book for use by executives, line managers, risk managers, and business students alike.”

—Douglas F. Prawitt, professor of Accounting at Brigham Young University, and Committee of Sponsoring Organizations (COSO) Executive Board member

“The real beauty of and value in this book is its case study focus and the wide variety of firms profiled and writers’ perspectives shared. This will provide readers with a wealth of details and views that will help them chart an ERM journey of their own that is more likely to fit the specific and typically customized ERM needs of the firms for whom they toil.”

—Chris Mandel, senior vice president, Strategic Solutions for Sedgwick; former president of the Risk Management Society and the 2004 Risk Manager of the Year

“Implementing Enterprise Risk Management looks at many industries through excellent case studies, providing a real-world base for its recommendations and an important reminder that ERM is valuable in many industries. I highly recommend this text.”

—Russell Walker, clinical associate professor, Kellogg School of Management; author of Winning with Risk Management

“The body of knowledge in Implementing Enterprise Risk Management continues to develop as business educators and leaders confront a complex and rapidly changing environment. This book provides a valuable resource for academics and practitioners in this dynamic area.”

—Mark L. Frigo, director, Strategic Risk Management Lab, Kellstadt Graduate School of Business, DePaul University

“The management of enterprise risk is one of the most vexatious problems confronting boards and executives worldwide. This is why this latest book by Fraser, Simkins, and Narvaez is a much needed and highly refreshing approach to the subject. The editors have managed to assemble an impressive list of contributors who, through a series of fascinating real-life case studies, adroitly help educate readers to better understand and deal with the myriad of risks that can assault, seriously maim, and/or kill an organization. This is a ‘how to’ book written with the ‘risk management problem solver’ in mind. It provides the link that has been missing for effectively teaching ERM at the university and executive education levels and it is an exceptional achievement by true risk management advocates.”

—Dr. Chris Bart, FCPA, founder and lead faculty, The Directors College of Canada

“The Institute of Risk Management welcomes the publication of this highly practical text which should be of great interest to our students and members around the world. Implementing Enterprise Risk Management brings together a fine collection of detailed case studies from organizations of varying sizes and working in different sectors, all seeking to enhance their business performance by managing their risks more effectively, from the boardroom to the shop floor. This book makes a valuable contribution to the body of knowledge of what works that will benefit the development of the risk profession.”

—Carolyn Williams, technical director, Institute of Risk Management


IMPLEMENTING ENTERPRISE RISK MANAGEMENT


The Robert W. Kolb Series in Finance provides a comprehensive view of the field of finance in all of its variety and complexity. The series is projected to include approximately 65 volumes covering all major topics and specializations in finance, ranging from investments, to corporate finance, to financial institutions. Each volume in the Kolb Series in Finance consists of new articles especially written for the volume.

Each volume is edited by a specialist in a particular area of finance, who develops the volume outline and commissions articles by the world’s experts in that particular field of finance. Each volume includes an editor’s introduction and approximately thirty articles to fully describe the current state of financial research and practice in a particular area of finance.

The essays in each volume are intended for practicing finance professionals, graduate students, and advanced undergraduate students. The goal of each volume is to encapsulate the current state of knowledge in a particular area of finance so that the reader can quickly achieve a mastery of that special area of finance.


IMPLEMENTING ENTERPRISE RISK MANAGEMENT

Case Studies and Best Practices

Editors

John R.S. Fraser
Betty J. Simkins
Kristina Narvaez

The Robert W. Kolb Series in Finance


Cover Design: Wiley
Cover Image: © iStock.com/clauiad

Copyright © 2015 by John R.S. Fraser, Betty J. Simkins, Kristina Narvaez. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Cataloging-in-Publication Data:

ISBN 978-1-118-69196-0 (Hardcover)
ISBN 978-1-118-74576-2 (ePDF)
ISBN 978-1-118-74618-9 (ePub)

Printed in the United States of America. 10 9 8 7 6 5 4 3 2 1


To Wendy, my wonderful wife and my inspiration, and to my parents who instilled in me a lifelong thirst for learning.

—John Fraser

To my husband (Russell) and our family: sons and daughters-in-law (Luke & Stephanie and Walt & Lauren), daughter and son-in-law (Susan & Jason), and our youngest daughter (April). Thank you for your love, support, and encouragement!

—Betty Simkins

I would like to thank my husband and four children for supporting me on my journey of writing two chapters and co-editing this book. I would also like to thank the Risk and Insurance Management Society for supporting me during my educational years and providing great workshops and conferences on enterprise risk management.

—Kristina Narvaez


Contents

Foreword xiii

1 Enterprise Risk Management Case Studies: An Introduction and Overview 1 John R.S. Fraser, Betty J. Simkins, and Kristina Narvaez

PART I Overview and Insights for Teaching ERM 17

2 An Innovative Method to Teaching Enterprise Risk Management: A Learner-Centered Teaching Approach 19 David R. Lange and Betty J. Simkins

PART II ERM Implementation at Leading Organizations 37

3 ERM at Mars, Incorporated: ERM for Strategy and Operations 39 Larry Warner

4 Value and Risk: Enterprise Risk Management at Statoil 59 Alf Alviniussen and Håkan Jankensgård

5 ERM in Practice at the University of California Health System 75 Grace Crickette

6 Strategic Risk Management at the LEGO Group: Integrating Strategy and Risk Management 93 Mark L. Frigo and Hans Læssøe

7 Turning the Organizational Pyramid Upside Down: Ten Years of Evolution in Enterprise Risk Management at United Grain Growers 107 John Bugalla


8 Housing Association Case Study of ERM in a Changing Marketplace 119 John Hargreaves

9 Lessons from the Academy: ERM Implementation in the University Setting 143 Anne E. Lundquist

10 Developing Accountability in Risk Management: The British Columbia Lottery Corporation Case Study 179 Jacquetta C. M. Goy

11 Starting from Scratch: The Evolution of ERM at the Workers’ Compensation Fund 207 Dan M. Hair

12 Measuring Performance at Intuit: A Value-Added Component in ERM Programs 227 Janet Nasburg

13 TD Bank’s Approach to an Enterprise Risk Management Program 241 Paul Cunha and Kristina Narvaez

PART III Linking ERM to Strategy and Strategic Risk Management 251

14 A Strategic Approach to Enterprise Risk Management at Zurich Insurance Group 253 Linda Conrad and Kristina Narvaez

15 Embedding ERM into Strategic Planning at the City of Edmonton 281 Ken Baker

16 Leveraging ERM to Practice Strategic Risk Management 305 John Bugalla and James Kallman

PART IV Specialized Aspects of Risk Management 319

17 Developing a Strategic Risk Plan for the Hope City Police Service 321 Andrew Graham

18 Blue Wood Chocolates 335 Stephen McPhie and Rick Nason


19 Kilgore Custom Milling 363 Rick Nason and Stephen McPhie

20 Implementing Risk Management within Middle Eastern Oil and Gas Companies 377 Alexander Larsen

21 The Role of Root Cause Analysis in Public Safety ERM Programs 397 Andrew Bent

22 JAA Inc.—A Case Study in Creating Value from Uncertainty: Best Practices in Managing Risk 427 Julian du Plessis, Arnold Schanfield, and Alpaslan Menevse

23 Control Complacency: Rogue Trading at Société Générale 461 Steve Lindo

24 The Role of VaR in Enterprise Risk Management: Calculating Value at Risk for Portfolios Held by the Vane Mallory Investment Bank 489 Allissa A. Lee and Betty J. Simkins

25 Uses of Efficient Frontier Analysis in Strategic Risk Management: A Technical Examination 501 Ward Ching and Loren Nickel

PART V Mini-Cases on ERM and Risk 523

26 Bim Consultants Inc. 525 John R.S. Fraser

27 Nerds Galore 529 Rob Quail

28 The Reluctant General Counsel 535 Norman D. Marks

29 Transforming Risk Management at Akawini Copper 539 Grant Purdy

30 Alleged Corruption at Chessfield: Corporate Governance and the Risk Oversight Role of the Board of Directors 547 Richard Leblanc


31 Operational Risk Management Case Study: Bon Boulangerie 555 Diana Del Bel Belluz

PART VI Other Case Studies 559

32 Constructive Dialogue and ERM: Lessons from the Financial Crisis 561 Thomas H. Stanton

33 Challenges and Obstacles of ERM Implementation in Poland 577 Zbigniew Krysiak and Sławomir Pijanowski

34 Turning Crisis into Opportunity: Building an ERM Program at General Motors 607 Marc S. Robinson, Lisa M. Smith, and Brian D. Thelen

35 ERM at Malaysia’s Media Company Astro: Quickly Implementing ERM and Using It to Assess the Risk-Adjusted Performance of a Portfolio of Acquired Foreign Companies 623 Patrick Adam K. Abdullah and Ghislain Giroux Dufort

About the Editors 649

Index 651


Foreword

Enterprise Risk Management is an evolving discipline focused on a complex and still imperfectly-understood subject. In such a situation, science is advanced best by collecting data from multiple, independent sites. A rich set of observations educates the field’s scholars and practitioners and provides the foundation for them to develop descriptive and normative theories as well as codified best practices about the subject.

The authors—Fraser, Simkins, and Narvaez—have done an invaluable service to advance the science of enterprise risk management by collecting an extensive number of wonderful case studies that describe innovative risk management practices in a diverse set of companies around the world. This book should be an extremely valuable source of knowledge for anyone interested in the emerging and evolving field of risk management. We should be grateful to the editors and to each chapter author for expanding the body of knowledge for risk management professionals and academics.

Robert S. Kaplan
Senior Fellow, Marvin Bower Professor of Leadership Development, Emeritus
Harvard University


CHAPTER 1

Enterprise Risk Management Case Studies: An Introduction and Overview

JOHN R.S. FRASER Senior Vice President, Internal Audit, and former Chief Risk Officer, Hydro One Networks Inc.

BETTY J. SIMKINS Williams Companies Chair of Business and Professor of Finance, Oklahoma State University

KRISTINA NARVAEZ President and Owner of ERM Strategies, LLC

Businesses, business schools, regulators, and the public are now scrambling to catch up with the emerging field of enterprise risk management.

—Robert Kaplan (quote from Foreword in Fraser and Simkins, 2010)

Most executives with MBA degrees were not taught ERM. In fact, there are only a few universities that teach ERM. So some business school graduates are strong in finance, marketing, and management theory, but they are limited in terms of critical thinking, business acumen, and risk analysis skills.

—Paul Walker1

THE EVOLUTION OF ENTERPRISE RISK MANAGEMENT

Over the past two decades enterprise risk management (ERM) has evolved from concepts and visions of how risks should be addressed to a methodology that is becoming entrenched in modern management and is now increasingly expected by those in oversight roles (e.g., governing bodies and regulators). As Felix Kloman describes in his chapter “A Brief History of Risk Management,” published in Fraser and Simkins (2010), many of the concepts go back a very long time and many of the so-called newly discovered techniques can be referenced to the earlier writings and practices described by Kloman. However, it is only from around the mid-1990s that the concept of giving a name to managing risks in a holistic way across the many operating silos of an enterprise started to take hold. In the 1990s, terms such as integrated risk management and enterprise-wide risk management were also used. Many thought leaders, for example, those who created ISO 31000,2 believe that the term risk management is all that is needed to describe good risk management; however, many others believe that the latter term is often used to describe risk management at the lower levels of the organization and does not necessarily capture the concepts of enterprise-level approaches to risk. As a result, the term ERM is used throughout this book.

As ERM continues to evolve there is still much discussion and confusion over exactly what it is and how it should be achieved. It is important to realize that it is still evolving and may take many more years before it is fully codified and practiced in a consistent way. In fact, there is a grave danger now of believing that there is only one way of doing ERM. This is probably a mistake by regulators who have too eagerly seized some of these concepts and are trying to impose them when the methods are not fully understood, and in some cases the requirements are unlikely to produce the desired results. As Fraser and Simkins (2010) noted in their first book on ERM: “While regulatory interest can force ERM into companies, if not done well, it can become another box-ticking exercise that adds little value.”3

The leading and most commonly agreed4 guideline to holistic risk management is ISO 31000. However, it should be mentioned that in the United States the COSO 2004 Enterprise Risk Management–Integrated Framework has been the dominant framework used to date. Many organizations are currently adopting one or the other of these frameworks and then customizing them to their own context.

WHY THE NEED FOR A BOOK WITH ERM CASE STUDIES?

Following the success of the earlier Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives by Fraser and Simkins (2010), we found through our own teaching experiences, and by talking to others, that there was an urgent need for a university-level textbook of ERM case studies to help educate executives, risk practitioners, academics, and students alike about the evolving methodology. As a result, Fraser and Simkins, together with Kristina Narvaez, approached many of the leading ERM specialists to write case studies for this book.

Surveys have also shown that there is a dire need for more case studies on ERM (see Fraser, Schoening-Thiessen, and Simkins 2008). Additionally, surveys of risk executives report that business risk is increasing due to new technologies, faster rate of change, increases in regulatory risk, and more (PWC 2014). As Paul Walker of St. John’s University points out in the opening quote of the 2014 American Productivity & Quality Center (APQC) report on ERM, “Most executives with MBA degrees were not taught ERM. In fact, there are only a few universities that teach ERM. So some business school graduates are strong in finance, marketing, and management theory, but they are limited in terms of critical thinking, business acumen, and risk analysis skills.” Learning Centered Teaching (LCT), as discussed in Chapter 2, is an ideal way to achieve this. Using LCT and the case study approach, students actively participate in the learning process through constructive reflective reasoning, critical thinking and analysis, and discussion of key issues. This is the first book to provide such a broad coverage of case studies on ERM.

The case studies that follow are from some of the leading academics and practitioners of enterprise risk management. While many of the cases are about real-life situations, there are also those that, while based on real-life experiences, have had names changed to maintain confidentiality or are composites of several situations. We are deeply indebted to the authors and to the organizations that agreed so kindly to share their stories to help benefit future generations of ERM practitioners. In addition, we have added several chapters where we feel the fundamentals of these specialized techniques (e.g., VaR) deserve to be understood by ERM students and practitioners. Each case study provides opportunities for executives, risk practitioners, and students to explore what went well, what could have been done differently, and what lessons are to be learned.

Teachers of ERM will find a wealth of material to use in demonstrating ERM principles to students. These can be used for term papers or class discussions, and the approaches can be contrasted to emphasize different contexts that may require customized approaches. This book introduces the reader to a wide range of concepts and techniques for managing risks in a holistic way, by correctly identifying risks and prioritizing the appropriate responses. It offers a broad overview of the various types of ERM techniques, the role of the board of directors, risk tolerances, profiles, workshops, and allocation of resources, while focusing on the principles that determine business success.

Practitioners interested in implementing ERM, enhancing their knowledge on the subject, or wishing to mature their ERM program, will find this book an absolute must resource to have. Case studies are one of the best ways to learn more on this topic.

This book is a companion to Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives (Fraser and Simkins 2010). Together, these two books can create a curriculum of study for business students and risk practitioners who desire to have a better understanding of the world of enterprise risk management and where it is heading in the future. Boards and senior leadership teams in progressive organizations are now engaging in building ERM into their scenario-planning and decision-making processes. These forward-looking organizations are also integrating ERM into the business-planning process with resource allocation and investment decisions. At the business unit level, ERM is being used to measure the performance of risk-taking activities of employees.

As these case studies demonstrate, ERM is a continuous improvement process and takes time to evolve. As can be gleaned from these case studies, most firms that have taken the ERM journey started with a basic ERM language, risk identification, and risk-assessment process and then moved down the road to broaden their programs to include risk treatments, monitoring, and reporting processes. The ultimate goal of ERM is to have it embedded into the risk culture of the organization and drive the decision-making process to make more sound business decisions.


SUMMARY OF THE BOOK CHAPTERS

As mentioned earlier, the purpose of this book is to provide case studies on ERM in order to educate executives, risk practitioners, academics, and students alike about this evolving methodology. To achieve this goal, the book is organized into the following sections:

Part I: Overview and Insights for Teaching ERM
Part II: ERM Implementation at Leading Organizations
Part III: Linking ERM to Strategy and Strategic Risk Management
Part IV: Specialized Aspects of Risk Management
Part V: Mini-Cases on ERM and Risk
Part VI: Other Case Studies

Brief descriptions of the contributors and the chapters are provided next.

PART I: OVERVIEW AND INSIGHTS FOR TEACHING ERM

The first two chapters provide an overview of ERM and guidance on ERM education. As we have pointed out, education on ERM is crucial and more universities need to offer courses in this area. Our conversations with many ERM educators and consultants highlight how extremely challenging it is to achieve excellence in ERM education.

Chapter 2, “An Innovative Method to Teaching Enterprise Risk Management: A Learner-Centered Teaching Approach,” offers insights and suggestions on teaching ERM. This chapter covers the concept of flipping the classroom with learner-centered teaching (LCT), distinguishes it from traditional lectures, and describes how it can be used in teaching ERM. The LCT approach emphasizes active student participation and collaboration on in-class activities such as case studies versus the traditional lecture approach. This chapter provides several examples as to how LCT can be applied in teaching ERM, utilizing Fraser and Simkins’ (2010) book. David R. Lange and Betty J. Simkins, both experienced ERM educators, team together to write this chapter. David Lange, DBA, is an Auburn University Montgomery (AUM) Distinguished Research and Teaching Professor of Finance. He has received many prestigious awards for both research and teaching from the University and from several academic associations. He has taught many courses in the area of risk management and has consulted in a significant number of individual and class insurance–related cases in both state and federal court. Betty Simkins, PhD, the Williams Companies Chair of Business and Professor of Finance at Oklahoma State University, is coeditor of this book.

PART II: ERM IMPLEMENTATION AT LEADING ORGANIZATIONS

Part II is a collection of ERM case studies that give examples of how ERM was developed and applied in major organizations around the world. Note that there is no perfect ERM case study and the objective is for readers to assess what they believe was successful or not so successful about these ERM programs.


The first case study in this book describes ERM at Mars, Inc. Larry Warner, who is the former corporate risk manager at Mars, Inc. and now is president of Warner Risk Group, describes the ERM program at the company in Chapter 3. Mars is a global food company and one of the largest privately held corporations in the United States. It has more than 72,000 associates and annual net sales in excess of $33 billion across six business segments—Petcare, Chocolate, Wrigley, Food, Drinks, and Symbioscience. Its brands include Pedigree, Royal Canin, M&M’s, Snickers, Extra, Skittles, Uncle Ben’s, and Flavia. With such complex business operations, Mars recognized the importance of providing its managers with a tool to knowledgably and comfortably take risk in order to achieve its long-term goals. Mars business units use its award-winning process to test their annual operating plan and thereby increase the probability of achieving these objectives.

The case study in Chapter 4 entitled “Value and Risk: ERM in Statoil” was written by Alf Alviniussen, who is the former Group Treasurer and Senior Vice President of Norsk Hydro ASA, Oslo, Norway, and Håkan Jankensgård who holds a PhD in risk management from Lund University, Sweden. Håkan is also a former risk manager of Norsk Hydro. In this case study, the authors discuss ERM at Statoil, one of the top oil and gas companies in the world, located in Norway. In Statoil, understanding and managing risk is today considered a core value of the company, which is written into the corporate directives and widely communicated to employees. ERM is thoroughly embedded in the organization’s work processes, and its risk committee has managed the transition from a “silo”-mentality to promoting Statoil’s best interests in areas where risk needs to be considered.

Chapter 5, called “ERM in Practice at University of California Health Systems,” is written by their former Chief Risk Officer (CRO), Grace Crickette, who is now the Senior Vice President and Chief Risk and Compliance Officer of AAA Northern California, Nevada, and Utah. The University of California’s (UC) Health System is comprised of numerous clinical operations, including five medical centers that support the clinical teaching programs for the university’s medical and health science school and handle more than three million patient visits each year. ERM plays an important role at the UC Health System and assists the organization in assessing and responding to all risks (operational, clinical, business, accreditation, and regulatory) that affect the achievement of the strategic and financial objectives of the UC Health System.

The descriptive case study in Chapter 6, written by Dr. Mark Frigo from DePaul University and Hans Læssøe, the Strategic Risk Manager of the LEGO Group, provides a great example of integrating risk management in strategy development and strategy execution at the LEGO Group, which is based on an initiative started in late 2006 and led by co-author Hans Læssøe. The LEGO methodology is also part of the continuing work of the Strategic Risk Management Lab at DePaul University, which is identifying and developing leading practices in integrating risk management with strategy development and execution.

United Grain Growers (UGG), a conservative 100-year-old Winnipeg, Canada-based grain handler and distributor of farm supplies, was an ERM pioneer. Chapter 7 called “Turning the Organizational Pyramid Upside Down: Ten Years of Evolution in Enterprise Risk Management at United Grain Growers” analyzes the ERM program at United Grain Growers 15 years later. When UGG announced that it had implemented a new integrated risk-financing program in 1999, it received a great deal of attention in the financial press. CFO magazine hailed the UGG program as “the deal of the decade.” The Economist characterized it as a “revolutionary advance in corporate finance,” and Harvard University created a UGG case study. While most outside attention focused on the direct financial benefits of implementing the program (protection of cash flow, the reduced risk-capital required, and a 20 percent increase in stock price), scant attention was given to the less tangible and therefore less measurable issues of governance, leadership, and corporate culture—the conditions that enabled such innovation. It was a combination of a collaborative leadership open to new ideas, a culture of controlled risk taking, and active risk oversight by the board that produced a strategic approach to UGG’s risk management process. This chapter is written by John Bugalla, who is the principal of ermINSIGHTS.

John Hargreaves has written Chapter 8 titled “Housing Association Case Study of ERM in a Changing Marketplace.” He has a mathematics degree from Cambridge University and six years strategy consultancy experience at KPMG. This case study features four real-life charitable housing associations in England and Wales, each with a different strategy and risk environment. Simple yet practical tools to assist in risk identification and prioritization are also presented. This case study has two main aims. The first is to help develop an understanding of the importance of ERM in a charitable context, showing that modern charities are often very active organizations that face significant risks. Second, the case aims to illustrate the need for a close relationship between risk assessment and strategy development, particularly in sectors where objectives are defined in social as well as economic terms. Each of the four cases has a different perspective and challenges the student or practitioner to identify and assess the risk and develop possible risk treatments for each.

Chapter 9, “Lessons from the Academy: ERM Implementation in the University Setting,” was written by Anne E. Lundquist. She is pursuing a PhD in the Educational Leadership program at Western Michigan University with a concentration in Higher Education Administration. This chapter explores the unique aspects of the University of Washington’s (UW) risk environment, including how leadership, goal-setting, planning, and decision-making differ from the for-profit sector. The lack of risk management regulatory requirements, combined with cultural and environmental differences, helps explain why there are a limited number of fully evolved ERM programs at colleges and universities. The second half of the chapter explores the decision to adopt and implement ERM at UW, including a description of early decisions, a timeline of how the program evolved, a discussion of the ERM framework, and examples of some of the tools used in the risk management process. It traces the evolution of the UW program as well as demonstrates decisions that administrators made to tailor ERM to fit the decentralized culture of a university.

The case study in Chapter 10, “Developing Accountability in Risk Management: The British Columbia Lottery Corporation Case Study,” demonstrates how ERM was successfully implemented in a Canadian public sector organization over a 10-year period. Jacquetta Goy, author of this chapter, was the Senior Manager, Risk Advisory Services at British Columbia Lottery Corporation and was responsible for establishing and developing the ERM program. Currently, Jacquetta is the Director of Risk Management at Thompson Rivers University, Canada. This case study focuses on initiation, early development, and sustainment of the ERM program, highlighting some of the barriers and enablers that affected implementation. This case study includes a focus on developing risk profiles; the role of risk managers, champions, and committees; and the development of effective risk evaluation tools. The approach to ERM has evolved from informal conversations supported by an external assessment, through a period of high-level corporate focus supported by a dedicated group of champions using voting technology to an embedded approach, where risk assessment is incorporated into both operational practice and planning.

Chapter 11, “Starting from Scratch: The Evolution of ERM at the Workers Compensation Fund,” describes the evolution of a formal ERM program at a midsize property casualty insurance carrier. This chapter is authored by Dan Hair, the CRO of the Workers Compensation Fund. In this chapter, the motivations of executive management and the board of directors in taking existing strategic risk management discussions to a higher level are reviewed. The step-by-step actions taken by the company to develop the ERM program are explained in chronological order. External resources used are also commented upon. The chapter concludes with a discussion of striking an ongoing balance between program rigor, documentation, and business needs.

Chapter 12, “Measuring Performance at Intuit: A Value-Added Component in ERM Programs,” shows how Intuit, maker of Quicken, QuickBooks, and TurboTax, is committed to creating new and easier ways for consumers and businesses to tackle life’s financial chores, giving them more time to live their lives and run their businesses. This case study shows how Intuit, a global company, is exposed to a wide range of customer-related and operational risks. Understanding the risk landscape enables Intuit to formulate and execute strategies to address potential pitfalls and opportunities. The author, Janet Nasburg, is Chief Risk Officer at Intuit. Janet is responsible for driving Intuit’s ERM capability, ensuring that the company appropriately balances opportunities and risks to achieve optimal business results. Before Intuit, Janet spent 16 years in various finance roles at Visa, and has more than 30 years of risk management and finance experience.

Chapter 13 describes TD Bank’s ERM program and how it has been developed to reinforce the risk culture and ensure that all stakeholders have a common understanding of how risks are addressed within the organization. This is achieved by identifying the risks to TD Bank’s business strategy and operations, determining the types of risk it is prepared to take, establishing policies and practices to govern risks, and following an ERM framework to manage those risks. This chapter is co-authored by Paul Cunha and Kristina Narvaez. Paul Cunha is Vice President, Enterprise Risk Management at TD Bank. During his career at TD Bank, he has spent time in risk management, internal audit, retail banking, commercial banking, and corporate and investment banking. Kristina Narvaez is the president and owner of ERM Strategies, LLC, and is co-editor of this book.

PART III: LINKING ERM TO STRATEGY AND STRATEGIC RISK MANAGEMENT

Part III of this book demonstrates the link between ERM and strategy in what is now being called strategic risk management (SRM). SRM represents an important evolution in enterprise risk management, shifting from a reactive approach to a proactive approach in dealing with the large spectrum of risks across the organization. These case studies view their risk-taking activities in a strategic way, not only to protect the organization’s value and assets, but also to be able to capture new value that is in alignment with the strategic goals of the organization.

Zurich Insurance Group, the case study in Chapter 14, demonstrates the link between ERM and strategy. Zurich is a global insurance carrier and is exposed to a wide range of risks. Zurich recognizes that taking the right risks is a necessary part of growing and protecting shareholder value. It is careful not to miss valuable market opportunities that could attract the best talent and investor capital, but must also balance the growth opportunities with the reality that it is operating in a complex world economy. This chapter is co-authored by Linda Conrad, Director of Strategic Business Risk Management at Zurich and Kristina Narvaez, president and owner of ERM Strategies, LLC and co-editor of this book. Linda leads a global team responsible for delivering tactical solutions to Zurich and to its customers on strategic issues such as business resilience, supply chain risk, ERM, risk culture, and total risk profiling.

Chapter 15, “Embedding ERM into Strategic Planning at the City of Edmonton,” is written by Ken Baker, who is their ERM Program Manager. This study examines the process used by the City of Edmonton in Alberta, Canada, to establish its strategic ERM model. After examining several existing frameworks, the City decided on a framework based on the ISO 31000 risk management standard, but customized to suit the City’s needs. During the process, administration had to weigh factors common to any large organization, as well as those specific to governments in general and municipalities in particular. The chronicling of this process may assist those in similar organizations to more successfully implement their own ERM and SRM programs.

Chapter 16 gives a brief history of the evolution of enterprise risk management and describes a new and innovative approach (value mapping) to measuring the potential value created by taking risks. This chapter also provides a model for incorporating the ERM process into strategic planning. John Bugalla, Principal of ermINSIGHTS and author of Chapter 7, and James Kallman, a finance professor at St. Edward’s University, co-author this chapter. John’s experience includes 30 years in the risk management profession serving as Managing Director of Marsh & McLennan, Inc., Willis Group, Plc., and Aon Corp., before founding ermINSIGHTS. James teaches courses in finance, statistics, and risk management.

PART IV: SPECIALIZED ASPECTS OF RISK MANAGEMENT

Part IV of the book captures unique aspects of ERM so that the reader can learn about the many broad applications, including insights into managing specific types of risk. This part starts with a case study in Chapter 17 of the challenges of risk management within a typical police department. This case is followed by eight additional chapters addressing other intriguing aspects of risk management.

Andrew Graham reveals the complex and challenging aspects of risk management in Chapter 17, “Developing a Strategic Risk Plan for the Hope City Police Service.” This fictional case study was developed based on many years of teaching risk management to police forces. The setting is a medium-sized but growing city that is facing many issues, including changes in demographics, traffic issues, budgetary challenges, and so on. The student is required to act as a consultant who has been hired by the chief of police to assist him in briefing the Police Services Board and the mayor in understanding the most critical risks to their objective of having a best-in-class police service for their citizens. Andrew Graham researches, teaches, and writes on public-sector management, financial management, integrated risk management, and governance at Queen’s University School of Policy Studies, Canada, as well as a variety of international and Canadian venues. Andrew had an extensive career in Canada’s criminal justice system and has taught and worked with police services and police boards and commissioners in a variety of ways for the past 10 years.

Chapter 18, “Blue Wood Chocolates,” is designed to facilitate discussion of the implementation of an ERM framework, corporate governance issues, and commodity risk management. The situation that this fictional company faces is typical of many midsize companies that have performed satisfactorily in the past but are exposed, often unknowingly, to major potential risks and do not have the internal governance and risk management structures to identify, quantify, and manage such risks adequately. In particular, this case illustrates commodity and foreign currency exposures, and challenges the student to investigate the specifics of hedging such positions. Rick Nason, PhD, CFA, and Stephen McPhie, CA, coauthored this chapter. Rick is an associate professor of finance at Dalhousie University, Canada, and is also a founding partner of RSD Solutions, a risk management consultancy firm. His coauthor, Stephen McPhie, CA, is a partner of RSD Solutions Inc. and has also held various positions in the United States, Canada, and the United Kingdom with a major Canadian bank.

Foreign exchange (FX) risk management is one of the greatest financial risks a company faces when expanding globally. Chapter 19, “Kilgore Custom Milling,” illuminates the myriad of issues that arise when hedging FX risk, such as faced by a midsize original equipment manufacturer (OEM) operating in the automobile industry. Kilgore Custom Milling (a fictional company) needs to develop a hedging strategy to manage its foreign exchange risk for a new contract and decide what type of derivatives to use, what size of hedge to implement, and how the company’s financial risk management fits in with its overall ERM process. Rick Nason and Stephen McPhie, coauthors of Chapter 18, team together again to explore the complex and challenging issues that many companies face with FX risk.

ERM is currently of very high interest to companies operating in the Middle East, an area that presents unique challenges for implementation. Alexander Larsen captures this scenario in Chapter 20, “Implementing Risk Management within Middle Eastern Oil and Gas Companies.” This case study is based on real-life examples of Middle Eastern oil and gas companies and captures the challenges of implementing risk management in the Middle East. Alexander Larsen holds a degree in risk management from Glasgow Caledonian University and is a Fellow of the Institute of Risk Management. He has over 10 years of experience across a wide range of sectors, including oil and gas, construction, utilities, finance, and the public sector. Alexander has considerable expertise in training and working with organizations to develop, enhance, and embed their ERM.

Public safety organizations are increasingly adopting sophisticated enterprise governance and risk management techniques as a means of managing their programs and expenditures. Root cause analysis can provide these agencies with detailed insights into the problems and issues they face, and provide them with the information they need to make informed decisions on risk management. Chapter 21, “The Role of Root Cause Analysis in Public Safety ERM Programs,” explores these issues by presenting six common root cause analysis techniques that are applied in a public safety or law enforcement environment. The chapter author, Andrew Bent, is a practicing risk manager with a large Canadian integrated energy company and was previously in charge of ERM for one of Canada’s largest municipal police services.

Chapter 22, “JAA Inc.—A Case Study in Creating Value from Uncertainty: Best Practices in Managing Risk,” provides extensive details about ERM implementation in a fictional international organization and discusses topics including governance structure, the processes, and the various tools used. The case is built on the principles and guidance of ISO 31000 and the implementation guidance created by the Australian and New Zealand Handbook HB 436. This case emphasizes the roles of the heads of the internal audit function and the risk management function. The three coauthors of this chapter have extensive experience in risk management. Julian du Plessis, Head of Internal Audit at AVBOB Mutual Assurance Society, South Africa, has over eight years of financial sector experience. Arnold Schanfield is a Principal with Schanfield Risk Management Advisors LLC, and is an internal audit and risk professional with diversified industry expertise. Alpaslan Menevse is currently the Risk Officer at Sekerbank T.A.S., which has in excess of 310 branches in Turkey. He has 28 years of experience in information systems, both as an academic and as a practitioner.

A book on ERM case studies is not complete without some coverage of risk management failures. One of the most famous failures involving operational risk is discussed in Chapter 23, “Control Complacency: Rogue Trading at Société Générale.” In January 2008, Société Générale uncovered €49 billion of unauthorized equity positions at its Paris head office, which cost €4.9 billion to unwind. Using an interactive format, this case study analyzes the origins, actors, causes, and consequences of this notorious control breakdown and derives risk management lessons from it in the areas of corporate governance, controls, compliance, systems, technology, and reputation risk. The author, Steve Lindo, Principal, SRL Advisory Services, has many years of experience in ERM and provides a thorough and fascinating coverage of this disaster.

Value at risk (VaR) is one of the most widely used techniques to measure financial risks, particularly in the area of investment portfolios. However, it is a technique that has not been fully understood by many risk managers. In Chapter 24, “The Role of VaR in Enterprise Risk Management: Calculating Value at Risk for Portfolios Held by the Vane Mallory Investment Bank,” VaR is described along with its underlying assumptions, advantages, and disadvantages. Several examples for single assets are detailed for both the dollar and percentage VaR estimation methods. The main focus of this case study is a tutorial on calculating VaR for portfolios of assets using the covariance approach utilized in portfolio theory. Allissa A. Lee coauthored this case study with Betty J. Simkins. Allissa is an assistant professor of finance in the College of Business Administration at Georgia Southern University. She has published several academic articles and also worked in the mortgage industry for MidFirst Bank. Betty, coeditor of this book, is the Williams Companies Chair of Business and Professor of Finance at Oklahoma State University.

Chapter 25, “Uses of Efficient Frontier Analysis in Strategic Risk Management,” covers an advanced analytical technique, efficient frontier analysis (EFA), where complex property and casualty risk profiles are being considered. This chapter provides insights into risk portfolio volatility, pricing, and insurance layering efficiency using EFA and is applied to a risk portfolio that presents catastrophic loss potential within the context of strategic risk management. This chapter’s coauthors are Ward Ching, who is Vice President, Risk Management Operations, at Safeway Inc., and Loren Nickel, who is Regional Director and Actuary, Actuarial and Analytics Practice, at Aon Global Risk Consulting. Both authors have extensive experience in property and casualty risk management and share their expertise in this specialized topic of ERM.

PART V: MINI-CASES ON ERM AND RISK

Mini-cases are a very powerful and highly useful resource in teaching ERM and can be easily utilized in short time periods such as a one-hour class segment. This part fills this gap in the education literature on ERM and includes six fictional mini-cases that have been developed by leading risk practitioners who draw from the wealth of their experiences in various applications of risk management.

Chapter 26, “Bim Consultants Inc.,” is based on a real event in which a company was faced with an important strategic acquisition decision. All names and data have been changed for confidentiality reasons. The purpose of the case is to illustrate the complexity of making strategic decisions and how greed and ego can cause a firm to change strategy in a way that may put the business at risk. The author, John Fraser, Senior Vice President, Internal Audit, and former Chief Risk Officer of Hydro One Networks Inc., is also coeditor of this book. Fraser is currently an adjunct professor at York University, Canada, and a member of the faculty of the Directors College. He is a recognized authority on ERM and has written extensively on the topic.

Chapter 27, “Nerds Galore,” is based on a fictitious small services company that appears to be on the verge of a major downturn. The focus of the case study is human resources–related risks, and the exercise is to conduct a risk assessment to aid in making the decision on whether to proceed with a major human resources strategy. This case study could be used as the basis for an actual risk workshop simulation with students role-playing various positions on the management team. Rob Quail, the author of this case study, draws on his extensive experience as Director of ERM at Hydro One Networks Inc., and provides an excellent mini-case to illuminate ERM applications.

Can a company have a successful ERM program that does not involve a key function, such as the legal department? And if not willing to participate, how do you convince this department to commit to ERM? The reader is challenged with tackling this crucial issue in Chapter 28, “The Reluctant General Counsel.” This mini-case is about the implementation of ERM at a software company and illustrates the challenges faced when the general counsel of the company has reservations and is not willing to support the implementation. The author, Norman Marks, CPA, CRMA, has been chief audit executive of major global corporations for over 20 years, and is highly regarded in the global profession of internal auditing. Furthermore, he is a prolific blogger about internal audit, risk management, governance, and compliance.

Chapter 29, “Transforming Risk Management at Akawini Copper,” describes how the approach to managing risk can be transformed and enhanced in a company. The case study is based on a hypothetical mining company, Akawini Copper, that has recently been acquired by an international concern. It draws on the practical concepts of ISO 31000 to show how a weak approach to risk management can be enhanced to be more robust and comprehensive by following a logical framework and transformation plan. The author, Grant Purdy, has worked in risk management for more than 35 years, across a wide range of industries and in more than 25 countries. Grant is coauthor of the 2004 version of AS/NZS 4360 and also of AS/NZS 5050, a standard for managing disruption-related risk, and has also written many risk management handbooks and guides.

Richard Leblanc, PhD, who is a governance lawyer, certified management consultant, and Associate Professor of Law, Governance, and Ethics at York University, draws on his extensive experience in board of director effectiveness when writing Chapter 30, “Alleged Corruption at Chessfield: Corporate Governance and the Risk Oversight Role of the Board of Directors.” Richard has advised regulators on corporate governance guidelines, and, as part of his external professional activities, has served as an external board evaluator and governance adviser for many companies, as well as in an expert witness capacity in litigation concerning corporate governance reforms. This case deals with the inner workings of a large organization’s board of directors, including allegations of corruption and self-dealing, and provides the reader with a captivating application of risk management shortcomings in governance and internal controls.

Diana Del Bel Belluz, president and founder of Risk Wise, Inc., draws on her experience in operational risk when writing Chapter 31, “Operational Risk Management Case Study: Bon Boulangerie.” This mini-case provides the opportunity for students to discuss and present their knowledge of operational risk. It describes the challenges and opportunities faced by a fictional bakery business in a small city. The bakery’s owner has decided to expand the business for greater rewards, but in doing so is faced with a number of operational challenges. Additional information on the steps of operational risk management is available in Chapter 16 in Fraser and Simkins (2010). Diana has many years of consulting experience in ERM, and advances the practice of ERM through her thought leadership as an educator, conference organizer, speaker, and author of ERM resources.

PART VI: OTHER CASE STUDIES

Many risk management lessons can be learned from the financial crisis of 2008, and we begin this part with a chapter addressing this topic: Chapter 32, “Constructive Dialogue and ERM: Lessons from the Financial Crisis.” In this chapter, Tom Stanton eloquently examines the critical distinctive factors between successful and unsuccessful firms in the crisis and refers to the presence or absence of these factors as constructive dialogue. Successful firms managed to create productive and constructive tension between those in the firm who wanted to do deals or offer certain financial products and services and those who were responsible for limiting risk exposures. Instead of simply deciding to do a deal or not, successful firms considered ways to hedge risks or otherwise reduce exposure from doing the deal. Thomas H. Stanton is a Fellow of the Center for Advanced Governmental Studies at Johns Hopkins University, a director of the Association of Federal Enterprise Risk Management, a former director of the National Academy of Public Administration, and a former member of the federal Senior Executive Service.

An important objective in this book is to provide global coverage about ERM by including insightful applications in various countries. Poland, after the transition into the free market economy in 1989, became open to knowledge and transfer of the best practices from around the world. Chapter 33, “Challenges and Obstacles of ERM Implementation in Poland,” draws on years of research, both formal and informal, and documents the country’s first approaches to ERM implementation. The successes, challenges, and weaknesses are described and provide a valuable lesson for other countries, regions, or even organizations in how they might go about implementing ERM. Two experts on ERM implementation in Poland teamed together to write this chapter. Zbigniew Krysiak, PhD, is an associate professor of finance at the Warsaw School of Economics in Poland. He is the author or coauthor of more than 100 publications, intended both for practitioners and for the academic community, concerning finance, risk management, financial engineering, and banking. His coauthor, Sławomir Pijanowski, PhD, is president of the POLRISK Risk Management Association in Poland, where he is responsible for development of good risk management practices for the Polish market. He is coauthor of the Polish book titled Risk Management for Sustainable Business published by the Polish Ministry of the Economy and has many other accomplishments in the area of risk management.

Chapter 34 entitled “Turning Crisis into Opportunity: Building an ERM Program at General Motors” was written by leaders of ERM at GM—Marc Robinson, Lisa Smith, and Brian Thelen. This case study chronicles the ground-up implementation of ERM at General Motors Company (GM), starting in 2010 after it emerged from bankruptcy. While GM recognizes that its ERM is a work in progress, there have been important successes both in improving the management of risk and making better business decisions. Critical to these successes has been a clear strategic vision on adding value for the business leaders that are the true risk owners, unique decision tools such as game theory, and a continuous improvement mindset, including robust lessons learned. The study describes the lessons learned during implementation and some of the unique approaches, tools, and techniques that GM has employed. Examples of senior management reporting are also included.

The last case study in the book is also extremely insightful because it provides an excellent example of an ERM application at a company in Asia. The authors demonstrate in Chapter 35 how Astro, a Malaysia-based media company, uses ERM to grow through international acquisitions, and how it implements enterprise risk management not only to ensure sound risk management by its foreign subsidiaries and joint ventures, but also to make better risk/return decisions on its portfolio of direct investments. Both authors are authorities on ERM implementation globally. Ghislain Giroux Dufort is President of Baldwin Risk Strategies Inc., a consulting firm advising boards of directors and management teams on risk governance and ERM and has over 25 years of experience. Patrick Adam Kanagaratnam Abdullah is the Vice President of ERM for Astro Overseas Limited (AOL), Malaysia. He specializes in the implementation of ERM practices across AOL’s investments and has over 21 years of experience in various areas of risk management.

CONCLUSION

As outlined above, the case studies and specialized topic chapters in this book present an impressive coverage of new information on enterprise risk management, and all chapters are written by leading ERM experts globally. To our knowledge, this is the first book to be published that provides such comprehensive coverage of ERM case studies. We hope you find this book a valuable resource in your education and/or implementation of ERM. We welcome your comments and suggestions. Answers to the end-of-chapter questions and detailed teaching notes to most cases are available to instructors at www.wiley.com.

NOTES

1. See the 2014 American Productivity & Quality Center Report.
2. ISO 31000 was issued by the International Standards Organization in 2009. For a description refer to Chapter 7 of Fraser/Simkins by John Shortreed.
3. Fraser/Simkins, 15.
4. ISO 31000 has been agreed to by about 25 major countries of the international community as the guideline for risk management.

REFERENCES

American Productivity & Quality Center (APQC). 2014. APQC Report. www.apqc.org/.

Fraser, John, and Betty J. Simkins, eds. 2010. Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives. Hoboken, NJ: John Wiley & Sons.

Fraser, John, Karen Schoening-Thiessen, and Betty J. Simkins. 2008. “Who Reads What Most Often? A Survey of Enterprise Risk Management Literature Read by Risk Executives.” Journal of Applied Finance 18:1 (Spring/Summer).

PWC (PricewaterhouseCoopers). 2014. Risk in Review: Re-Evaluating How Your Company Addresses Risk. www.pwc.com/us/en/risk-assurance-services/publications/risk-in-review-transformation-management.jhtml.

ABOUT THE EDITORS

John R.S. Fraser is the Senior Vice-President, Internal Audit, and former Chief Risk Officer of Hydro One Networks Inc., Canada, one of North America’s largest electricity transmission and distribution companies. He is a Fellow of the Institute of Chartered Accountants of Ontario, a Fellow of the Association of Chartered Certified Accountants (U.K.), a Certified Internal Auditor, and a Certified Information Systems Auditor. He has over 30 years of experience in the risk and control field mostly in the financial services sector, including areas such as finance, fraud, derivatives, safety, environmental, computers, and operations. He is a member of the Faculty at the Directors College for the Strategic Risk Oversight Program, and has developed and teaches a master’s degree course entitled Enterprise Risk Management in the Masters in Financial Accountability Program at York University where he is an adjunct professor. He is a recognized authority on enterprise risk management and has co-authored several academic papers on ERM. He is co-editor of a best-selling university textbook released in 2010, Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives.

Betty J. Simkins, PhD, is Williams Companies Chair of Business and Professor of Finance at Oklahoma State University. Betty received her PhD from Case Western Reserve University. She has had more than 50 publications in academic finance journals. She has won awards for her teaching, research, and outreach, including the top awards at Oklahoma State University: Regents Distinguished Research Award and Outreach Excellence Award. Her primary areas of research are risk management, energy finance, and corporate governance. Betty serves on the editorial boards of nine academic journals, including the Journal of Banking and Finance; is past coeditor of the Journal of Applied Finance; and is past president of the Eastern Finance Association. She also serves on the Executive Advisory Committee of the Conference Board of Canada’s Strategic Risk Council. In addition to this book, she has published two others: Energy Finance and Economics: Analysis and Valuation, Risk Management and the Future of Energy and Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives (co-edited with John Fraser). Prior to entering academia, she worked in the corporate world for ConocoPhillips and Williams Companies. She conducts executive education courses for companies globally.

Kristina Narvaez is the president and owner of ERM Strategies, LLC (www.erm-strategies.com), which offers ERM research and training to organizations on various ERM-related topics. She graduated from the University of Utah in environmental risk management and then received her MBA from Westminster College. She is a two-time Spencer Education Foundation Graduate Scholar from the Risk and Insurance Management Society and has published more than 25 articles relating to enterprise risk management and board risk governance. She has given many presentations to various risk management associations on topics of ERM. She is an adjunct professor at Brigham Young University, teaching a business strategy course for undergraduates.


PART I

Overview and Insights for Teaching ERM


CHAPTER 2

An Innovative Method to Teaching Enterprise Risk Management
A Learner-Centered Teaching Approach

DAVID R. LANGE
Distinguished Research and Teaching Professor of Finance, Auburn University Montgomery

BETTY J. SIMKINS
Williams Companies Chair of Business and Professor of Finance, Oklahoma State University

Learner-centered teaching (LCT), commonly referred to as “flipping the classroom” (Shibley and Wilson 2012), is an alternative to the traditional teacher lecture (TL). With LCT, students actively participate in the pedagogical process and take increased responsibility for learning through constructive reflective reasoning. Where with TL content is covered, content in LCT is used as a “means to learning” (Weimer 2002). LCT is ideally suited for content provided in lists, tables, charts, and exhibits, and particularly so if these are in the form of topic overviews, flowcharts, or summaries. The case method espouses similar student-engaged learning processes by promoting critical thinking and analysis, creating discussion of conflicting issues and requiring a decision (Bean 2011). LCT amplifies and broadens student learning from cases. Hence, the case studies in this book are ideal for teaching enterprise risk management (ERM) using LCT.

The chapter is presented in three sections. The first section clarifies the concept of flipping the classroom with LCT, distinguishing LCT from a TL, and why the growing LCT movement should be joined. The second section considers the what, Weimer’s (2002) Learner Centered Teaching “Five Key Changes to Practice,” a definitive paradigm for changing pedagogy to LCT from a TL. A final section, the appendix, provides examples of the how: using content to utilize LCT in an enterprise risk management (ERM) course at Auburn University Montgomery. The examples are from Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives (Fraser and Simkins 2010), which opportunely provides ERM content in the supporting formats. The LCT examples are provided in contrast to TL approaches, and include learning notes expanding the how of examples.

Exhibit 2.1 TL versus LCT

Bloom (1956)   | Anderson and Krathwohl (2001)  | Expanded
Knowledge      | Remember: Recognize, recall    | Memorize, recollect, retain
Comprehension  | Understand: Interpret, explain | Comprehend, realize, apprehend
Application    | Apply: Calculate, solve        | Compute, estimate, determine
Analysis       | Analyze: Distinguish, relate   | Examine, explore, study, associate
Evaluation     | Evaluate: Critique, test       | Assess, appraise, review, comment
Synthesis      | Create: Hypothesize, devise    | Speculate, theorize, postulate, offer, imagine, assume, suggest

LEARNER-CENTERED TEACHING: THE WHY

Flipping the classroom refers to Bloom’s Cognitive Learning Taxonomy (1956), a commonly accepted identification of levels of learning (Anderson and Krathwohl 2001; Bean 2011; Shibley and Wilson 2012), and thus an easily identifiable model with which to distinguish LCT from TL. Exhibit 2.1 has inverted Bloom’s taxonomy to illustrate flipping the classroom. In a TL, the teacher normally progresses through the taxonomy starting with imparting knowledge:

• Knowledge: covering content with PowerPoint presentations, lectures, and so on
• Comprehension: offering alternative descriptions and definitions, followed by a question of “What does this mean in your own words?”
• Application: solving problems step-by-step, demonstrating necessary calculations, and solving homework problems replicating calculations
• Analysis: comparing and explaining results from different problems
• Evaluation: questioning validity of assumptions, processes, and textbook sections on weaknesses in the model
• Synthesis: concluding with summaries and overviews

We may recognize the TL approach from our own experience or through class- room observation of peers.

To further illustrate the levels of learning, Anderson and Krathwohl’s (2001) revision of Bloom’s taxonomy is included in the center column of Exhibit 2.1. The third column contains an expanded list of active learning for additional clarification.

Learner-Centered Teaching

In LCT, content is used as a means to learning (Weimer 2002). Envision a learning process in which students compute a financial problem, examine different points of view, review and comment on an article, or postulate explanations for survey results. The knowledge (content) is discovered and used by the students in the learning process. Content in LCT is used as a means to learning (Weimer 2002), not presented and covered as in the context of a TL. In effect, as the examples will demonstrate, LCT enters Bloom’s Cognitive Learning Taxonomy through the higher levels of application, analysis, evaluation, and synthesis.

Why LCT?

A primary explanation for education moving toward LCT is based on learning research that supports “more active, inductive instruction” (Smart, Witt, and Scott 2012). Increased student engagement, strengthened team-based skills, personalized student guidance, focused classroom discussion, and faculty freedom are several benefits of the growing LCT pedagogical adoption (Millard 2012). In a review of pedagogical literature with courses adopting LCT, Wright (2011, p. 96) found college teachers believe “a more effective learning environment” was provided, and “students tended to respond positively.” A smaller study by Wohlfarth et al. (2008) acknowledged the need for further research and offered strong qualitative student support of LCT’s importance in assisting learning.

There are several other reasons why LCT should be adopted. In a paper applying 29 components to benchmark the degree of LCT implementation, Blumberg and Pontiggia (2011) note the importance of LCT in their institutions’ faculty development workshops, the implications for assessments and accreditation, and potential student admission promotional material. Yang (2010, p. 80) offers a globalization justification to adopt LCT, the need to “encourage students to actively participate in the discussion, and the need for students to fully express their views,” even if it is counter to student cultural behavior.

Poor teaching experience with the TL is another supporting reason for LCT. The prepared TL covering knowledge, with students attempting to retain and simultaneously comprehend key points, may appear more as a sermon, speech, homily, or oration. Instructors, from their own experience or through classroom observation of peers, may relate to the “picture of somewhat lifeless students sitting passively in classrooms, with glazed eyes, some struggling to stay awake in dimmed classrooms as an instructor shared key concepts . . . using slides” (Smart, Witt, and Scott 2012, p. 393).

The educational goal is to engage students to become active versus passive learners by promoting critical thinking and “emphasizing inquiry” (Bean 2011, p. 38). LCT’s flipped classrooms focus on critique, assess, hypothesize, and speculate, the higher levels of Bloom’s Cognitive Learning Taxonomy. The base levels of knowledge and understanding may be assigned before class (Shibley and Wilson 2012).

FIVE KEY CHANGES TO PRACTICE: THE WHAT

Weimer’s Learner Centered Teaching (2002) “Five Key Changes to Practice” is a definitive paradigm for changing pedagogy to LCT. This section describes each of these “Five Key Changes to Practice,” which are:

1. The Balance of Power
2. The Function of Content
3. The Role of the Teacher
4. The Responsibility for Learning
5. Evaluation Purpose and Process

Consideration of the five steps with each of the LCT ERM examples paradoxically resembles the TL approach. Therefore, instructors are encouraged to appraise their current pedagogy and associate the respective LCT changes to practice with their course. To assist your movement to LCT, Weimer’s (2002) Part Two, “Implementing the Learner-Centered Approach,” includes discussions of responding to resistance from students and faculty, taking a developmental approach in converting students from passive to active learners, and making LCT work based on principles of successful instructional improvement. Appendixes in Weimer (2002) offer suggestions for the syllabus and learning log (Appendix A), handouts for developing learning skills (B), and a recommended reading list (C). Blumberg (2009) provides an extensive step-by-step guide to adopting LCT.

The Balance of Power

The LCT classroom is more democratic than the TL, where sequencing, content, and information flow are one-way: professor to student. With LCT, students actively participate in the learning process and are likely to alter its direction by connecting to prior tangential or experiential knowledge. Generally, the teacher retains the responsibility for selecting the course content, learning goals, and itinerary, though even these may include student input. Regardless, with LCT, the learning path taken, the direction of course discussion, and practical examples are at the very least influenced, and more likely chosen, by the student; thus “power is shared” (Weimer 2002).

LCT often includes case studies, small group discussions or assignments, and/or designating a student to be a group discussion leader on a rotating basis. Power sharing is not easy for teachers accustomed to a TL approach. But LCT power sharing has several benefits. Students are more active, engaged, interested, and motivated, and less passive and disconnected (Weimer 2002, p. 31). It is easier for a student to hide in a class of 30, 50, or 100 than in a group of five students. It should be noted that the student discussion leader is equally asked to “share the power,” and there are potential “tough spots for running a risk management workshop”—nonparticipation and dominators (Fraser and Simkins 2010, p. 169).

The Function of Content

With LCT, content is used in the learning process, not covered in the context of the TL. This does not infer that the content, base knowledge, is not covered. It simply means that students do not first memorize the base knowledge for later recall. Instead, students constructively examine, explore, review, and assess content. It is extremely interesting to see students strongly arguing for the most important step in an ERM process even when there may not actually be a hierarchy. Creating and defending an argument for the most important step, what risk stands out, or what is the most challenging step requires a cognitive reasoning process and a subtle incorporation of base knowledge and linkage to previously learned material—the LCT version of content coverage. With LCT, the content learning process “develops learning skills” and “promotes self-awareness of learning,” and students “experience it firsthand” (Weimer 2002, p. 51–52).

The amount of content covered is a possible concern for those more inclined toward a TL. However, contrary to expectations, experience suggests that more content is covered, not less, as students explore and assess content versus memorization.

As shown in the Appendix, Example #10, Chapter 18: “Managing Financial Risk,” is a good illustration of more coverage. The TL approach gives an example of the trade-offs, costs, and benefits of hedging with futures contracts, often starting with a simple natural hedge. Here, the student records the respective payoffs to long and short positions when prices change. Students memorize the transactions and expect to replicate the steps with different numbers, and maybe even a different futures contract for a challenging TL course. With LCT, students first view a short video about futures markets (www.cmegroup.com/), and then review the listing of available futures contracts, selected quotes, and specifications. LCT scenarios in which futures contracts could be applied quite often begin with weather futures, as students’ curiosity is awakened when they imagine rain, snow, and tornadoes, not the TL farmer and cereal producer with corn futures. With LCT, students first suggest, appraise, and associate scenarios with futures contracts, and then calculate payoffs given the contract specifications. As noted previously, the LCT teacher needs to be prepared to assist with any futures calculation.

A second example in the Appendix of expanded content is Example #13, Chapter 23: “Academic Research on Enterprise Risk Management.” In a TL course, students would memorize the articles and the findings of each, with the goal of restating the findings on an exam. With LCT, critiquing, appraising, and theorizing often lead to discussions of hypotheses. For example, why is there an expected relationship between ERM and “organizational slack” or “asset opacity” (Fraser and Simkins 2010, p. 426)? This level of hypothetical discussion is considerably beyond “Who found what?”

The Role of the Teacher

Perhaps the most difficult change in moving to LCT for a teacher accustomed to the TL is that lectures are replaced with individual student learning, small group discussions, or other group activities. The teacher’s role is that of a moderator, tour guide, and/or facilitator of learning. This role is a necessary part of LCT, not an option; the teacher “must move aside, often and regularly” (Weimer 2002, p. 74).

Serving as guide extends to after groups (or individuals) report their suggestions, hypotheses, comments, explorations, or computations. It is very tempting to return to the TL, the “sage on the stage,” with corrections, conclusions, or examples. A moderator or facilitator would ask: Was your group in agreement? What issues did you differ on? What do you believe is the lesson here, the point to be learned? Does anyone else have a different solution or computation?

Granted, the teacher’s workload may be more, not less. We often prepare, or receive with the textbook, a series of very structured lecture slides, “talking PowerPoints,” demonstrating what and how much we know about the topic. Our thorough, insightful, wise lecture is interrupted only by the proverbial unanswered inquiries of: Does anyone have any questions? Is this clear? Do you understand?

It is quite another task to be able to guide constructive explorative reasoning and learning. It is not that LCT is without structure; it is that the LCT learning structure is flexible, fluctuating, adjustable, and often unpredictable. Weimer (2002, pp. 83–91) offers the following seven principles:

1. Teachers do learning tasks less.
2. Teachers do less telling; students do more discovering.
3. Teachers do more design work.
4. Faculty do more modeling.
5. Faculty do more to get students learning from and with each other.
6. Faculty work to create climates for learning.
7. Faculty do more with feedback.

The “Useful Facilitation Tips” for running a risk management workshop (Fraser and Simkins 2010, p. 169) may serve a dual purpose as student content and LCT advice:

• Inquire. Ask open-ended questions, such as “Why?” Ask participants to speak not just on behalf of themselves but about what they think others might be thinking. Ask for the contrary view: “What are some of the arguments against this?” Ask for evidence: “How do you know?”

• Restate. Summarize or paraphrase what you have just heard. Summarize the key points and then ask someone to add to them or comment on them or contradict them.

• Provoke. State extreme views that you might have heard or imagined on the subject under discussion. Encourage healthy debate.

• Use silence. After asking a question that gets no immediate response, it is extremely tempting to fill the silence by talking more or restating the question. Don’t. Wait through the silence. If you wait long enough, someone will speak.

• Get out of the way. If a good animated discussion starts to happen that is directly on topic and there is available time, try to “blend in with the furniture.” Walk to the side of the room or sit down. Let the students run with it. Wait for the discussion to peter out or drift off topic before again making your presence felt.

• Don’t overexplain. The authors’ experience is that the more participation (and less explanation or lecturing) there is in a workshop agenda, the more engaged the participants will be. Avoid lengthy descriptions of the steps to be taken or the underlying theory. Tell them the bare bones of what they need to do for the next step in the process, and then let them learn by doing.

The Responsibility for Learning

Teachers remain responsible for creating a learning environment, but students take responsibility for learning (Weimer 2002). Many of the example questions, exercises, and activities provided in the appendix were created by students in the ERM course. Students on a rotating basis provide discussion questions and serve as small group moderators. Student small group moderators are encouraged to have every student engage in the discussion process, limiting individual students who may try to dominate, and motivating timid students. Engaged students accept the linkage between their actions and learning. Misbehavior is better corrected by peers who see that learning is being prevented than by teacher retribution.

Students are also responsible for contributing to course content, further engaging their interest and ownership of the responsibility for learning. For example, in the Appendix, the tornado incident at the truck yard in LCT Example #6, Chapter 13: “Quantitative Risk Assessment in ERM,” was found by a student. The student was delighted to share the discovered risk example, as other students accepted a challenge to find additional videos of the incident or similar catastrophic events. The whistle-blowing websites and information in LCT Example #12, Chapter 20: “Legal Risk Post-SOX and the Subprime Fiasco,” were also found by students. The content served as a basis for spirited group discussions on whistle-blowing. Consider the benefit of 30 students searching and exploring the web for current content versus the teacher presenting a few selected sites in a TL. Avoid the classic student statement, “That seems like a good example, but I cannot quite relate to it. It was before I was born.”

Evaluation Purpose and Process

It reasonably follows that LCT also results in a change in evaluation procedures, essentially orienting the evaluation process to promote learning. LCT does not reduce the importance of evaluations and the structural value of course grades. LCT does alter the focus of evaluations to learning, as grades do not necessarily reflect the desired higher-level learning, especially if exams only measure recall and rote memorization of base knowledge.

It is not a straightforward change for evaluations to emphasize learning. Accordingly, Weimer (2002) considers the opportunities in greater detail:

• As a foundation to reduce the stakes and stress of the exam, provide review sessions, make sure exams reflect covered content, offer multiple opportunities, or have exams taken as a group.

• For papers, suggest appropriate paper topics, and clearly state academic coverage expectations.

• Develop participation through both self and peer assessment.

• Utilize review sessions at the end of classes and prior to exams as learning exercises, allowing groups to summarize important content and topics that are expected to be on the exam.

• Avoid returning to the TL in the review, however tempting it may be and however accidentally one may revert to it.

• Continue LCT into the postexam review by encouraging students to support answers they argue are correct, citing content or their reasoning process. How often, when a student states that answer C seems to be correct, we respond with “Sorry, B is the only correct answer.” Imagine the different response of “Why do you think C is correct?” Place the emphasis on learning, and we may sometimes discover that answer C may also be correct.

CONCLUSION

Overall, movement toward LCT may not be as large a pedagogical change as one may be concerned about, and case study teaching is a type of LCT. The goals of the TL generally rely on Bloom’s (1956) original taxonomy or Anderson and Krathwohl’s (2001) metacognitive revision—striving for evaluation and synthesis. Programs to improve critical thinking and active learning through writing (Bean 2011) also cite Bloom’s taxonomy. So the TL and LCT approaches both have the desired educational cognitive learning theory goals of evaluation and synthesis.

Top-down instruction and hands-on methods of learning have been around for some time, emphasizing why, what, and then how. This pedagogy has included preparing students for learning, activating relevant knowledge, gaining students’ attention, aids to understanding, promoting meaningful processing, and directing and maintaining attention (Steinberg 1991). In essence, when evaluation and synthesis are achieved, students know the why and the what, which leads to how. Knowing only how, including knowledge, comprehension, and application, does not necessarily lead to evaluation and synthesis.

If we want to increase student engagement, strengthen team skills, and use content for learning rather than covering content for recall, LCT offers pedagogical advantages over the TL.

We want students to examine, explore, study, associate, assess, appraise, review, comment, speculate, theorize, postulate, offer, imagine, assume, suggest, and hypothesize. Observing student success is extremely rewarding and encouraging, good reasons to create a learner-centered environment versus a teacher-dominated lecture.

QUESTIONS

1. Which of Maryellen Weimer’s classic Learner Centered Teaching (2002), “Five Key Changes to Practice” do you feel is the most important and/or challenging? Why?
(a) The Balance of Power
(b) The Function of Content
(c) The Role of the Teacher
(d) The Responsibility for Learning
(e) Evaluation Purpose and Process

2. Given the importance of globalization, how would you approach adopting LCT even if it is counter to your students’ cultural behavior?

3. What techniques and/or guidelines do you envision to change your role as a teacher, to “step out of the way” of learning and serve as a moderator, not a “sage on the stage” or lecturer?

4. How do you plan to introduce and orient your students to LCT? Do you have specific concerns about student response and their acceptance of responsibility for learning?

APPENDIX: LCT ERM EXAMPLES FROM THE HOW

This appendix provides several LCT examples along with the related TL alternatives for an ERM course that has been conducted at Auburn University Montgomery (Alabama) since 2010. All examples and page number references apply to Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives, co-edited by John Fraser and Betty J. Simkins (2010). Learning notes (LN) include pedagogical suggestions and course experiences. The following LCT examples are generally small group discussions, but LCT often includes reading assignments or problems that may be done prior to the actual class meeting (Shibley and Wilson 2012). In each example, TL begins with the traditional teacher lecture on the topic (such as using PowerPoint slides to speak to the students and cover the material, etc.). LCT starts with the students.

While reviewing the examples, imagine the possible implications of Weimer’s (2002) “Five Key Changes to Practice” described in this chapter where the process has been flipped. Most importantly, notice how content is covered but not in a traditional lecture context where the teacher presents the information. Rather, content is used as a means of learning. Additional examples of LCT for business communication courses are contained in Smart, Witt, and Scott (2012). Wright (2011) offers an insightful pedagogical literature review of Weimer’s “Five Key Changes to Practice.”

Example #1. Chapter 2: A Brief History of Risk Management

TL: Risk management “spans the millennia of human history” (page 19). Cover the list of significant milestones in a series of PowerPoint slides and explain the contribution of each to the development of ERM.

LCT: Review the List of Contributions (pages 22–27) and suggest the three most significant milestones in the development of ERM. Comment on why your group chose these milestones. Was the group generally in agreement? If not, what were the other selected milestones?

LN: Groups generally differ on the top three milestones, usually based on different themes: economic events, creation of professional organizations, contributions and development of risk management theory, or possibly legislative actions. The list of significant milestones small group exercise provides an early and substantial insight into LCT. Rather than memorize, recall, and explain, the students are asked to review, suggest, and comment—all higher levels of Bloom’s Cognitive Learning Taxonomy. It is most rewarding to see students argue about the top three, supporting their choices by associating or assessing the impact of milestones on the development of risk management. There may not even be a top three, and even if there is, the teacher has a postgroup selection opportunity to guide the discussion or note the differences in theme the groups selected.

Example #2. Chapter 3: ERM and Its Role in Strategic Planning and Strategy Execution

TL: Cover the List of 11 Tenets of the Return-Driven Framework (pages 37–38).

LCT: Appraise the list of risk categories for the greatest risk (pages 41–42).

• Shareholder value risk
• Financial reporting risk
• Governance risk
• Customer and market risk
• Operations risk
• Innovation risk
• Brand risk
• Partnering risk
• Supply chain risk
• Employee engagement risk
• Research and development (R&D) risk
• Communication risk

LN: The textbook presentation states that “the framework encourages thinking about these risk categories” (page 41). With LCT, students should be encouraged to do so, and in the learning process incorporate the 11 tenets.

TL: A “genuine asset” is . . . (page 38).

LCT: Create a list of “genuine assets” for a company of your choice.

LN: A simple create exercise includes recognize, apprehend, and determine. The teacher may facilitate clarifications and corrections by guiding subsequent classroom discussion in examining, critiquing, and exploring the different lists of “genuine assets.”

Example #3. Chapter 5: Becoming the Lamp Bearer—The Emerging Roles of the Chief Risk Officer

TL: The chief risk officer has four major roles: (1) compliance champion, (2) modeling expert, (3) strategic controller, and (4) strategic adviser. In the first role . . . (pages 75–81).

LCT: Reviewing Exhibit 5.1 (page 80), distinguish the roles of strategic controller and adviser. Postulate which role of the chief risk officer is the most important.

LN: Postulating requires memorization, comprehension, distinguishing, and appraisal.

Example #4. Chapter 8: Identifying and Communicating Key Risk Indicators

TL: Key risk indicators are an ERM tool that . . . (page 129).

LCT: Distinguish key risk indicators from key performance indicators. Suggest the key risk indicator practical applications that are most important to achieve the organizational strategy of the company you work for, a company chosen by your group, or the university.

LN: The facilitator role is often needed on this topic, as key risk indicators may be confused with or closely aligned with key performance indicators.

Example #5. Chapter 11: How to Prepare a Risk Profile

TL: The Risk Map is a graphic representation of a Risk Profile and in this case contains eight risks (page 173). The first risk is . . .

There are eight steps to create a Risk Profile (pages 177–186).
Step 1: Schedule interviews and gather background information.
Step 2: Prepare the interview tools.
Step 3: Summarize the interview findings.
Step 4: Summarize the risk ratings and trends.
Step 5: Draft the Top 10 Risk Profile.
Step 6: Review the Draft Risk Profile.
Step 7: Communicate the Risk Profile with the board or a board committee.
Step 8: Track the results.

LCT: Appraise the benefit of a Risk Profile and Risk Map. Suggest which step is the most challenging in preparing a Risk Profile. Comment on why your group selected this step. Create a Top 10 Risk Profile for the company you work for, your university, or your school.

Example #6. Chapter 13: Quantitative Risk Assessment in ERM

TL: This chapter discusses risk assessment and risk quantification . . . (page 219).

LCT: Explore information related to the Schneider Truck Yard Tornado Damage in Dallas, Texas, on April 3, 2012. This results in a large number of videos and news stories. Assess where this event would be placed in a Risk Map. Comment on how the event may be viewed in a statistical analysis. Now speculate on your reaction if you have just received a phone call stating, “All of the trailers and tractors in your Dallas Hub have been destroyed.” See Exhibit 13.3 of Fraser and Simkins (2010, p. 224).

LN: The video of tractor trailers flying through the air is striking. This is a learning opportunity to consider the ERM of “tail events” and “known unknowns.”

Example #7. Chapter 14: Market Risk Management/Credit Risk Management

TL: Looking at the Taxonomy of Market Risk and Credit Risk (page 240): The first market risk is . . . . The next one is . . . . The third one is . . . . The first credit risk is . . . . The next one is . . . . The third one is . . . .

LCT: Distinguish between market risk and credit risk. Reviewing the different types of risk, assess which risk is most striking and noteworthy. Comment on why your group chose this risk.

Example #8. Chapter 16: Operational Risk Management

TL: This chapter illustrates the answers to fundamental questions, including (page 280):

• What is operational risk? Why should you care about it?
• Is risk all bad?
• How do you assess operational risks, particularly in a dynamic business environment?
• Why do you need to define risk tolerance for aligned decision making?
• What can you do to manage operational risk?
• How do you encourage a culture of risk management at the operational level?
• How do you align operational risk management with enterprise risk management?

First, let’s answer the question of “What is operational risk?”

LCT: Using Exhibit 16.2, The Bow Tie Model (page 291), provide an analysis of a current news event. This is reprinted as Exhibit 2.2 in this chapter.

LN: The current news event may be any risk event, from explosions to traffic wrecks, bankruptcies to product recalls, flood damage to tornado damage, information leaks to software failures. The analysis answers the questions, and the content is used as a means to learning.

TL: “The 5 Whys is a question-asking method that can be used to explore the cause-and-effect relationships underlying a particular risk event or problem” (page 294).

LCT: Continue your current news event analysis by exploring with at least five whys.

LN: There are always current risk events in the news, most of which can be searched for, often including videos. As an example, a recent class chose a wreck between a church bus and a truck on an expressway. At first, it appeared that the group’s risk event selection was a direct adoption of the textbook example—a fatal accident (page 294). However, the student-engaged whys expanded quickly, as follows:

Why did the wreck occur? Bus crossed median of expressway after tire blew out.
Why did the tire blow out? Poor bus maintenance, bad tire, debris on roadway.
Why was there poor bus maintenance? Expenses limited by budget.
Why was the driver not able to control the bus? Young, inexperienced volunteer.
Why was the driver an inexperienced volunteer? Previous older, experienced driver quit driving given his age. Newer driver only needs to pass commercial driver’s license (CDL) exam and drives no more than twice per week, rarely on the expressway.
Why did the bus cross the median? No safety barrier in place.
Why was there no safety barrier in place? State had added several hundred miles of wire or concrete median barrier, but this section of expressway had lower priority based on wreck history.
Why wasn’t topology and shallow median considered? Engineering expertise more expensive.
Why were individuals seriously injured? Lack of personal restraints.
Why were there no personal restraints? Not required, expensive option.
Why are personal costs not given greater weight in budgeting?

[Figure: bow tie diagram with Outcome Values on the horizontal axis (Negative Outcomes to the left, Positive Outcomes to the right) and Outcome Likelihood on the vertical axis (High Probability to Low Probability)]

Exhibit 2.2 The Bow Tie Model

Example #9. Chapter 17: Types of Risk

TL: “Distinguishing between beta and alpha risk can be difficult” (page 304). Beta risk is . . . . Alpha risk is . . . .

LCT: Reviewing Exhibit 17.1, Value Implications of Risk Appetite Change, distinguish between beta and alpha risk. This is reprinted as Exhibit 2.3 in this chapter.

LN: Distinguishing requires recognizing, comprehending, and determining. Definition recall does not. Difficult material may necessitate additional teacher facilitation and at the same time offer another student learning opportunity for discovery.

Example #10. Chapter 18: Managing Financial Risk

TL: Cover Exhibit 18.1, Examples of Contracts Traded on Major U.S. Futures Exchanges (page 322). Cover cases on currency risk, interest rate risk, and commodity price risk (pages 323–325). Identify the financial question of “Does Hedging Affect Firm Value?” (page 327).

LCT: Explore the available futures contracts on www.cmegroup.com:

• Agriculture
• Energy
• Equity index
• Foreign exchange (FX)
• Interest rates
• Metals
• Options
• Over-the-counter (OTC) market
• Real estate
• Weather

Select a specific futures contract of interest to your group under Products & Trading, Products (for example, EUR/USD under FX). Review the quotes and the contract specifications for your selected futures contract. Suggest a scenario where your selected futures contract could be applied. Critique the financial issue of “Does Hedging Affect Firm Value?”

[Figure: risk (horizontal axis) against return (vertical axis), showing the efficient frontier for the business portfolio, a capital requirement line, and the regions Alpha (value creation), Beta, and Zeta (value loss), with positions A, B, C, and D marked]

Exhibit 2.3 Value Implications of Risk Appetite Changes

A = Current position; B = Value destruction—uncompensated risk; C = Target position—no value change; D = True value creation

LN: Students are engaged by explore, review, suggest, and apply versus covering three examples they have already read. Note that the teacher may need to facilitate the estimation of the selected futures contract’s payoff, which may be any of those available, not just the three prepared text examples. Every class to date has had at least one group select a weather futures contract. Content is used in the learning process.

Example #11. Chapter 19: Bank Capital Regulation and Enterprise Risk Management

TL: Economic capital is . . . Cover Exhibit 19.4 (page 344). This is reprinted as Exhibit 2.4 in this chapter.

LCT: Distinguish minimum capital requirements from economic capital. Assess the impact of a “black swan” event on the expected loss and confidence level. Appraise the effect of Asset Price Liquidity under a Panic, Exhibit 17.6 (page 312), on the expected loss. Offer an economic outcome scenario that includes the black swan event and panic.

LN: This obviously refers to the subprime crisis (pages 89–90, 346, 351, 360–361), economic crisis (page 32), and Troubled Asset Relief Program (TARP) (pages 11 and 303), along with related topics discussed elsewhere. The intent is to not repeat (cover) the knowledge, but rather to build on (use) the knowledge the students are likely to have already seen, if not experienced.

[Figure: loss distribution curve with Frequency of Loss on the vertical axis and Amount of Loss (increasing to the right) on the horizontal axis; the Expected Loss and the Confidence Level are marked, and the distance between them is labeled Economic Capital]

Exhibit 2.4 Economic Capital
Source: Robert L. Burns, “Economic Capital and the Assessment of Capital Adequacy,” Supervisory Insights, Federal Deposit Insurance Corporation, Winter 2004.

Example #12. Chapter 20: Legal Risk Post-SOX and the Subprime Fiasco

TL: Whistle-blower protection is . . . (pages 357–358, 363).

LCT: Assume you find yourself in a position to be a whistle-blower. Speculate as to the trade-offs involved if you’re the whistle-blower.

LN: Google “whistle-blowers SOX.” In other areas of ERM, students, especially working MBAs, may be able to provide examples of loss experiences, mitigation efforts, and risk management. To avoid overly personal discussion, whistle-blowing may be better approached by referring to publicly available information and examples. Discussion of successful and unsuccessful whistle-blowing protection under SOX is very enlightening and productive, while avoiding overly personal disclosure.

Example #13. Chapter 23: Academic Research on Enterprise Risk Management

TL: The first article is . . . ; it found . . . (pages 422–438).

LCT: Critique the article(s) your group was assigned. Appraise the article(s) and survey findings. Theorize about one or more of the findings.

LN: Reading the findings of the academic research is a recall, memorization, and possible comprehension learning activity. Creating a hypothesis or theory as to why growing firms, for example, are more likely to appoint a CRO (page 427) leads to an inductive learning discussion.

Example #14. Chapter 10: How to Plan and Run a Risk Management Workshop; Chapter 22: Who Reads What Most Often?

TL: Cover respective chapters without any link.

LCT: Review the findings on the use of consultants in Chapter 22 (page 394). Imagine your group is an ERM consulting firm. Suggest techniques, approaches, and tools that could be used to respond to the survey results in Chapter 22.

LN: This is an example of one of many instances where topic coverage can be linked to further group discussion.

REFERENCES

Anderson, Lorin W., and David R. Krathwohl, eds. 2001. A Taxonomy for Learning, Teaching, and Assessing—A Revision of Bloom’s Taxonomy of Educational Objectives. New York: Longman Press.

Bean, John C. 2011. Engaging Ideas: The Professor’s Guide to Integrating Writing, Critical Thinking and Active Learning in the Classroom. 2nd ed. San Francisco: Jossey-Bass, A Wiley Imprint.

Bloom, Benjamin S. 1956. Taxonomy of Educational Objectives: The Classification of Educational Goals. New York: David McKay.

Blumberg, Phyllis. 2009. Developing Learner-Centered Teaching: A Practical Guide for Faculty. San Francisco: Jossey-Bass, A Wiley Imprint.

Blumberg, Phyllis, and Laura Pontiggia. 2011. “Benchmarking the Degree of Implementation of Learner-Centered Teaching Approaches.” Innovative Higher Education 36 (November), 189–202.

Fraser, John, and Betty J. Simkins, eds. 2010. Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives. Robert W. Kolb Series in Finance. Hoboken, NJ: John Wiley & Sons.

Millard, Elizabeth. 2012. “5 Reasons FLIPPED Classrooms Work.” University Business 15:11 (December), 26–29.

Shibley, Ivan A., Jr., and Timothy D. Wilson. 2012. “The Flipped Classroom: Rethinking the Way You Teach.” Magna Online Seminars, Magna Publications, August 23.

Smart, Karl L., Christine Witt, and James P. Scott. 2012. “Toward Learner-Centered Teaching: An Inductive Approach.” Business Communication Quarterly 75:4, 392–403.

Steinberg, Esther R. 1991. Computer-Assisted Instruction: A Synthesis of Theory, Practice and Technology. Hillsdale, NJ: Lawrence Erlbaum Associates.

Weimer, Maryellen. 2002. Learner Centered Teaching. San Francisco: Jossey-Bass, A Wiley Imprint.

Wohlfarth, DeDe, with Graduate Students Daniel Sheras, Jessica L. Bennett, Bethany Simon, Jody H. Pimental, and Laura E. Gabel. 2008. “Student Perceptions of Learner-Centered Teaching.” Insight: A Journal of Scholarly Teaching 3, 67–74.


Wright, Gloria Brown. 2011. “Student-Centered Learning in Higher Education.” International Journal of Teaching and Learning in Higher Education 23:3, 92–97, www.isetl.org/ijtlhe/.

Yang, Xiaomei. 2010. “The Globalization and Localization of ‘Learner-Centered’ Strategy for an International Horizon.” Asian Social Science 6:9, 78–81.

ABOUT THE CONTRIBUTORS

David R. Lange, DBA (University of Kentucky), is an Auburn University Montgomery (AUM) Distinguished Research and Teaching Professor of Finance. He has received many prestigious awards for both research and teaching from the University and from several academic associations. In 2012, he received the Academy of Economics and Finance (AEF) Fellow Award in recognition of extraordinary contributions and achievements to the AEF’s mission of advancing teaching, research, and service. David was the Lowder-Weil Professor and Chair of the Applied Life Insurance Education and Research Program, and a frequent presenter in the AEF Teacher Training Program. He has taught classes in commercial risk management and insurance, enterprise risk management, financial valuation, and investments and portfolio management. He has also consulted in a significant number of individual and class insurance-related cases in both state and federal court. Professionally, David has served as the Eastern Finance Association executive director and VP-finance, as well as program chair and president for both the Academy of Financial Services and the Academy of Economics and Finance.

Betty J. Simkins, PhD, is Williams Companies Chair of Business and Professor of Finance at Oklahoma State University. Betty received her PhD from Case Western Reserve University. She has had more than 50 publications in academic finance journals. She has won awards for her teaching, research, and outreach, including the top awards at Oklahoma State University: the Regents Distinguished Research Award and the Outreach Excellence Award. Her primary areas of research are risk management, energy finance, and corporate governance. She serves on the editorial boards of nine academic journals, including the Journal of Banking and Finance; is past co-editor of the Journal of Applied Finance; and is past president of the Eastern Finance Association. She also serves on the Executive Advisory Committee of the Conference Board of Canada’s Strategic Risk Council. In addition to this book, she has published two others: Energy Finance and Economics: Analysis and Valuation, Risk Management and the Future of Energy and Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives. Prior to entering academia, she worked in the corporate world for ConocoPhillips and Williams Companies. She conducts executive education courses for companies globally.


PART II

ERM Implementation at Leading Organizations


CHAPTER 3

ERM at Mars, Incorporated
ERM for Strategy and Operations

LARRY WARNER
President, Warner Risk Group

This case study outlines the development of Mars, Incorporated’s Enterprise Risk Management (ERM) program, from its initial phases in early 2003 through the spring of 2012. The views expressed in this case study are those of the author, and may not be those of Mars, Incorporated (Mars). Additionally, as with any ERM program, Mars’ program has continued to evolve since 2012.

Throughout this case study, I have used first names for a number of key individuals who contributed to the success of the program. (Please note all names have been changed.) In speaking with other ERM practitioners, such early adopters of an ERM program typically help contribute to an ERM program’s development, evolution, and success. In this case study they helped spread and embed the process in their business units and in other units as they took on new roles. Most of the major improvements in the evolution of this program resulted from working with these individuals to address the needs of their business units. By identifying these players’ involvement in the early stages of the program and their subsequent roles, the case study reader should gain an understanding of the importance of and the need to cultivate relationships with these early adopters.

MARS’ ERM HISTORY

In essence, Mars’ ERM program began with the company’s inception by Forrest Mars.1 Historically, the leadership at Mars had a serious commitment to risk management. ERM represented one natural evolution from these practices.

In conjunction with the transition to nonfamily management in the early 2000s, the corporation established challenging growth, earnings, and cost targets. To achieve these objectives, the company undertook a number of key initiatives. ERM became one of these.

In 2002, Roger, the CFO at the time, and I sat down and discussed how an ERM program might help better manage the business. We recognized that we lacked the experience to implement such a program on our own, and asked two of our existing service providers with ERM practices to make proposals as to how they might assist us in this project. As Roger put it, “We need someone to transfer knowledge to Larry.”

One vendor pushed for a Committee of Sponsoring Organizations (COSO) structure. The other suggested we develop a program that leveraged Mars’ unique strengths. As a large, privately held, decentralized company, we agreed that the latter better met our needs.

At this point, we decided that we wanted to develop ERM and not what one might call an “enterprise compliance management” (ECM) program. This represented a critical decision in Mars’ ERM development.

To kick things off, we took a risk management survey of the 15 or so managers on Mars’ global management team. We spent a couple of hours personally completing the survey with David, who was to become the president of Mars at the beginning of 2003. This was a critical move in the development of the program, as we gained an understanding of his views on risk management and how we might develop the ERM program.

Following the survey, we recognized the need to gain an even broader understanding of how the associates (Mars does not have employees) in the business viewed risk. We decided to conduct risk assessment workshops for a function (Service & Finance), geography (Canada), and product group (European Sugar). Working with our consultants, we selected a gap analysis methodology. In gap analysis, you evaluate the inherent risk (impact and likelihood) with limited controls (e.g., buying commodities at spot cost as opposed to with futures contracts) against management effectiveness.

We had the first workshop with the global finance team during our corporate meetings in the summer of 2003. The ERM team had a major win during this session. At the time, Mars was undertaking a substantial investment. During the session, the consensus of the group was that we, Mars, had undertaken a too aggressive time frame to be successful. By the next day, the corporation announced a change in the rollout of the project.

During the session, the CFOs of Europe and the United States both commented on how beneficial this workshop had been. This was critical for two reasons. First, it generated buy-in from additional senior management. Second, the CFO of Europe, Oscar, would soon be named the new CFO of Mars upon Roger’s retirement.

We began calling discoveries like the one in the global finance team’s workshop the “known unknowns,” because many of the participants knew and/or were concerned about the issue before the meeting; however, it had never risen to such a level that it was formally brought forward to the group. We developed a scenario that explained such discoveries and how they could help the business. For example, two management team members have dinner after work. They discuss an issue that concerns them; however, for some reason this issue does not arise during team meetings, perhaps because they do not believe they have adequate expertise to challenge the group’s thinking, or one team member was so passionate about the issue that everyone else deferred. Over the years, we found that these “known unknowns” frequently held the key to a business’s success. In training workshop facilitators, we held identifying known unknowns as a major key to successful workshops.

In Canada, the general manager asked us to help his team evaluate their newly finalized strategy and provide an additional day of action planning based on our findings. While the workshop did not turn up any major known unknowns, the participants felt the process enabled them to evaluate properly the risks with their strategy and make enhancements that would increase the likelihood of success.

Our final assessment with European Sugar had a major win, as it delayed a major product launch. The workshop identified key doubts in the potential success of the new product and its distinct format. The product team was tasked to return to the next management team meeting to address the issues identified in the risk assessment.

The participants in all three workshops deemed them successful and provided senior management with positive feedback. The ERM team also had major learnings. First, the workshops revealed a common risk aversion among most associates. To enable the company to grow faster, senior management knew that units had to take on more risk. Based on the initial success of our risk assessments, senior management felt that ERM would be one tool to enhance growth.

The second major discovery revolved around the workshops themselves. To determine management effectiveness, we had asked participants to base their anonymous votes on limited controls (e.g., buying commodities at spot as opposed to with futures contracts). Universally, we received push-back, as the company had a control mind-set as one of its basic tenets. As such, the importance of control had become ingrained within all associates over many years.

Failure and Retrenchment

Based on the success of our three pilot workshops, we received the go-ahead to develop a full-scale ERM process. In early 2004, we put together a multifunctional, global team, supported by our consultant, to develop an ERM program. Over the next five months, we held monthly meetings to rough out a program. Three of the regional presidents acted as our advisers.

In June we presented our program, including a unit to pilot its implementa- tion, to the Mars management team. At the end of the presentation, David, Mars’ president, looked at us and stated that this looked like a major software transition, and we had done that once and were not going through that again. The rest of the management team agreed. David looked at me and said, “Larry, I know you can scare people when it comes to risk. I want you to take your team and develop a process that will generate a risk discussion mentality for the units. I want you to work with several of our larger units—China, Russia, Australia, and Europe.” He asked us to begin in China in three weeks and build the process around our annual operating planning process.

I believe it is important to note here that ERM is an evolutionary process. I believe that having our first approach rejected ultimately led to our successful development of a more practical, less complex approach. Looking back, I doubt that our initial approach would have worked at Mars due to its complexity.

PHASE 2—SUCCESS

There were three components of the proposal that were well received, which we kept with minor revisions and additions. First, our basic tenets for development still existed, but we now had better clarity. Senior management clearly sought:

• A methodology to determine what is actually achievable by business units in the context of corporate performance objectives
• To improve alignment and accountability around the pursuit and execution of each business unit’s goals and objectives
• To foster a risk discussion mentality among business unit management teams
• A mechanism that enables managers to knowledgably and comfortably take risks in order to achieve growth goals that exceed overall market growth
• A tool to objectively track performance

Our original mission statement remained: “The objective of ERM is to provide the company with a proven, sustainable framework to proactively understand and deal with complex business risks, both tangible and intangible, existing and emerging, across the entire organization.” This statement became the guideline against which we evaluated the development and evolution of the program.

Senior management also agreed with the major principles for the design of an ERM process:

• Create value.
• Leverage the company’s unique strengths.
• Work with existing organizational structure.
• View risk as opportunity.
• Encourage alignment and accountability.

While these represented great tenets to develop a program, we basically were where we had begun six months before, working with a clean slate.

While “create value” seems obvious, we did not know where this would take us as we began building a new program following our unsuccessful initial attempt. However, we had better clarity regarding senior management’s view of what was needed. Understanding and meeting the needs of senior management provided the keystone for the development of our program.

From the company’s perspective, “unique strengths” meant privately held and decentralized. Senior management similarly made working within an existing organizational structure equally straightforward. They wanted the ERM team to build the ERM process into the annual operating plan without adding any staff. We were to use regional Service & Finance Staff Officers to assist us.

Based on our findings of risk aversion in our initial workshops, we knew that viewing risk as an opportunity meant a cultural shift. Finally, we understood that encouraging alignment and accountability meant a process that enabled unit management teams to align and agree to the objectives they could legitimately achieve within the constraints of the risks identified in the ERM process. We found that these two things went hand in hand. By developing alignment around the risks to a unit’s operating plan and the optimal risk treatments, the ERM process would enable business units (BUs) to take on more risk to enhance their opportunities and capabilities for growth.

On the Monday three weeks after our presentation to the management team, our consultant, his two assistants, and I were blankly looking at each other across a table in a meeting room in the China office outside of Beijing. We had no idea what we should do. We decided interviewing everyone on the China management team might generate some ideas.

Based on the unit’s 2005 operating plan and these interviews, we developed a template that we thought captured their input. Each sheet reflected an initiative of the operating plan (e.g., grow Brand X 5 percent in 2005 and deliver operating plan profit). The template looked quite simple. It had a header for the objective with a block for a score next to it and two columns underneath—risks on the left and risk treatments on the right. (We initially used the term mitigation; however, at an ERM conference, one of the audience members pointed out that mitigation did not coincide with our stated objectives. Instead risk treatment better reflected “viewing risk as an opportunity.”) We spent several days filling the templates with the risk and risk treatments, which the business unit managers had identified with their 10 key initiatives for 2005.

We provided the templates and additional background in a preread package to allow the participants to prepare in advance of the workshop.

We started the workshop by having the management team force rank the initiatives from 1 to 10 (or the total number of initiatives which they had). We compiled the results and projected them onto the screen, discussing the differences and/or alignment among the votes. We then asked them to agree or change the prioritization, thereby beginning the alignment process. (This became the initial item in all future workshops.) Understanding the differences in rankings led the participants to understand others’ views of importance, and in some cases gain a better understanding of the actual operating plan objectives.

We took the initiative voted as the top priority and began the workshop. We reviewed the definition of the initiative, and the management team edited and aligned behind the final definition. We then validated and added risks and then risk treatments. When we, the facilitators, sensed we had captured the major risks and risk treatments, we moved to an anonymous vote on the probability of successfully achieving the objectives, using a scale of 1 to 9, with 1 representing 10 percent or less, 2 representing 20 percent, and 9 representing 90 percent or more. Voters would take into consideration the things they could control, their unit’s capabilities and resources, potential competitor activities, and so on.

When the votes appeared on the screen, we found them generally spread across a range of 4 to 5 on the scale (e.g., 3, 4, 5, 6, and 7). As facilitators, we led a discussion as to why someone might vote a 3 and others a 7. We found that having the lower-voting participants lay out their reasoning led to better discussions. The higher-voting team members would attempt to address the concerns raised by the lower-voting participants. Over time the facilitators could sense alignment in the room and have the participants take a second anonymous vote. The second vote’s results generally aligned around two numbers or were centered on one number with one or two outliers above and below the center vote.

The first workshop went exceedingly well. We then headed to Australia for our second workshop. This was a critical test for two reasons. First, one of the Mars regional presidents, who advised us throughout the initial ERM development process, participated. Second, our senior consultant had to go back to the United States, so his two assistants were to help me build and facilitate the workshop—one as a co-facilitator and the other as the editor of the workshop templates and operator of the voting technology and workshop. Here again we had a successful workshop.

Our next workshop took place in Russia. We had several major learnings from this workshop. First, when you have a very strong and charismatic general manager (GM), it is important for the facilitators to ensure that the entire management team participates. To this end, we pulled the GM aside and requested that he withhold his comments to the end. We would go to him to wrap things up. It became a common practice for facilitators to ask GMs to “work with us” to ensure that all team members participated, and to allow the GMs to wrap up with comments before the final vote. It was a way for facilitators to better control the process and to make sure the known unknowns became visible.

At one point the GM stopped the session and stated, “This process helps you focus on what’s important.” This became a mantra of our ERM process.

As Russia had gone through several currency issues in the 10 years the unit had been in operation, the GM and CFO asked us to build a template of how it could effectively handle a currency crisis. We did as requested, and the management team felt they identified the actions they needed to take in the event of such an occurrence.

This activity may seem minor, but it highlights two key points that ultimately contributed to the ERM program’s success. First, business units have unique needs and frequently need help in maximizing the use of ERM. By ensuring that the pro- gram had some flexibility, units were more likely to leverage its benefits. Second, we learned to constantly try new things. Many of our evolutionary improvements to the process resulted from requests or suggestions from individual units.

Our final workshop in the 2004 pilot took place with a subgroup of the European management team. Known to only a few key members of this team and a few senior managers at the corporate level, Mars had begun the initial phases of a major project. The Regional Staff Officer of Service & Finance (S&F) lobbied the Regional President of Europe to have our new ERM process validate their work. Here again we tried a new activity with them in the workshop. This enabled them to identify the low, high, and most likely outcome of their key objectives, based on an analysis of the risk involved. While this activity was helpful, they advised us that the template that we had used in the other workshops proved the most beneficial to them.

Based on the success of this workshop, the Regional President of Europe asked us to perform three workshops, one in each of the countries that would be participating in the project.

During the interview process in one of the countries, it became clear to us that they had not progressed to the point needed to launch their project. We advised the European management team of this. The general managers of the two units in this country were not only greatly appreciative but also became two of the biggest advocates of ERM in each role they subsequently held within the business.

The participants in all three countries found this process better enabled them to prepare for implementation. They identified critical risks and solutions that enabled them to successfully achieve their objectives.

Ben, the new Regional S&F Staff Officer from Europe, cofacilitated each of these workshops with me. (Through this work, Ben became a major supporter of


ERM AT MARS, INCORPORATED 45

ERM as he progressed to become the CFO of the company’s largest segment.) As the program developed, several of our earliest participants in the program (facilitators and management team members) became our biggest advocates. This acted to increase the “pull” of the program through the business as opposed to corporate needing to “push” it through.

GLOBAL ROLLOUT

Based on the feedback from the workshops and the support of the two regional presidents, the next phase was to move forward with a global rollout of the ERM program.

For 2005, we targeted 17 units for workshops to assess the risks of their 2006 Operating Plans. China, Australia, Russia, and virtually every general manager from the seven units in the European project asked to be included in the rollout.

Here again our design principles were reaffirmed. Management believed the process created value, helped units become less risk averse (view risk as an opportunity), and encouraged alignment and accountability among the participants. Our remit to work within the annual operating plan reaffirmed “work within an existing organizational structure.”

Many companies would find their planning process similar to Mars. Business units begin developing their annual plans nine to 12 months before January 1, based on their long-term strategies within the context of the broader segment and corporate strategies. They receive input from their segment management teams. Mars has six segments: Chocolate, Drinks, Food, Petcare, Symbioscience, and Wrigley. Late in the year they present their plan to management. ERM represents one component of their presentations.

For the rollout, the ERM team developed formalized interview templates. Although we always interviewed the GM first, the team began to have joint interviews with the GM and S&F head (CFO), who acts as the GM’s copilot. We found that these joint interviews provided much more detail and reduced the number of other business unit (BU) team members we had to interview. The workshops were time consuming to build, each taking approximately one person-week, or more for larger, more complex units. Any time savings proved beneficial, as the team had very limited resources. It also represented an evolutionary step in our process.

The ERM team entered the process with only three facilitators skilled in our new process—our consultants (Bill and Greg) and me. As we wanted to internalize the process, we had to train an adequate number of internal facilitators. Optimally, two facilitators would run a workshop with one operator, the person responsible for operating the voting technology, updating the templates as we spoke, and keeping notes.

These ERM workshops require atypical facilitation skills. A facilitator needs a great deal of knowledge of the business, good facilitation skills, and the ability to challenge participants. We found over time that some people, recognized as good facilitators for most activities, proved ineffective in ERM workshops as they lacked the ability to aggressively challenge the management teams from an operational or strategic perspective.

Oscar instructed both regional and functional S&F staff officers, who reported to him, to support us. (Regional S&F staff officers support the Mars CFO in the region, while functional staff officers oversee specific functions—e.g., Treasury,


Risk, Control, Strategy, etc.) Oscar directed the regional S&F staff to help us schedule the sessions and to act as our cofacilitators in their regions. Several nonregional S&F staff officers and George, who worked for me, were also to be trained and act as facilitators. All of these associates had the requisite skill set to be effective in the ERM workshops. The use of S&F staff officers to assist us reaffirmed both “work within an existing organizational structure” and “leverage unique strengths.”

We kicked off the rollout the first two weeks of August, conducting workshops at our three U.S. units—Food, Snackfood, and Petcare. All three were successful and we identified serious risks or (better said) opportunities for each plan. We trained George and Elizabeth (the Staff Officer of Strategy) during the Food and Snackfood workshops.

The votes at U.S. Petcare revealed a lack of alignment around the probability of success of several key initiatives to their plan. The GM complained that the team had just spent two weeks, including an off-site planning session, making major additions and revisions to the plan, but no one had raised the issue, which arose during the workshop; however, we pointed out that the intent of the ERM process was to identify these issues prior to the implementation of the operating plan. This would enable units to address these issues in time to increase the likelihood of success.

The following week, Elizabeth ran the Mexican workshop, training the regional staff officer and Jim, her direct report. In the meantime, I went to Asia for the China, Japan, and three Australian workshops. In Asia, early supporters played a key role in our success. Mars China had found great value in our initial workshop and began to use the program as a key component of its operational and strategic planning process.

The new general manager in Japan had participated in the pilot workshop in Canada and in the UK project workshop as one of the GMs. He was keen to use ERM as a tool to help his team reinforce their growth and market position.

In Australia, we began the following week with our Snackfood unit. It was the first day on the job for the general manager, who was new to Mars. He felt the workshop proved quite beneficial as not only did he become familiar with his direct reports, but he gained an understanding of the issues confronting the business, which he felt would have otherwise taken months to learn.

In Australia, we had a major learning: We needed a process to ensure follow-up on issues identified during the workshops. John, the CFO for Australia with operational responsibility for the petcare unit, noted that in his preparation for the workshop he reviewed the output from the prior year. The team had actually identified their major risk for 2005 and the treatments to address this issue. Unfortunately, they had not used the prior year’s solutions, and had not met their targets for the issue. John became one of the biggest advocates and supporters of ERM as he moved on to CFO of the Russia unit and then U.S. Chocolate.

REPORTING

Ultimately we conducted 18 unit workshops, one for our quant group, and a corporate one. At the end of the process we reviewed all of the output. We recognized the need for categorizing the differences between the votes to report risk using a color key for risk profiles (see Exhibit 3.1). In reviewing the voting scores,


Score            Color

7.5 and greater  Green

7.0 to 7.4       Blue

6.0 to 6.9       Yellow

5.0 to 5.9       Orange

5.0 and less     Red

(Vertical axis label, reading from Red up to Green: Increased probability of achievement and/or increased level of management effectiveness.)

Exhibit 3.1 Color Key for the Risk Profile Score

it appeared that five groupings existed. We had some actuaries review the data as well, and they came up with the same results.

Companies frequently like to use three colors in their corporate dashboards; however, most experts seem to agree that risk is not so cut-and-dried, and recommend four or five risk categorizations. As a workshop facilitator, one can generally detect why a score was blue and not green. In discussions challenging such a vote, facilitators frequently heard general managers or other participants speak very clearly as to why an initiative is blue and not green.

Following the addition of risk categories, the ERM team developed a summary report, in priority order, consisting of each initiative, its definition, and each initiative’s risk profile (see Exhibit 3.2). These were compiled by region and submitted to the Mars management team and the regional management teams, along with the complete workshop reports.

Although senior managers reviewed these reports, it was too early in the process for them to understand fully the potential of ERM. This was highlighted in January 2007 during my annual review with Oscar. David, Mars’ president, entered the “fishbowl” room quite perturbed at one of the largest units. The unit had advised of a significant surprise at year-end, which had an impact on the overall business’s year-end results. David looked at me and asked whether this issue had arisen during my new process. I advised him that the unit had raised this as a potential issue, which could adversely impact them entering the new year. They


Exhibit 3.2 Summary Report

asked me to get them a copy of the complete report, and I took this to mean they had read but not kept the original.

The unit’s ERM workshop output had the issue as a “red” in their submission. While both David and Oscar agreed that they expected some units to have initiatives with a red risk profile, they would not accept a unit to have a red issue and not address it or communicate the potential impact as appropriate. This became a basic tenet of the ERM process. This incident also proved a major win for ERM, as David became extremely interested in the quarterly updates, which began shortly thereafter.

To ensure that units used ERM throughout the year and communicated their views on risk to senior management, we developed an ERM dashboard template. This included the initiatives in priority order, the risk profile of each initiative for each quarter (beginning with the workshop in Q3), the risk profile trend—stable, improving, or declining—and a comment column for providing a view for year-end (see Exhibit 3.3). This became an excellent tool for communicating for several reasons. First, units that did not do so already had to review their risks and risk treatments quarterly. This helped them to have a risk mentality mind-set, which David had given us as a goal at the beginning. Second, senior managers could quickly identify units that were struggling with issues. For the first couple of years of the program, David would meet with the corporate controller, to review the


Exhibit 3.3 Quarterly Update

quarterly reports. Finally, it provided units with a tool to communicate to management that things were on track, although the first or second quarter sales may not have appeared that way.

An excellent example of the latter point occurred the first year we used the reporting template. In a large market where the company had a strong number three position, the unit’s reported sales appeared to fall below its plan at the end of the first, second, and third quarters of 2006.

I had facilitated the unit’s workshop. As their two main competitors, which had a significant share of the market, planned to front-end load their activities (e.g., advertising, consumer promotions, trade discounts, etc.) into the first and second quarter, the unit decided to focus the vast majority of its activities into the second half, especially the fourth quarter. Each quarter the unit reported its key brands as having green risk profiles. Each quarter, Oscar had me contact and challenge the unit CFO on this point. Each quarter the unit CFO responded that the unit had back-end loaded its activity set into Q3 and Q4, and I confirmed to Oscar that this had been the case in the workshop as well. In the end, the unit delivered about 105 percent of its planned sales, and the ERM Quarterly Report gained a great deal of credibility.

One thing that we noted from both the pilot year and the launch year was that participants did not always seem to vote on the same thing on an initiative. For example, an objective may read, “Maintain market leadership while achieving growth and profitability targets.” A unit might have 35 percent market share, and it could hold market leadership at 25 percent. One participant may vote low because she believes market share will fall to 32 percent while another participant votes high because this will still represent market leadership. Similarly, divergent votes


Exhibit 3.4 Targets

on achieving growth and profitability may result as different participants vote on gross sales versus net sales, and earnings versus margins.

To resolve this problem, we changed the process for the 2007 Operating Plan workshops, conducted in Q3 of 2006, and all future workshops. We required units to specify measurable targets within each objective (see Exhibit 3.4).

Units could do this for all initiatives, including intangible ones. For instance, associate engagement targets would include specific numerical scores for the units and follow-up percentage targets for management. Similarly, “Have the right peo- ple for the right jobs” would become “Have one person for each critical job in the unit’s succession plan.” These objectives would have measurable targets by which the unit could report progress throughout the course of the year.

2007 OPERATING PLAN WORKSHOPS

In 2006, we made two major changes. We added a strategic component to the workshop. We also pushed most of the workshop development to the units.

In terms of a strategic component, we added a column to the existing workshop template that held the activities the unit needed to undertake to successfully implement its long-term strategic objectives. The strategic component proved unsuccessful for three major reasons. First, we found that units without a completed


long-term strategy did not find this worthwhile. Second, the shift from the operating plan in the morning to the strategic plan in the afternoon proved too mentally taxing. Workshop participants tend to be less effective late in the afternoon due to the mental focus required in the workshop, and the transition to the longer-term view in the afternoon seemed to make this afternoon lapse worse. Finally, we found the extra column in the strategic template unnecessary. Units preferred to use the standard workshop template for both operational and strategic issues. For all future strategic workshops, we used only the standard template.

For the 2006 Operating Plan workshops, we found it very time consuming for facilitators to build each individual workshop. To build each workshop, the two facilitators interviewed the general manager, the unit CFO, and several other unit management team members. They would then take the unit’s key operating plan objectives and compile the templates by adding the risks and risk treatments based on their interpretation of the interviews. Between the interviews and the workshop compilation, it could take as much as a person-week to build a workshop. As facilitators typically had very senior positions, this did not represent an effective use of their time. This time-consuming process would greatly limit the number of workshops that we could have, unless we could find a better solution.

At this time, the company was moving to increasingly standardized planning tools. The units could use these tools to develop their own workshops, with minimal guidance and support of the workshop facilitators. This aligned well with our objective to simplify the workshop development process and aided us in pushing much of the workshop development to the unit. We developed a PowerPoint presentation that outlined the process, as summarized in Exhibit 3.5.

This new approach greatly reduced the time to build a workshop. By having initiative owners confirm the definition of the objectives, adding what they viewed as the major four or five risks and risk treatments, we not only reduced the time necessary to build a workshop, but we also improved the quality of the workshops. The latter was achieved because the facilitators no longer had to interpret what they had heard in the workshop. Instead, the actual owners populated this data, which the management team validated in the workshop. This had the additional benefit of increasing the ownership of the process within the unit.

TECHNOLOGY

When the ERM program began in 2003, the ERM team consciously did not select a technology solution. The company did not want a technology solution to drive the process. By 2007, the program had developed to the point that we needed technological support. First, we moved from using Word to Excel. This enabled us to develop a comprehensive Excel tool for workshop development and data capture. Second, we selected a software vendor whose product could most closely adapt to our process.

The Excel tool greatly streamlined the process for building workshops. It made it easier to define initiatives and for users to build individual templates in preparation for workshops. More importantly, it enabled workshop operators to revise and add information to the templates more easily during workshops. This enabled workshop participants and operators to focus better on the process.


Exhibit 3.5 Sample Planning Process

#   Activity                                                                                   Timing

1   The unit CFO provides the facilitators with the key operating planning documents,
    standard planning documents, and so on.

2   The facilitators hold a teleconference with the unit’s GM and CFO to identify relevant      1.25 to 1.5 hours
    operating plan initiatives and strategic risks from last year’s assessment and add new
    operating plan initiatives and strategic risks.

3   The facilitators prepopulate the workshop template with initiative definitions, based      1.5 hours
    on the interview, the planning documents provided, and output from the prior year.

4   Facilitators send the prepopulated workshop template to the unit CFO.

5   The unit CFO forwards each template to the unit’s Management Team and to the
    individual initiative owner.

6   Initiative owners confirm the initiative definition, including key metrics, add four      0.5 to 1 hour per initiative
    to five risks, and add four to five risk treatments.

7   The unit CFO consolidates the templates and forwards them to the facilitators and the      1 hour
    unit GM.

8   One facilitator has a review with the unit GM and/or CFO of the workshop template to       30 minutes
    validate the input and identify any key points.

9   The unit CFO distributes the final workshop template to the unit’s Management Team as
    a preread package.

10  Workshop.                                                                                   8 hours

The software resulted in two major improvements in the process. First, it enabled units to update their risk profiles into a system. It also provided more flexibility than previously available using Word.

Data capture and reporting represented the other major improvements provided by the software. Using the Excel tool following each workshop, we categorized each initiative and risk by function (e.g., Service and Finance, Sales, Marketing, etc.). Similarly, we categorized these using the risk definitions, which the initial working group had developed.

AGGREGATION

The company historically had very well-defined ranges of risk that it would take on in the areas of currencies, commodities, insurance, and so on. It had comprehensive reporting that aggregated such financial risks. Although these areas were well managed at the regional, segment, or corporate level, their role frequently influenced decisions at the business unit level.

While companies can easily aggregate these types of financial risks, the ERM process presented other types of information. The output of the ERM workshops


produced both qualitative and quantitative data, as well as tangible and intangible risks. These included operational, supply chain, and human resources risks.

To aggregate these risks and identify emerging risks for regional, segment, and corporate management teams, the ERM team had two methodologies—human review and technology. In the early years, the ERM team would review all of the workshop output and summarize the three or four key themes for the corporate management team. In some cases, they would delegate the review of this information to the individual(s) responsible for the issue. In two cases, the ERM team led a short workshop with the corporate management team on one or two of the critical issues identified.

In many of the early workshops, the ERM team was surprised to find so many human resources issues across the world. Frequently, these rose to be near the top of the list in priority for many units. Bringing these out in workshops enabled the units to view these from the perspective of risk to the business. On a corporate, aggregated basis, this gave leadership a different perspective (i.e., risk) from which to view the issue, and over time how their initiatives worked to improve the risk at the corporate and unit levels.

Once the company moved to segments from regions, the ERM team aggregated the output from the individual units in the segment and conducted workshops with the segment management teams, to help them identify the key issues confronting their business in the coming year. These included themes and emerging risks identified across the entire business, but focused on their impact on the individual segment. This was done in conjunction with their overall planning activities, bringing risk into their evaluation process. Some segments found this quite useful in helping them to allocate resources and identify action plans to improve the likelihood of the segment’s success in the upcoming year. Segments that found this helpful held these workshops annually.

In aggregating the risks in the workshops, we considered such issues as these:

• The number of business units impacted
• The number of associates impacted
• The number of business processes or functions impacted
• The impact on our consumers and customers
• The potential impact to our brands

This methodology worked very well with difficult-to-quantify risks. It also helped to identify emerging risks. The overall process identified issues that might be a nuisance in individual markets but when viewed on an aggregated basis had a potential impact on the segment or corporation as a whole.

The software solution provided another opportunity for aggregation. As workshop teams had categorized the initiatives and risks by both function and risk definition, we could run reports or aggregation by business unit; by geography (country, region, corporate); by corporate function (S&F, Sales, Compliance, Marketing); and so on. Once the system had three years of data, it could provide comparisons by year, segment, region, and business unit. This enabled the preparation of summary reports, aggregating the issues identified and changes by year, thus allowing the identification of emerging risks, such as the increasing importance of


commodity pricing and availability. The reports provided a summary analysis of the data for the segments, which used this to supplement their ERM work.

Unfortunately, we lost our back-office support for these reports after the first year of developing the capability. As such we were unable to run these reports on an ongoing basis thereafter. The learning for others is to ensure that you select software that your team has the capabilities to fully utilize.

TEMPLATE EVOLUTION

Over the years our template evolved. Some changes resulted from observations made by facilitators. Others came from participants, either during workshops or from periodic global surveys.

During a workshop, facilitators attempt to limit the number of risks and risk treatments to 10 to 15 each (as many as 20 for very large units). However, having so many risks and risk treatments can lead to clarity without perspective.

The initial template simply listed risks and risk treatments in two columns, without referencing which risk treatments applied to the individual risks. The ERM team found that referencing the risk(s) that the individual risk treatments addressed provided better clarity as to the process. Furthermore, this approach helped to better identify the most critical risks and risk treatments. To leverage this opportunity, participants had to identify the three or four most critical risks, defined as those most likely to adversely impact the initiative. They did the same for the three or four most critical risk treatments (i.e., those most likely to lead to success). This led to more robust voting, as participants had a perspective on the impact and likelihood that the most critical risk would occur, as well as the effectiveness of the most critical risk treatments in aiding the team to achieve its objectives.

Initially, when units identified key actions that they believed would increase the likelihood of success, they were included in the summary reports. However, the ERM team discovered that the failure to assign accountability for the activity frequently led to it not getting done. (I have heard this same issue arise in other companies’ programs.) Consequently, an “Action Plan” section was added to the bottom of the template. This improved the results; however, in one workshop the unit asked if they could assign each risk treatment to an individual. This worked very well.

Through experimentation it was found that adding both a responsible party and a completion date added to the robustness of the process. Typically, units would assign the tasks to either management team members or their direct reports. This helped identify situations where one associate or group had too many activities to address properly those things needed to achieve an initiative’s objectives. More important, as the workshop progressed through the day, it frequently became clear that a unit might not have the bandwidth to complete all of their tasks in the time frame allotted. This led to changing deadlines and moving resources around the business in order to improve the likelihood of successfully achieving both individual initiatives as well as overall operating plan objectives. Exhibit 3.6 shows how a completed template from a workshop would appear.


Template for input in Workshops

Initiative: [initiative name]

Risks section (columns): # | Risks (Risk 1 through Risk 10)

Action Plan section (columns): Risk Treatment (Risk Treatment 1 through Risk Treatment 8) | Risk Ref # | Risk Treatment Owner | Due Date | Greener Green

Sample cell values shown in the exhibit (row pairing not recoverable from the extraction):
  Risk Ref #: All; 1,3,6,8,9,10; 1,2,3,4,5,8; 3,4,8; 2,7,8; 5,8; 9,10; 3,6,7,8
  Risk Treatment Owner: B. Spinard; L. Warner; G. Smith
  Due Date: End Q4 2011; Q1 2012; May 2012; June 2012; Q3 2012; Q4 2012; Ongoing

Exhibit 3.6 Mars ERM Template

SPECIAL SITUATIONS

The ERM team found that engaging key early supporters on an ongoing basis had mutually beneficial results for both. Most of the evolutionary improvements and best practices occurred as a result of these activities.

One major European unit sought to improve their growth rate. In 2006 Pete became the CFO, and in early 2007, Susan became general manager of this unit. Pete had participated in the initial South African workshop as well as his new unit’s 2007 Operating Plan workshop. Susan had played the key role in having the ERM team involved in the 2004 European project.

To turn the business around, Susan and Pete wanted ERM to play a key role in the unit’s growth program. They wanted to hold a series of ERM workshops to support the development of their program. The output would be built into and be monitored on an ongoing basis by their project management office (PMO). Over a period of 18 months, the unit held both the normal operating plan workshops as well as strategic ones. In order to increase the buy-in to the strategy by the entire business, they held a two-day workshop involving both the management team and their direct reports. This totaled approximately 30 associates. These associates were divided into several groups to conduct risk assessments of the proposed new strategies and to identify new activities and risk treatments that would improve the likelihood of achieving success. The output included changes to brands that the unit could best leverage. The process also developed support from multiple levels of the business, as they had an active voice in the process. This program of workshops contributed to the unit’s successful achievement of its performance objectives.

In 2007 the company acquired a U.S.-based entity. About a year later Pete became the new CFO and Maria became the general manager. Maria had been


general manager of Australia during the first ERM session in 2004, and has been a strong supporter of ERM ever since. They decided to use a similar approach to the one Pete had helped create in Europe, adding additional objectives. In addition to using ERM to assist in the development and stress testing of a comprehensive business strategy, they wanted to use ERM to assist in evaluating talent, embedding a new culture, and obtaining support from multiple layers of the business from their leadership team, the top 30 or so associates within the business. Over two and a half years, the unit held numerous workshops, both operational and strategic, to help them formulate their strategy and achieve their overall objectives.

Don had been the CFO for the first Australian Food workshop in 2005. In 2007, he became CFO of Japan. He used ERM to evaluate the unit’s strategy. In this case, the unit had the brand manager for each brand come into the room, present the brand’s strategy, and act as an equal member with the management team members in evaluating the likelihood of the brand successfully achieving its objectives. Here again, multilevel participation enhanced the buy-in within the business.

In 2010, Don became CFO of Petcare Asia/Pacific. Like Don, Richard, the GM of the business, had been a long-term supporter of ERM. They decided to use ERM with the regional management team to increase the probability of achieving their objectives. Over a two-year period, we held a series of ERM workshops to help support their development and evolution of their strategy. This included their brand portfolio, asset investment program, individual market investment, associate development, and so on. In addition to the standard workshop, we helped them with scenario planning to identify risk treatments for competitor activity, regulatory issues, and the like. In their meetings where no workshop was held, Don led the review of the risk profile, and the team voted on the risk profile of each strategic objective.

This team also took the standard template a step further. They categorized the risks and risk treatments by categories within each template. They added a fifth column that specified the actual activity. These were given to either the functional head of the region or the functional team underneath them responsible for the activity set—for example, Sales, Marketing, or Supply (i.e., manufacturing and distribution). The respective teams then provided periodic updates as part of the regional management team’s risk profile update process.

The team found this approach beneficial. As their objectives became “Green” and had been achieved, they developed new templates to reflect their updated strategies.

MAJOR ACQUISITION

When Mars made a major acquisition of a global confectionery company, the early supporters of ERM at Mars played a key role in the adoption of ERM at the acquired company. Jim, one of our original facilitators, took on a high-level role within the acquired business’ U.S. operations. At his urging, the U.S. GM agreed to have an ERM workshop for the 2009 Operating Plan in early 2009. This workshop was well received within the acquired business.

The GM of European Sugar, during our current state assessment workshop in 2003, had been a key supporter of ERM in various senior roles within Mars. When he became a senior manager within the acquired company’s European operations, he introduced ERM in this region. Here again the process was well received.

Lee, the S&F Staff Officer for Mars in Asia, who had observed the first workshop in China and overseen the process in the region thereafter, discussed ERM with Michael, the acquired company’s CFO of Asia. Michael was so intrigued by the process that he had us conduct a 2010 Operating Plan workshop for his largest unit in the region. Following our first workshop, Michael advised us that he had found the process robust, and complementary to their other activities. As such he asked us to conduct additional workshops for the other major markets in his region.

Within two years, we were conducting annual operating plan workshops at business units representing the same high percentage of the acquired company’s global sales that we achieved at Mars.

CONCLUSION

In 2010, Mars received the Corporate Executive Board’s “Force of Ideas Award” for ERM. It was the first recipient in this category. The award was based on the view that Mars had successfully embedded ERM into its business model and that other companies had adopted its process.

The key factors in the success of ERM at Mars include:

• We ensured we aligned the program with the approved principles.

• We focused on achieving our operational and strategic objectives. We did not address compliance. We left that to the associates responsible for compliance, and assisted them in using our tools as appropriate.

• We focused on evolution and not revolution. As a result, the program had a continuous improvement process.

• Flexibility and not rigidity contributed to the program’s results. By assisting units in developing the workshops and updating processes that best met their needs, the program had a demand for services as opposed to a push. Furthermore, many of the evolutions of the program directly resulted from unit requests.

• The process proved to be a good identifier of talent and an opportunity for associate development for the business.

• The ERM team never overpromised what it could deliver. Instead, we set realistic objectives on our rollout and obtained senior management support throughout.

• The ERM team engaged and conducted periodic surveys of the business units, the Mars management team, and the Mars board’s advisers.

QUESTIONS

1. What represents the key success factors of the program?
2. What improvements would you make?
3. Does this represent an effective risk management program? If not, what is missing?
4. Would this program work for a publicly traded corporation of similar size?
5. How important do you view alignment and accountability among a management team?


NOTE

1. For information on Mars’ history, see www.mars.com/global/about-mars/history.aspx.

ABOUT THE CONTRIBUTOR

Larry Warner is President of Warner Risk Group, which provides ERM and risk management consulting services. He has almost 30 years of experience in designing and building risk management programs in asset conservation, safety, insurance, and enterprise risk.

Prior to establishing Warner Risk Group in 2012, Larry served as Staff Officer of Risk Management for Mars, Incorporated (including Wrigley), based in McLean, Virginia. At Mars, Larry had global responsibility for developing and coordinating Mars’ enterprise risk management activities, directing Mars’ global asset conservation program, managing Mars’ global property and casualty insurance programs and claims, coordinating the auditing of Mars’ safety programs, and overseeing the placement of its global benefit insurance programs. The Corporate Executive Board awarded Mars its 2010 Force of Ideas Award for Risk Management for its embedding ERM into performance management.

Before joining Mars in 1989, Larry was Assistant Risk Manager at Texas Instruments. He has a BS in geography and an MBA in risk management and corporate finance, both from the University of Georgia. He is a frequent speaker at national risk conferences and contributor for such organizations as the American Strategic Management Institute, the Conference Board, the Corporate Executive Board, and the Risk and Insurance Management Society.


CHAPTER 4

Value and Risk
Enterprise Risk Management at Statoil

ALF ALVINIUSSEN, Independent Consultant, Norway

HÅKAN JANKENSGÅRD, Researcher, Department of Business Administration and Knut Wicksell Centre for Financial Studies, Lund University, Sweden

The enterprise risk management (ERM) approach to managing a company’s risks promises many benefits. A reading of the literature on the subject will tell you that ERM, among other things, will reduce the frequency of surprises, lead to better allocation of resources, improve risk response decisions, and reduce costly duplication of risk management activities (e.g., COSO 2004).

Many companies are finding out that these benefits don’t always materialize easily. It turns out that implementing a holistic, enterprise-wide approach to risk management often challenges the organizational status quo. Powerful individuals and business units face a potential loss of autonomy and are asked to comply with new reporting requirements. “The way we’ve always done things around here” is no longer good enough, it may seem.

In companies where change is resisted, ERM is at risk of becoming an island, an isolated process whose outputs and opinions are largely ignored by decision makers. These so-called ghost ERM programs contribute little or nothing at all to enterprise value. In this chapter we use the experience of Statoil, a Norwegian oil and gas producer, for lessons about how to overcome these organizational challenges and make the potential benefits of ERM become reality.

At Statoil, understanding and managing risk are today considered core values. This principle has been duly integrated into the organization, and is inscribed in steering documents as well as in a booklet handed out to all employees, describing core values, corporate governance, the operating model, and corporate policies. The company has developed a sophisticated approach to ERM that centers on the principle of value creation. ERM is thoroughly embedded in the business units’ way of doing things, and it appears to enjoy the wholehearted support of Statoil’s executive officers and board of directors.

Statoil has, in other words, managed to make ERM into something that makes a real difference. To gain insights about the success factors behind this outcome, we will investigate how Statoil has dealt with the four main general tasks that fall on executives responsible for ERM: (1) make sure that there is an adequate process for identifying, managing, and reporting risks throughout the company; (2) act as a support function to business units in this work; (3) detect and counteract risk management decisions that are suboptimal for the company as a whole; and (4) analytically aggregate risks to support decision making concerning the company’s total risk profile. The first two sections outline the history of ERM in Statoil, and the guiding principles that underpin it.

ERM AT STATOIL: A BRIEF HISTORY

Headquartered in Stavanger, Norway, Statoil is one of the world’s top 10 oil and gas producers. In 2012, the company had revenues of 706 billion Norwegian krone, NOK (approximately 120 billion U.S. dollars, USD). In the same year, it had over 23,000 employees worldwide and produced 2,004 million barrels of oil equivalents per day. Known for its operational excellence, Statoil is the global leader in offshore oil production below water depths of 100 meters.

The company has a 40-year history as part of the Norwegian oil bonanza. Originally Statoil was the state-controlled company in the Norwegian model of retaining both publicly and privately owned exploration companies. The privately held company Saga Petroleum was acquired by the partly state-owned conglomerate Norsk Hydro in 2000. Norsk Hydro in turn merged its oil and gas division into Statoil in 2007. Statoil is now by far the largest producer on the Norwegian continental shelf.

In 2001, Statoil’s shares were listed on the Oslo and New York stock exchanges. In early 2013, its market capitalization exceeded 80 billion USD. While the Norwegian state still owns 67 percent of the company, it operates independently of the state on strictly commercial principles.

After having sold its downstream and petrochemical businesses over the past few years, Statoil is today heavily focused on upstream activities (i.e., exploration and development of oil and gas reserves). Its three business areas focusing on development are divided according to geographical regions (Norway, International, and the United States, with the latter being much smaller). In addition, it has four more business areas focusing on marketing, technology, exploration, and strategy.

ERM in Statoil got under way in 1996. Petter Kapstad, who has a background in banking, had been asked to systematize the management of risk in the finance department, which previously had been carried out in a fragmented and uncoordinated way. The result of Petter’s work was that the risks managed by the finance department were measured and managed as a portfolio of risks with central oversight. The then CEO of Statoil, Harald Norvik, realized that the same principles could be applied to the whole company, and that there would be benefits to Statoil from managing its risks in an integrated way. Again, Petter was trusted with the task of leading the company in this direction.

While Statoil’s executive officers were generally positive to the idea behind ERM, they still demanded to know “What is in it for us?” An important part of the answer to this question came from a project group that investigated the costs and benefits to Statoil from various financial transactions, mostly hedging and foreign exchange (FX) transactions going on in the company. Petter and his group were able to show that the number of transactions was staggeringly high, and that they were mostly based on a silo thinking that made no sense at all as seen from the corporate perspective. And, crucially, these transactions were not harmless or mere annoyances. They came at a substantial cost and seriously complicated the company’s accounting as well as the management of exposures. This struck the senior executives as unacceptable. ERM had demonstrated the economic justification it needed. A clear mandate was given.

Early on in the project, Petter met and started working with Eyvind Aven, who shared the same vision of an enterprise-wide approach to risk management. Importantly, Eyvind had a background in economic analysis, which complemented Petter’s experience from trading units. This fact made them bilingual in the sense that they knew the specific terminology and ways of doing things that were prevalent both in the company’s high-profile trading units, as well as in its headquarters. Their ability to speak complementary languages and not being viewed as outsiders was to prove very useful, as many tough decisions lay ahead with people who had an interest in preserving the status quo.

An important early milestone in the implementation of ERM came in 1999, when the Risk Committee, a cross-disciplinary advisory body on risk, was formed. The idea behind creating this committee was to obtain a forum to which people could put proposals and general risk issues for analysis and recommendations. From the very beginning, the committee has been chaired by the chief financial officer (CFO). Its main task is to advise the executive managers and the CFO on risk issues; it is not part of the formal decision process. It consists of a broad range of professionals with different backgrounds, such as the head of strategy, the heads of the main trading units, the chief controllers of different business units, and the head of internal control, in addition to the head of the risk department, who is responsible for the agenda and for calling meetings.

In 2000, the risk department was formally set up (headed by Petter Kapstad), and started work on developing a common methodology on risk, as well as continuing the work on developing the company’s consolidated risk model that had been initiated two years earlier. The risk department, furthermore, has the overall responsibility for insurance and the captive insurance company. In 2005, the first enterprise-wide risk mapping process was rolled out.

ERM FOUNDATIONS

In the early stages of the project, it was decided that Statoil would not simply implement one of the existing blueprints for ERM. Nor did Petter and Eyvind want it to be, or it would be seen as another control function.1 They had something else in mind. They wanted a framework that made sense to Statoil, and that centered on the two basic goals of the company: to create value and to avoid accidents. Keeping people and the environment safe are the first priority and supersede any other objective.2 Beyond those basic objectives, however, risks are to be managed in a way that maximizes the value of the company. This insight has a number of implications, which are explored in this section.

To begin with, the focus on value affects the very way risk is defined in Statoil. According to Statoil’s philosophy, which is widely communicated internally, risk encompasses not only downside risk but also upside potential. This philosophy has even found its way into the corporate directives of the company, which state that “risks shall be identified and analyzed, including both upside and downside impact.” On this dimension, existing off-the-shelf ERM frameworks were considered too oriented toward regulatory compliance and risk avoidance. The Statoil philosophy instead recognizes that risk taking is unavoidable, even necessary, to create value for shareholders.3 What matters is that the risks are well enough understood and found acceptable, given their downside risk and upside potential. Reflecting this thinking, the risk maps in Statoil have been developed to show probability and impact not only for the downside, which is the most common way of constructing these maps, but for the upside as well (see Exhibit 4.1).

Statoil’s risk map captures both upside potential and downside risk for any given risk factor. On the x-axis is the probability of occurrence. On the y-axis is the impact figure, measured as the pretax impact on earnings (USD millions). Note that the impact is measured relative to the forecasted value of earnings. All reported risks will be considered twice in the map. The first is its potential contribution to upside potential (to be entered above the line), and the second is its contribution to downside risk (to be entered below the line). These two points are a summary, or synthesis, of the entire range of potential outcomes for the risk factor in question. For example, the risk factor denoted Risk A in the exhibit has a 5 percent probability that the outcome will be somewhat better than expected. However, there is a 10 percent probability of a fairly significant loss relative to the forecast (USD 200 million). For this particular risk, the downside risk is larger than the upside potential.

Exhibit 4.1 Risk Map (figure not reproduced). Chart titled “Risk Map for XXX, Nov. 8, 2011, USD Million.” x-axis: Probability (1%, 5%, 10%, 15%, 25%, 50%, 75%). y-axis: Pretax Impact, in impact categories of 1, 10, 50, 200, 1,000, and 5,000 USD million above the line (upside) and the same values negated below it (downside). Risks numbered 1 through 11 and Risk A are plotted as points.

Exhibit 4.2 Statoil’s Value Chain (figure not reproduced). Upstream (crude oil, natural gas, NGL/LPG, dry gas) leads to Downstream (refining, methanol), which leads to Market (crude oil, fuel oil, gas oil, jet kero, gasoline, naphtha, methanol; currency and interest rates). “The risks that matter” are grouped into market risks and operational risks (accidents, catastrophes, HSE risks, project risk, production risk, reservoir risk, country risks, tax risks).
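As an added illustration (not from the chapter and not Statoil’s own code or data), the following Python models a risk factor the way the Statoil map does: one upside point and one downside point, each a probability and a pretax impact in USD million relative to forecast. It then places each point in the impact categories of the exhibit’s axis, tells which side of a factor dominates, and ranks a small map by weighted downside. The band values are read from Exhibit 4.1; the sample factors are constructed, including the USD 20 million upside assumed for Risk A, since the text only says “somewhat better than expected.”

```python
"""Two-sided risk map entries, in the style of the Statoil risk map.

Added example, not Statoil's code or data. Each risk factor is summarised by
two points: an upside point (above the line) and a downside point (below it),
each given as a probability and a pretax impact in USD million relative to the
forecast.
"""
from bisect import bisect_left
from dataclasses import dataclass

# Impact categories read off the y-axis of Exhibit 4.1 (USD million, absolute value).
IMPACT_BANDS = (1, 10, 50, 200, 1_000, 5_000)


@dataclass(frozen=True)
class RiskPoint:
    probability: float  # chance the summarised outcome occurs, in (0, 1]
    impact: float       # USD million relative to forecast; > 0 upside, < 0 downside

    def __post_init__(self):
        if not 0 < self.probability <= 1:
            raise ValueError("probability must lie in (0, 1]")

    def weighted(self):
        """Probability-weighted impact of this point (USD million)."""
        return self.probability * self.impact


@dataclass(frozen=True)
class RiskFactor:
    name: str
    upside: RiskPoint    # must carry a positive impact
    downside: RiskPoint  # must carry a negative impact

    def __post_init__(self):
        if self.upside.impact <= 0 or self.downside.impact >= 0:
            raise ValueError(f"{self.name}: upside must be > 0 and downside < 0")


def impact_band(impact):
    """Smallest axis category that is at least |impact|; impacts beyond the
    largest category saturate to it. Places a point on the map's coarse y-axis."""
    idx = bisect_left(IMPACT_BANDS, abs(impact))
    return IMPACT_BANDS[min(idx, len(IMPACT_BANDS) - 1)]


def expected_value(risk):
    """Net probability-weighted contribution of the two summary points."""
    return risk.upside.weighted() + risk.downside.weighted()


def dominant_side(risk, tolerance=1e-9):
    """'downside' if the weighted downside outweighs the weighted upside,
    'upside' if the reverse, 'balanced' if equal within tolerance."""
    up = risk.upside.weighted()
    down = -risk.downside.weighted()
    if abs(up - down) <= tolerance:
        return "balanced"
    return "downside" if down > up else "upside"


def rank_by_downside(risks):
    """Factors ordered by probability-weighted downside, worst first."""
    return sorted(risks, key=lambda r: r.downside.weighted())


def net_expected_value(risks):
    """Plain sum of expected values across the map (treats factors as independent)."""
    return sum(expected_value(r) for r in risks)


# Constructed sample. Risk A follows the text (5% upside, 10% chance of a
# USD 200 million shortfall); its USD 20 million upside is an assumption.
RISK_A = RiskFactor("Risk A", RiskPoint(0.05, 20.0), RiskPoint(0.10, -200.0))
OIL_PRICE = RiskFactor("Oil price", RiskPoint(0.25, 1_000.0), RiskPoint(0.25, -1_000.0))
PROJECT_DELAY = RiskFactor("Project delay", RiskPoint(0.01, 5.0), RiskPoint(0.50, -50.0))
RISKS = [RISK_A, OIL_PRICE, PROJECT_DELAY]

if __name__ == "__main__":
    for r in rank_by_downside(RISKS):
        print(f"{r.name:14s} upside band {impact_band(r.upside.impact):>5} "
              f"downside band {impact_band(r.downside.impact):>5} "
              f"dominant: {dominant_side(r):9s} EV: {expected_value(r):+.2f}")
    print(f"net expected value: {net_expected_value(RISKS):+.2f} USD million")
```

Keeping both points per factor, rather than a single probability-impact pair, is what lets the map show that Risk A is downside-heavy while a symmetric exposure such as the constructed oil price factor is balanced; the ranking by weighted downside is one way to decide which factors deserve a written policy in the quarterly update.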

As already mentioned, value creation is the basic guiding principle for ERM in Statoil. That is demonstrated by the emphasis the company puts on viewing risks in a value chain perspective. In the corporate directives it is written that the company’s approach is to “identify, evaluate, and manage risk related to the value chain to support achievement of our corporate objectives” (original emphasis). Statoil’s value chain is outlined in Exhibit 4.2, showing how its main activities progress from upstream (oil exploration and development) to downstream (petroleum refinement) to market (selling its products into various global markets).

Statoil’s value chain consists of three main stages: the exploration and development of oil and gas reserves (upstream); the refinement of hydrocarbons into various petroleum products (downstream); and the selling of crude oil, gas, and refined products into different markets. The most important risks (“the risks that matter”) have been divided into two categories: market risks and operational risks.

What difference does the value chain perspective make? First, it serves as a clear signal to everybody involved (i.e., Statoil’s employees and other stakeholders) that value creation is the metric being pursued through ERM, and it is the impact on Statoil’s performance that ultimately counts. Statoil’s thinking on this issue is that if ERM is limited to managing risks related to goal achievement in various business units, the result will be “satisficing” rather than value maximizing.4

Another important benefit of the value chain perspective relates to the fact that the large number of risks identified in the risk map can make it challenging to understand what is really going on. By sorting the risks into a value chain, one can more easily see the bigger picture and, through the lens of the company’s business model, see how the different risk categories hang together. In other words, the value chain perspective allows Statoil to rework the knowledge about risk contained in the risk maps into something that is more analytically and logically coherent.

The concept of core risks further underlines the central role of value creation as a guiding principle for ERM in Statoil. To understand this concept, we need to go back to 2001, when the company’s shares were listed.5 During the listing process, there were investors looking for arguments as to why they should invest in Statoil. Recognizing that investors were entitled to information about what exposures they were getting when they invested in Statoil shares, the company formulated the idea of core risks, understood as the risk exposures that an investor would expect, and even desire, to have from buying Statoil shares (the most important of which was the exposure to oil and gas prices). The core risks are owned by the CEO of the company and are coordinated centrally in the organization. One of the practical consequences of this is that trading mandates throughout the company have been substantially restricted and placed under central scrutiny. At the end of the day, this should increase the transparency and predictability of the risk exposures obtained by investing in Statoil shares, which lowers the risk premium investors attach to the company and hence also its cost of capital (Jankensgård, Hoffman, and Rahmat 2013).

ERM PROCESSES IN STATOIL TODAY

So far we have discussed the history of ERM in Statoil and the guiding principles underpinning it. We now turn to the more practical issues of what tasks executives need to address for ERM to work in practice and for its potential benefits to be realized. The first two tasks, covered in this section, are making sure there are adequate processes in place for managing risks throughout the organization, and acting as a support function to the business units as they go about this.

Let us dispel a potential misunderstanding. ERM does not imply that all risks should be managed, or owned, centrally in a company. While some risks certainly are managed centrally in Statoil (its core risks, as discussed in the previous section), the business areas are responsible for managing the large majority of the risks that arise in their lines of business.

Just because a business area has been designated the owner of a particular risk, however, doesn’t mean that sound management of this risk automatically follows. Corporate management needs to ensure that risk management in the business units is of sufficient quality. Corporate management also has a legitimate right to be informed about the main risks in each business unit and what is done about them. These considerations lead us to what for many is the bread and butter of ERM, namely the process of identifying, mitigating, and reporting risks. For brevity, we will refer to this as the “risk mapping process.”

In Statoil, the risk mapping process follows a quarterly rhythm, which is the frequency at which the business units are required to update their risk maps. This is not just a numbers exercise. The units are expected to provide discussions and justifications for their assumptions, and explain what their policy on each main risk is. As part of the company’s quarterly review meetings,6 they also meet with top management to discuss the status with regard to major risks. These two facts—providing written justifications and actually meeting with representatives of top management and the risk department—go a long way toward ensuring the quality of the outputs of this process (the probability-impact estimates). Since the business units know this lies ahead, they have every reason to do a good job preparing and thinking through their estimates of risks (and their mitigation actions). It also counteracts any tendency to think along the lines that “this risk certainly exists, but it surely will not happen during my time in office, so I will just do nothing.”

The risk department, in turn, writes a brief in response to the business units’ risk maps, which is sent to executive management. Statoil’s board of directors is also briefed on the risk profile on a quarterly basis, and they receive a condensed version of the risk map prepared by the risk department.

The risk department is not only a supervisor of the risk mapping process. It also provides support to business areas and helps spread best practices. It has the expertise and resources to assist business units in multiple ways, from advice on how to manage a particular credit risk to suggesting a methodology for quantifying a certain market risk.

A useful example of the role of the risk department as a resource available to support business areas in their commercial activities comes from country risk. Statoil’s risk department has, in collaboration with consultancy firm IHS Global Insight, developed a deep expertise in this area, which is of particular importance to a company active in many of the world’s most risky countries. This effort has resulted in a large internal knowledge base on country risk, as well as a standardized methodology for evaluating country risk as part of new investment proposals. The business areas are able to draw on these resources, and work with the risk department to reach the appropriate policies for each country and new investment.

In the risk mapping process, rigorous quantification of probability and impact has been considered essential to make the risk maps useful to support decision making. Quantification brings a focus on the financial bottom line of the company, and makes it possible to compare different risks in a meaningful way. What one person would label a large risk may well be a small one to someone else, depending on their frame of reference.

OPTIMIZING TOTAL RISK

The two tasks related to ERM discussed so far, the risk mapping process and the role of adviser to the business areas, are conceptually straightforward. The third, avoiding risk management decisions that are suboptimal for the company as a whole, is less so. To increase the understanding of the issue, we will discuss several practical examples in this section.

In Statoil, avoiding suboptimal decisions is also known as “optimizing total risk.” Optimization of total risk has been unyieldingly pursued by the ERM team, with several tangible benefits for the company. The value metric that underpins ERM in Statoil implies that it is the perspective of the company as a whole that should rule in practical situations where different individuals and business units may have differing views on how to proceed.


A straightforward example of possible suboptimal behavior concerns foreign exchange (FX) risk management. Consider a situation where one business unit is selling into a market where the product is quoted in U.S. dollars, and another unit is sourcing material priced in the same currency. Whereas each unit may have an incentive to manage its own exposure, what counts for the company as a whole is the net of these exposures. Lacking a central policy, risk could be overmanaged to the extent that managers of business units use FX derivatives to cover exposures that would cancel out from the perspective of the company. Apart from the burdensome accounting that derivatives cause, there are also significant direct costs from such overmanagement of risk. Statoil calculates that if two business areas simultaneously cover a USD 10 million exposure (by no means a large hedge by Statoil’s standards), it would incur transaction costs of around NOK 180,000 (assuming a USD/NOK exchange rate of 6 and a bid-ask spread of 30 basis points). Since ERM was implemented, Statoil has withdrawn the ability of business units to set their own policy with regard to FX derivative usage. Besides avoiding the transaction costs just mentioned, a centralized FX derivative policy entails a number of other advantages, such as business units focusing on their core activities and an increased ability to coordinate the derivative policy with other corporate policies; see Jankensgård (2013) for a detailed discussion.
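To make the netting argument concrete, here is an added Python example (not Statoil’s code) that compares the transaction cost of every unit hedging its own FX exposure with the cost of hedging only the company’s net position per currency, and reports how much exposure the silo approach pays to cover twice. It uses the USD/NOK rate of 6 and the 30 basis point spread from the text; the EUR rate, the units and their amounts are constructed, and it assumes each hedge pays half the quoted bid-ask spread on the NOK value of its notional, so that two offsetting USD 10 million hedges together pay the full spread, which reproduces the NOK 180,000 the text cites.

```python
"""Netting FX exposures before hedging: silo hedging versus a central policy.

Added example, not Statoil's code. Exposures are signed amounts in the foreign
currency: positive means the unit will receive that currency (long), negative
means it will pay it (short). Costs are in NOK.
"""
from collections import defaultdict

# USD/NOK of 6 and a 30 basis point spread come from the text; the EUR rate,
# the units and their amounts are constructed for the example.
SPOT_NOK = {"USD": 6.0, "EUR": 8.0}
SPREAD_BPS = {"USD": 30, "EUR": 30}

EXPOSURES = [
    ("Unit A (sales)",    "USD",  10_000_000),
    ("Unit B (sourcing)", "USD", -10_000_000),
    ("Unit C (sales)",    "EUR",   4_000_000),
    ("Unit D (sales)",    "EUR",   1_000_000),
]


def hedge_cost_nok(amount, spot_nok, spread_bps):
    """Cost of one hedge: crossing half the bid-ask spread on the NOK value of
    the notional. Two offsetting hedges of equal size pay the full spread."""
    return abs(amount) * spot_nok * (spread_bps / 10_000) / 2


def silo_hedge_cost(exposures, spot=SPOT_NOK, spread=SPREAD_BPS):
    """Every unit hedges its own exposure in full, ignoring the others."""
    return sum(hedge_cost_nok(amt, spot[ccy], spread[ccy]) for _, ccy, amt in exposures)


def net_exposures(exposures):
    """Company-wide net position per currency."""
    net = defaultdict(float)
    for _, ccy, amt in exposures:
        net[ccy] += amt
    return dict(net)


def central_hedge_cost(exposures, spot=SPOT_NOK, spread=SPREAD_BPS):
    """Only the net position per currency is hedged, by a central desk."""
    return sum(hedge_cost_nok(amt, spot[ccy], spread[ccy])
               for ccy, amt in net_exposures(exposures).items())


def internally_offset(exposures):
    """Per currency, the long exposure that shorts elsewhere in the company
    already cancel: the amount silo hedging pays to cover on both sides."""
    longs, shorts = defaultdict(float), defaultdict(float)
    for _, ccy, amt in exposures:
        (longs if amt > 0 else shorts)[ccy] += abs(amt)
    return {ccy: min(longs[ccy], shorts[ccy]) for ccy in set(longs) | set(shorts)}


def overhedging_cost(exposures, spot=SPOT_NOK, spread=SPREAD_BPS):
    """Transaction cost spent covering exposures that net to zero internally."""
    return silo_hedge_cost(exposures, spot, spread) - central_hedge_cost(exposures, spot, spread)


if __name__ == "__main__":
    print("net exposures:", net_exposures(EXPOSURES))
    print("internally offset:", internally_offset(EXPOSURES))
    print(f"silo hedging cost:     NOK {silo_hedge_cost(EXPOSURES):>10,.0f}")
    print(f"central hedging cost:  NOK {central_hedge_cost(EXPOSURES):>10,.0f}")
    print(f"wasted on overhedging: NOK {overhedging_cost(EXPOSURES):>10,.0f}")
```

On the constructed input the two USD units offset each other completely, so the NOK 180,000 they would spend hedging separately is pure overhedging, while the two EUR longs do not offset and the central desk still pays to cover their NOK 5 million sum. The `internally_offset` figure is the quantity a central policy should watch: any nonzero value is exposure that a silo approach is paying to hedge twice.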

Our second example of potential suboptimization concerns the hedging of oil and gas exposures. Prior to ERM, business units used to have fairly generous mandates to hedge their exposures to these market prices. This created a potential problem from the perspective of the company as a whole. Besides complicating the assessment of net exposures on the corporate level, the business units were basing their hedging decisions on criteria that were disconnected from the goal of maximizing value. What drove a unit’s decision to hedge was instead a desire to lock in prices when they were above the price that was assumed when targets were set for the year, but to leave them unhedged otherwise. If the business plan had assumed an oil price of $100 and it later climbed to $115, the unit could use a derivative contract to lock in this level, which ensured it would beat the target and could collect a bonus for the year. As mentioned earlier, these mandates have been gradually reined in and subjected to strict limits set centrally in the organization.

A third example of a business unit optimizing its own risk/return with the result being suboptimal decisions for the company overall comes from Statoil’s captive insurance unit. Previously this unit sought to justify its existence as a stand-alone unit by showing robust profits. In so doing, it benefited greatly from the implicit guarantee provided by Statoil’s credit rating and strong balance sheet. From the perspective of ERM, this is incorrect. Rather, the captive should be a tool for Statoil in optimizing total risk. Today the captive does this. The insurance policy of Statoil now targets the things that matter: the really big risks related to business continuation. That is, the insurance program focuses on the risks that really could throw Statoil off course, and ignores (i.e., self-insures) the lesser risks that ultimately have no significance for Statoil’s ability to meet its overall objectives.

TOTAL RISK OPTIMIZATION: LESSONS LEARNED

Optimizing total risk may sound simple in principle. Indeed, it is one of the supposed core principles of ERM. ERM texts routinely contain phrases like “avoid duplicating costly risk management activities” and emphasize this as one of the main benefits of ERM (as opposed to a silo or decentralized approach to risk management).

In reality, optimizing total risk is not so easily achieved. A key reason for this is that it threatens the established way of doing things. Powerful units and individuals may have little interest in conforming to ERM because it reduces their autonomy and requires a change in how they work. Some deeply rooted habits may need to change. As a result, many will resist, which may prevent an ERM program from lifting off the ground.

Consider also the way the ability to manage risk hangs together with the system for performance measurement used by the company. Let’s say a business unit is evaluated on its earnings before interest and taxes (EBIT). Since the unit is responsible for its own result, it seems only reasonable that it should have the freedom to manage the risk exposures related to it. However, this conflicts with the legitimate goal of headquarters to centralize management of FX risk or other core risks (e.g., oil prices) given the substantial benefits of a centralized approach (as discussed earlier). Hence, we have a conflict between the desire to centralize risk management and the way the company measures the performance of its business units.

So how do you succeed in making the ERM mind-set take root despite these potential problems? A few factors stand out in Statoil. For example, the company has ensured that key performance indicators (KPIs) and balanced scorecards that the company uses to evaluate its business units are, to the extent possible, unaffected by the centrally managed core risks we introduced earlier. This is a very important principle, because it resolves many of the potential conflicts of interest that could arise from centralizing risk management. As mentioned, energy prices and exchange rates could greatly impact the company (e.g., its EBIT), which could create incentives for the business units to manage these risks. In Statoil, however, the performance measures used have been designed to exclude the impact of these external factors. This means that the company achieves central management of these risks but largely avoids the discontent that could result from business units having to live with large risk exposures.

Beyond established KPIs and scorecards, work has also been done to make taking the best decision for Statoil the normal and expected thing for an employee. Obvious though the foregoing may sound, many units are, for often quite understandable reasons, very focused on meeting their own targets and consequently do not see beyond the border of their unit. The ERM team has, however, sought to make it part of anyone’s job description to think in terms of Statoil’s net benefit. People have been made aware that this is expected of them.

Another success factor in this regard has been to spend significant amounts of time beforehand thinking about what the ERM should ultimately look like, and why. Petter and Eyvind call this “doing one’s homework.” Having a coherent set of arguments ready to defend a particular measure meant to optimize Statoil’s total risk has made it much easier to stand firm when people resisted change.

The Statoil experience also illustrates the importance of getting the Risk Committee right. If not done the right way, such a committee will continue in old tracks and look at risks in a silo fashion. Attendance will be low and the committee’s utterances will carry little weight. If done right, however, it will develop into an effective ERM champion whose recommendations are widely respected and translated into action.

The Statoil Risk Committee today is indeed a guardian of Statoil’s best interests in matters related to risk. It effectively functions as an ERM filter in which difficult questions are voiced and resolved. Policies that were earlier set in isolation in a particular department now have to pass through the Risk Committee. For example, Statoil’s FX policy is prepared by the finance department, but needs to be thoroughly discussed and supported in the Risk Committee.

A useful example of the committee’s role in resolving issues related to total risk optimization comes from the process of setting performance KPIs and scorecards for business units (as discussed earlier). Wrongly formulated targets are seen as a threat to total risk optimization, because they may encourage a behavior that runs counter to this goal. The Risk Committee counteracts such tendencies by checking if a particular target makes sense and is compatible with Statoil’s overall best interests, a loop that in Statoil is referred to as “pressure testing” the targets.

What accounts for Statoil’s success in turning the Risk Committee into an ERM champion? The importance of having the unwavering support of key individuals in the executive team cannot be overstated here. Moreover, setting up an interesting agenda with a certain content of education (especially in the early days of the program) seems to have been a key success factor for the Statoil Risk Committee. The Statoil experience also shows that the committee should remain a specialist forum, and that one should stay away from attempts to integrate it with top management. Ultimately the Risk Committee needs to remain an advisory body, not an executive one, though it needs to carry enough status to be seen as the real arbiter on risk-related issues in the company.

RISK AGGREGATION

Developing risk maps and assembling the risk register produces a lot of information about risks, in qualitative as well as in quantitative terms. The simple fact that these processes are in place provides some reassurance that the risks are recognized and given proper attention. This is a goal in and of itself.

While in many ways essential to an ERM program, risk maps are largely static devices that don’t allow codependencies between risks to be taken into account in any meaningful way. As a straightforward example, consider the relationship between the oil price and the USD/NOK exchange rate. Given the oil dependency of the Norwegian economy, this exchange rate tends to be sensitive to the price of oil, which is quoted in USD. Over the decades, this has provided Norwegian oil companies with a natural hedge: A lower oil price tends to weaken the Norwegian krone, as less oil revenue needs to be converted into NOK. Such dynamic relationships are hard to capture in a risk map, yet they are highly relevant to the risk management strategies of these companies.

Nor do the risk maps easily translate into an overall estimate of the uncertainty in the firm’s future performance, as expressed through financial bottom lines such as earnings, liquidity, or balance sheet ratios. These shortcomings of the risk maps bring us to the fourth task facing the executives responsible for an ERM program: aggregating the firm’s portfolio of risks into some indicator, or metric, that can guide the company’s executive team (and board of directors) in matters related to the firm’s overall risk profile.

Alviniussen and Jankensgård (2009) argue that most ERM programs today are detached from the analytical work of predicting and managing the firm’s financial position. Not taking into account the firm’s financial situation means that, despite the ERM effort to identify and quantify risks, an estimate of aggregate risk continues to elude companies implementing ERM. In the enterprise risk budgeting (ERB) approach proposed by these authors, the risk register is integrated with the firm’s financial planning process to generate risk-adjusted forecasts of important enterprise-level indicators of performance and financial health.

To address the concerns voiced in the previous paragraph, companies need to take a more analytical and quantitative approach to risk management. In practical terms this implies building a model that combines the company’s many different risks into a probability distribution for some bottom line considered important, such as earnings or its debt-to-assets ratio. From such a probability distribution, summary risk statistics can be obtained—for example, the loss in earnings associated with a certain probability (this measure is known as earnings at risk). Generally, this approach requires some form of simulation methodology (e.g., Monte Carlo simulation).

Statoil’s corporate risk model, briefly introduced earlier in this chapter, is based on these principles. It contains a sophisticated methodology for estimating the amount of variability in the firm’s main risk exposures, based on historical time series, as well as estimates of the tendency of these risks to co-vary. It lets the user select an output from a list and, within a few minutes’ time, obtain a probability distribution for this variable. Moreover, the user can learn what the probability distribution would look like under an alternative course of action. For example, the model allows the user to overlay the probability distribution for net income with a second distribution that takes into account a certain risk management strategy (e.g., buying put options covering a certain fraction of the company’s net exposure to the oil price). Such an overlay is illustrated in Exhibit 4.3.

Statoil’s risk model allows the company to produce a probability distribution for various financial parameters considered important, such as earnings or return on assets employed. The obtained probability distribution can be used to derive summary risk statistics of the company’s overall risk. In this graph, the base case outcome distribution (the darker line) for net income is compared with what it would look like if the company implemented a large-scale hedge of the oil price (the lighter line). The values of net income on the x-axis have been deliberately hidden. The vertical dashed line represents the value of net income associated with the 5th percentile of the probability distribution, a measure commonly referred to as net income at risk (or earnings at risk).
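As an added example, not code from the book or from Statoil’s own model, the following Python script shows the aggregation step in miniature: it simulates two correlated core risks (the oil price and the USD/NOK rate, with the natural hedge described earlier), builds the resulting net-income distribution, and compares the base case with a put-option hedge by the 5th-percentile net income at risk, as in Exhibit 4.3. Every input (volumes, prices, volatilities, correlation, option terms) is constructed for illustration.

```python
"""Monte Carlo aggregation of correlated oil-price and FX risk into a
net-income distribution, base case versus oil put hedge (constructed example)."""
import math
import random
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Assumptions:
    """Constructed, illustrative inputs; none of these are Statoil figures."""
    volume_bbl: float = 5.0e8       # barrels sold per year
    oil_usd: float = 100.0          # spot oil price, USD per barrel
    oil_vol: float = 0.30           # annual volatility of the oil price
    usdnok: float = 6.0             # spot rate, NOK per USD
    fx_vol: float = 0.10            # annual volatility of USD/NOK
    rho: float = -0.4               # corr(oil return, USD/NOK return): cheaper oil, weaker NOK
    fixed_cost_nok: float = 2.0e11  # NOK costs unaffected by the two risks
    put_strike_usd: float = 90.0    # strike of the oil put, USD per barrel
    put_premium_usd: float = 7.0    # premium paid per barrel hedged (constructed)
    hedge_fraction: float = 0.5     # fraction of the volume covered by puts


def simulate(a: Assumptions, n: int = 20_000, seed: int = 1):
    """Return (base, hedged) lists of simulated annual net income in NOK.

    Both drivers are lognormal with expected value equal to spot; the
    correlation between them comes from a 2x2 Cholesky step."""
    rng = random.Random(seed)
    base, hedged = [], []
    for _ in range(n):
        z_oil = rng.gauss(0.0, 1.0)
        z_fx = a.rho * z_oil + math.sqrt(1.0 - a.rho ** 2) * rng.gauss(0.0, 1.0)
        oil = a.oil_usd * math.exp(-0.5 * a.oil_vol ** 2 + a.oil_vol * z_oil)
        fx = a.usdnok * math.exp(-0.5 * a.fx_vol ** 2 + a.fx_vol * z_fx)
        net_income = a.volume_bbl * oil * fx - a.fixed_cost_nok
        # Put payoff net of premium, per barrel, converted to NOK at the simulated rate
        put_usd = max(a.put_strike_usd - oil, 0.0) - a.put_premium_usd
        hedge_nok = a.hedge_fraction * a.volume_bbl * put_usd * fx
        base.append(net_income)
        hedged.append(net_income + hedge_nok)
    return base, hedged


def percentile(xs, p):
    """Nearest-rank percentile (p in (0, 1]) of a sample."""
    s = sorted(xs)
    k = min(len(s) - 1, max(0, math.ceil(p * len(s)) - 1))
    return s[k]


def earnings_at_risk(xs, tail=0.05):
    """Summary statistics of a net-income distribution.

    'p_tail' is the net income at the chosen percentile (the dashed line in
    Exhibit 4.3); 'shortfall' is how far below the expected value it lies."""
    expected = mean(xs)
    p_tail = percentile(xs, tail)
    return {
        "expected": expected,
        "p_tail": p_tail,
        "shortfall": expected - p_tail,
        "p95": percentile(xs, 0.95),
        "stdev": pstdev(xs),
    }


def compare_strategies(a: Assumptions = Assumptions(), n: int = 20_000, seed: int = 1):
    """The Exhibit 4.3 overlay in numbers: base case versus hedged case."""
    base, hedged = simulate(a, n, seed)
    return {"base": earnings_at_risk(base), "hedged": earnings_at_risk(hedged)}


if __name__ == "__main__":
    for name, stats in compare_strategies().items():
        print(f"{name:7s} expected {stats['expected'] / 1e9:7.1f} bn NOK  "
              f"5th pct {stats['p_tail'] / 1e9:7.1f} bn NOK  "
              f"shortfall {stats['shortfall'] / 1e9:6.1f} bn NOK")
```

Rerunning `simulate` with `rho=0.0` shows the value of the natural hedge: the same oil draws produce a wider net-income distribution once the krone no longer weakens when oil falls.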

THE FRONTIERS

Part of the philosophy of ERM in Statoil is never to lean back and consider the job done. While the progress in achieving the necessary buy-in for new approaches is gradual and sometimes slow, the frontiers are pushed ever forward. Decision makers around the company need to have their worldviews challenged, as the thinking goes, and to be provoked into new ways of looking at things.

Exhibit 4.3 Comparing Different Risk Profiles (chart: Statoil Portfolio with Oil Hedge; y-axis Frequency of Occurrence (%), scaled 0 to 0.03; the net income values on the x-axis are hidden, as the text notes)

One area where work is currently being done is giving the concept of risk appetite a content that is meaningful to Statoil. Risk appetite is commonly construed as the amount of risk exposure a company is willing to retain in order to pursue the upside potential it considers appropriate and desirable. True to its tradition of quantifying risk, Statoil frames risk appetite in terms of several quantitative risk measures. The variable, return on capital employed (ROCE), is one of the performance indicators that Statoil considers useful in this regard since it sums up the net effect of a large number of risk exposures. Risk appetite in Statoil is about formulating, for a given upside, how large of a potential shortfall, or tail risk, Statoil is willing to accept in terms of a particular performance indicator; see Jankensgård (2010) for a discussion about constructing shortfall risk measures in an ERM context.

Another area where Statoil is pushing the frontiers concerns the relationship between ERM and strategy. As part of this project, the ERM team has developed estimates of how different strategic paths would contribute to different risk categories, such as reservoir risk, implementation risk, market risk, or risks related to health, safety, and environment. Depending on which strategic path is considered, the composition of the company’s overall portfolio of risk would gradually shift in a particular direction (see Exhibit 4.4). This initiative is about clarifying the nature of this impact and making senior decision makers aware of the consequences of their strategic decisions.

This graph illustrates how different strategic paths would, if implemented by management and the board of directors, impact the overall composition of Statoil’s portfolio of risks. Each bar represents a strategic path, and the shadings indicate the relative importance of different types of risk (country risk, market risk, implementation risk, and so on). The y-axis shows the expected risk (probability/impact) associated with each strategic path on both the upside and the downside. Note that certain risk categories appear on both the upside and the downside, and that these impacts need not be equally large. This asymmetry is at hand also for market risk, due to differences in marginal taxation across different income levels for oil companies. In the final decision making, the risk profile of each strategy path would have to be compared with the estimated investment outlays and the expected return on investment (not shown in the graph).

Exhibit 4.4 ERM and Strategic Risk (stacked bar chart titled Risk Specifications—Segments; x-axis Strategic Paths, Strategic path 1 through Strategic path 8; y-axis Risk Figure in USD Million, from –300 to 200; bar segments labelled Impl., Market, Coun., and HSE appear on both the upside and the downside)

CONCLUSION

In Statoil, understanding and managing risk is today considered a core value of the company that is written into the corporate directives and widely communicated to employees. ERM is thoroughly embedded in the organization’s work processes, and its Risk Committee has managed the transition from a silo mentality to promoting Statoil’s best interests in areas where risk needs to be considered. The company has introduced the concept of core risks, which are the risk exposures that the company needs to manage consistently vis-à-vis its investors and which therefore require central management. In several areas where risk management used to be pursued in a silo fashion, based on incentives existing locally in the organization, risk is now optimized from the perspective of the company as a whole. ERM in Statoil is not a control function aimed at minimizing risk, but dedicated to the goal of maximizing enterprise value given both downside risk and upside potential.

Achieving these outcomes is by no means trivial, because it challenges the organizational status quo and forces people to think and act differently with regard to risk. Statoil’s success in achieving these outcomes is largely explained by the diligent work of a few key individuals, who consistently over many years have pursued a risk management program that maximizes the value of the company as a whole, as well as the strong support of the executive officers and directors. The ERM program has involved changing people’s attitudes toward risk, and making Statoil’s enterprise value the metric that people are ultimately expected to pursue. It has also involved thoughtfully changing the performance evaluation systems in ways that address the potential conflicts of interest that result from centralizing risk management.

QUESTIONS

1. Why might it be in a firm’s best interest to centralize the management of some risks but not others?
2. Describe why the organizational status quo might lead to resistance to ERM implementation. How can this potential resistance be overcome?
3. How do you succeed in making sure that the risk committee really turns into an ERM champion, as opposed to continuing in a silo mentality?
4. What are the costs and benefits of integrating the ERM risk register in the firm’s financial model to obtain “risk-adjusted” financial forecasts?
5. What are the key financial risk factors that a company could encounter?
6. What should limit Statoil’s capacity to invest in profitable new oil projects, that is, take on new risks?
7. For which risk factors would it be advisable to use Monte Carlo simulation to quantify the distribution of outcome?
8. In what cases would it be relevant for an oil company to consider effects of correlation between risk factors in quantifying risk?

NOTES

1. This is not to suggest that internal audit has been excluded from the ERM process. On the contrary, internal audit has been strongly supportive of ERM and has contributed valuable resources to it.
2. This is underscored by the fact that the risks related to health, safety, and environment are the responsibility of a separate corporate function (Corporate Safety).
3. Statoil’s internal communication puts it this way: “We live by taking risks.”
4. The term satisfice was introduced by the American researcher and Nobel laureate Herbert Simon in 1956. It refers to a decision-making strategy that seeks to achieve an acceptable outcome, as opposed to the optimal outcome, which requires expending more time and effort.
5. Statoil’s shares were simultaneously listed on the New York Stock Exchange.
6. The quarterly review meetings are occasions in which top management meets with business areas to discuss the unit’s performance vis-à-vis previously agreed targets. This refers to the unit’s overall financial performance as well as specific key performance indicators. Risk is therefore only one of several issues on the agenda for these quarterly reviews.

REFERENCES

Alviniussen, A., and H. Jankensgård. 2009. “Enterprise Risk Budgeting: Bringing Risk Management into the Financial Planning Process.” Journal of Applied Finance 19, 178–192.

COSO. 2004. Enterprise Risk Management—Integrated Framework. New York: Committee of Sponsoring Organizations of the Treadway Commission.

Jankensgård, H. 2010. “Measuring Corporate Liquidity Risk.” Journal of Applied Corporate Finance 22, 103–109.

Jankensgård, H. 2013. “Does Centralization of FX Derivative Usage Impact Firm Value?” European Financial Management, forthcoming.

Jankensgård, H., K. Hoffman, and D. Rahmat. 2013. “Derivative Usage, Risk Disclosure, and Firm Value.” Financial Management Association Europe Conference Paper.

ABOUT THE CONTRIBUTORS

Alf Alviniussen is former Group Treasurer and Senior Vice President of Norsk Hydro ASA, Oslo, Norway. After 42 years in the company holding leading positions within the group treasury and corporate finance, including responsibility for risk management and financial planning, he is now acting as an independent consultant.

Håkan Jankensgård holds a PhD in risk management from Lund University, Sweden. He is the former risk manager of Norsk Hydro and has more than 10 years’ experience in advising companies on their risk management strategies. He is currently a researcher in corporate finance at the Department of Business Administration and Knut Wicksell Centre for Financial Studies, Lund University.


CHAPTER 5

ERM in Practice at the University of California Health System

GRACE CRICKETTE
Senior Vice President and Chief Risk and Compliance Officer, AAA Northern California, Nevada, and Utah; former Chief Risk Officer, University of California

The University of California’s Health System is comprised of numerous clinical operations, including five medical centers that support the clinical teaching programs of the university’s medical and health sciences schools and handle more than three million patient visits each year. The medical centers provide a full range of health care services in their communities and are sites for the development and testing of new diagnostic and therapeutic techniques. Collectively, these centers comprise one of the largest health care systems in the world.

The University of California Office of the President’s Office of Risk Services is responsible for developing and implementing enterprise risk management (ERM) systemwide, identifying and developing strategies to minimize the impact of risk, developing a center of excellence for managing risk, reducing costs, and improving safety by executing new ideas and strategic plans in a rapid manner in support of the university’s mission of teaching, research, public service, and patient care.

THE ENTERPRISE RISK MANAGEMENT PROGRAM

The University of California (UC) System began an ERM initiative as a natural progression of making the decision to adopt the Committee of Sponsoring Organizations (COSO) Internal Control—Integrated Framework in 1995, and in that same year UC’s vice chancellors for business and finance accepted an internal audit recommendation to adopt COSO as the Internal Control Integrated Framework for the university. In 2004, COSO’s inclusion of enterprise risk management into its model led to the hiring of a chief risk officer (CRO) tasked with implementing enterprise risk management.

The chief risk officer, who had previously implemented ERM for a publicly traded company, set out to learn about the operations and culture of the university and identify what ERM activities were already in place and where there were gaps, and what would be the best approach for implementing ERM. Visits were made to all of the campuses and medical centers, and leaders from various departments and disciplines were gathered together and asked: How do you know if you are doing well? What data do you have to let you know how you are doing? Leadership clearly was able to articulate their objectives and the risks that could impact those objectives, but the data for measuring and monitoring were not timely and were primarily ad hoc, annual, and manual. The information gathered through these meetings was critical for understanding and developing the key performance indicators (KPIs) that would later become an important component of the ERM program. (See What Is a KPI?)

What Is a KPI?

Generally, strategic or operating plans will identify the critical success factors and key goals of an organization. Critical success factors are the areas that the organization must focus on and do well in to satisfy customer/client needs. An example may be “meeting client expectations.” KPIs are derived from critical success factors and define these critical success factors into more meaningful criteria. For example, the critical success factor of “improve productivity” might have KPIs such as cost, service quality, cycle time, streamlining of processes, and reduced duplication and/or rework.

How often can KPIs be updated?

KPIs can be updated as frequently as the data they are drawn from is updated. Some examples:

• Claims information: daily
• Payroll information: monthly
• Construction scheduling: quarterly

How is improvement measured with KPIs?

Improvement is measured by looking at ratios between time periods relative to risk. For example, in the area of workers’ compensation:

Recordable rate = Number of injuries relative to the hours worked

Next, an ERM panel was formed to develop an ERM strategy. The ERM panel included management representatives from the Office of the President, the campuses, and the health system. The CRO along with the ERM panel recognized that, given the complexity of the university’s operations and the general decentralization of services and information, technology would need to be leveraged to identify, manage, and monitor risks. The overall strategy was to develop a data warehouse that could manage information already being collected by various groups, existing programs, and initiatives throughout the system—an enterprise risk management information system (ERMIS). Once consolidated in a single location, the data could then be used to analyze processes, risks, and controls systemwide.

As the ERMIS was being developed, the CRO commissioned a cost of risk study to be able to measure and monitor success of the ERM program. The first Risk Summit was held with more than 100 attendees, and the charge was given to the attendees to reduce the cost of risk by 16 percent in 24 months. How? At the summit the program Be Smart about Safety (BSAS) was launched, which was the first of many initiatives focused on preventing and managing risk. The university not only met this charge, but exceeded it by meeting the target in only 18 months.

Leveraging Technology to Support ERM

UC continues to develop the ERM information system (ERMIS), a flexible and dynamic system, to give campus stakeholders at multiple levels the information they need to make business decisions in a timely and effective manner. The ERMIS essentially “democratizes” information, in that it has the ability to provide key data and reports to personnel at all levels and locations of the university. As the data integrated has become richer and its use more widespread, the value of the ERMIS has grown in creative ways.

The ERMIS started with simple risk assessment tools and expanded to include:

• Dashboard reporting on major areas of risk
• Control and accountability tracking platform
• Risk mitigation and monitoring tools
• Survey capabilities

All of these tools can be used independently or interdependently, allowing for:

• Better quantitative analysis capabilities
• Improved analytical and reporting capabilities
• Support for leading risk governance and compliance processes
• Systemwide visibility, with local flexibility
• Scalability without additional burden on UC staff

While the ERMIS dashboard system is prepopulated with some KPIs, UC continues to work with each location to develop KPIs that are helpful to supporting the location’s own initiatives. ERM groups find the ERMIS to be an important tool for identifying and understanding risks. The system will also support the monitoring of internal controls and accountability, providing valuable information to the controllers and internal auditors. These capabilities lower the overall cost of risk (oftentimes associated with day-to-day operations) across the institution.

The creation of automated reports within the ERMIS increases workforce efficiency. Redundancy is reduced by the creation of automated reports made readily available to those with a need to know. Instead of having the same or similar reports being developed and maintained without the benefit of shared knowledge at different divisions, departments, schools, campuses, medical centers, and other locations, the ERMIS enables sharing of analyses and information easily and efficiently across multiple different locations. (See Exhibits 5.1 and 5.2.)

Exhibit 5.1 ERM Process (flowchart; stage labels Define, Analyze, Control/Monitor, and Evaluate; boxes Identify Risks, Quantify Risks, Monitor Risk Control and Mitigation, Report to Management, Audit Risks, and Risk Management Summary Reporting to High-Level Stakeholders)

Creating a Risk-Aware Culture

The foundation of the University of California’s enterprise risk management program is to have people actively manage their various risks—everyone is a risk manager! One key to creating a culture where everyone is a risk manager is to give them tools that meet their specific needs. That means developing different tools, work groups, and initiatives, but delivering them in a cohesive and integrated manner. Also, how can we create personal ownership for identifying, managing, and monitoring risk? A group of forward-thinking people at UC Davis came up with a solution, and the My Managed Risk portal was born!

The My Managed Risk (MMR) portal was designed as an entry point to the services and resources provided by the Office of Risk Services. It serves as a centralized location for authorized users to access enterprise risk management–related tools and information. The portal allows users direct access to their authorized ERM applications, as well as the ability to view content related to the ERM Solution Set, and at the same time to stay informed of up-to-date news and articles directly related to enterprise risk management. The streamlined design also provides an efficient way for users to search within the MMR portal in order to retrieve contents of interest quickly. (See Exhibit 5.3.)

Health System Specialized Programs

The UC Health System participates in and benefits from all of the tools and programs that come under the umbrella of ERM, but, in keeping with delivering the right tools to the right people, UC continues to develop programs specific to health care.


Exhibit 5.2 ERMIS Dashboard Samples

Dashboard Name | Description
CFO Division AIM: Actionable Information for Managers | Promote positive administrative behavior at the campus level via campus-by-campus comparisons. Results are indicative of business/operational performance and are within Chancellor’s realm of control.
Financial Accounting | Count of hand-postings, direct deposits, electronic W-2 and payments, CFR reports, and percentage of transaction not cleared.
Financial Services and Controls | Connexxus participation, travel spend, and savings. Purchase card expenditures, administrative efficiency, and incentives.
Procurement Services | Systemwide procurement savings, procurement spend under management, and percentage of transactions processed electronically by location.
External Finance, UC Bond Debt | Provides visibility and trending on UC bond debt by location.
Medical Quality | Extends medical quality reporting data to support risk management activities.
Travel Incidents, Calls, Claims | To correlate and report data from all travel insurance and travel agencies for UC students and staff traveling throughout the United States and world (anticipated).
UCSF PD Early Warning System Report | Provides UCSF PD leadership the ability to track and identify patterns of multiple staff complaints/investigations/incidents.
UC Travel Dashboard—Connexxus | Tracks campus adoption of the Connexxus travel system and actual savings for campuses that utilize Connexxus.
Waste Diversion | Contains results of the annual waste diversion campus survey. Allows for comparison of recycling/waste diversion between campuses.
Human Capital Dashboard | Provides human resources–related correlations by department and reason description by utilizing enrollment, FTEs, head count, hours, EPL claims, employee separation/retirement, OSHA rates, and harassment prevention training.
Safety Index Dashboard | Provides safety-related loss and exposure correlations by department and cause description by utilizing the following elements: WC claims, FTEs, hours, head count, vehicles, GL, student population, acres, property losses, and OSHA rates.
Safety Index ROI Enhancements | Illustrates the direct and indirect costs of safety risks at UC locations and enterprise-wide.
UC Ready | Provides mission (business) continuity plan completion counts for all locations at the department level.
UC Ready Department-Level Enhancements | Systemwide continuity plan completion and activity metrics at department level.
Reputational Risk (CDPH) | Provides aggregated counts and trends for medical center–related complaints and penalties as reported by California Department of Public Health.
Reputational Risk (OSHA Cube) | Allows visibility in OSHA claims against UC locations that may cause reputational risk to UC.
Office of General Counsel (OGC) | Provides visibility to legal cost by locations.
Medical Center | Provides Medical Center loss and exposure trends and correlations.
Medical Center PL Cube | Provides users the ability to create ad hoc reports utilizing selected Medical Center claims data.


Exhibit 5.3 UC My Managed Risk Portal

Integrating Traditional Risk Management into ERM

Are traditional risk management and ERM two separate programs, concepts, and disciplines? The short answer is “No.” Rather, the traditional risk management practices are critical components that make up the ERM portfolio. To get at the big enterprise picture for incidents, events, and claims arising out of the medical centers and hospitals, UC developed an approach to the evaluation of medical incidents, events, and claims. (See Exhibit 5.4.)

Trending, monitoring, and reporting of adverse clinical events and their root cause(s) are done as part of ERM:

• Each University of California Medical Center uses a web-based clinical incident reporting system that permits any staff member to report an event or near miss. The university medical centers are moving to a commercial incident reporting platform that will be consistent across all facilities and permit comparison reporting.

• Each of the UC medical centers has individuals (category managers) who are responsible for the monitoring and evaluation of certain types of events and taking action on them. The Office of Risk Services has access to this system and receives notice of significant events through the system.

• Trend reports are prepared for facility patient safety and quality committees and forwarded through the facility committee structure to the facility governing body—typically the dean of the School of Medicine.

• Adverse event incidents are monitored, and serious events that may require reporting to the state are reviewed weekly; any that are sentinel events result in a root cause analysis.


ERM IN PRACTICE AT THE UNIVERSITY OF CALIFORNIA HEALTH SYSTEM 81

Exhibit 5.4 is a flowchart with three parallel paths; its text is reproduced here in reading order.

Incident (includes near misses)
1. Incident reporting system captures identified event or near miss.
2. Directed to Category Manager.
3. Trend reports developed by location Quality or Risk, with metrics and benchmarks.
4. Trend reports provided to location Quality & Safety Committee.
5. Trend reports forwarded to the location Executive Committee of the Medical Staff.
6. Trend reports provided to Governing Body.

Adverse Event
1. Adverse event directed to Category Manager / Quality & Risk.*
2. Serious events identified and reviewed by weekly Quality of Care Steering Committee.
3. Sentinel Event / Root Cause Analysis.
4. Trend reports (metrics and benchmarks) provided to location Quality & Safety Committee.
5. Trend reports forwarded to the location Executive Committee of the Medical Staff.
6. Trend reports provided to Governing Body.

Claim/Lawsuit
1. Directed to Local Risk Manager, Claims Adjuster, OGC, and OPRS.
2. Case reviewed by facility Risk Committee for quality of care issues.
3. Corrective action is reported to Board of Regents as part of request for settlement.
4. Retrospective Reviews / UC Action.

Exhibit 5.4 UC’s Enterprise Risk Management Approach to the Evaluation of Incidents, Events, and Claims ∗Serious events are identified and reported to location Quality of Care Steering Committee for review. This committee is multidisciplinary and includes key individuals of the Quality & Safety Committee (e.g., the chief medical officer, other physician staff members, the chief nursing officer, legal, quality, risk, and compliance).

• In addition, the medical centers measure and review data on a number of metrics from patient complaints to infection rates, patient falls, and so on.

• Hospital-level data is compared with national benchmarks, United Healthcare (UHC) data, and so on.

Individual adverse events may result in claims and lawsuits:

• Risk Services manages the Third Party Claims Administrator to ensure that the claims are promptly investigated and appropriately resolved. As part of this process, Risk Services monitors the Third Party Administrator (TPA) performance against developed performance expectations.

• Risk Services, in conjunction with the Office of General Counsel (OGC) and medical center risk management staff, collaborates to ensure that the cases are well managed throughout the claims and litigation process. A select panel of defense attorneys is assigned cases.

• Risk Services, through Legalbill, monitors law firm billing compliance with university guidelines to ensure that the university benefits from a cost-efficient and cost-effective legal defense.


• The Medical Staff Risk Management Committee at each facility reviews claims and lawsuits and makes evaluations regarding the quality of care and corrective action that is needed internally; the committee monitors the action through to resolution by the responsible departments. The Risk Services director attends the committee meetings at the locations periodically.

• There are also facility allocation committees that review settled claims and lawsuits and attribute responsibility to individual practitioners or to system issues. If individuals are identified as responsible, they are reported to the external state licensing boards. Risk Services and OGC are responsible to ensure that cases are appropriately reported to both the state licensing boards and the federal National Practitioner Data Bank, and work with the locations to advise them on reporting. Both the Risk Services director and an OGC representative participate with a facility medical director to review the reporting recommendations of the local facility.

• If cases result in costs to the university, inclusive of defense and indemnity, each location has to identify the risk issues involved and the corrective action taken or planned; this action is reviewed by the Risk Services professional liability (PL) program director and the CRO; for cases of certain value, the actions are also reviewed by the senior vice president for health sciences and services.

• Additionally, the General Counsel and the Board of Regents review the corrective action that is reported.

• In addition, Risk Services has developed and implemented a monitoring system to ensure that corrective actions on cases costing the university more than $50,000 are tracked through resolution through the UC Action process. UC Action is a software tool that permits the capture of events, the causes of loss, and the corrective action that was implemented across the UC System. It permits the assignment of controls to ensure that loss prevention actions are implemented and monitored to avoid recurrence of identified issues. Developed in conjunction with UC Davis, this tool supports the Risk Services and campus loss prevention efforts. All Risk Services program managers periodically review and assess the actions being taken for appropriateness.

The role and activities of UC’s Risk Services in adverse event clinical audit (quality assurance) include the following:

• The Risk Services director for professional liability manages the systemwide incident report (IR) system and receives reports of certain types of events via e-mail as well as being able to evaluate trend reports.

• The Risk Services director periodically provides reports of individual events and trends to the facility chief medical directors at their systemwide meetings. In addition, each medical director typically brings events to discuss to these meetings so that locations can learn from each other.

• In addition to the IR system, the Risk Services director is often called by the facility risk managers and alerted to serious events. The Risk Services director also serves as a resource for questions from the facilities.

• The Risk Services PL director implemented a program to ensure that all of the university's claims and lawsuits are coded for loss prevention and trended. This was accomplished through using the Controlled Risk Insurance Company (CRICO1) Comprehensive Risk Intelligence Tool (CRIT). This program permits the university to identify the areas of greatest frequency and cost and the underlying contributing factors in a reliable manner. The university facilities have access to the system and are able to compare their trends against the other UC system and non-UC entities.

• The Risk Services director hosts monthly conference calls with medical center risk management staff to discuss matters of interest and loss prevention opportunities.

• Risk Services funds loss prevention activities for the medical centers and student health facilities targeted at reducing university liability. Examples include the prescription rebate program, which provided grant funds for loss prevention activities; ELM Exchange,2 which provides online risk education; the EMMI Solutions informed consent program, which helps ensure patient understanding of their clinical options to improve satisfaction; the Vanderbilt Patient Advocacy Reporting System (PARS) to identify and assist physicians who are outliers in terms of patient complaints; disclosure education; and operating room technology aimed at reducing retained foreign bodies.

• In addition, the senior vice president for health sciences and services collects and reviews data from multiple sources regarding hospital performance in clinical areas other than adverse clinical events.

• UC Action summary reports regarding corrective action are shared with the Regents on high-dollar-value litigated cases in the form of reports from the Office of General Counsel.

PREMIUM REBATE PROGRAM

In addition to the tools developed to assess risk and report on KPIs, the Office of the President's Office of Risk Services has developed programs to reduce the frequency and severity of loss. For the Medical and Hospital Liability Program, Risk Services developed a Premium Rebate Program in 2006–2012 that was known as the Professional Liability Prescription Program (PLPP), designed to encourage risk reduction initiatives aimed at reducing the cost of risk for the hospitals and schools of medicine. The program encouraged clinical loss prevention and patient safety and rewarded hospitals and medical groups for developing and implementing specific initiatives. PLPP is a good example of propagating the concept that everyone is a risk manager. It put loss control in the hands of individuals responsible for the outcomes. It gave them the financial resources and incentives to make a difference. There were several parts to the PLPP (see Exhibit 5.5).

The University of California (UC) Professional Medical and Hospital Liability Program (PL) is the second largest component of UC's cost of risk. In 2012, the Chief Risk Officer believed there was a need for more ERM focus on the university's five medical centers and began exploring ways to make this happen.

The University of California Center for Health Quality and Innovation (CHQI) had established a system to encourage initiatives designed to create a culture of improvement with the support of the CHQI board, comprised of the five academic medical center CEOs and the six deans of the Schools of Medicine, and chaired by the University's Senior Vice President of Health Sciences & Services, with a small coordinating staff based at the UC Office of the President, Oakland.

Exhibit 5.5 Professional Liability Prescription Program (PLPP)

Grant Funds for Locally Developed Loss Prevention Initiative—Maximum Rebate 2 Percent of Premium

Requests for the 2 percent grant funds may be made at any time during the fiscal year; however, locations are encouraged to submit early.

Medical Center Risk Management offices are expected to coordinate the applications. Each project submitted for the grant funds must have both School of Medicine and Medical Center approval if applicable. Multiple requests per site are permitted until the 2 percent is exhausted. Once the funding application is approved by Risk Services, the funds will be transferred to the campus account. The campus must transfer to the appropriate local code. The funds must be used for the approved project; failure to apply the funds to the project will result in recoupment of the funds by Risk Services. Projects will be monitored by Risk Services.

Medical Center and School Departments Allocation of Premium—Maximum Rebate 4 Percent of Premium

Allocation of premium based on loss experience and exposure is a critical underpinning of a successful loss prevention program. To qualify for this rebate, each School of Medicine and Medical Center must implement allocation to departments using the Bickmore approved methodology. Half of the premium will go to the School of Medicine for its allocation to departments and half will go to the Medical Center for allocation of premium among its departments.

Criteria:

• Ensuring the location organization structure for premium allocation is current and appropriate.

• Reviewing and categorizing all historical and current malpractice cases to location identified Schools and Medical Centers and then to departments and divisions within each, entering the data into the Sedgwick CMS claims system on a continuous basis.

• Selecting and applying an allocation model from Bickmore recommendations to the fiscal year 2011–2012 budget.

• A written report, signed by the Dean and CEO of the Medical Center attesting to the methodology employed and the amounts paid by the various departments, is required.

Adoption and Implementation of EMMI—Maximum Rebate 2 Percent of Premium

Qualification for this rebate will require adoption and substantial implementation of EMMI by the individual locations during fiscal year 2011–2012. The amount of the rebate will be dependent on the degree of adoption of use as measured by EMMI data.

Use of Technology to Prevent Retained Surgical Sponges—Maximum Rebate 2 Percent of Premium

Human error in the counting process is a significant cause of retained sponges. Technical solutions such as Surgicount provide a reliable method to assure a valid sponge count. Reducing retained sponges through reliable technology contributes to improved patient safety, enhances hospital reputation, and avoids regulatory and legal expenses.

ERM AND THE CENTER FOR HEALTH QUALITY AND INNOVATION

In January 2013, the chief risk officer for the University of California and the executive director for the UC Center for Health Quality and Innovation (CHQI) announced a new joint venture. The new joint venture—the Center for Health Quality and Innovation Quality Enterprise Risk Management (CHQIQERM)—will award up to $8 million in grants for projects designed to reduce the risk of clinical harm to UC surgery patients in three priority areas:

1. Development of enterprise risk management (ERM) within the Schools of Medicine and medical centers. This includes projects that are aimed at clinical improvements involving multiple departments and divisions.

2. Projects aimed at reducing medical malpractice claims. These projects should take into consideration issues creating the highest frequency and severity of malpractice claims within the university facilities. Claims data identifying these areas of exposure will be provided. Projects will be evaluated based on transferability and sustainability. Ability to demonstrate a return on investment will also be considered.

3. Projects aimed at improving patient safety, quality, and efficiency within the University of California medical centers.

The joint venture seeks to fund projects by UC Health faculty and staff that use an evidence-based, systems approach to minimize the risk of clinical harm to UC patients. UC’s actuary will continue to evaluate the return on investment (ROI) of the projects and include evaluation of these loss prevention efforts in its actuarial study as it has in the past.

Funding is available to UC faculty and staff intending to engage in performance improvement activities at UC-owned and UC-operated medical centers. Individual projects are capped at $250,000 per academic medical center site. A five-campus project may be awarded up to $1.25 million.


“We’re thrilled to partner with Risk Services,” said Terry Leach, executive director of the UC Center for Health Quality and Innovation. “This collaboration will help leverage the talent of UC Health’s faculty and staff to improve patient safety at UC medical centers.”3

After an initial campus review, top-scored selections will receive a second round of review by the CHQIQERM Risk Advisory Committee in conjunction with the CHQI Operations Committee, with final selection by the CHQI board. Five-campus multisite proposals will automatically advance to receive a review by CHQIQERM.

The CHQIQERM will provide selected project performance improvements (PIs), within three months of approval, a schedule to present their projects to various multicampus groups responsible for quality improvement and/or reduction of patient harm throughout UC, including the CHQI Operations Committee, the chief medical officer (CMO) and chief nursing officer (CNO) group, the UC quality officers, infection control officers, pharmacy chairs, CEOs, and so on. Presentations are designed to provide individuals responsible for integration of performance improvement projects throughout UC the opportunity to learn more about the funded projects, and to provide consultation for design modification, as appropriate, to increase support and acceptance of the funded projects.

By January 1, 2014, if project funds remain or if Risk Services provides additional resources, CHQIQERM will disseminate a second round of requests for proposals (RFPs), and will provide review and management pursuant to the previous year's round of funding, with projects to be completed by June 30, 2015, unless a project continuation agreement has been negotiated and agreed upon by all parties, including the CHQI board.

PROTECTED HEALTH INFORMATION VALUE ESTIMATOR (PHIve)

The chief risk officer was invited to serve on an American National Standards Institute (ANSI) work group. The goal of the work group was to develop and publish a guide to bring attention to the risks associated with protected health information (PHI). When hospitals and medical centers perform risk assessments, they often fail to consider the magnitude of the disruption and reputational damage from a loss of protected health information.

Following participation in the work group, UC asked Bickmore (www.bickmore.net) to develop an electronic software tool for the Protected Health Information Value Estimator (PHIve). The methodology used in PHIve is described in greater detail with examples in the American National Standards Institute (ANSI) publication, “The Financial Impact of Breached Protected Health Information.” ANSI’s publication is available at the ANSI website.4

PHIve applies a practical methodology that lets an organization holding protected health information calculate the potential (or actual) cost of a data breach. The purpose of the tool is to help PHI protectors understand the financial impact of a PHI breach so they can evaluate and recommend the investments necessary to mitigate the risk of a breach. This helps reduce potential financial exposure while strengthening the organization's reputation as a protector of the PHI entrusted to its care.


The tool will not make decisions for you, but it will help you organize your thinking as you consider the enterprise risk management implications of a breach of protected health information.

The five steps in PHIve are:

1. Assess risks. Assess the risks, vulnerabilities, and applicable safeguards for each PHI home. A PHI home is any organizational function or space (administrative, physical, or technical) and/or any application, network, database, or system (electronic) that creates, maintains, stores, transmits, or disposes of ePHI or PHI.

2. Security readiness score. Determine a security readiness score for each PHI home by determining the likelihood of a data breach based on the security readiness score scale.

3. Determine relevance. For each PHI home that has an unacceptable security readiness score, examine the relevance (i.e., likelihood or applicability) of a particular cost category, and apply a relevance factor from a provided hierarchy.

4. Determine potential repercussions. Relevance and consequences combined create the potential repercussions of a breach. Consequences are calculated using multiple aspects of a potential breach based on a variety of considerations for your organization. Types of repercussions include reputational (loss of patients, current customers, new customers, strategic partners, or staff), financial (including costs for remediation, communication, changes to insurance, changing associates, and business distraction), legal and regulatory, operational, and clinical.

5. Total the impacts. Add up all adjusted costs to determine the total adjusted cost of a data breach to the organization.

Reputational Repercussions

Reputational repercussions of a breach may include:

• Loss of patients
• Loss of current customers
• Loss of new customers
• Loss of strategic partners
• Loss of staff (separate from staff lost due to potential disciplinary action related to a breach)

The impact of a breach may have greater reputational repercussions if it is shared through social media or other means that raise further awareness of the breach.


The demographics of those affected by a breach also change its reputational impact. Income and age are considerations for health privacy sensitivity, among other factors.

Financial Repercussions

Financial repercussions are grouped into five segments, each of which may contain multiple types of financial costs.

1. Cost of remediation may include:
   • Investigation or forensic costs
   • Corrective action plan costs
   • Workforce sanction costs
   • Identity theft monitoring costs

2. Costs of communication may include:
   • Notifying affected individuals
   • Notifying media outlets and notifying governmental agencies
   • Public relations costs
   • Investor relations

3. Costs of changes to insurance may include:
   • Broker costs
   • Presenting and negotiating with agencies
   • Increased cost of coverage

4. Costs of changing associates may include:
   • Due diligence for new vendors
   • Transitions to new vendors
   • Increased costs of new vendors

5. Costs of business distraction may include:
   • Lost productivity
   • Opportunity costs
   • Diversion of resources

Legal and Regulatory Repercussions

Legal and regulatory repercussions of a breach can be grouped into four areas:

1. Costs associated with actions by the U.S. Department of Health and Human Services' Office for Civil Rights (OCR), including:
   • Fines and penalties
   • Costs of additional corrective action plans

2. State fines and penalties

3. Lawsuit costs, including:
   • Legal costs
   • Settlement costs
   • Additional payments to affected individuals
   • Insurance deductibles

4. Costs associated with potential loss of accreditation or reinstatement of accreditation


Operational Repercussions

• Incremental cost of new hires
• Costs of recruiting and training new hires
• Costs associated with reorganization following a breach

Clinical Repercussions

• Fraudulent claims processed
• Delayed or inaccurate diagnoses
• Bad data in search results

Total the Impacts

Add up all adjusted costs to determine the total adjusted cost of a data breach to the organization.
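The five PHIve steps above can be carried through in code. The following is an added illustration written for this edition, not code from the chapter, the ANSI guide, or Bickmore's tool. The 1-to-5 readiness scale, the likelihood bands, the numeric relevance factors, the category names (the five financial segments are split out as separate categories), and the dollar figures are all assumptions chosen for the example; the ANSI publication defines its own scales and hierarchy. The one behavior the chapter does fix is preserved: a PHI home whose readiness score is acceptable is not costed at all.

```python
"""Toy PHIve-style breach cost estimator (illustrative; not the ANSI/Bickmore tool)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Step 2: security readiness score -> likelihood of a breach.
# ASSUMED 1-5 scale and bands; the ANSI guide defines its own scale.
READINESS_LIKELIHOOD = {1: 0.75, 2: 0.50, 3: 0.25}
ACCEPTABLE_READINESS = 4  # homes scoring 4 or 5 are "acceptable" and are not costed

# Step 3: relevance hierarchy -> relevance factor (ASSUMED values).
RELEVANCE_FACTORS = {"none": 0.0, "low": 0.25, "moderate": 0.5, "high": 1.0}

# Step 4: repercussion categories from the chapter; financial split into its five segments.
COST_CATEGORIES = frozenset({
    "reputational",
    "financial.remediation", "financial.communication", "financial.insurance",
    "financial.associates", "financial.distraction",
    "legal_regulatory", "operational", "clinical",
})


@dataclass(frozen=True)
class PHIHome:
    """Step 1: one function, space, application, or system that handles PHI/ePHI."""
    name: str
    readiness_score: int
    consequences: Dict[str, float]  # category -> gross cost estimate in dollars
    relevance: Dict[str, str]       # category -> level in RELEVANCE_FACTORS


def breach_likelihood(score: int) -> float:
    """Map a readiness score to a breach likelihood; acceptable scores yield 0."""
    if score >= ACCEPTABLE_READINESS:
        return 0.0
    if score not in READINESS_LIKELIHOOD:
        raise ValueError(f"readiness score out of range: {score}")
    return READINESS_LIKELIHOOD[score]


def adjusted_costs(home: PHIHome) -> Dict[str, float]:
    """Steps 3-4 for one PHI home: gross cost x relevance factor x likelihood."""
    likelihood = breach_likelihood(home.readiness_score)
    if likelihood == 0.0:
        return {}  # acceptable readiness: the home contributes nothing
    result: Dict[str, float] = {}
    for category, gross in home.consequences.items():
        if category not in COST_CATEGORIES:
            raise ValueError(f"unknown cost category: {category}")
        level = home.relevance.get(category, "none")  # unlisted categories count as irrelevant
        if level not in RELEVANCE_FACTORS:
            raise ValueError(f"unknown relevance level: {level}")
        result[category] = gross * RELEVANCE_FACTORS[level] * likelihood
    return result


def total_adjusted_cost(homes: Iterable[PHIHome]) -> Tuple[float, Dict[str, Dict[str, float]]]:
    """Step 5: sum adjusted costs over every PHI home and return the per-home breakdown."""
    by_home = {home.name: adjusted_costs(home) for home in homes}
    total = sum(sum(costs.values()) for costs in by_home.values())
    return total, by_home


# Constructed sample PHI homes with hypothetical figures (not UC data).
SAMPLE_HOMES = [
    PHIHome("billing database", 2,
            consequences={"reputational": 400_000, "financial.remediation": 120_000,
                          "financial.communication": 30_000, "legal_regulatory": 250_000,
                          "clinical": 50_000},
            relevance={"reputational": "high", "financial.remediation": "high",
                       "financial.communication": "moderate", "legal_regulatory": "low",
                       "clinical": "none"}),
    PHIHome("research laptop", 3,
            consequences={"reputational": 80_000, "operational": 20_000},
            relevance={"reputational": "moderate", "operational": "high"}),
    PHIHome("HR file room", 4,  # acceptable readiness: skipped by step 3
            consequences={"reputational": 10_000},
            relevance={"reputational": "high"}),
]

if __name__ == "__main__":
    total, breakdown = total_adjusted_cost(SAMPLE_HOMES)
    for name, costs in breakdown.items():
        print(f"{name}: {costs}")
    print(f"total adjusted breach cost: ${total:,.0f}")
```

Running the module prints each home's adjusted costs by category and the grand total; with the sample figures the billing database dominates because its low readiness score carries the highest assumed likelihood. Replacing the assumed constants with an organization's own readiness scale, relevance hierarchy, and cost estimates turns the same arithmetic into a first-pass PHIve worksheet.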

The pilot PHIve tool was previewed by UC's medical risk managers for the first time at the University of California's 2013 Risk Summit, where Bickmore demonstrated the tool and sought comments from the UC medical risk managers before its release.

ERM and Strategy

Risk is an inherent and essential part of any organization. When properly managed, risk drives growth and opportunity. If enterprise risk management (ERM) is the process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the effects of risk on an organization's capital, earnings, and operations, then it only makes sense that ERM is seen as a strategic tool for management.

The past several years have been a financially challenging time for the university. Even in the face of those challenges, however, the university has made significant strides in reducing its risk exposure, thereby allowing the campuses to focus their limited dollars on the university's mission of teaching, research, and service. ERM is seen in the university as a continuous improvement process and has been integrated into its Working Smarter initiative.5

The Office of Risk Services, as part of the CFO division, has integrated the Division Strategic Goals6 into our operations:

• Reexamine the day-to-day
• Showcase our value-add
• Engage with the customer
• Develop our staff
• Be action-oriented

The Office of Risk Services continues to reexamine the day-to-day operations, looking for innovative ways to reduce risk while improving operational efficiency. It continues to showcase the savings that are generated by implementing ERM, and


continually engages its customers to learn how it can better meet their needs. It not only focuses on developing its staff, but encourages the professional development of those at the campuses and medical centers by providing the Risk Summit and monthly webinars. Finally, the tools and information provided by Risk Services allow campus and medical center leadership to be action-oriented and to be able to implement quickly programs that will result in immediate impacts. The guiding principle in all of the work that Risk Services does is to support the university mission of teaching, research, and public service, as well as patient care.

QUESTIONS

1. Your Medical Group wants to expand by starting a new venture, owning and operating a pharmacy. In order to increase the success, you have been asked to perform an enterprise risk assessment that includes reputational risk. Give three examples of how starting a new venture might have risk events that could lead to repercussions that would negatively impact the organization's reputation and three examples where it might be enhanced, creating opportunity.

2. Explain how improvement is measured with KPIs and give one example related to Human Capital and how this KPI might help you improve your organization.

3. In the UC example, the ERM Program gives weight to both data-driven activities and to culture-changing activities. Give two examples of each and then your own opinion regarding which activities you believe to be most effective in implementing an ERM program.

4. What do you think is the difference between traditional risk management and enterprise risk management?

5. From the UC example, identify what aspects of their program were “carrots” and which ones were “sticks.” From your own experience describe which one you think works best in creating lasting change.

NOTES

1. CRICO is the patient safety and medical liability company that serves the Harvard University medical community. It is a leader in evidence-based risk management.
2. Education in Legal Medicine.
3. UC Health, January 8, 2013.
4. http://webstore.ansi.org/phi.
5. http://workingsmarter.universityofcalifornia.edu/.
6. www.ucop.edu/finance-office/mission-goals/strategic-goals.html.

ABOUT THE CONTRIBUTOR

Grace Crickette joined AAA Northern California, Nevada, and Utah (NCNU) in May 2013 as the Senior Vice President and Chief Risk and Compliance Officer. She was the former Chief Risk Officer at the University of California. In her current position, she is charged with implementing enterprise risk management (ERM) with her legal, compliance, risk management, and internal audit team. The Risk Services team provides internal audit and consultation, legal consultation, quality assurance and compliance, risk financing and captive solutions, crisis and consequence management, and loss prevention and loss control services. The Risk Services team's ERM vision is to support AAA's Membership Promise: "We will keep you safe and secure—We will offer you the right product at the right time—We will provide you helpful and knowledgeable service—We will reward your loyalty—One Member, One AAA."

Prior to coming to AAA NCNU, Grace served as the University of California's Chief Risk Officer. Major initiatives for the Risk Services department included reducing the cost of risk, implementing system and local safety programs, improving claims management systems, developing risk financing strategies, and implementing enterprise risk management (ERM), and emergency management and business continuity planning throughout the university.

Grace joined the University of California in December 2004 after 13 years as a vice president and officer in audit, insurance, safety, and human resources capacities for the equipment and construction industry. She graduated with distinction from the University of Redlands with a bachelor's degree in business administration, and holds a variety of professional designations in the areas of claims, safety, audit, and human resources, including Associate in Risk Management and Senior Professional in Human Resources.

In 2008, Grace received the Risk Innovator Award for innovation and excellence in risk management in higher education. She received the Information Security Executive (ISE) of the Year West Award 2011 and National Award 2011 for Higher Education/Non Profit Sector for innovative problem solving related to a collaborative partnership with the University of California's chief information officer and other information technology (IT) professionals, insurance brokers, and underwriters for securing previously unavailable and much-needed cyber coverage and at the same time developing a program that will drive improvement and best practices into the future. She also received the ISE award of the decade for Higher Education/Non Profit Sector for her overall commitment to IT security. She was chosen in 2011 as one of Business Insurance's Women to Watch, an annual feature spotlighting 25 women who are doing outstanding work in commercial insurance, reinsurance, risk management, employee benefits, and related fields, such as law and consulting. She was also selected by Business Insurance magazine for its 2011 Risk Management Honor Roll. Also in 2011, Treasury & Risk magazine named her one of the "100 Most Influential People in Finance." She has consulted with numerous public and private entities on the implementation of ERM, including Harvard University and SingHealth, Singapore's largest health care group.


CHAPTER 6

Strategic Risk Management at the LEGO Group Integrating Strategy and Risk Management

MARK L. FRIGO Director, Strategic Risk Management Lab, and Ledger & Quill Distinguished Professor of Strategy and Leadership, DePaul University

HANS LÆSSØE Senior Director of Strategic Risk Management, LEGO Group

How can organizations manage strategic risks in a volatile and fast-paced business environment? Many have started focusing their enterprise risk management (ERM) programs on the critical strategic risks that can make or break a company. This effort is being driven by requests from boards and other stakeholders and by the realization that a systematic approach is needed and that it's highly valuable to include strategic risk management in ERM and to integrate risk management within the fabric of an organization.

In this case1 we describe strategic risk management at the LEGO Group, which is based on an initiative started in late 2006 and led by Hans Læssøe, senior director of strategic risk management at LEGO System A/S. It's also part of the continuing work of the Strategic Risk Management Lab at DePaul University, which is identifying and developing leading practices in integrating risk management with strategy development and strategy execution. This descriptive case provides a great example of integrating risk management into strategy development and strategy execution.

ABOUT THE LEGO GROUP

Headquartered in Billund, Denmark, the family-owned LEGO Group has 12,500 employees worldwide and is the second-largest toy manufacturer in the world in terms of sales. Its portfolio, which focuses on LEGO bricks, includes 25 product lines sold in more than 130 countries. The name of the company is an abbreviation of the two Danish words leg godt that mean “play well.” The LEGO Group began in 1932 in Denmark, when Ole Kirk Kristiansen founded a small factory for making wooden toys. Fifteen years later, he discovered that plastic was the ideal material for toy production and bought the first injection molding machine in Denmark.

In 1949, the brick adventure started. Over the years, the LEGO Group perfected the brick, which is still the basis of the entire game and building system. Though there have been small adjustments in shape, color, and design from time to time, today’s LEGO bricks still fit bricks from 1958. The 2,400 different LEGO brick shapes are produced in plants in Denmark, the Czech Republic, Hungary, and Mexico with the greatest of precision and subjected to constant controls. There are more than 900 million different ways of combining six eight-stud bricks of the same color.

THE LEGO GROUP STRATEGY

To understand strategic risk management at the LEGO Group, you need to understand the company’s strategy. This is consistent with the first step in developing strategic risk management in an organization: to understand the business strategy and the related risks as described in the strategic risk assessment process.2

The LEGO Group’s mission is “Inspire and develop the builders of tomorrow.” Its vision is “Inventing the future of play.” To help accomplish them, the company uses a growth strategy and an innovation strategy.

• Growth strategy. The LEGO Group has chosen a strategy that’s based on a number of growth drivers. One is to increase its market share in the United States. Many Americans may think they buy a lot of LEGO products, but they buy only about a third of what Germans buy, for example. Thus there are potential growth opportunities in the U.S. market.

The LEGO Group also wants to increase market share in Eastern Europe, where the toy market is growing very rapidly. In addition, it wants to invest in emerging markets, but cautiously. The toy industry isn’t the first one to move into new, emerging markets, so the LEGO Group will invest at appropriate levels and be ready for when those markets do move. It will also expand direct-to-consumer activities (sales through LEGO-owned retail stores), online sales, and online activities (such as online games for children).

• Innovation strategy. On the product side, the LEGO Group focuses on creating innovative new products from concepts developed under the title “Obviously LEGO, never seen before.” The company plans to come up with such concepts every two to three years. One of the latest examples is LEGO Games System, which consists of family board games (a new way of playing with LEGO bricks) with a LEGO attitude of changeability (obviously LEGO). The company also intends to expand LEGO Education, its division that works with schools and kindergartens. And it will develop its digital business as the difference between the physical world and the digital world becomes more and more blurred and less and less relevant for children.

Now let’s look at the development of LEGO strategic risk management.

Exhibit 6.1 Four Elements of Risk Management at the LEGO Group: (1) Enterprise Risk Management, (2) Monte Carlo Simulations, (3) Active Risk & Opportunity Planning (AROP), (4) Preparing for Uncertainty

LEGO STRATEGIC RISK MANAGEMENT

The LEGO Group developed risk management in four steps (numbered in the order in which the steps were initiated) as shown in Exhibit 6.1:

• Step 1. Enterprise risk management was traditional ERM in which financial, operational, hazard, and other risks were later supplemented by explicit handling of strategic risks.

• Step 2. Monte Carlo simulations were added in 2008 to understand the financial performance volatility (which proved to be significant) and the drivers behind it to integrate risk management into the budgeting and reporting processes. During the past two years the use of Monte Carlo simulations was refined, as described later in this chapter.

Those two steps were seen mostly as damage control. To get ahead of the decision process and have risk awareness impact future decisions as well, LEGO risk management added:

• Step 3. Active risk and opportunity planning (AROP), where business projects go through a systematic risk and opportunity process as part of preparing the business case before final decisions about the projects are made.

• Step 4. Preparing for uncertainty, where management tries to ensure that long-term strategies are relevant for and resilient to future changes that may very well differ from those planned for. Scenarios help them envision a set of different yet plausible futures to test the strategy for resilience and relevance.

These last two steps were designed to move upstream—or get involved earlier in strategy development and the strategic planning and implementation process.

Strategic Risk Management Lab Commentary

This four-step approach is a good illustration of how organizations can develop their risk management capabilities and processes in incremental steps. It represents an example of how to evolve beyond traditional ERM and integrate risk management into the strategic decision making of an organization. This approach positions risk management as a value-creating element of the strategic decision-making process and the strategy-execution process.

In our research on high-performing companies, we’ve found that the LEGO Group, like those companies, achieves sustainable high performance and creates stakeholder value by consistently executing the strategic activities in the Return-Driven Strategy framework (for example, the focus on innovating its offerings toward changing customer needs) while co-creating value through its engagement platforms—that is, the online community, including its My LEGO Network, which engages more than 400 million people and helps its product development process; see Venkat Ramaswamy and Francis Gouillart, The Power of Co-Creation (Free Press 2010). Its strategic risk management processes incorporate distinct elements of co-creation by engaging its employees (internal stakeholders) throughout the strategic decision-making, planning, and execution processes, as well as engaging external stakeholders (suppliers, partners, customers). The LEGO Group’s approach is a good example of how an organization can engage stakeholders in co-creating strategic risk/return management (see Mark L. Frigo and Venkat Ramaswamy, “Co-Creating Strategic Risk-Return Management,” Strategic Finance, May 2009).3

ENTERPRISE RISK MANAGEMENT (STEP 1)

The evolution of ERM toward strategic risk management is represented in Exhibit 6.2. Strategic risk was missing from the ERM portfolio until 2006.

To fix this, based on his then 25 years of LEGO experience and a request from the CFO, Hans Læssøe started looking at strategic risk management. “I was a corporate strategic controller who had never heard the term until then,” he says. The company had embedded risk management in its processes. Operational risk—minor disruptions—was handled by planning and production. Employee health and safety was OHSAS 18001 certified. Hazards were managed through explicit insurance programs in close collaboration with the company’s partners (insurance companies and brokers). Information technology (IT) security risk was a defined functional area. Financial risk covered currencies and energy hedging as well as credit risks. And legal was actively pursuing trademark violations as well as document and contract management. But strategic risks weren’t handled explicitly or systematically, so the CFO charged Hans with ensuring they would be from then on. This became a full-time position in 2007, and Hans added one employee in 2009 and another in 2011.

Exhibit 6.2 The LEGO ERM Umbrella: Adding Strategic Risk. ERM covers Employee Safety, Operational, Hazard, IT Security, Legal, Financial, and Strategic (added 2006) risk.


Strategic Risk Management Lab Commentary

The 2006 situation is common. Even though strategic risks need to be integrated with risk management, many organizations don’t explicitly assess and manage strategic risks within strategic decision-making processes and strategy execution. A recent study by the Corporate Executive Board found that strategic risks have the greatest negative impact on enterprise value: “strategic risk caused 68 percent of severe market capitalization declines.”4 But the LEGO Group’s approach shows how strategic risk management can be a key to increasing the value of ERM within an organization. It also shows how executive leadership from the CFO played an important role in the evolution of ERM as a valuable management process. Finally, Hans came from the business side and had the attributes necessary to lead the initiative: broad knowledge of the business and its core strategies, strong relationships with directors and executive management, strong communication and facilitation skills, knowledge of the organization’s risks, and broad acceptance and credibility across the organization. (For more, see Mark L. Frigo and Richard J. Anderson, Embracing ERM: Practical Approaches for Getting Started, at www.coso.org/guidance.htm, p. 4.)

Also, the risk owner concept at LEGO provides a good example of the importance of understanding who owns the risks as well as defining the role of risk management in the organization. The idea of “risk owners” was important to ensure action and accountability. Hans’s charge was to develop strategic risk management and make sure the LEGO Group had processes and capabilities in place to do this. But as senior director of strategic risk management, Hans doesn’t own the risk. He can’t own the risk, because this essentially would mean he would own the strategy, and each line of business owns the pertinent strategic risks. Hans trains, leads, and drives line management to apply a systematic process to deal with risk. The mission of Hans’s strategic risk management team is to “drive conscious choices.” This is just like budgeting functions: They don’t earn the money or spend the money, but they support management to deliver on the budget or compare performance against the budget.

MONTE CARLO SIMULATION (STEP 2)

In 2008, Hans introduced Monte Carlo simulation into the process. A mathematician by education (MSc in engineering), he started defining how Monte Carlo simulation could be used in risk management. Now it’s being used for three areas:

1. Budget simulation. The business controllers were asked for their input about volatility, which is combined with analyses based on past performance of budget accuracy. Managers said this helped them understand the financial volatility, so it was part of the financial and budget reporting in 2012. In fact, the first analyses directed top management’s attention to a sales volatility that was known but that proved to be much more significant than everyone intuitively believed. During the past two years, this approach has been refined as described by Hans: “We actually stopped this. It was found that the volatility of the business is so significant that we have stopped budgeting altogether, as the process took a lot of effort—too little value as conditions changed. Today (2014) we use an estimate process where a small team of lead controllers defines a preliminary estimate for board of directors discussions. In March (each year) we do a detailed estimate on which we base KPIs, targets, bonus criteria, et cetera. Monthly, we then update the estimate, and hence our financial planning process is more dynamic . . . and we do not need the budget simulation anymore.”

2. Credit risk portfolio. The LEGO Group uses a similar approach to look at its credit risk portfolio so it can have a more professional conversation with a credit risk insurance partner.

3. Consolidation of risk exposure. You could multiply the probability and impact of each risk and add the whole thing up. Risk management isn’t about averages (if it were, no one would take out an insurance policy on anything). With a Monte Carlo simulation, the LEGO Group can calculate the 3 percent worst-case loss compared to budget and use that to define risk appetite and risk report exposure vis-à-vis this risk appetite, as shown in Exhibit 6.3.

Risk Tolerance

As a privately held company, the LEGO Group can’t look at stock values, so it looks at the amount of earnings the company is likely to lose compared to budget if the worst-case combined scenarios happen. Not all risks will materialize in any one year, because some of them are mutually exclusive; but a huge number may happen in any one year, as we have seen during the global financial crisis. Hans computes a net earnings at risk (EaR), and corporate management and later the board of directors use that net earnings at risk to define their risk tolerance. They have said that the 3 percent worst-case loss may not exceed a certain percentage of the planned earnings (the percentage is not 100). That guides management toward understanding and sizing the risk exposure. This process has helped the LEGO Group take more risks and be more aggressive than it otherwise would have dared to be, and to grow faster than it otherwise could have done.

Exhibit 6.3 Monte Carlo Simulations and Risk Appetite at the LEGO Group. Company risk exposure (gross and net): the gross EaR and net EaR are read at the 3 percent of simulations worst-case tail, and the distance between them is the effect of mitigation.
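The earnings-at-risk calculation described here and under “Consolidation of risk exposure” above, written out as an added worked example. This is not the LEGO Group’s spreadsheet tool or its figures: the risk names, probabilities, impact ranges, the mitigation effects and the 25 percent tolerance are constructed assumptions. The simulation draws each risk’s occurrence and impact for every simulated year, sums the loss against budget, and reads the loss at the 3 percent worst-case tail for the gross portfolio and for the portfolio after mitigation; the difference is the effect of mitigation shown in Exhibit 6.3. It also computes the probability-times-impact sum so the reader can see how far the tail sits above the average the text warns against relying on.

```python
"""Earnings at risk (EaR) from a Monte Carlo simulation of a risk portfolio.

Added illustration with constructed figures; not LEGO Group data or tooling.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float          # chance the risk materialises in a given year
    impact_low: float           # loss vs. budget if it does (constructed units, e.g. millions)
    impact_mode: float
    impact_high: float
    net_probability: float      # likelihood after mitigation (<= probability)
    net_impact_factor: float    # impact multiplier after mitigation (1.0 = no reduction)


# Constructed portfolio: hypothetical risks and numbers, not the LEGO Group's.
PORTFOLIO = [
    Risk("Key licensed property underperforms", 0.30, 20, 40, 90, 0.30, 0.70),
    Risk("Resin price spike", 0.25, 10, 25, 60, 0.25, 0.50),
    Risk("Major retailer insolvency", 0.10, 15, 30, 80, 0.06, 0.60),
    Risk("Plant outage", 0.08, 20, 50, 150, 0.05, 0.50),
    Risk("Currency move against plan", 0.40, 5, 20, 50, 0.40, 0.40),
    Risk("Product safety recall", 0.03, 30, 80, 200, 0.02, 0.80),
]


def simulate_losses(risks, runs=20_000, seed=42, net=False):
    """Return one total loss-vs-budget figure per simulated year.

    The same seed and draw order is used for the gross and the net run, so
    every simulated year is directly comparable before and after mitigation
    (mitigation can only lower a year's loss, never raise it).
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(runs):
        total = 0.0
        for r in risks:
            u = rng.random()                       # does the risk occur this year?
            impact = rng.triangular(r.impact_low, r.impact_high, r.impact_mode)
            p = r.net_probability if net else r.probability
            factor = r.net_impact_factor if net else 1.0
            if u < p:
                total += impact * factor
        losses.append(total)
    return losses


def earnings_at_risk(losses, tail=0.03):
    """Loss exceeded in only `tail` of simulated years (the 3 percent worst case)."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, int((1 - tail) * len(ordered)))
    return ordered[idx]


def expected_loss(risks):
    """Probability times mean impact, summed: the 'average' that hides the tail."""
    return sum(r.probability * (r.impact_low + r.impact_mode + r.impact_high) / 3
               for r in risks)


def within_tolerance(ear, planned_earnings, max_fraction):
    """Board-style tolerance: the worst-case loss may not exceed a share of planned earnings."""
    return ear <= max_fraction * planned_earnings


if __name__ == "__main__":
    gross = simulate_losses(PORTFOLIO)
    net = simulate_losses(PORTFOLIO, net=True)
    g, n = earnings_at_risk(gross), earnings_at_risk(net)
    print(f"expected loss (sum of p x impact): {expected_loss(PORTFOLIO):.1f}")
    print(f"gross EaR (3% worst case):         {g:.1f}")
    print(f"net EaR after mitigation:          {n:.1f}  (mitigation effect {g - n:.1f})")
    # Constructed tolerance: net EaR may not exceed 25% of planned earnings of 400.
    print("within tolerance:", within_tolerance(n, planned_earnings=400, max_fraction=0.25))
```

Reusing the random seed for both runs is deliberate: with independent draws, sampling noise could make the net tail appear above the gross tail for a small number of runs, which would misstate the mitigation effect. With common draws, the per-year net loss is bounded by the gross loss, so the gap at the tail is attributable to mitigation alone.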

Strategic Risk Management Lab Commentary

Risk tolerance is a difficult area for organizations to address. The approach used at the LEGO Group provides a good example of deriving risk tolerance (the term LEGO uses rather than risk appetite) in an actionable and systematic way. It also shows an approach that fosters intelligent risk taking and that avoids being too risk averse while maintaining discipline on the amount of risk undertaken. Hans has actually had cases where he recommended taking on more risks to meet elusive targets. He uses an analogy to communicate the idea of taking risks and not being too risk averse: “I used the (very normal) traffic picture . . . ‘Guys, you are getting late for the party, yet you are still cruising at 40 mph on the highway. Why not speed up to the 70 mph you are allowed to drive—if that will more likely take you to the party in time?’”

What we’ve discussed so far is more or less damage control because it’s about managing risks already taken by approving strategies and initiating business projects. Hans decided he wanted to move beyond damage control and be more proactive so he could create real value as a risk manager. He came up with a process he calls active risk and opportunity planning (AROP) for business projects.

AROP: ACTIVE RISK ASSESSMENT OF BUSINESS PROJECTS (STEP 3)

When the LEGO organization implements business projects of a defined minimum size or level of complexity, it’s mandatory that the business case includes an explicit definition and method of handling both risks and opportunities. Hans says that the LEGO Group has created a supporting tool (a spreadsheet) with which to do this, and it differs from the former approach to project risk management in several areas. Hans has the following to say on each:

• Identification, “where we call upon more stakeholders, look at opportunities as well as risks, and look at risks both to the project and from the project (i.e., potential project impact on the entire business system).”

• Assessment, “where we define explicit scales and agree what ‘high’ means to avoid different people agreeing on an impact being high without having a shared understanding of the exposure.”

• Handling, “where we systematically assign risk owners to ensure action and accountability and include the use of early warning indicators, where these are relevant.”


• Reassessment, “where we explicitly define the net risk exposure to ensure that we have an exposure we know we can accept, the reason being that we have seen people ignore this step, and hence do too much or too little to a particular risk; here, we ask them to deliberately address whether or not they can and will accept the residual risk—and know what it is they accept. From time to time we see the individual risks being accepted, but then, when we do the Monte Carlo simulation on the project (yes, we use it here as well), we see that the likelihood of meeting the target is still too low—and more risk mitigation or opportunity pursuit is called for and included in the project.”

• Follow-up, “where we keep the risk portfolio of the project updated for gate and milestone sessions.”

• Reporting, “which is done automatically and fully standardized based on the data.”

Common Language and Common Framework

The most important point is that the people who address and work with risks get a systematic approach, so they can reuse the approach from Project A on Project B. The one element that project managers really like is having the data in a database. They don’t receive just a spreadsheet model: data are entered into the spreadsheet as a database, and all the required reporting on risk management is collected from that data, so project managers don’t have to develop a report—they can just cut and paste from one of the three reporting sheets that are embedded in the tool. All the reports are standardized. That’s good for the project managers, but it’s also good for the people on the steering committees, because they now receive a standardized report on risks: the layout of the probability/impact risk maps no longer changes from project to project, and nobody introduces a severity scale or some other measure of their own. Everyone uses the same formulas and the same way of doing it.

Strategic Risk Management Lab Commentary

The AROP process is a great example of integrating risk assessment in terms of upside and downside risks in the strategic decision-making process. This balanced approach to strategic risk management allows organizations to create more stakeholder value while intelligently managing risk.

PREPARING FOR UNCERTAINTY: DEFINING AND TESTING STRATEGIES (STEP 4)

To get further ahead in the decision process, the LEGO Group has added a systematic approach to defining and testing strategies. As Hans notes, “We are going one step further upstream in the decision process with what we call ‘Prepare for Uncertainty.’ This is a strategy process, and we’re looking at the trends of the world. The industry is moving; the world is moving quite rapidly. I just saw a presentation that indicated that the changes the world will see between 2010 and 2020 will be somewhere between 10 and 80 times the changes the world saw in the twentieth century, compressed into a decade.”


He offers the following story to illustrate the forces of change the company is facing: “My seven-year-old granddaughter came to me and asked, ‘Granddad, why do you have a wire on your phone?’ She didn’t understand that. She’d never seen a wire on a phone before. We need to address that level of change and do it proactively.”

Four Strategic Scenarios

A group of insightful staff people (Hans and a few from the Consumer Insight function) defined a set of four strategic scenarios based on the well-documented megatrends defined by the World Economic Forum in 2008 for the Davos meetings. Hans commented:

“We presented and discussed these with senior management in 2009, prior to their definition of 2015 strategies, to support that they would look at the potential world of 2015 when defining strategies and not just extrapolate present-day conditions.

“Having done that, we then prepared to revisit each key strategy vis-à-vis all four scenarios to identify issues (i.e., risks and opportunities) for that particular strategy if the world looks like this particular scenario.

“This list of issues is then addressed via a PAPA model whereby a strategic response is defined and embedded in the strategy.

“This way, we believe that we have reasonably ensured our strategies will be relevant if/when the world changes in other ways than we originally planned for.”

During the past two years, LEGO refined the process and used it actively, the reason being that the original scenarios did in fact not lead to much explicit action. Today a scenario session is a five-hour workshop where participants focus on one particular strategy (e.g., market entry in China). The workshop is with the man- agement team that owns the strategy and its implementation.

• The first hour they discuss and agree on two key drivers of uncertainty to their strategy (the axes of the 2 × 2 scenarios). Hans’s team comes with a battery of potential drivers—and they (after some discussion) end up with two—leading to four quadrants of a 2 × 2 matrix.

• The next two hours the team describes the four quadrants one at a time. First, they individually use Post-it notes to write down descriptive elements or key success factors for the scenario (the Post-it session is to avoid groupthink). Then they share their descriptions and discuss their way into a reasonably consistent image of that scenario, before they move on to the next.

• The fourth hour is used to define strategic issues—again Post-it notes and sharing. Here they are diligently coached to be aware that any issue may be an opportunity (if they choose to pursue this in time). If they do not pursue this, it may become a risk, and if they still don’t do anything and the risk materializes, it becomes a problem. The sharing process includes a prioritization discussion in LEGO’s PAPA model (see later in this chapter).

• The last hour focuses first and foremost on actions to be taken. The team discusses and agrees on explicitly “who is doing what by when” to ensure action on the issues that the team members have themselves decided are important, likely, and fast moving.


The role of Hans’s team is to coach the process, including asking provocative questions and ensuring that team members get out of their comfort zone (where the real world is). The process is mandatory for business planning and strategy definition, and in 2013 Hans’s team was involved with doing 25 of these workshop sessions as the company business plans were to be updated. Subsequently it was documented that 75 percent of these business plans had taken on explicit actions on issues they had not seen prior to the session—hence the value.

Hans explains, “Once we have decided on the strategy and defined what we’re going to do, we test the strategy for resilience. We very simply take that particular strategy and, together with the strategy owner, discuss: If this scenario happens, what will happen to the strategy? Some of these issues will be highly probable, and some of them will be less probable. Some of them will happen very fast; some others will happen very slowly. This is where the PAPA model comes in.”

THE PAPA MODEL

When looking at the issues inspired by the scenarios, the LEGO Group uses what it calls a Park, Adapt, Prepare, Act (PAPA) model, as shown in Exhibit 6.4. Hans explains:

• Park: “The slow things that have a low probability of happening, we park. We do not forget about them.”

• Adapt: “The slow things that we know will happen or are highly likely to happen, we adapt to those trends. In our case, this is a lot around demographics. We know children’s play is changing, we know demographics are changing, and we know the buying power between the different realms or the different parts of the world is changing. Although we know children’s play is changing, we also know it does not happen fast. So we adjust, systematically monitoring what direction it’s moving in and following that trend.”

• Prepare: “The things that have a low probability of happening, but, if they do, they materialize fast, we need to be prepared for this. In fact, this is where we identify most of the risks that we need to put into our ERM risk database, make sure that we have contingency plans for them, and apply early warnings and whatever mitigation we can put in place to make sure that we can cover these should they materialize, but they are not expected to.”

Exhibit 6.4 LEGO’s PAPA Model (Overall Strategic Response). Axes: Likelihood (Low, High) and Speed of Change (Slow, Fast). Quadrants: Park (low likelihood, slow), Adapt (high likelihood, slow), Prepare (low likelihood, fast), Act (high likelihood, fast).

• Act: “Finally, we have the high-probability and fast-moving things that we need to act on now in order to make sure the strategy will be relevant. In our case, anything that has to do with the concept of connectivity (i.e., mobile phones, Internet, that world)—if we can see it, we move on it. We know that it is changing so fast, and it’s changing the way kids play. It’s changing their concepts and their view of the world.”

Hans concludes, “This way, we have a kind of model of what we do, because we shouldn’t, of course, be betting on every horse in the race. That’s not profitable, and it isn’t even doable.”

Strategic Risk Management Lab Commentary

One of the challenges of risk management is to find ways to prioritize risks that make business sense. The PAPA model provides a good example of a framework that can prioritize risks and set the stage for the appropriate actions. Our research on high-performance companies (see Mark L. Frigo, “Return Driven: Lessons from High Performance Companies,” and the book Driven: Business Strategy, Human Actions, and the Creation of Wealth by Mark L. Frigo and Joel Litman) found that companies that demonstrate sustainable high performance exhibit a “vigilance to forces of change” that allows them to manage the threats and opportunities in the uncertainties and changes better than other companies do.5 The approach used at LEGO is a great example of embedding this vigilance to forces of change in its strategy development and strategy execution processes. The scenario analysis approach used at LEGO provides an engagement platform for engaging stakeholders in the risk management process.6

STRATEGIC RISK MANAGEMENT RETURN ON INVESTMENT

A great deal has happened in the LEGO Group’s approach to risk management based on strong support from top management (always needed to develop processes and methodologies) and a strong focus. They have demonstrated value from the efforts they’ve made. They also have explicitly embedded risk management in most of the key planning processes used to run the company:

• The Strategic Scenarios used in business planning

• The LEGO Development Process—includes Monte Carlo simulation of overall project risk/opportunity exposure

• The Customer Business Planning Process—AROP in collaboration

• The Sales and Operations Planning Process—tactical scenarios

• The Performance Management Process—bonuses based on results, not efforts


“All of this has worked,” Hans says. “Based on actual data, we have had a 20 percent average growth from the period between 2006 and 2010 in a market that barely grows 2 percent and 3 percent a year. It has continued so 2006 to 2012 has a cumulative annual growth rate of 20 percent, leading to a tripling of the size of the company based on official public data. Beyond that, our profitability has developed quite significantly as well. We’ve grown from a 17 percent return on sales in 2006 to 34 percent return on sales in 2012. And it goes beyond that. If you go back a couple more years, in 2004 we were in dire straits and had a negative return on sales of 15 percent. We changed a number of strategies.

“Risk management is not the driver of these changes,” Hans continues. “I’m not even sure it’s a big part. But it’s one part. It’s a part that has allowed us to take bigger risks and make bigger investments than we otherwise would have seen. The Monte Carlo simulation has shown us what the uncertainty is and was a key element of changing the financial planning process to a more dynamic estimation approach. The risk tolerance has shown us how much risk we are prepared to take, between the board of directors and the corporate management team. This has meant that we have been prepared to make bigger supply chain investments than we otherwise would have done and have been able to achieve bigger growth than we ever imagined we could have.”

Strategic Risk Management Lab Commentary

The development of strategic risk management at the LEGO Group provides a great example of how organizations can develop their ERM programs to incorporate strategic risk and make strategic risk management a discipline and core competency within. One of the key elements was integration. During discussions with LEGO management, when Hans was asked about the ongoing development of risk management at the LEGO Group, he replied that it was “naturally integrated.” It is this integration of risk management in strategy and strategy execution, and the integration of strategy in risk management, that can elevate the value of ERM in an organization.

CONCLUSION

We want to emphasize that risk management is not about risk aversion. If, or rather when, you want or need to take bigger chances than your competitors—and get away with it (succeed)—you need to be better prepared. The fastest race cars in the world have the best brakes and the best steering to enable them to be driven faster, not slower. Risk management should enable organizations to take the risks necessary to grow and create value. To quote racing legend Mario Andretti: “If everything’s under control, you’re going too slow.” The approach and philosophy described in this case are reflected in the mission of the strategic risk management team at the LEGO Group to “drive conscious choices.”

QUESTIONS

1. What are the advantages of integrating ERM with strategy and strategy execution as described in this case?

2. How does scenario analysis as described in this case help an organization to prepare for uncertainties?

3. What are the advantages of using the PAPA model to categorize risks?

4. How would you describe the “Strategic Risk Management Return on Investment” at LEGO?

5. The mission of the strategic risk management team is to “Drive conscious choice.” How does the Active Risk and Opportunity Planning (AROP) element of strategic risk management at LEGO help to drive conscious choice?

NOTES

1. This chapter was adapted from Mark L. Frigo and Hans Læssøe, “Strategic Risk Management at the LEGO Group,” Strategic Finance (February 2012) with the permission of Strategic Finance and the Institute of Management Accountants. An earlier version of this case was presented at the Risk and Insurance Management Society (RIMS) Conference, where Mark and Hans serve as members of the RIMS Strategic Risk Management Development Council.

2. M. L. Frigo and R. J. Anderson, “Strategic Risk Assessment: A First Step for Improving Governance and Risk Management,” Strategic Finance 12 (2009), 25–35.

3. Also see Hans Læssøe, Venkat Ramaswamy, and Mark L. Frigo, "Strategic Risk Manage- ment in the Co-Creative Enterprise," Working Paper, Strategic Risk Management Lab, DePaul University, 2014.

4. See “Using ERM to Improve Strategic Decisions,” CEB Risk Management Leadership Council, Corporate Executive Board, 2013.

5. Also see Mark L. Frigo, Driven Strategy: Creating and Sustaining Superior Performance (Palo Alto, CA: Stanford University Press, forthcoming 2015).

6. A. Mikes and D. Hamel, “The LEGO Group: Envisioning Risks in Asia,” Harvard Busi- ness School Case 113-054, November 2012.

REFERENCES

Frigo, M. L. 2008. “Return Driven: Lessons from High Performance Companies.” Strategic Finance 7, 24–30.

Frigo, Mark L. 2015. Driven Strategy: Creating and Sustaining Superior Performance. Palo Alto, CA: Stanford University Press, forthcoming.

Frigo, M. L., and R. J. Anderson. 2009. “Strategic Risk Assessment: A First Step for Improving Governance and Risk Management.” Strategic Finance 12, 25–35.

Frigo, M. L., and R. J. Anderson. 2011. “Embracing ERM: Practical Approaches for Getting Started.” Committee of Sponsoring Organizations of the Treadway Commission (COSO). www.coso.org/guidance.htm.

Frigo, Mark L., and Mark Beasley. 2010. “ERM and Its Role in Strategic Planning and Strategy Execution.” In John Fraser and Betty J. Simkins, eds. Enterprise Risk Management. Hoboken, NJ: John Wiley & Sons.

Frigo, Mark L., and Hans Læssøe. 2012. “Strategic Risk Management at the LEGO Group.” Strategic Finance 2, 27–35.

Frigo, Mark L., and Joel Litman. 2007. Driven: Business Strategy, Human Actions, and the Creation of Wealth. Chicago: Strategy & Execution, LLC.

Frigo, M. L., and V. Ramaswamy. 2009. “Co-Creating Strategic Risk-Return Management.” Strategic Finance 5, 25–33.

Læssøe, Hans, Venkat Ramaswamy, and Mark L. Frigo. 2014. “Strategic Risk Management in the Co-Creative Enterprise.” Working Paper, Strategic Risk Management Lab, DePaul University.

Mikes, A., and D. Hamel. 2012. “The LEGO Group: Envisioning Risks in Asia.” Harvard Business School Case 113-054, November.

Ramaswamy, V., and F. Gouillart. 2010. The Power of Co-Creation. New York: Free Press.

Ramaswamy, V., and K. Ozcan. 2014. The Co-Creation Paradigm. Palo Alto, CA: Stanford University Press, forthcoming.

ABOUT THE CONTRIBUTORS

Mark L. Frigo, PhD, CMA, CPA, is director of the Center for Strategy, Execution and Valuation and the Strategic Risk Management Lab in the Kellstadt Graduate School of Business at DePaul University in Chicago. He is Ledger & Quill Alumni Foundation Distinguished Professor of Strategy and Leadership in the Driehaus College of Business at DePaul. The author of seven books and more than 100 articles, his work is published in leading journals, including the Harvard Business Review. Dr. Frigo is coauthor (with Joel Litman) of the book Driven: Business Strategy, Human Actions, and the Creation of Wealth, coauthor (with Richard J. Anderson) of the book Strategic Risk Management: A Primer for Directors and Management Teams, and author of a forthcoming book, Driven Strategy, from Stanford University Press. His research and thought leadership on strategic risk management and ERM have been published by Harvard Business Press, the Conference Board, Committee of Sponsoring Organizations of the Treadway Commission (COSO), American Accounting Association, Financial Executives International, American Institute of Certified Public Accountants, Institute of Internal Auditors, Institute of Chartered Accountants in England and Wales, Chartered Institute of Management Accountants, Institute of Management Accountants, Risk and Insurance Management Society, and other leading organizations, and he has presented keynote presentations and executive workshops on strategic risk management throughout North America, Europe, and the Asia-Pacific region. He is a member of the RIMS Strategic Risk Management Development Council. Dr. Frigo is an adviser to executive teams and boards of directors in the area of strategic risk management.

Hans Læssøe, MSc, is the LEGO Group head of and senior director on strategic risk management, a function he established in 2006 and 2007. He has more than 30 years of LEGO Group experience from a number of areas, which provides him with strong business insight and a network to drive the task of proactive strategic risk management. He is a founding member of a Danish ERM network, an executive member of the European Council of Risk Management, and a specialist member of the Institute of Risk Management (IRM). He is a member of the RIMS Strategic Risk Management Development Council. The LEGO Group and Læssøe have won multiple European awards for their unique risk management approach. Læssøe is the author or coauthor of articles in international magazines, and speaks at international risk management conferences.


CHAPTER 7

Turning the Organizational Pyramid Upside Down

Ten Years of Evolution in Enterprise Risk Management at United Grain Growers

JOHN BUGALLA
Managing Principal, ermINSIGHTS

Strategy without tactics is the path to uncertain success; tactics without strategy is the noise before defeat.

—Sun Tzu (c. 544–496 B.C.)

Few companies stand out as successful pioneers in enterprise risk management (ERM), especially one that undertook the initiative almost 15 years ago. One such ERM pioneer was United Grain Growers (UGG), a conservative 100-year-old Winnipeg, Canada–based grain handler and distributor of farm supplies. When UGG announced that it had implemented a new integrated risk-financing program in 1999, it received a great deal of attention in the financial press. CFO magazine hailed the UGG program as “the deal of the decade.”1 The Economist characterized it as a “revolutionary advance in corporate finance.”2 Harvard created a UGG case study.3 While most outside attention focused on the direct financial benefits of implementing the program (protection of cash flow, the reduced risk capital required, and a 20 percent increase in stock price)4, scant attention was given to the less tangible and therefore less measurable issues of governance, leadership, and corporate culture—the conditions that enabled such innovation. It was a combination of a collaborative leadership open to new ideas, a culture of controlled risk taking, and active risk oversight by the board that produced a strategic approach to UGG’s risk management process. A combination of the same cultural factors had already contributed to the 1993 transformation of UGG from a cooperative structure to a publicly traded company with access to the capital markets. UGG’s chief executive officer (CEO) had two key strategic objectives: (1) from day one of his tenure, a razor-sharp focus on improving the financial performance of the company to better serve customers and shareholders, and (2) as financial performance improved, to change the risk profile of the company to attract long-term shareholders versus short-term stock speculators.

Implementing the integrated risk program that reduced earnings volatility helped to change the risk profile of the company. However, the strategic goals of UGG went deeper than an integrated risk program. Over the next several years, financial performance continued to improve. New value was created by implementing a unique credit financing business (UGG Financial), in partnership with the Bank of Nova Scotia (ScotiaBank). This was followed by merging/acquiring the business of rival Agricore Cooperative in 2001, creating Agricore United (AU). The final act of value creation was extracting a high premium for AU’s stock in 2007 from several bidders that wanted to acquire the company.

BACKGROUND—OPERATING ENVIRONMENT

The grain business is capital intensive and inherently risky in terms of supply, commodity prices, currency exchange rates, Canadian government regulation of the industry, and, from time to time, the current political climate existing with key customers. Weather is obviously a major risk, and it determines local and overall supply. Grain production in the Canadian prairies covers tens of thousands of square miles of Manitoba, Saskatchewan, and Alberta, and stretches into the Peace River district of British Columbia. The success or failure for the entire crop year, for the farmer-growers, grain handlers like UGG, and road and rail transporters, is determined by the amount of rainfall in April and May. Not enough rain in those key months translates into a drought-reduced harvest. Added complexity was demonstrated by an analysis of a century of rainfall data that revealed that weather events thought to occur every 100 years actually occur every nine to 11 years. However, UGG was a grain handler, not a crop grower. The threat to UGG was related to the volume of grain that it would process, much of it at a fixed price established by the Canadian Wheat Board (CWB).5 UGG had an established average market share of 15 percent. UGG (and its competitors) would be allocated rail cars by the Canadian Wheat Board that were almost entirely determined by its market share in the preceding year, no matter how large or small the crop. There was, therefore, little opportunity to gain (or lose) grain handling market share. Consequently, it was overall grain production volume risk that drove revenues and profits.6

Grain is a commodity traded on global exchanges. The price of grain, such as wheat, like any other commodity, is driven by supply and demand. While local weather conditions impact Canada’s grain-producing provinces, supply and demand are also impacted by global7 weather conditions. Political risk is another factor in the supply-and-demand chain, as Canada is a major grain exporter. A grain embargo placed on a major customer nation is a critical threat. It has been said that wheat is 15 percent protein and 85 percent politics.

Canadian grain (wheat, barley, oilseeds, and pulse crops)8 is harvested in the fall. The average Canadian harvest is over 60 million tons. The farmers harvest the grain and then transport it to the storage elevators operated by UGG and its competitors. The primary grain elevators are located on railroad sidings in farming communities that enable the railroad to collect the grain in special hopper cars and transport it to the two main grain terminal ports at Thunder Bay on Lake Superior for shipments going east, and Vancouver for shipments going west. As a result of almost 100 years of railroad regulation and transportation subsidies,

TURNING THE ORGANIZATIONAL PYRAMID UPSIDE DOWN 109

Western Canada was dotted with smaller wooden grain elevators, most of which could accommodate only short trains. The business was inefficient. By the 1990s the grain business was in transition. Deregulation of the railroads and the removal of transportation subsidies provided the railroad companies with the incentive to eliminate uneconomic branch lines. This, in turn, required that the smaller wooden elevators that dotted Western Canada would have to be replaced by giant modern elevators able to accommodate 100 or more grain railcars. The railroads were driving cost inefficiencies out of the system. This imposed a massive increase in capital requirements on UGG (and its competitors) as it embarked on an infrastructure rebuilding program—replacing its multitude of old wooden elevators with large, high-throughput, concrete ones capable of loading the multiple carloads demanded by railroad rationalization—reducing grain handling costs per metric ton, but adding new fixed costs.

Adding to the financial pressure of investing in grain handling infrastructure replacement, working capital requirements were also increasing rapidly. During the 1990s, the western Canadian grain handling companies responded to the increasing demand for crop inputs (seed, fertilizer, herbicides, and pesticides) by aggressively investing in the farm retail business. Farm retail sales showed dramatic growth as biotechnology delivered new products and genetics that promised to increase and protect crop yields. This substantially increased the amount of retail credit extended to farm customers.

GOVERNANCE

The financial scandals of the mid-1990s, such as Barings Bank and Orange County, were just as troubling then as the recent decade’s risk management mistakes, misdeeds, and failures are to today’s regulators and investors. The financial culprit then was the emerging issue of financial derivatives rather than the residential mortgage-backed securities that wreaked havoc on the global financial markets in 2008–2009. The scandals of the 1990s had the effect of sensitizing legislators, regulators, and investor advocates to start asking organizations questions about how publicly traded companies manage the inherent risks of their business. From these concerns were born a number of guidelines and standards in many parts of the world that, in general, allocated accountability to directors, officers, and organizational management to effectively manage their risks. One example, corporate governance guidelines produced by the Toronto Stock Exchange (TSX), set out five general responsibilities of directors in Canada. In addition to strategic planning, succession planning, communication policy, and internal control/management systems, directors were given responsibility for “the identification of the principal risks of the corporation’s business and ensuring the implementation of appropriate systems to manage those risks.”9

For a company historically sensitized to managing substantial business risks, particularly grain price volatility,10 the TSX guidelines immediately struck a chord. The board of directors of UGG therefore mandated the chief executive officer to form a Risk Management Committee, establish a formal risk management policy, develop corporate-wide risk management processes, and report to the Audit Committee of the board of directors on a quarterly basis. The board of UGG created a platform for the adoption of ERM and a strategic approach to risk management.

UGG already had a solid platform on which to build its approach to ERM. Risk management was a process that was well ingrained at UGG, and had been since the 1970s. The organization had a risk management policy, applied risk management processes via inspections (identification and evaluation) as required under its corporate insurance programs, and had developed internal loss prevention programs (environment, safety, and loss control); but, unlike many other organizations at the time, UGG also applied a risk measurement metric to its risk management initiatives by tracking its “cost of risk” (net risk retention costs + risk transfer costs + risk-related administrative overhead = cost of risk).

Concurrently, UGG’s leadership team was wringing out as much cost from the system as possible. Between the capital requirements for the new elevators, a lengthy depressed operating environment, and reduced crop volumes, reducing cost throughout UGG was a critical objective. Risk management expenses were no exception.

Leadership

Tracing its roots back to 1906 as a farmer-owned cooperative,11 UGG was a mature organization entrenched in its own bureaucratic business model. There were numerous business units operating under the UGG umbrella but all reporting in a hierarchical command and control structure straight to headquarters. By the early 1990s, the company had become financially distressed—UGG was in breach of its bank covenants and losing cash. Under consideration in 1990 was the idea of exiting or selling certain noncore business units. An internal study of one business (farm supplies) produced a stark picture of not only that single business, but an entire organization, including operations, and its unresponsiveness to customer needs. The report was a candid assessment of the organization that equated the firm to a geriatric patient 85 years old in need of major care if it expected to survive. Written by the future CEO, the report projected that without dramatic change the fluid and dynamic forces taking place in the entire agribusiness sector, coupled with UGG’s weak balance sheet, would simply overwhelm the cooperative in a matter of a few years.

The financial imperatives critical to survival were fixing the weak balance sheet, recapitalization, and addressing bank covenants that had been breached. Access to cash and the capital markets was of paramount concern. One way to access the capital markets efficiently was to demutualize and become a publicly traded company. While it literally took an act of Parliament to demutualize, UGG went public in 1993.12

The UGG Annual Report in 1994 indicated the transformational shift in thinking by the new CEO that would set in motion a series of events that propelled the company to greatly improved operating and financial performance:

We have also taken definitive steps to organize our business so that the decisions which most affect customer service are made by the people who deal directly with customers. In the last year, we turned our organizational pyramid upside down. We can’t be prompt and effective in the era of market-driven agriculture if all the decisions that impact on customers are made by senior managers, sitting in Head Office, at the top of the organizational pyramid. In the country—in our core grain and inputs businesses—we’ve tipped the pyramid over. Our management team now provides support and planning services to the people who deal with customers, therefore enhancing services. This change was perhaps the most profound rethinking of our business approach in many years.13

Improved operational and financial performance would not have been possible without building an executive team of trusted partners who also embraced the need for change. Turning the pyramid upside down and allowing UGG staff interfacing with customers to respond quickly to their needs required a cultural shift—from the previously hierarchical management structure to one that delegated decision making and fostered personnel development. A new chief financial officer, with working experience in publicly traded companies, was appointed to help develop and implement the financial disciplines and tactics necessary to achieve the company’s business strategy.

Turning the pyramid over to improve customer service also required a completely new approach to management information technology (IT) systems.

Like the oil in an engine, lubricating support processes are needed for any business to operate smoothly. . . . UGG also eliminated its need for mainframe computing over the past year. While the Company incurred the double cost of carrying both our new “client-server” and mainframe for a good part of fiscal 1995, from fiscal 1996 forward we will realize material benefits from this shift. UGG won international recognition from the Smithsonian Institution for innovation in applying computing technology during 1995 for the successful completion of this project.14

Over the decade and a half following the decision to demutualize UGG, the transformation in management philosophy and the executive team’s implementation of strategic decisions proved successful in realizing the company’s objectives: The confidence of the board of directors was gained progressively and cumulatively and developed into an effective partnership with management; it was decision-making capital built up over time that created a culture of welcoming and listening to new and innovative ideas—ideas that could better serve UGG’s customers and other stakeholders.

Of course, no company has a straight line to success, and UGG was no exception. The ERM program was one example. Before risks can be managed and opportunities considered, they have to be identified. It is commonplace today, but, mindful of expenses and time constraints, the mandated (Toronto Stock Exchange, UGG Board, and CEO) risk identification process and subsequent risk rankings at UGG were accomplished in a single daylong meeting. The composition of this meeting exemplified the company’s departure from hierarchy: Participants were selected not by the seniority of their rank in the organization but rather for their knowledge and experience of the business; they ranged from frontline representatives to vice presidents, all given an equal opportunity and showing an equal propensity to contribute to the process. However, the road to ERM would take more than two years, which, once the company’s major risks were identified, included intense analysis, evaluation, and quantification of the company’s principal risks. There were headwinds along the way. The process was temporarily delayed by (1) a major flood in UGG’s home province and (2) a hostile takeover attempt by a combination of two competitors (which, after their failure to acquire UGG, merged to form Agricore Cooperative).

UGG did not embrace ERM as a risk management destination, but as (an important) part of a process that would support executive management’s risk-adjusted decision making. It evolved as a logical progression that had begun eight years earlier with the company’s strategic vision for its future and the development of a more inclusive management style.15

ERM/Integrated Risk Outcomes

The concept of developing an ERM process was new in the late 1990s. UGG started by identifying and assessing its principal risks. As indicated earlier, since the 1970s a substantial amount was already being done to control and measure the cost of property, casualty, liability, environment, safety, and loss control risks, in addition to potential (if unhedged) grain price exposure; the additional dimension was to apply the same systematic procedures to all the company’s major business risks.

The major risks were identified through the ERM exercise. Quantitative risk analysis confirmed (not unexpectedly) that weather had the greatest impact on UGG’s earnings, cash flow, and debt stability. Almost 100 years of data was available on the Canadian prairies’ crop production levels; this revealed that major droughts, such as occurred during the late 1920s and early 1930s, could reduce grain production and, consequently, UGG’s grain handling volume in the subsequent year by as much as 50 percent. Since this could pose a significant threat to UGG’s profitability, cash flow, and ability to control its debt level (and, therefore, investment plans), UGG’s senior finance, risk management, and treasury personnel began searching for a means to control this risk at reasonable cost.

Two different approaches to the problem were explored: Aware that financial derivatives might offer a solution, discussions were initiated with financial institutions; but none could be identified that were able to hedge the risk. UGG then began collaborating with its insurance broker, who conceived an insurance solution—a structure that incorporated the grain volume risk with all UGG’s traditionally insured risks (property, casualty, freight, liability, etc.) into an “integrated risk-financing program.” UGG was intrigued by this concept, particularly since a quantitative analysis suggested that such a program would cost no more than the discrete insurance policies that UGG was currently buying—without grain volume insurance. UGG’s executive management worked closely with the broker and market to address this never previously insured exposure. Swiss Re, largely because of its expertise, capacity, and triple A financial rating, provided UGG with a groundbreaking integrated risk-financing program that applied to the various event risks that had previously been addressed by monoline traditional insurance policies, and a parametric risk solution tied to the expected volume of grain passing through UGG’s grain handling pipeline.

The effect of this on UGG’s potential financial stability was dramatic; while it “protected” (put a floor under) grain handling earnings that represented approximately 50 percent of UGG’s total gross profits, it had an even greater proportionate effect on the company’s net profits and cash flow—providing, by stabilizing its debt structure, greater assurance of its ability to deliver on its strategic plan. The Economist pointed out that “for a large chunk of its own equity, it [UGG] substituted the imposing capital of the world’s largest reinsurer.”16

It is worth noting that while the financial media sometimes referred to UGG’s risk-financing program as ERM, this was a misnomer; it was in fact an integrated risk-financing program (combining multiple property and casualty risks with the grain volume coverage). It was UGG’s different approach to thinking about risk—considering both the upside as well as the downside from an enterprise perspective—that was the ERM in the company’s process.

ERM CREDIT FINANCING OUTCOMES

Given the high capital demands of grain handling infrastructure renewal, UGG was also concerned about its ability to finance the rapid growth in crop inputs retailing—specifically the burgeoning demand from farmer customers for extended credit. Within UGG, a division called Crop Production Services managed the retail sales and logistics of these products, which included the extension of UGG retail credit to farm customers. As the levels of working capital and associated risk in the credit program increased, UGG sought to bring it under more rigorous control by placing credit at arm’s length from the retail operation, and under the oversight of the corporate treasury.

A cultural shift gradually took place that ensured compliance with improved practices in credit extension, but growth continued to strain working capital. This was alleviated to some extent by renegotiating bank lines, and later by undertaking the first off-balance-sheet securitization of Canadian farm receivables, but then competition was driving retailers to use financing as a tool to promote sales—there was a competitive advantage in being able to provide credit terms that extended repayment until after harvest. Ideally, the solution was to retain some control over the credit product, and to have as much credit capacity as needed, at attractive terms, without putting a strain on the balance sheet.17

After lengthy exploration, this was finally accomplished by forming UGG Financial through a strategic alliance between UGG and Scotiabank. Essentially, UGG provided the customers, administration, and reporting while Scotiabank provided the capital. UGG shared an equal level of risk with the bank with a hard cap18 on the maximum limit. UGG received significant fees from Scotiabank based on the performance of the portfolio. The results were dramatic, effectively freeing up to $200 million in capital, extending customer credit terms up to 12 full months, streamlining application processes and providing greater levels of customer service, and expanding product lines to livestock producers. It was also instrumental in enabling acquisitions of independent retailers’ accounts and the merger of UGG with Agricore Cooperative to form AU in 2001. This arrangement forced competitors to engage in similar outsourcing credit arrangements, and it became the standard of the industry. When Saskatchewan Wheat Pool eventually acquired AU, the operation was extending $1.5 billion in credit to 20,000 customers and generating over $10 million in net profits annually.19

A third leg of UGG/AU’s activities was its Livestock Services division. Accounting for between 10 percent and 15 percent of the company’s business, its primary activity was the manufacture and sale of animal feedstuff, the largest segment being to hog farmers. Traditionally highly leveraged, hog farmers were vulnerable to cyclical fluctuations in hog prices. Learning from the statistical techniques employed in assessing UGG/AU’s other risks during the ERM process, collaboration between corporate and divisional management identified an opportunity to use these methods to acquire a competitive advantage in supporting feed sales to hog producers.

By analyzing the hog price cycle, it became evident that there was an opportunity for UGG/AU to provide hog price risk management to customers who contracted to purchase their feed from the company. Provided that the customers met strict performance criteria (such as weight gain, morbidity, etc.), the company would agree to support shortfalls in realized prices from a preestablished minimum until prices recovered sufficiently to recover the subventions, thus protecting the producers’ cash flow. Clearly there was always a risk that the historical pattern of the hog price cycle could prove an insufficient predictor of the severity or length of future price downturns; however, using statistical modeling techniques, it was possible to stress test the company’s exposure to credit risk to ensure that the capital at risk did not exceed preestablished levels based on UGG/AU’s required return targets (on the associated feed sales). In this way, the company was able to promote its feed sales to high-performing producers with the quantitative intelligence to provide a high degree of assurance that it would achieve its return targets without excessive risk, secure in the knowledge that if competitors provided more attractive terms under any similar program they risked eroding their financial (and, therefore, long-term competitive) positions.20

Apart from the obvious risk mitigation provided by the integrated risk-financing program, it could be argued that the broader ERM project further increased UGG’s ability to take on more risk; as it gained a more precise quantification of the risks it faced, not only as individual risks but in aggregate, this improved understanding of its overall risk profile reduced the need for “precautionary capital.”21

While by no means all of the risks that UGG/AU confronted could be quantified (and could only be managed procedurally or avoided altogether), the quantification of its major risks substantially enhanced the company’s ability to model its anticipated financial performance. While weather could have a dramatic impact on the volume of grain produced, it could also have a significant influence on the volume, timing, and variety of seed, fertilizer, herbicide, and pesticide sales by the Crop Production Services division (e.g., an unusually wet spring that delayed planting could shift sales from one quarter to another, change farmers’ planting intentions, and alter their fertilizer, herbicide, and pesticide requirements for the entire crop year).

Such variability could substantially affect UGG/AU’s quarterly and annual earnings, even if the impact was not as dramatic as a full-blown drought. UGG had developed a comprehensive financial model of its expected earnings, debt levels, and cash flow. Prior to developing the intelligence derived from the quantification of its major risks during the ERM process, the model had, however, been one that produced average (or normal weather condition) projections—good for long-term planning but of limited use in the short term, as it did not anticipate the consequences of seasonal and year-to-year variability. Given the quantitatively enhanced understanding of the potential range of earnings and cash flow derived from ERM, the company was able to model the complete range of its possible financial outcomes. While this did not significantly enhance its understanding of its expected long-term average results, it did provide a powerful analytical tool: It identified its requirements for contingent capital with more precision; it provided a much better tool for judging its performance against its plans in a set of potentially variable conditions—an infinitely flexible budget; and it improved its capacity to respond appropriately to changing conditions that had, or might have, adverse financial implications.

ERM was also able to bring a more consistent and disciplined treatment of risk exposures across the organization. UGG became better positioned to allocate appropriate resources to ensure that the risks within the different divisions and activities of the company were not over- or undermanaged relative to the corporation’s level of risk tolerance.22

AGRICORE UNITED

As the solutions to UGG’s top risks started to pay financial dividends and improve its balance sheet, the management team began to apply enterprise-wide thinking to other areas that had been identified and to factor this competitive strength into its growth strategies. One of these was a merger with Agricore Cooperative, a rival grain processor whose predecessor companies had, three years previously, attempted a hostile takeover of UGG.23

UGG’s integrated risk-financing program proved a valuable tool during the merger negotiations: The potential to expand the program to the enlarged company was perceived by Agricore Cooperative’s board of directors and members as a means of providing greater stability and security to the organization.

In practical terms, though, UGG Financial was a more powerfully persuasive factor in the merger: Lacking UGG’s access to the capital markets, Agricore Cooperative had become substantially overleveraged in the race to build high-throughput elevators and expand its crop inputs business in line with its competitors; consequently, the prospect of being able to roll up Agricore Cooperative’s receivables into UGG Financial was a very significant advantage for a combined company—removing, as it did, the need for some $300 million in financing from the combined company’s balance sheet (compared to the amount previously financed directly by Agricore Cooperative).24

HARVESTING VALUE

Every publicly traded company is for sale, and the price is visible to everyone in the form of the stock price. While AU would have preferred to stay independent, the company received a buyout offer from the Saskatchewan Wheat Pool (SWP) that, under Canadian law, could not be ignored even though the initial offer was considered by management to be woefully inadequate. The AU CEO and the board of directors, given their governance responsibilities, thought the offer could be substantially improved or even countered by another suitor—one prepared to put a more realistic value on AU. The CEO believed there were three possible options that could create additional stakeholder value:

1. AU could make its own offer to buy out SWP.

2. AU could seek a white knight to counter the SWP offer, effectively creating an auction that would produce the highest bid (i.e., provide the greatest possible increase in shareholder value).

3. Archer Daniels Midland (ADM) was a strategic partner and significant stakeholder in AU that had aided UGG in its defense of the hostile takeover attempt by Agricore Cooperative’s predecessor companies. ADM could be offered a proposal to increase its ownership position.

The CEO and the board of directors decided upon a strategy to pursue the first two options, which also offered the greatest flexibility to ADM.

As is usual in hostile takeovers, a team of advisers and investment bankers was hired by AU to analyze the company’s financial position and prospects and determine a fair value. At the same time, AU made a buyout offer to SWP that was rejected. After the evaluation was completed, it confirmed that AU was worth considerably more than the share-swap deal offered by SWP. The AU board of directors, which included representatives from ADM, rejected the buyout offer. One of the AU board members then made an overture to Richardson International, Canada’s next largest agribusiness, to determine its interest in acquiring AU. Richardson International offered a friendly all-cash offer higher than the offer from SWP. Not to be thwarted in its takeover attempt, SWP countered with a higher all-cash offer. This had the effect of creating an auction process where the price for the AU stock reached a level prompting ADM to make a strategic decision. ADM could increase its holdings in AU and assume control or could sell them at a substantial profit to shareholders, knowing that AU was going to be sold to either SWP or Richardson International. Finally, the highest bid was an all-cash offer from SWP.25

After the buyout was complete in 2007, SWP changed the name of the combined company to Viterra, Inc., and continued to operate until being acquired by Glencore International on January 1, 2013.26

CONCLUSION

Thomas Edison once quipped: “Vision without execution is hallucination.” Turning the organizational pyramid upside down initiated a transformation in the company—a process starting with the formulation of a strategic plan, then transforming the culture of the organization, and finally demanding execution of that plan. Without execution, innovative ideas tend to die on the vine. While one aspect of the organizational vision was intended to be operational—improving customer service—another (more subtle) effect was to transform the entire culture of the company. The cultural shift to a leadership that was aligned in their goals made for quicker and better-informed decision making. UGG and its successor company AU did not just become more responsive to the needs of customers; the new culture developed greater collaboration between senior and middle management teams, and delegated responsibility to them for their decisions. This collaborative but accountable environment allowed a number of innovative solutions to the company’s business challenges to be created: developing new (client-server) computing, early adoption of the ERM process, the subsequent groundbreaking risk-financing program, and the creation of UGG/AU Financial—not just industry firsts that spawned imitators but also initiatives that significantly added value to the corporation.

QUESTIONS

1. Why does a more participative management style (“tipping the pyramid over”) lead to greater responsiveness to customers’ needs, increased accountability, and more innovative solutions to challenges than a hierarchical “command and control” structure?

2. Under what circumstances might the hierarchical “command and control” structure produce superior results?

3. What particular factors do you believe led UGG/AU to be pioneers in ERM? Was it industry/company/history/circumstances? Was it a changed organizational “culture”? Was it good management?

ACKNOWLEDGMENTS

This chapter could not have been written without the extensive cooperation of the following:

Peter G.M. Cox, Former Chief Financial Officer, Agricore United
Brian Hayward, Former Chief Executive Officer, Agricore United
Michael McAndless, Former Chief Risk Officer, Agricore United
George Prosk, Former Treasurer, Agricore United

NOTES

1. “Whatever the Weather,” CFO, June 2000.
2. “Outsourcing Capital,” The Economist, November 1999.
3. “United Grain Growers Ltd. (A),” Harvard Business Publishing, August 2003.
4. United Grain Growers Ltd as of December 2, 1999, Yahoo! Finance stock chart.
5. The CWB was created in 1935—with antecedents going back to before World War I—as a mandatory producer marketing system for wheat and barley grown in Western Canada. It was illegal for farmers under CWB jurisdiction (anywhere in Western Canada) to sell their wheat and barley through any channel other than the CWB. The CWB became a voluntary marketing organization only in 2012.
6. Interview with Peter Cox.
7. Agricultural Futures Markets.
8. Pulse crops are peas, beans, and lentils.
9. In 1994 a committee sponsored by the TSX published a report (the Dey Report) containing corporate governance recommendations to TSX-listed companies. In 1995 the TSX adopted them as “best practice guidelines.” Although the guidelines were not mandatory, the TSX did require listed companies to disclose annually their approach to corporate governance and provide an explanation of any differences from the guidelines.
10. Virtually all grain purchases not matched by sales contracts, as well as sales contracts for which the company did not have purchased grain, were hedged using derivatives on long-established international grain exchanges, while very limited, unhedged positions had been closely managed and supervised for many years.
11. UGG was formed in 1917 by the merger of the Grain Growers’ Grain Company, founded in 1906, and the Alberta Farmers’ Co-operative Elevator Company of 1913.
12. The United Grain Growers Act was approved by the Canadian Parliament in 1992, allowing UGG to become a public company with both members (the former cooperative’s members) and public shareholders.
13. 1994 UGG Annual Report, Chief Executive’s Report, and interview with Brian Hayward.
14. 1995 UGG Annual Report, Chief Executive’s Report, and interview with Brian Hayward and Peter Cox.
15. Interview with Michael McAndless.
16. “Outsourcing Capital.”
17. Interviews with Peter Cox and George Prosk.
18. A “hard cap” means that there is a fixed upper limit on the amount of risk that UGG would absorb.
19. Interviews with George Prosk and Peter Cox.
20. Interview with Peter Cox.
21. Interviews with Peter Cox, Brian Hayward, and Michael McAndless.
22. Interviews with Peter Cox, Michael McAndless, and George Prosk.
23. Interview with Brian Hayward.
24. Interview with Peter Cox.
25. Interview with Brian Hayward.
26. Various announcements in financial media.

ABOUT THE CONTRIBUTOR

John Bugalla is Principal of ermINSIGHTS, an advisory and training firm specializing in enterprise risk management and strategic risk management. His experience includes 30 years in the risk management profession serving as Managing Director of Marsh & McLennan, Inc., Willis Group, Plc., and Aon Corporation before founding ermINSIGHTS. He led the Willis team that negotiated the integrated risk program on behalf of UGG. He is the author or coauthor of numerous articles in diverse publications such as The Corporate Board magazine, CFO magazine, the National Law Review, Credit Union Management magazine, Risk Management magazine, the Journal of Risk Management in Financial Institutions, and the Journal of Risk Education.


CHAPTER 8

Housing Association Case Study of ERM in a Changing Marketplace

JOHN HARGREAVES
Managing Director of Hargreaves Risk and Strategy

This case has two main aims. The first is to help develop an understanding of the importance of enterprise risk management (ERM) in a charitable context, and show that modern charities are often very active organizations that face significant risks. Second, the case aims to illustrate the need for a close relationship between risk assessment and strategy development, particularly in sectors where objectives are defined in social as well as in economic terms. This case features four real-life charitable housing associations in England and Wales, each with a different strategy and risk environment. Simple yet practical tools to assist in risk identification and prioritization are also presented.

BACKGROUND

The UK housing market is going through a difficult period. The number of households is expanding by 250,000 per year, but the rate of house building is only half of what it needs to be. There is a tradition of home ownership, but the banking sector has recently not been able (or willing?) to fund further growth, and home ownership has fallen to its lowest level for two decades. Young working people who would previously have taken out a mortgage and bought their houses are now turning to renting. There is an urgent need to provide ordinary working people with good quality homes; the private rental market provides homes of mainly low quality, and market rents are increasing to unaffordable levels.

About one-fifth of the United Kingdom’s housing is owned by housing associations, independent charities that until recently have specialized in so-called social housing (i.e., rental accommodation for the United Kingdom’s poorest people). The quality of this housing has been significantly improved over the past few years to meet the United Kingdom’s Decent Homes Standard.1 There are about 2,000 associations, of which 250 own more than 1,000 homes each. Currently, their tenants are mainly nominated by local authorities using prioritized waiting lists. Their rents are set at about 40 percent of market rent, and quite a high proportion of these rents are paid from welfare payments. However, £10 billion worth of welfare cuts are now being implemented, with a further £10 billion still in the pipeline. This, together with a stagnant economy, means that housing associations’ tenant communities are now under significant financial stress. In the past year the associations have built a total of about 40,000 houses, mostly for rental, largely using finance from the bond market, to the tune of over £3 billion.

The building of new social housing stock has historically been subsidized by government capital grants, but these have now been reduced both in number and in value, and a typical grant (with strings attached) now covers only about 15 percent of the building cost. Now only about 40 percent of the housing associations’ house building is utilizing the small grant subsidies available under the government’s Affordable Homes program, to be let at rents between 60 percent and 80 percent of market rent.

In recent years, housing associations have been expanding into new product areas, including:

• Building houses for sale

• Low-cost home ownership (the association owns part of a house, on which the tenant/owner pays a low rent, and the tenant/owner owns the rest, which is financed by a mortgage; the tenant/owner progressively buys his or her share from the association, and repays the mortgage, usually over a period of 25 years)

• Market renting

• Intermediate market renting, where rent levels are set somewhere between social and market rents, for key worker tenants such as nurses, teachers, and police officers

• Services for elderly people, such as old persons’ homes and visiting support services

• Nursing homes and student accommodations

• Providing services, such as building maintenance and servicing tenant repair requests, on a contract basis for other associations

SECTOR ISSUES

Each association has its own board, with a large degree of independence. The board members of most large associations are paid for their services, but in smaller associations their participation is voluntary. The sector is regulated by the Homes and Communities Agency (HCA), but only in respect of governance and viability, not the quality of service provided. Most associations cover small local areas, but increasingly associations are amalgamating to give them a regional, rather than local, coverage. The boards of housing associations now have to make difficult strategic decisions, and different associations are adopting contrasting strategies according to their individual circumstances and risk appetites. Their environment is now much riskier than previously, and all of the available strategies are riskier than the typical association is used to. The choice is broadly between four generic strategies:

1. To concentrate on continuing to provide good quality housing services to existing social housing tenants and their replacements, in a situation where local authority financing is being cut by up to 28 percent and support services are therefore likely to be cut. This policy helps those in need, reduces leverage, and conserves resources that could be used to support a more expansive policy in a better socioeconomic climate.

2. To invest in various social services on the borderline between the private and public sectors with the aim of increasing human or environmental well-being, and in particular regarding employment generation and support.

3. To expand in the affordable rent market, by using a mix of external capital and grants, and by cross-subsidy through progressively transferring existing social-rent housing onto a higher rent level.

4. In areas of high housing demand such as London, to develop high-volume housing for sale or at full market rent, and also to build houses where the tenants pay a rent sufficient to allow them to accumulate a financial interest in the property. An association, in employing this strategy, would typically have a culture similar to that of a commercial developer.

There are a number of issues currently causing concern in the sector; in particular:

• The government currently pays housing welfare benefits to landlords where the tenant qualifies to receive the benefit. This means that the risk of tenant rent arrears is much reduced. In the future, to encourage a culture of self-sufficiency, the government will pay benefits directly to tenants, and expect them to pay their own rents. Only if rent arrears reach a level of two months will the government resort to the payment of a tenant’s rent to the landlord.

• Benefit levels are being reduced, and more pressure is being put on recipients to find work.

There is an acute housing shortage in London and the South East of England, which the sector is struggling to meet. In the north of the country the housing market is weak, with some economists being of the opinion that many houses are overvalued. In the event that there is another depression or a reversion within the present one, or a sudden increase in interest rates, then there is a danger of a downward correction in house prices.

Some associations were set up several years ago to take over local authority houses, then in poor condition, and bring them up to the Decent Homes Standard using long-term bank financing specifically tied to this (low-risk) purpose. The Decent Homes Program was successful, with the required standard generally being attained by 2012. However, often the bank financing has covenants that prevent the association from borrowing more money to branch out into riskier activities without the need for refinancing their existing lending at higher interest rates, typically 1.5 percent greater than their existing finance. For these associations, known as large-scale voluntary transfers (LSVTs), a decision is needed as to whether they should stick with their knitting and limit their investment in new houses to what they can generate internally, or bite the bullet and pay the extra margin for new loans to fund an expansion.


In some respects the position of the sector is relatively stable, since the demand for its core product would be expected to increase in adverse economic times. However, the sector’s finances are finely balanced, with its borrowing subject to profitability and leverage covenants, so it may be vulnerable to sudden changes in economic conditions, and in particular:

• To an economic downturn if this were to be accompanied by a sudden fall in house prices, since there could then be losses on houses being built for market sale.

• To a sudden hike in interest rates, if this were not accompanied by an equivalent increase in inflation. About two-thirds of the sector’s borrowing is at fixed interest rates, thus reducing this risk. Also, the social housing rent levels of a typical association are tied to the United Kingdom’s consumer price index (CPI), so if the interest rate rise were accompanied by an increase in inflation, as has commonly been the case in the past, the risk would also be covered. However, there remains a chance that a sudden change in monetary policy could result in interest rate increases without an accompanying increase in inflation rates, possibly accompanied by a sudden fall in house prices.

CHARITABLE STATUS

Housing associations are registered as charitable organizations under the UK Charities Act of 2006, being set up to provide public benefit by relieving poverty, developing communities, and supporting people who are in need by reason of their age, ill health, financial hardship, or other disadvantage. Most of them make substantial surpluses, which they retain and use for their charitable purposes. As charities, they are exempt from paying UK corporation tax. Housing associations often also engage in noncharitable activities such as market renting or building houses for sale by setting up noncharitable subsidiaries, which then will gift any profits made to the parent charity, which then exempts the subsidiary from having to pay corporation tax. Public donations do not comprise a significant part of the sector’s cash flow.

Sector Risks

The housing association sector is regulated by the Homes and Communities Agency (HCA). The HCA has extensive powers to intervene if it believes an association is being poorly governed or its viability is threatened. Most associations are highly leveraged, and the presence of an efficient regulatory activity is viewed by the financial sector as extremely important in supporting its lending. To date, the regulatory system has been unbelievably successful—while a number of associations have gotten into difficulties over the past 25 years, in no case has a financial institution made lending losses, and there has been only one case of serious default. The regulator adopts a co-regulatory approach, which “gives providers full responsibility for managing their own businesses, including their own risks. The role of the regulator is to seek assurance on how those risks are being managed.”2


The regulator’s view of the financial risks facing the sector is that:

The model of social housing that has existed for approximately 25 years is changing. Boards of providers more than ever need to be aware of the risks and choices they face in order to meet their objectives. They also need to understand the interaction between the various risks and their overall “portfolio” impact. An approach to risk that considers issues in isolation is unlikely to be effective in the current operating environment. . . . The risks can be summarized as:

• Asset-related risks, including risks associated with:
  - Development
  - Diversification into other activities
  - Exposure to the housing market
  - Maintaining existing stock

• Liability-related risks, including risks associated with:
  - Existing debt (gearing, loan covenant, and repricing issues)
  - Mark-to-market exposure
  - IFRS
  - New forms of debt

• Income-related risks, including risks associated with:
  - Affordable rent
  - Welfare reform
  - Supporting people

• Cost-related risks, including risks associated with:
  - Pension issues
  - Differential inflation rates

The relative importance of each of these risks and their interaction with each other will depend on the precise business models and stock holding patterns of individual providers.

SOME USEFUL METHODOLOGY

The following are some notes on two risk techniques that have been found to be useful in the sector.

Risk Appetite Determination

The sector has had a number of cases where associations have taken on rather more risk than their risk capacity allowed. As part of the process of establishing the context for risk management in the sector, answering the following questions has been found to be helpful:

Q1: How much risk do we think we are taking (risk perception)?

Q2: How much risk are we actually taking (risk exposure)?

What evidence have we got that the assessment is correct? If there are gaps, biases, or incorrect assessments in the risk map, our perception will be incorrect.

Q3: How much risk do we usually like to take (risk propensity/culture)? If this is less than Q1, then we will feel uncomfortable.


Exhibit 8.1 Sample Probability Scale

Probability Score | Description | Range
5 | Very high | More than 90%
4 | High | 31% to 90%
3 | Medium | 11% to 30%
2 | Low | 3% to 10%
1 | Very low | Less than 3%

Q4: How much risk could we safely take (risk capacity)? This should be bigger than Q1, Q2, and Q3. It mainly depends on financial strength and covenants, but also a view of response speeds should things start to go wrong.

Q5: How much risk do we think we should be taking (risk attitude)? We may feel we should be doing things but we don’t currently have the capacity to do them.

Q6: How much risk do we actually want to take (risk appetite)? This is perhaps a compromise!

Q7: How do we set controls and limits across products and parts of the business, so that we can be confident that our total risk appetite is not exceeded (risk limits)?

Risk Assessment Methodology

There are technical difficulties in assessing the risks in housing associations, largely concerned with their mix of financial and social objectives. A successful approach to risk assessment for the sector has been developed, as described in Chapter 13 of Fraser and Simkins (2010) and summarized in Exhibits 8.1 and 8.2.

It is difficult to assess a risk that has several types of impact, but the task is considerably simplified if you use a clear set of criteria3 such as those given in Exhibit 8.2.

When using the scale in Exhibit 8.2 to assess a risk, one should decide which is the highest type of impact and make the assessment based on the assessed level of this type of impact. Thus if a risk has mainly staff impact, and many staff are significantly affected, then the risk would be recorded as impact score 4. Similarly, if another risk would result in major reputational damage, the score would be 4. However, if a risk has two or more types of impact at the same level, then the score would be one degree higher (i.e., a score of 5 in the example).
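As an added example (not code from the book or from any of the associations), the Python below applies the Exhibit 8.1 probability bands, the Exhibit 8.2 financial-impact bands and the "highest impact type, one degree higher when two or more types tie" rule just described to a constructed risk register. The rounding that closes the small gaps between the book's bands, the cap at 5, the Risk record layout, the sample entries and the ranking order are assumptions.

```python
"""Risk scoring with the probability and impact scales of Exhibits 8.1 and 8.2.

Added example, not code from the book. Band thresholds come from the
exhibits; everything else (the Risk record, the rounding used to close the
small gaps between bands, the cap at 5, the sample register) is assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def probability_score(likelihood_pct: float) -> int:
    """Exhibit 8.1: map an estimated likelihood (0-100 %) to a 1-5 score.

    The book's bands leave gaps (e.g. 10 % to 11 %); rounding to a whole
    percent first makes them contiguous (assumption).
    """
    if not 0 <= likelihood_pct <= 100:
        raise ValueError(f"likelihood must be a percentage, got {likelihood_pct}")
    pct = round(likelihood_pct)
    if pct > 90:
        return 5          # very high: more than 90 %
    if pct >= 31:
        return 4          # high: 31 % to 90 %
    if pct >= 11:
        return 3          # medium: 11 % to 30 %
    if pct >= 3:
        return 2          # low: 3 % to 10 %
    return 1              # very low: less than 3 %


def financial_impact_score(loss_pct_of_turnover: float) -> int:
    """Exhibit 8.2, financial column: loss as % of annual turnover -> 1-5.

    Rounded to one decimal so the bands (0.3-1 %, 1.1-3 %, ...) are
    contiguous (assumption, as above).
    """
    if loss_pct_of_turnover < 0:
        raise ValueError("loss cannot be negative")
    pct = round(loss_pct_of_turnover, 1)
    if pct > 10:
        return 5          # very high: above 10 %
    if pct >= 3.1:
        return 4          # high: 3.1 % to 10 %
    if pct >= 1.1:
        return 3          # medium: 1.1 % to 3 %
    if pct >= 0.3:
        return 2          # low: 0.3 % to 1 %
    return 1              # very low: less than 0.3 %


def combined_impact_score(scores: Dict[str, int]) -> int:
    """Apply the chapter's rule for a risk with several impact types.

    Take the highest impact type; if two or more types sit at that same
    highest level, record one degree higher. The book's example goes from
    4 to 5; capping an already-maximal 5 at 5 is an assumption.
    """
    if not scores:
        raise ValueError("at least one impact type must be assessed")
    for kind, value in scores.items():
        if value not in range(1, 6):
            raise ValueError(f"{kind}: impact scores run from 1 to 5, got {value}")
    top = max(scores.values())
    at_top = sum(1 for v in scores.values() if v == top)
    return min(5, top + 1) if at_top >= 2 else top


@dataclass
class Risk:
    """One line of a risk register (constructed record layout)."""
    name: str
    likelihood_pct: float
    financial_loss_pct: Optional[float] = None               # % of turnover, if any
    qualitative: Dict[str, int] = field(default_factory=dict)  # other columns, 1-5

    def scores(self) -> Tuple[int, int]:
        """Return (probability score, combined impact score)."""
        impacts = dict(self.qualitative)
        if self.financial_loss_pct is not None:
            impacts["financial"] = financial_impact_score(self.financial_loss_pct)
        return probability_score(self.likelihood_pct), combined_impact_score(impacts)


def rank_register(register: List[Risk]) -> List[Tuple[str, int, int]]:
    """Order risks by impact, then probability, highest first (assumed key)."""
    rows = [(r.name, *r.scores()) for r in register]
    return sorted(rows, key=lambda row: (row[2], row[1]), reverse=True)


# Constructed sample register loosely modelled on the sector issues discussed
# in the chapter; the numbers are illustrative, not from the book.
SAMPLE_REGISTER = [
    Risk("Welfare reform raises rent arrears", 60, financial_loss_pct=2.5,
         qualitative={"customers_staff": 4, "reputational": 3}),
    Risk("House-price fall on homes built for sale", 20, financial_loss_pct=4.0,
         qualitative={"strategic": 4}),
    Risk("Loan covenant breach after rate rise", 8, financial_loss_pct=12.0,
         qualitative={"legal_regulatory": 4}),
    Risk("Minor repairs backlog", 95, financial_loss_pct=0.2,
         qualitative={"customers_staff": 2}),
]

if __name__ == "__main__":
    for name, p, i in rank_register(SAMPLE_REGISTER):
        print(f"P={p} I={i}  {name}")
```

The second sample entry shows the tie rule at work: a strategic score of 4 and a financial loss of 4% of turnover (also 4) combine to an impact of 5, which is why it ranks above a single 5 with lower probability only after the impact tie is broken by probability.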

Exhibit 8.2 Sample Impact Scale

Impact Score | Description | Strategic | Financial (% of Turnover) | Customers and Staff | Reputational | Legal/Regulatory
5 | Very high | Major impact on direction of business | Above 10% | | | Compulsory transfer of assets
4 | High | Major impact on important business objective | 3.1% to 10% | Significant impact on many customers or staff | Major adverse publicity and external interest with damage to reputation and/or long-term impact | Prosecution/regulatory supervision; significant resource to rectify
3 | Medium | Noticeable impact but business still on course | 1.1% to 3% | Noticeable impact | Longer-term adverse publicity, locally contained | Loss of regulatory approval
2 | Low | Minor importance | 0.3% to 1% | Minor or short-term problems | Short-term local adverse publicity | More serious breach but no long-term implications
1 | Very low | | Less than 0.3% | Impact both minor and short-term | No adverse publicity | Minor breach of legal/regulatory requirements

FOUR ASSOCIATIONS

The case considers the strategy choice, risk analysis, and risk appetite of four associations:

1. Large London association (London & Quadrant, 70,000 housing units)

This is one of the largest associations with a very strong financial position. It is following an aggressive development policy with a mix of intermediate rent, market rent, and houses for sale in order to meet the expanding housing needs of London and the prosperous South East. It has invented a number of innovative financial instruments and renting regimes to make this high rate of expansion possible.

2. Medium-sized South Wales association (RCT Homes Limited, 10,000 housing units)

Based in the Welsh valleys to the north of Cardiff, an area of acute depression, this association has set up a number of social enterprise subsidiaries to help provide employment in the area. The association is also participating in a risky joint venture hoping to build 1,000 units mainly in the northern hinterland of Cardiff, the prosperous Welsh capital.

3. Specialist association (Ability Housing Association, 550 housing units)

This association provides housing and support services to disabled people living in the South of England. It works in partnership with other agencies to help deliver flexible and tailored housing and support for people who want to live more independently. Its housing stock comprises mostly either wheelchair-standard housing or supported housing for people who need additional care or support.

4. Medium-sized association in the prosperous corridor to the west of London (GreenSquare Group, 11,000 housing units)

The GreenSquare Group was originally formed in 2008 from two associations (Westlea Housing Association and Oxford Citizens Housing Association). Another Oxford-based association, Oxbode, joined the Group in November 2012. The Group has achieved an improvement in administrative efficiency and the development of product expertise, with a mixed portfolio of housing product lines and support activities.

ASSOCIATION A: LONDON & QUADRANT

Quadrant Housing Association was set up in 1963 by a group of young professionals who found out about the plight of the homeless in London, bought a house, and converted it into three flats. Initially the association operated from a church crypt, but by 1972 it had its own office and a portfolio of 1,300 homes. In 1973 it merged with the London Housing Trust, which had been set up in 1967, and by 1979 London & Quadrant (L&Q) had 6,000 homes. Quadrant Housing Finance was set up as a subsidiary of L&Q in 1997 to raise funds in the capital markets, and the expansion continued. L&Q now owns and manages about 70,000 homes in London and the South East and employs 1,200 staff.

Mission Statement

Our mission is: Creating places where people want to live. For us that means two things:

1. Maximising resident satisfaction with our homes, services, and neighbourhoods.

2. Responsible growth through new, sustainable investment models and new housing options that increase choice and mobility.


Both of these are vital to our continued success as the leading provider of affordable homes and services in London and the South East.4

Perceived Risks The Board considers the following risks the most likely to affect future performance and our ability to achieve our five-year plan:

• Welfare reform: L&Q has allocated time and resources to understand the longer-term risk of welfare reform. We are working with local authorities to identify residents who will be affected and contacting them to ensure they are aware and prepared. Our focus has now turned to managing the transition. This includes targeting higher risk accounts, the recruitment of additional staff to deal with increased debt, and the creation of a financial inclusion team to support residents.

• Land cost inflation: We have embarked on a progressive development strategy to give us the flexibility to adapt in a fluid marketplace. Returns from private sale and rent portfolios reduce the impact of increased land costs on our affordable housing pipeline. L&Q has adopted a shared risk approach, where appropriate, through joint ventures to counter the impact of land cost inflation.

• Sales/mortgage availability: We adopt a bespoke marketing and sales strategy for each new development and undertake scenario modelling based on revenue and cost fluctuation. We work with mortgage lenders to ensure potential customers have access to advice on how much they can borrow and the range of products available. We also undertake market research to ensure the products offered meet market requirements.

• Withdrawal of capital grant funding beyond 2015: We have developed a sustainable cross-subsidy model for new homes, supported by our annual surplus. Our development strategy assumes no additional capital grant.

• Health and safety: A dedicated health and safety team supports all of L&Q activities. . . . The Group Board receives an annual report on progress against our health and safety strategy.

• Business continuity: We have effective IT and logistical back-up arrangements in place to ensure business continuity following a major event such as a fire. In particular L&Q has a disaster recovery data centre. This provides real time data replication along with capabilities for hosting our telephony and email in the event of a major incident.

• Protection of charitable assets: Our financial strategy includes sensitivity analysis and performance indicators. These demonstrate that non-charitable activities do not place our charitable assets at risk. All non-charitable projects require Board approval and include exit plans. L&Q will respond to regulatory thinking and requirements as they develop.

• Rent control: L&Q is working with Shelter on its Stable Rental Contract. This involves market rent increases pegged at a percentage over CPI or RPI (Retail Price Index) combined with longer-term (probably five year) tenancies. In the worst scenario, current exposure to market rent is limited as a proportion of total housing stock. A greater risk relates to further rent control for existing social rented homes. Any adverse change would be met with a reduction in our development appetite.

• Property prices: Savills predicts zero percentage growth in London during 2013 but over 25 percent growth over the next four years. L&Q’s financial strategy tests a worst case scenario twice yearly and concludes that a 25 percent reduction in house prices will not have a material effect on our covenants. Whilst property prices have fallen by more than 25 percent once over the last 30 years, and taken nearly a decade to recover, L&Q is a long-term property investor and able to withstand such events. We are able to delay construction and move completed homes into alternative tenures rather than sell at a loss. Finally we may also see a fall in land prices as an opportunity to invest for the future.

• Impact of austerity/welfare reform on resident satisfaction: Welfare reform combined with continued austerity measures could have an adverse impact on the outlook of residents and their general satisfaction. Resident satisfaction is a top priority for L&Q. We have put in place a service improvement plan that will deliver sustainable improvements through investment in our social mission, our culture, systems and process change.

The summarized financial statements of London & Quadrant for the previous five years are presented in Exhibit 8.3.

Choices Made in 2012/2013

To help relieve London’s housing shortage, the size of the L&Q development program has been increased in the past year from £1.25 billion to £2 billion, and there are now 12,000 homes in the program, of which £250 million is for 1,000 homes for rent at market rates. This represents a quickly accelerating growth rate—in 2012/2013 L&Q completed 1,444 new homes, 952 of which were for social rent, 25 were for affordable rent, 222 were low-cost home ownership homes, 201 were for market sale, 10 were for private rent, and 34 were for intermediate rent. L&Q’s in-house contractor, Quadrant Construction Services, handled over 231 of these homes, with a further 465 in progress at year-end.

In 2011 L&Q committed £100 million to the newly launched L&Q Foundation to tackle the disadvantaged by supporting projects that help people access training and employment, give opportunities to young people, provide guidance and support with managing finances, and build stronger communities.

In 2012/2013, over 4,000 people benefited from activities supported by the Foundation; £10 million was spent as follows:

• £5.6 million on community activities
• £1.9 million on giving residents financial advice and supporting Citizens Advice Bureau and Credit Unions
• £1.4 million on schemes to increase resident employability
• £1.1 million on youth schemes

Exhibit 8.3 Financial Performance of London & Quadrant

Panel A: Income and Expenditure Account

(£ million)                          2013   2012   2011   2010   2009
Turnover                              457    368    327    330    306
Operating costs and cost of sales   (238)  (243)  (240)  (276)  (224)
Operating surplus                     181    144     89     87     66
Net interest charge                  (70)   (65)   (62)   (43)   (41)
Surplus on disposal of assets          11     16     17     17     12
Taxation                              (4)      —      —      —      —
Surplus for the year after tax        118     95     44     61     37

Panel B: Balance Sheet

(£ million)                                    2013     2012     2011     2010     2009
Housing properties at cost less depreciation  4,787    4,618    4,411    4,247    4,023
Social housing and other grants              (2,625)  (2,564)  (2,515)  (2,336)  (2,215)
Subtotals                                     2,162    2,054    1,896    1,911    1,808
Other tangible fixed assets and investments     144       51       55       53       28
Net current assets                              395      340      457      355      196
Total                                         2,701    2,445    2,408    2,319    2,032
Loans due after one year                      1,877    1,749    1,779    1,880    1,667
Other long-term liabilities                     249      216      186       28       12
Cash flow hedge reserve                        (93)     (77)     (24)     (28)     (42)
Revenue reserve                                 668      557      467      439      395
Total                                         2,701    2,445    2,408    2,319    2,032

Panel C: Cash Flow Statement

(£ million)                                         2013     2012
Net cash inflow from operating activities          141.3    123.3
Interest paid/received                            (93.1)   (83.1)
Capital expenditure:
  House construction and purchase                (146.5)  (177.2)
  Capital reinvestment in existing stock          (49.9)   (70.2)
  Capital grants received                           57.4     65.2
  Purchase of other assets                        (95.8)    (1.3)
  Sale of fixed assets                              26.5     36.1
  Subtotal                                       (208.3)  (147.4)
Cash outflow before financing                    (160.1)  (107.2)
Cash withdrawn from term deposits                   56.9     26.2
Financing:
  Loans received                                   250.0        —
  Loans repaid                                   (135.5)    (3.4)
Increase/(decrease) in cash and cash equivalents    11.3   (84.4)

Panel D: Financial Ratios and Statistics

                                               2013    2012    2011    2010    2009
Operating margin on social housing lettings     46%     46%     34%     37%     31%
Operating margin—all activities                 40%     39%     27%     26%     22%
Interest cover—excl asset sales & disposals    212%    211%    142%    202%    161%
Interest cover—incl asset sales & disposals    277%    244%    170%    242%    190%
Net gearing                                     56%     53%     51%     53%     56%
Operating cost per unit managed (£)           2,900   2,700   3,200   3,100   3,300
Net debt per unit managed (£)                25,400  23,700  22,600  23,400  22,700
Homes managed (000’s)                          70.1    68.6    67.1    62.1    60.6
Estimated open market value of homes (£ bn)    12.0    10.8    10.3     9.4     8.5

Panel E: Product Profitability 2013

(£ million)                          Turnover   Operating surplus
Social housing:
  General needs                         274.7               131.9
  Supported housing                      22.5                 5.9
  Intermediate market rent               16.2                 8.0
  Low-cost home ownership                49.7                19.6
  Affordable rent                         4.4               (0.3)
  Other social housing activities         7.1               (4.8)
  Community investment                    0.2               (9.8)
  Subtotal                              374.8               150.5
Other:
  Outright sales                         76.4                27.2
  Market rent                             2.6                 1.4
  Student accommodation                   2.5                 1.0
  Commercial                              0.5                 0.5
Total                                   456.8               180.6
Disposal of fixed assets                                     11.5
Interest payable/receivable                                (69.3)
Other                                                       (0.3)
Tax                                                         (4.4)
Surplus for year after tax                                  118.1

ASSOCIATION B: RCT HOMES

RCT Homes Limited is the largest social landlord in Wales and winner of Business in the Community’s Welsh Company of the Year 2012 Award. RCT is based in Pontypridd, in the Welsh county borough of Rhondda Cynon Taf, situated at the confluence of the Rhondda and Cynon Taff valleys. The town is famous for its old bridge, which, when it was constructed in 1756, had the longest single-span stone arch in the world. The coal mines that formerly were the basis of the area’s economy were closed in the 1980s, and it has been difficult to attract new industry. In Rhondda Cynon Taf, the unemployment rate and the proportion of people of working age claiming benefits remain about 50 percent greater than in other parts of the United Kingdom.

RCT Homes was set up in 2007 to take over the ownership and management of more than 10,000 homes in the borough, which had been allowed to get into bad condition. In particular, over 30 percent of them did not meet the Welsh Housing Quality Standard, which the Welsh government said should be satisfied by the end of 2012. The performance of some services that tenants had been receiving was also well below the standard they had a right to expect.

RCT is a community mutual organization with nearly 5,000 members and a board comprising 15 people: five tenants, five members nominated by the Rhondda Cynon Taff Council, and five independent members. Board members are not paid. RCT now employs more than 500 staff and has four unregistered subsidiary companies—Meadow Prospect, Grow Enterprise Wales (GrEW), Homeforce, and Porthcwlis.

At transfer, funding was agreed from the government and from Lloyds Bank to pay for the required works, and 86 performance promises were made to tenants. Eighty promises, including achievement of the Welsh Housing Quality Standard, were signed off as delivered by the RCT Homes Members’ Forum and the local authority ahead of schedule in December 2012, and RCT has written to every household to inform tenants and invite challenge.

The RCT Subsidiaries5

RCT has a strong wider social agenda—encompassing financial, social, and digital inclusion and employment and addressing health inequalities—aimed at building individual and community capacity to improve tenancy and neighborhood sustainability. Some of these aims are planned to be realized through the four RCT subsidiaries.

RCT Homes has major pipeline proposals for development of new homes via its new development subsidiary, Porthcwlis, working with the Cardiff developer, Bellerophon. The proposals are at an early stage of development, and no homes have yet been completed. A new financing and delivery vehicle has been produced, which has secured £1 billion of private sector finance and which, it is hoped, will enable the public sector, housing associations, and private developers to come together to build many affordable homes without the need for capital grant funding from the Welsh government. An initial development of four homes, the first of a pilot for 30 homes at Cwmbach in the Cynon Valley, is now in progress.

Meadow Prospect, RCT’s regeneration charity, delivers community-enhancing regeneration projects by working with partner organizations. These support three core objectives:

1. Community capacity building projects, including youth work and supported employment programs

2. Community-based renewable energy projects

3. Social enterprise development

Grow Enterprise Wales (GrEW) is an award-winning social enterprise subsidiary of Meadow Prospect that aims to move local people closer to the workplace by offering work experience and basic life skills training.

Homeforce was set up in 2010 as a subsidiary to carry out annual gas safety checks, which are mandatory under current safety legislation, and gas-based responsive repairs. RCT Homes Group Board agreed in 2012 that Homeforce would expand to become the sole contractor for boiler and heating installations and would undertake half of the electrical improvement works program. Homeforce also became the appointed contractor for the completion of the power flushing program, which forms part of the long-term maintenance program of the current stock in RCT Homes’ properties.

The Sheltered Housing Remodelling Programme, being achieved within the parent company, is a major program for the remodeling of RCT’s sheltered housing accommodation for the elderly. This continued in 2012/2013 with the commencement of works in seven schemes. In 2012/2013, £9.2 million was spent, with a total of £12.4 million having been spent since transfer on improving sheltered accommodation. A further two schemes are planned to commence in 2013/2014.

Perceived Risks

The quotations that follow are from the RCT Homes 2012/2013 Group financial statements:

During 2012 the group risk map was developed to ensure it has a greater strategic focus. It identifies the following risks and challenges to the Group:

• Welfare Reform—As previously stated the changes proposed to welfare benefits will significantly change the UK housing sector and will place increased financial pressure on tenants and subsequently us. Direct payments to tenants increase the risk of our bad debt provision increasing and we will need to find innovative ways to keep cash collection rates at an acceptable level.

• Rent Restructure—The consultation document issued by Welsh Government in 2011 indicated that our rent envelope is lower than the current average rents charged across the borough, resulting in lower rent increases than those currently included in the business plan. The implementation of the new regime has been delayed until April 2014. This risk coupled with Welfare Reform has the potential to have a major impact on the rental income of the Group.

• Sheltered Remodelling Programme—As the project continues we need to ensure specifications are clear and build costs remain within budget. We need to ensure the preferred models are future proofed and fit for purpose whilst at the same time ensuring value for money. Active financial management, planning, and tenant input will be key to the success of this project.

• Impact on New Build to the Group—We currently have permission to pilot 200 properties through the framework operated by Porthcwlis. Any further increase in volumes will need consent from our funders.

• Expansion of Homeforce—As Homeforce expands into new work streams and begins to operate outside of the Group, we need to ensure growth is manageable in terms of resources and working capital. Asset investment will need to be closely managed to ensure cash does not become over committed and profitability on contracts is maintained.

• Long-Term Financial Viability of GrEW—Work is in progress to reduce costs within GrEW and expand its customer base to make the business more financially secure. During this time Meadow Prospect will continue to support its subsidiary.

The summarized financial statements of RCT Homes for the previous five years are presented in Exhibit 8.4.

Exhibit 8.4 Financial Performance of RCT Homes

Panel A: Income and Expenditure Account

(£ million)                            2013    2012    2011    2010    2009
Turnover                               45.9    44.6    43.6    40.0    36.6
Operating costs                      (33.0)  (38.5)  (29.6)  (28.0)  (27.1)
Operating surplus                      12.9     6.1    14.0    12.0     9.5
Net interest charge                   (1.4)   (0.5)   (0.0)   (0.5)     0.3
Surplus on disposal of assets           0.5     0.4     0.5     0.5     1.8
Actuarial (loss) on pension scheme    (0.1)   (3.8)   (4.0)   (1.3)   (6.2)
Surplus for the year after tax         11.9     2.2    10.4    10.7     5.4

Panel B: Balance Sheet

(£ million)                                              2013    2012    2011    2010    2009
Housing properties at cost less depreciation and grant   96.6    75.1    46.4    27.7    11.8
Other tangible fixed assets and investments               1.3     1.6     1.9     2.3     2.5
Net current assets/(liabilities)                        (0.8)   (1.8)     1.6  (10.6)   (7.6)
Total                                                    97.1    74.9    49.9    19.4     6.7
Loans due after one year                               (47.0)  (37.0)  (18.0)   (5.0)   (3.0)
Other long-term liabilities (pensions)                  (7.2)   (6.8)   (3.1)     0.0     0.0
Net assets                                               42.9    31.1    28.8    14.4     3.7

Panel C: Cash Flow Statement

(£ million)                                   2013    2012
Net cash inflow from operating activities     16.3     9.9
Interest paid/received                       (1.5)   (1.0)
Capital expenditure:
  Improvement works on properties           (27.0)  (33.1)
  Social housing and other grants              1.6     3.7
  Purchase of other assets                   (0.3)   (0.3)
  Sale of fixed assets                         0.5     0.5
  Subtotal                                  (25.2)  (29.2)
Cash outflow before financing               (10.4)  (20.2)
Loans advances received                       10.0    19.0
(Decrease) in cash and cash equivalents      (0.4)   (1.2)

RCT Homes entered into a value-added tax (VAT)6 shelter coincident with the date of transfer of the housing stock, to carry out an agreed schedule of refurbishment works to the properties. The value of these works was £359 million. The cost to the borough council of contracting for these works to be undertaken was offset against an equal increase in the purchase price of the stock paid to the borough council by RCT Homes. This transaction is not reflected in the financial statements in accordance with Financial Reporting Council (FRS) 5,7 reporting the substance of transactions over the legal form. The works contracted are to be carried out over an envisaged 15-year period and are being recognized as they are undertaken, in accordance with the accounting policy for major, cyclical, and responsive repairs. In the event RCT Homes does not complete the work specified, the development agreement may be terminated at no financial loss to RCT Homes.

At April 2013, it was envisaged that there will be a further £136 million of expenditure under the remaining nine years of the VAT shelter.

ASSOCIATION C: ABILITY HOUSING ASSOCIATION

Ability Housing Association is a specialist association that provides housing and support services to disabled people living in the South of England. It works in partnership with local authority housing, social services, and Supporting People teams, the Homes and Communities Agency, and mainstream housing associations to help deliver flexible and tailored housing and support for people who want to live more independently. The Ability Housing Association operates in London, Essex, Oxfordshire, Berkshire, Hampshire, Surrey, Dorset, and West Sussex. Its housing stock comprises mostly either wheelchair-standard housing or supported housing for people who need additional care or support.

The association was set up in 1999 when the Cheshire Foundation Housing Association changed its name and relaunched as Ability. At this point it had 285 homes under management, employed 47 staff, and had a turnover of £1.86 million. In 2003 the national Supporting People program began, and Ability entered into Supporting People contracts with 18 local authorities. In 2004 Ability set up its first mental health support services, in the London borough of Merton, and in 2004 Ability was rated as the second most efficient registered social landlord (RSL) in England. In 2007 it was selected to provide mental health support services in Surrey and new supported housing in Swindon. Over the next 10 years it grew steadily, and in 2009 the REAP resettlement agency transferred its activities to Ability. By 2012 Ability had over 550 homes under management, and had a turnover of £8.8 million. In 2012, for the second year running, Ability was recognized as one of the Sunday Times’ 100 Best Not-for-Profit Organisations to Work For.

In its corporate plan Ability states its values as follows:

Our pursuit of our visions is underpinned by the following values which permeate the whole organisation:

We focus on ability not disability

– We focus on what each person can do—on their ability—rather than what they can’t do. We work together with our customers to help them overcome barriers to their own personal independent living goals.

We engage actively for feedback

– We engage actively with our customers, colleagues, and partners to seek feedback that helps us to understand how we can improve what we do and how we do it.

We value difference

– We respect and value the individuality of each person; we believe that differences are strengths and that diversity enriches our lives and communities.

We demonstrate integrity

– We encourage a culture of openness, honesty, and personal accountability; we respond to a challenge by asking ourselves what we can do to help and always deliver on our promises.

Ability provides the following services:

Housing with Support, to promote independent living, for example:

• Assistance with learning independent living skills
• Advice and assistance with claiming welfare benefits and housing benefit
• Advice and assistance with budgeting and managing bills
• Advice on aids and adaptations
• Assistance with reporting repairs and managing tenancies
• General counseling and support with day-to-day living
• Assistance with arranging personal care and contacting other agencies involved in care and welfare

Most of the Housing with Support is provided in self-contained flats or bungalows, although some of it is in shared housing or studio apartments with some shared facilities.

Floating Support, similar support to that just described but provided without housing. This service helps people with physical disabilities, learning disabilities, or mental health–related support needs to manage their homes.

The Accessahome database, to enable disabled people, housing associations, and local authorities to make better decisions about housing. Accessahome records details about accessible features of properties—for example, if a property has been purpose-built to a wheelchair standard, lifetime homes standard, or mobility standard, or it has been specially adapted for a disabled person, for example, with a stair lift, level-access shower, or adapted kitchen. The database offers a matching service for both landlords and applicants and support information for disabled people, so that a landlord with an accessible or adapted property that is available for letting can search the database for applicants whose needs match the features of the property.

Perceived Risks

Extracts from the 2012 Annual Report:

The removal of the Supporting People “ring-fence,”8 coupled with extreme funding cuts faced by local authorities, has cast doubt on the future of many supported housing and social care services. At Ability we place faith in maintaining the quality and value for money of services and being able to demonstrate positive outcomes for customers and commissioners.

We are pleased therefore to have been able to agree with local authorities in London Borough of Hillingdon and West Sussex extensions to some of our most valuable services. Sadly this has not always been the way and, following a competitive tendering exercise, some of our floating support services in Slough have been transferred to another provider. . . .

Again this year we have seen the loss of some of our supporting people contracts with others reducing in value. We expect further reductions in the years ahead. By winning new business through competitive tender processes we have been able to replace a part of the lost income.

The summarized financial statements of Ability Housing Association for the previous five years are presented in Exhibit 8.5.

Exhibit 8.5 Financial Performance of Ability Housing Association

Panel A: Income and Expenditure Account

(£ million)                           2012   2011   2010   2009   2008
Turnover                               8.8    8.6    8.6    7.4    5.6
Operating costs and cost of sales    (7.6)  (7.4)  (7.3)  (6.5)  (4.9)
Operating surplus                      1.2    1.2    1.3    0.9    0.7
Net interest charge                  (0.4)  (0.2)  (0.1)  (0.1)  (0.1)
Surplus on disposal of assets          0.1    0.4      —      —    0.1
Taxation                                 —      —      —      —      —
Surplus for the year after tax         0.9    1.4    1.2    0.8    0.7

Panel B: Balance Sheet

(£ million)                                             2012   2011   2010   2009   2008
Housing properties at cost less depreciation & grant    18.9   16.7   13.0    8.8    7.2
Other tangible fixed assets and investments              1.1    1.1    1.1    0.5    0.5
Net current assets                                       0.8    0.2    0.8    0.4    0.3
Total                                                   20.7   20.0   14.9    9.7    8.0
Creditors due after more than one year                 (9.9)  (8.1)  (6.6)  (2.5)  (1.6)
Other long-term liabilities                                —      —      —      —      —
Total                                                   10.8    9.9    8.3    7.2    6.4

ASSOCIATION D: GREENSQUARE

Recently, locally based housing associations have been amalgamating to form regional groups. Once the amalgamation has been accomplished, the groups often organize themselves on a product and activity basis, invest in innovative new products, develop vigorously, and continue to absorb further local associations.

GreenSquare Group Limited is typical of such a group, operating across Wiltshire, Oxfordshire, Gloucestershire, Swindon, and the surrounding areas. GreenSquare was originally formed in 2008 from two associations (Westlea Housing Association and Oxford Citizens Housing Association). Another Oxford-based association, Oxbode, joined the GreenSquare Group in November 2012. GreenSquare now manages over 11,000 properties.

The strategy just described allows the reduction of administration costs and the development of product expertise. GreenSquare has the following:

• Development construction services provided by its in-house subsidiary Tidestone

• Property investment and maintenance of public open spaces undertaken by its commercial subsidiary Oakus

• Gas servicing and renewable energy business undertaken by a new acquisition, GW Sparrow & Company Ltd., based in Swindon

GreenSquare Group now has the following key business streams:

• General needs housing for rent, primarily by families who are unable to rent or buy at open market rates

• Supported housing and housing for older people who need additional housing-related support or additional care

• Low-cost home ownership, primarily shared ownership whereby residents purchase a share in the equity of their homes and pay rent to the association on the remainder

• Building large volumes of new affordable housing and a lead development partner under the Homes and Communities Agency (HCA)’s National Affordable Housing Programme (NAHP)

• A newly registered housing association, GreenSquare Community Housing Association, was set up in 2012. This will build houses financed by a £32 million sale-and-leaseback financing from Aviva, which will enable the Group to respond to new development opportunities as well as continuing to deliver its existing HCA program.

• The GreenSquare Academy has recently been set up to offer training and life skills development to residents, as many associations are becoming increasingly involved in education and vocational training.

Amalgamated organization structures carry a danger of reduced resident involvement; GreenSquare therefore set up three communities boards in 2012/2013 to ensure that its services and how the neighborhoods are run are kept under close review. Last year £0.9 million was allocated to support community projects. GreenSquare also has a Resident Scrutiny Panel to carry out inspections and engage directly with residents.

Objectives and Strategy

GreenSquare’s mission is seen as “housing people, building communities.” The achievement of this is underpinned by four key vision statements:

1. Develop good quality housing to meet a wide and growing range of needs.

2. Create places where people want to live, and support a good quality of life.

3. Provide the range and quality of services our customers want.

4. Grow our activities and improve our financial strength and sustainability.

The following list of key risks is drawn from the 2012/2013 GreenSquare Group Limited annual report:

Key Risks and Comments

Current economic climate and impact on public sector funds and the housing market: The continued restraints on government spending, changes to the housing benefit rules, along with the wider economic downturn, have been identified as key risks to the group. Such changes are likely to impact on the group’s ability to deliver its planned development program and may also affect core activities.

Delivery of development program: Successful delivery of the program depends on continued support from the HCA for the Group, as well as the ability and willingness of development contractors to continue to build the Group’s schemes in a challenging economic environment.

Availability of finance: Availability of loan finance is key to a thriving housing market, with potential impact on the Group’s ability to deliver its development program as well as difficulty for potential shared ownership purchasers to raise finance.

Low demand for housing properties developed for sale: The Group’s development program includes low-cost home ownership. Success depends on demand for the properties. Low demand in the housing market generally has an impact on low-cost home ownership schemes.

Rise in final salary pension scheme liabilities to unaffordable level: The Group could face significant liabilities for meeting pension fund deficits. The Group’s contributions to the fund may need to increase significantly in order to fund the scheme.

Change in government policy or new legislation: Such changes could have significant impact on the sector and therefore the operations of the Group (e.g., changes to the planning or tax regimes may increase costs of new developments, reducing scheme affordability).

Performance failure: Performance failures in services to our customers would affect the Group’s rating with the HCA and its reputation in the sector. Failure to deliver its development program may result in a withdrawal of capital grant.

Loss of key staff: Retention of quality staff and managers is key to successful delivery of the Group’s business plans.

Selected summarized financial statements of GreenSquare Group Limited from the previous five years are presented in Exhibit 8.6.9

Exhibit 8.6 Financial Performance of GreenSquare Group

Panel A: Income and Expenditure Account

(£ million)                            2013    2012    2011    2010    2009
Turnover                               56.2    48.5    45.0    45.3    45.7
Operating costs and cost of sales    (43.1)  (37.2)  (35.0)  (35.0)  (36.8)
Operating surplus                      13.1    11.3    10.0    10.3     8.9
Net interest charge                  (11.0)   (9.5)   (9.2)   (8.4)   (7.7)
Surplus on disposal of assets           0.8     0.3     0.1     0.2     0.1
Other income (note 1)                  10.5
Taxation                                0.1   (0.3)   (0.1)  (0.02)   (0.1)
Surplus for the year after tax         13.5     1.8     0.8     2.1     1.0

Panel B: Balance Sheet

(£ million)                                     2013     2012     2011     2010     2009
Housing properties at current valuation        545.2    384.5    350.6    343.2    301.5
Other tangible fixed assets and investments      6.3      6.2      5.7      5.7      5.7
Net current assets                              20.3      3.3    (4.1)      4.3      6.9
Total                                          571.8    394.0    352.2    353.2    314.1
Loans due after one year                     (281.6)  (237.3)  (211.3)  (210.3)  (194.1)
Other long-term liabilities                    (6.7)    (6.7)    (5.1)   (10.2)    (4.6)
Total                                          283.3    150.0    135.8    132.7    115.4

Panel C: Cash Flow Statement

(£ million)                                   2013    2012    2011    2010    2009
Net cash inflow from operating activities     20.9    20.1    20.1    20.1    20.1
Interest paid/received                      (10.7)  (10.6)  (10.6)  (10.6)  (10.6)
Tax paid                                     (0.1)   (0.1)   (0.1)   (0.1)   (0.1)
Cash from acquisition of Oxbode                2.3   (0.9)   (0.9)   (0.9)   (0.9)
Capital expenditure:
  House construction and purchase           (29.2)  (39.1)  (39.1)  (39.1)  (39.1)
  Capital grants received                      4.1     9.3     9.3     9.3     9.3
  Purchase of other assets                   (1.1)   (0.7)   (0.7)   (0.7)   (0.7)
  Sale of fixed assets                         1.7     1.0     1.0     1.0     1.0
  Subtotal                                  (24.5)  (29.5)  (29.5)  (29.5)  (29.5)
Cash outflow before financing               (12.1)  (21.0)  (21.0)  (21.0)  (21.0)
Cash (invested in) term deposits            (13.7)   (2.2)   (2.2)   (2.2)   (2.2)
Financing:
  Loans received                              31.8    26.6    26.6    26.6    26.6
  Loans repaid                               (1.0)   (0.8)   (0.8)   (0.8)   (0.8)
Increase in cash and cash equivalents          5.0     2.6     2.6     2.6     2.6

Note 1: Gift on acquisition when Oxbode joined the Group in November 2012.

QUESTIONS

You are asked to look at the four housing associations and choose one of them whose location most resembles your own home area, together with another association in a contrasting area. You are asked to address four questions for each of the two associations that you have chosen:

1. Given the fact that the association is a charity, with risks related both to its financial and charitable aims and any profits made being reinvested to support its charitable aims, what do you assess as the biggest risks facing the association and what is your assessment of these risks? Note that “for-profit” activities such as building houses for sale can also contribute to an association’s aims (e.g., to provide affordable housing within its chosen area of operation).

2. Considering the list of products in the “Background” section, how do you rate their potential risks and returns for the association, again in relation to its charitable aims and viability constraints and in the context of the association’s operating environment?

3. In the light of the association’s financial position and its charitable aims, how high should be the risk appetite of the association? Is one of the generic strategies listed in the “Sector Issues” section appropriate for the association, and if not then what should the association’s strategy be?

4. Can you suggest product growth targets and appropriate risk limits that will enable the association to develop safely and dynamically in the short/medium term?

The association data was drawn in 2013 from current real cases, and it may help you to investigate the “actual” cases and their contexts.

NOTES

1. The Decent Homes Standard is a technical standard for public housing introduced by the United Kingdom government in April 2002. It underpinned the Decent Homes Programme brought in by the Labour party, which aimed to provide a minimum standard of housing conditions for all those who are housed in the public sector (i.e., council housing and housing associations). The content of the standard is described in the House of Commons Library Research Paper 03/65, “Delivering the Decent Homes Standard: Social Landlords’ Opinions and Progress.”

2. For more detail, see www.homesandcommunities.co.uk/sites/default/files/our-work/sector-risk-profile-120611.pdf.

3. See section 5.3.5, “Defining Risk Criteria,” in ISO 31000:2009.

4. The quotes are from the L&Q 2013 financial statements; see www.lqgroup.org.uk/_assets/files/LQ0363_Financial-Statements-2013_LR.pdf. For more information about L&Q see www.lqgroup.org.uk.

5. For more information on the RCT subsidiaries, please refer to: www.rcthomes.co.uk, www.rcthomes.co.uk/main.cfm?type=PORTHCWLIS&object_id=2745, www.bplltd.co.uk/index.php, www.meadowprospect.co.uk/default.htm, and www.meadowprospect.co.uk/growenterprisewales/default.htm.

6. A value-added tax (VAT) is a form of consumption tax. From the perspective of the buyer, it is a tax on the purchase price. From that of the seller, it is a tax only on the value added to a product, material, or service, from an accounting point of view, by this stage of its manufacture or distribution. The manufacturer remits to the government the difference between these two amounts, and retains the rest for itself to offset the taxes it had previously paid on the inputs. See HM Revenue & Customs, Introduction to VAT, www.hmrc.gov.uk/vat/start/introduction.htm.

7. FRS 5 addresses the problem of what is commonly referred to as off-balance-sheet financing. One of the main aims of such arrangements is to finance a company’s assets and operations in such a way that the finance is not shown as a liability in the company’s balance sheet. A further effect is that the assets being financed are excluded from the accounts, with the result that both the resources of the entity and its financing are understated. Source: Financial Reporting Council.

8. Ring-fencing occurs when a portion of a company’s assets or profits are financially separated without necessarily being operated as a separate entity. This might be for regulatory reasons, creating asset protection schemes with respect to financing arrangements, or segregating into separate income streams for taxation purposes. Ring-fencing guarantees that funds allocated for a particular purpose will not be used for anything else. Source: www.oxforddictionaries.com/definition/english/ring-fence. Note: The removal of the Supporting People ring-fence allows local authorities to divert to other activities the money allocated to them for this program. The result has been severe cuts in the total Supporting People funding.

9. For GreenSquare’s financial statements, see: www.greensquaregroup.com/upload/5236bbc772028GS.pdf and www.greensquaregroup.com/upload/50619fd12a9aaGS_report1112.pdf.

REFERENCES

Fraser, John, and Betty J. Simkins, eds. 2010. Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives. Hoboken, NJ: John Wiley & Sons.

Sector Risk Profile. 2012. Homes and Communities Agency, London, England. www.homesandcommunities.co.uk/sites/default/files/our-work/sector-risk-profile-120611.pdf.

ABOUT THE CONTRIBUTOR

Following a mathematics degree at Cambridge University and six years’ KPMG strategy consultancy experience, John Hargreaves took up a series of financial positions, including periods as the Financial Controller of National Freight, a stint running Shell’s central financial and management accounting and planning systems, and three years as the Finance Director of London Underground. Since 1991 John has specialized in risk management, initially as Corporate Finance Director of Barclays Bank, where he was responsible for introducing risk management systems following the previous United Kingdom depression.

In 1996 he became Managing Director of Hargreaves Risk and Strategy, which has clients in the housing, banking, oil, and transport sectors. The consultancy has implemented risk management systems in about 60 organizations. John is a leading expert on the quantification of risks. He has conducted research over a number of years on the risk profile of the UK social housing sector, initially through study of client risk maps but also through analysis of the risks that occurred in a sample of 41 companies. This knowledge was used in 2005 in the design of the sector’s highly successful risk-related regulatory system.

John is also an authority on the relationship between risk management and strategy, and for 15 years has run a course on strategic management for an MSc program at the London School of Economics.


CHAPTER 9

Lessons from the Academy
ERM Implementation in the University Setting

ANNE E. LUNDQUIST Western Michigan University

The tragedy at Virginia Tech, infrastructure devastation at colleges and universities in the New Orleans area in the aftermath of Hurricane Katrina, the sexual abuse scandal at Penn State, the governance crisis at the University of Virginia, American University expense-account abuse, and other high-profile university situations have created heightened awareness of the potentially destructive influence of risk and crisis for higher education administrators.1 The recent Risk Analysis Standard for Natural and Man-Made Hazards to Higher Education Institutions (American Society of Mechanical Engineers–Innovative Technologies Institute 2010) notes that “resilience of our country’s higher education institutions has become a pressing national priority” (p. vi). Colleges and universities are facing increased scrutiny from stakeholders regarding issues such as investments and spending, privacy, conflicts of interest, information technology (IT) availability and security, fraud, research compliance, and transparency (Willson, Negoi, and Bhatnagar 2010). A statement from the review committee assembled to examine athletics controversies at Rutgers University is not unique to that situation; the committee found that “the University operated with inadequate internal controls, insufficient inter-departmental and hierarchical communications, an uninformed board on some specific important issues, and limited presidential leadership” (Grasgreen 2013).

The situation at Penn State may be one of the clearest signals that risk management (or lack thereof) has entered the university environment and is here to stay. In a statement regarding the report, Louis Freeh, chair of the independent investigation by his law firm, Freeh Sporkin & Sullivan, LLP, into the facts and circumstances of the actions of Pennsylvania State University, said the following:

In our investigation, we sought to clarify what occurred . . . and to examine the University’s policies, procedures, compliance and internal controls relating to identifying and reporting sexual abuse of children. Specifically, we worked to identify any failures or gaps in the University’s control environment, compliance programs and culture which may have enabled these crimes against children to occur on the Penn State campus, and go undetected and unreported for at least these past 14 years.


The chair of Penn State’s board of trustees summed it up succinctly after the release of the Freeh Report (Freeh and Sullivan 2012) regarding the university’s handling of the sexual abuse scandal: “We should have been risk managers in a more active way” (Stripling 2012).

The variety, type, and volume of risks affecting higher education are numerous, and the public is taking notice of how those risks are managed. Accreditation agencies are increasingly requiring that institutions of higher education (IHEs) demonstrate effective integrated planning and decision making, including using information gained from comprehensive risk management as a part of the governance and management process.2 Credit rating agencies now demand evidence of comprehensive and integrated risk management plans to ensure a positive credit rating, including demonstration that the board of trustees is aware of, and involved in, risk management as a part of its decision making.3 Through its Colleges and Universities Compliance Project, the Internal Revenue Service (IRS) is considering how to hold IHEs responsible for board oversight of risk, investment decisions, and other risk management matters.4 The news media has a heightened focus on financial, governance, and ethical matters at IHEs, holding them accountable for poor decisions and thus negatively affecting IHE reputations. In response to this, many IHEs have implemented some form of enterprise risk management (ERM) program to help them identify and respond to risk.

THE HIGHER EDUCATION ENVIRONMENT

Colleges and universities have often perceived themselves as substantially different and separate from other for-profit and not-for-profit entities, and the outside world has historically viewed and treated them as such. Colleges and universities have been viewed as ivory towers, secluded and separated from the corporate (and thus the federal regulatory and, often, legal) world. Higher education was largely a self-created, self-perpetuating, insular, isolated, and self-regulating environment. In this culture, higher education institutions were generally governed under the traditional, independent “silos of power and silence” management model, with the right hand in one administrative area or unit often unaware of the left hand’s mission, objectives, programs, practices, and contributions in another area.

John Nelson (2012), managing director for the Public Finance Group (Healthcare, Higher Education, Not-for-Profits) for Moody’s Investors Service, observed that higher education culture is somewhat of a contradiction in that colleges and universities are often perceived as “liberal,” whereas organizationally they tend to be “conservative and inward-looking.”5 Citing recent examples at Penn State and Harvard, he noted that colleges and universities can be “victims of their own success”; a past positive reputation can prevent boards from asking critical questions, and senior leadership from sharing troubling information with boards, and this can perpetuate a culture that isn’t self-reflective, thus increasing the likelihood for a systemic risk management or compliance failure. The Freeh Report (2012) is instructive regarding not only the Penn State situation, but the hands-off and rubber-stamp culture of university boards and senior leaders more broadly. The Freeh Report found that the Penn State board failed in its duty to make reasonable inquiry and to demand action from the president, and that the president, a senior vice president, and the general counsel did not perform their duties.


The report calls these inactions a “failure of governance,” noting that the “board did not have regular reporting procedures or committee structure to ensure disclosure of major risks to the University” and that “Penn State’s ‘Tone at the Top’ for transparency, compliance, police reporting, and child protection was completely wrong, as shown by the inaction and concealment on the part of its most senior leaders, and followed by those at the bottom of the University’s pyramid of power.”

In his text regarding organizational structures in higher education, How Colleges Work, Birnbaum (1988) notes that, organizationally and culturally, colleges and universities differ in many ways from other organizations. He attributes this difference to several factors: the “dualistic” decision-making structure (comprised of faculty “shared governance” and administrative hierarchy); the lack of metrics to measure progress and assess accountability; and the lack of clarity and agreement within the academic organization on institutional goals (based, in part, on the often competing threefold mission of most academic organizations of teaching, research, and service). Because of these organizational differences, Birnbaum notes that the “processes, structures, and systems for accountability commonly used in business firms are not always sensible for [colleges and universities]” (p. 27).

While noting that colleges and universities are unique organizations, Birnbaum also observes that they have begun to adopt more general business practices, concluding that “institutions have become more administratively centralized because of requirements to rationalize budget formats, implement procedures that will pass judicial tests of equitable treatment, and speak with a single voice to powerful external agencies” (p. 17).

This evolution to a more businesslike culture for IHEs has been evolving since the 1960s and has brought significant societal changes while seeing the federal government, as well as state governments, begin to enact specific legislation affecting colleges and universities.6 The proliferation of various laws and regulations, coupled with the rise of aggressive consumerism toward the end of the 1990s, has led to an increased risk of private legal claims against institutions of higher education—and their administrators—as well as a proliferation of regulatory and compliance requirements. Higher education is now generally treated like other business enterprises by judges, juries, and creative plaintiffs’ attorneys, as well as by administrative and law enforcement agencies, federal regulators—and the public.

Mitroff, Diamond, and Alpaslan (2006) point out that despite their core educational mission, colleges and universities are really more like cities in terms of the number and variety of services they provide and the “businesses” they are in. They cite the University of Southern California (USC) as an example, noting that USC operates close to 20 different businesses, including food preparation, health care, and sporting events, and that each of these activities presents the university with different risks. Jean Chang (2012), former ERM director at Yale University, observed that IHEs are complicated businesses with millions of dollars at stake, but they don’t like to think of themselves as “enterprises.”

Organizational Type Impacts Institutional Culture

While Birnbaum (1988) notes that IHEs differ in important ways from other organizational types, especially for-profit businesses, he also concludes that colleges and universities differ from each other in important ways. Birnbaum outlines five models of organizational functioning in higher education: collegial, bureaucratic, political, anarchical, and cybernetic. In Bush’s (2011) text on educational leadership, he groups educational leadership theories into six categories: formal, collegial, political, subjective, ambiguity, and cultural. In their discussion of organizational structure, Bolman and Deal (2008) provide yet another method for analysis of organizational culture, identifying four distinctive “frames” from which people view their world and that provide a lens for understanding organizational culture: structural, human resources, political, and symbolic.

Each of these models can provide a conceptual framework by which to understand and evaluate the culture of a college or university. Understanding the organizational type of a particular institution is imperative when considering issues such as the process by which goals are determined, the nature of the decision-making process, and the appropriate style of leadership to accomplish goals and implement initiatives. What works in one university organizational type may not be effective in another. The leadership style of senior administration may be operating from one frame or model while the culture of the faculty may be operating from another, thus affecting policy and practice in positive or negative ways.

While not true across the board, for-profit organizations tend to operate from what Bush as well as Bolman and Deal refer to as the formal or structural models and Birnbaum terms bureaucratic. The structural frame represents a belief in rationality. Some assumptions of the structural frame are that “suitable forms of coordination and control ensure that diverse efforts of individuals and units mesh” and that “organizations work best when rationality prevails over personal agendas” (Bolman and Deal 2008, p. 47). Understanding this cultural and framing difference is important when considering the adoption and implementation of ERM in the university environment, and can help to explain why many university administrators and faculty are skeptical of the more corporate approach often taken in ERM implementation outside of higher education.

Bush observes that the collegial model has been adopted by most universities and is evidenced, in part, by the extensive committee system. Collegial institutions have an “emphasis on consensus, shared power, common commitments and aspirations, and leadership that emphasizes consultation and collective responsibilities” (Birnbaum, p. 86). Collegial models assume that professionals also have a right to share in the wider decision-making process (Bush 2011, p. 73). Bush points out that collegial models assume that members of an organization agree on organizational goals, but that often various members within the institution have different ideas about the central purposes of the institution because most colleges and universities have vague, ambiguous goals. Birnbaum describes the collegium (or university environment) as having the following characteristics:

The right to participate in institutional affairs, membership in a congenial and sympathetic company of scholars in which friendships, good conversation, and mutual aid flourish, and the equal worth of knowledge in various fields that precludes preferential treatment of faculty in different disciplines. (p. 87)

ERM (or risk management and compliance initiatives in general) tend to be viewed as more corporate functions and to align with formal, structural, and bureaucratic aims, goal setting, planning, and decision making. The chart in Exhibit 9.1 outlines management practices and how they are viewed from the formal/structural and collegial/human resources models. As will become clear in the University of Washington ERM implementation case described in this chapter, the culture of higher education in general, and the institution-specific culture of the particular organization, cannot be ignored when adopting or implementing an ERM program, and may be the most important element when making ERM program, framework, and philosophy decisions.

Exhibit 9.1 Distinctions between Structural and Collegial Elements of Management*

Columns: Elements of Management; Formal/Structural (Bolman and Deal; Bush; Birnbaum); Collegial/Human Resources (Bolman and Deal; Bush; Birnbaum)

Level at which goals are determined
  Formal/Structural: Institutional (Bolman and Deal); Institutional (Bush); Institutional (Birnbaum)
  Collegial/Human Resources: Institutional, through agreement and consensus

Process by which goals are determined
  Formal/Structural: Vertical and lateral processes (Bolman and Deal); Set by leaders (Bush); Based on organizational structure and roles (Birnbaum)
  Collegial/Human Resources: Agreement (Bolman and Deal); Agreement (Bush); Consensus (Birnbaum)

Relationship between goals and decisions
  Formal/Structural: Organizations exist to achieve established goals (Bolman and Deal); Decisions based on goals (Bush); Conscious attempt to link means to ends and resources to objectives (Birnbaum)
  Collegial/Human Resources: Shared sense of direction and commitment (Bolman and Deal); Decisions based on goals (Bush); Strong and coherent culture and value consensus informs decisions (Birnbaum)

Nature of the decision process
  Formal/Structural: Rational; rules, policies, and standard operating procedures (Bolman and Deal); Rational (Bush); Rational; compliance with rules and regulations (Birnbaum)
  Collegial/Human Resources: Egalitarianism; teams (Bolman and Deal); Collegial (Bush); Deliberative consensus (Birnbaum)

Nature of structure
  Formal/Structural: Organizations increase efficiency and enhance performance through specialization and division of labor (Bolman and Deal); Objective reality; hierarchical (Bush); Designed to accomplish large-scale tasks by systematically coordinating the work of many individuals (Birnbaum)
  Collegial/Human Resources: Organizations exist to serve human needs; must be a good fit between organization and people (Bolman and Deal); Lateral (Bush); Collegium (Birnbaum)

Style of leadership
  Formal/Structural: Established authority (Bolman and Deal); Leader establishes goals and initiates policy (Bush); Leader is concerned with planning, directing, organization, staffing, and evaluating (Birnbaum)
  Collegial/Human Resources: Doesn’t control or overly structure; sensitive to both task and process; use of teams (Bolman and Deal); Leader seeks to promote consensus (Bush); Leader is “first among equals,” consultation and collective responsibilities (Birnbaum)

* Adapted from Bush (2011), 199 (Figure 9.1).

Risks Affecting Higher Education

One way in which colleges and universities are becoming more like other organizations is the type and variety of risks affecting them. Risk and crisis in higher education may arise from a variety of sources: a failure of governance or leadership; a business or consortium relationship; an act of nature; a crisis related to student safety or welfare or that of other members of the community; a violation of federal, state, or local law; or a myriad of other factors. The University Risk Management and Insurance Association (URMIA 2007) cites several drivers that put increased pressure and risk on colleges and universities, including competition for faculty, students, and staff; increased accountability; external scrutiny from the government, the public, and governing boards; IT changes; competition in the marketplace; and increased levels of litigation. A comprehensive, yet not exhaustive, list of risks affecting higher education is outlined in Exhibit 9.2. Risks unmitigated at the unit, department, or college level can quickly lead to high-profile institutional risk when attorneys, the media, and the public get involved. Helsloot and Jong (2006) observe that higher education has a unique risk as it relates to the generation and sharing of its core task: “to gather, develop, and disseminate knowledge” (p. 154), noting that the “balance between the unfettered transfer of knowledge, on the one hand, and security, on the other, is a precarious one” (p. 155).

EMERGENCE OF ERM IN HIGHER EDUCATION

In the corporate sector, interest in the integrated and more strategic concept of enterprise risk management (ERM) has grown significantly in the past 15 years (Arena, Arnaboldi, and Azzone 2010). Certain external factors affected the adoption and implementation of ERM practices in corporations, including significant business failures in the late 1980s that occurred as a result of high-risk financing strategies (URMIA 2007). Governments in several European countries took actions and imposed regulatory requirements regarding risk management earlier than was done in the United States, issuing new codes of practice and regulations such as the Cadbury Code (1992), the Hampel Report (1998), and the Turnbull Report (1999). In 2002, the Public Company Accounting Reform and Investor Protection Act (otherwise known as Sarbanes-Oxley, or SOX) was enacted in the United States. In 2007, the Securities and Exchange Commission (SEC) issued guidance placing greater emphasis on risk assessment and began to develop requirements for enterprise-wide evaluation of risk. In February 2010, the SEC imposed regulations requiring for-profit corporations to report in depth on how their organizations identify risk, set risk tolerances, and manage risk/reward trade-offs throughout the enterprise.

While widespread in the corporate sector, in large part due to regulatory compliance, ERM is fairly new in higher education. Gurevitz (2009) observes that educational institutions “have been slower to look at ERM as an integrated business tool, as a way to help all the stakeholders—trustees, presidents, provosts, CFOs, department heads, and frontline supervisors—identify early warning signs of something that could jeopardize a school’s operations or reputation.” In 2000, the Higher Education Funding Council of England enacted legislation requiring all universities in England to implement risk management as a governance tool (Huber 2009). In Australia, the Tertiary Education Quality Standards Agency (TEQSA 2013) evaluates the performance of higher education providers against a set of threshold standards and makes decisions in relation to their performance in line with three regulatory principles, including understanding an institution’s level of risk.

Exhibit 9.2 Risks Affecting Higher Education

Institutional Area: Boards of Trustees and Regents, President, Senior Administrators
  Types of Risk: Accreditation; Board performance assessment; CEO assessment and compensation; Conflict of interest; Executive succession plan; Fiduciary responsibilities; IRS and state law requirements; Risk management role and responsibility

Institutional Area: Business and Financial Affairs
  Types of Risk: Articulation agreements; Bonds; Budgets; Business ventures; Cash management; Capital campaign; Contracting and purchasing; Credit rating; Debt load/ratio; Endowment; Federal financial aid; Fraud; Gift/naming policies; Insurance; Investments; Loans; Outsourcing; Transportation and travel; Recruitment and admissions model

Institutional Area: Compliance with Federal, State, and Local Laws, Statutes, Regulations, and Ordinances
  Types of Risk: Americans with Disabilities Act (ADA)/Section 504; Copyright and fair use; Drug-Free Schools and Communities Act; Family Educational Rights and Privacy Act (FERPA); Health Insurance Portability and Accountability Act of 1996 (HIPAA); Higher Education Opportunity Act; IRS regulations; Integrated Postsecondary Education Data System (IPEDS); Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act); National Collegiate Athletic Association (NCAA)/National Association of Intercollegiate Athletics (NAIA) regulations; Record retention and disposal; Tax codes; Whistle-blower policies

Institutional Area: Campus Safety and Security
  Types of Risk: Emergency alert systems for natural disaster or other threat; Emergency planning and procedures; Incident response; Infectious diseases; Interaction with local, state, and federal authorities; Minors on campus; Terrorism; Theft; Violence on campus; Weapons on campus; Weather

Institutional Area: Information Technology
  Types of Risk: Business continuity; Cyber liability; Electronic records; Information security; Network integrity; New technologies; Privacy; System capacity; Web page accuracy

Institutional Area: Academic Affairs
  Types of Risk: Academic freedom; Competition for faculty; Faculty governance issues; Grade tampering; Grants; Human subject, animal, and clinical research; Intellectual property; Internship programs; Joint programs/partnerships; Laboratory safety; Online learning; Plagiarism; Quality of academic programs; Student records; Study abroad; Tenure

Institutional Area: Student Affairs
  Types of Risk: Admission/retention; Alcohol and drug use; Clubs and organizations; Conduct and disciplinary system; Dismissal procedures; Diversity issues; Fraternities and sororities; Hate crimes; Hazing; International student issues; Psychological disabilities issues; Sexual assault; Student death; Student protest; Suicide

Institutional Area: Employment/Human Resources
  Types of Risk: Affirmative action; Background checks; Discrimination lawsuits; Employment contracts; Grievances; Labor laws; Performance evaluation; Personnel matters; Sexual harassment; Termination procedures; Unions; Workplace safety

Institutional Area: Physical Plant
  Types of Risk: Building and renovation; Fire; Infrastructure damage; Off-site programs; Public-private partnerships; Residence hall and apartment safety; Theft

Institutional Area: Other
  Types of Risk: Alumni; Athletics; External relations; Increased competition for students, faculty, and staff; Increased external scrutiny from the public, government, and media; Medical schools, law schools; Vendors

In the United States, engaging in risk management efforts and programs for IHEs is not specifically required by accrediting agencies or the federal government. Perhaps because it is not required, ERM has not been a top focus for boards and senior administrators at IHEs. Tufano (2011) points out that risk management in the nonprofit realm, including higher education, is significantly less developed than in much of the corporate world and often still has a focus on avoidance of loss rather than setting strategic direction. Mitroff, Diamond, and Alpaslan’s (2006) survey assessing the state of crisis management in higher education revealed that colleges and universities were generally well prepared for certain crises, particularly fires, lawsuits, and crimes, in part because certain regulations impose requirements. They were also well prepared for infrequently experienced but high-profile situations such as athletics scandals, perhaps based on their recent prominence in the media. However, they were least prepared for certain types of crises that were frequently experienced such as reputation and ethics issues, as well as other nonphysical crises such as data loss and sabotage.7 A survey conducted by the Association of Governing Boards of Universities and Colleges and United Educators (2009) found that, of 600 institutions completing the survey, less than half of the respondents “mostly agreed” that risk management was a priority at their institution. Sixty percent stated that their institutions did not use a comprehensive, strategic risk assessment to identify major risks to mission success. Recent high-profile examples may be beginning to change that. The Freeh Report regarding Penn State determined that “the university’s lack of a robust risk-management system contributed to systemic failures in identifying threats to individuals and the university and created an environment where key administrators could ‘actively conceal’ troubling allegations from the board” (Stripling 2012).

ADOPTING AND IMPLEMENTING ERM IN COLLEGES AND UNIVERSITIES

In 2001, PricewaterhouseCoopers and the National Association of College and University Business Officers (NACUBO) sponsored a think tank of higher education leaders to discuss the topic of ERM in higher education, likely in response to widespread discussion in the for-profit sector and in anticipation of potential regulatory implications for higher education. The group included Janice Abraham, then president and chief executive officer of United Educators Insurance, as well as senior administrators from seven universities.8 The focus of their discussion was on the definition of risk; the risk drivers in higher education; implementation of risk management programs to effectively assess, manage, and monitor risk; and how to proactively engage the campus community in a more informed dialogue regarding ERM. Their conversation produced a white paper, “Developing a Strategy to Manage Enterprisewide Risk in Higher Education” (Cassidy et al. 2001). In 2007, NACUBO and the Association of Governing Boards of Universities and Colleges (AGB) published additional guidance in their white paper, “Meeting the Challenges of Enterprise Risk Management in Higher Education.” The University Risk Management and Insurance Association (URMIA) also weighed in with its white paper, “ERM in Higher Education” (2007). In 2013, Janice Abraham wrote a text published by AGB and United Educators, entitled Risk Management: An Accountability Guide for University and College Boards. These documents provide guidance and information to institutions considering the implementation of an ERM program and discuss the unique aspects of the higher education environment when considering ERM implementation.

LESSONS FROM THE ACADEMY 153

Several authors have discussed the transferability of the ERM model to higher education, even with the cultural and organizational differences that abound between the for-profit environment and higher education. URMIA (2007) concluded that “the ERM process is directly applicable to institutions of higher education, just as it is to any other ‘enterprise’; there is nothing so unique to the college or university setting as to make ERM irrelevant or impossible to implement” (p. 17). Whitfield (2003) assessed the “feasibility and transferability of a general framework to guide the holistic consideration of risk as a critical component of college and university strategic planning initiatives” (p. 78) and concluded that “the for-profit corporate sector’s enterprise-wide risk management framework is transferable to higher education institutions” (p. 79).

National conferences for higher education associations such as NACUBO, AGB, URMIA, and others had presentations on ERM. Insurers of higher education, such as United Educators and Aon, as well as consultants such as Accenture and Deloitte, among others, provided workshops to institutions and published white papers of their own, such as the Gallagher Group’s “Road to Implementation: Enterprise Risk Management for Colleges and Universities” (2009). In the early 2000s, many IHEs rushed to form committees to examine ERM and hired risk officers in senior-level positions, following the for-profit model.9 However, when specific regulations such as those imposed by the SEC for for-profit entities did not emerge in the higher education sector, interest in highly developed ERM models at colleges and universities began to wane. Gurevitz (2009) points out that the early ERM frameworks weren’t written with higher education in mind and were often presented “in such a complicated format that it made it difficult to translate the concepts for many universities.”

Institutions with ERM programs have taken various paths in their selection of models and methods and have been innovative and individualized in their approaches. There is no comprehensive list of higher education institutions with ERM programs, and not all IHEs with integrated models use the term ERM. Exhibit 9.3 shows a snapshot of IHEs that have adopted ERM; a review of their websites demonstrates the various risk management approaches adopted by IHEs and the wide variability in terminology, reporting lines, structure, and focus. In many instances, those IHEs with highly developed programs today had some form of “sentinel event” (regulatory, compliance, student safety, financial, or other) that triggered the need for widespread investigation and, therefore, the development of more coordinated methods for compliance, information sharing, and decision making. In other situations, governing board members brought their business experience with ERM to higher education, recognizing the “applicability and relevance of using a holistic approach to risk management in academic institutions” (Abraham 2013, p. 6).

Regardless of the impetus, the current focus appears to be on effectively linking risk management to strategic planning. Abraham points out that many higher education institutions are recognizing that an effective ERM program, with the full support of the governing board, “will increase a college, university or system’s likelihood of achieving its plans, increase transparency, and allow better allocation of scarce resources. Good risk management is good governance” (p. 5). Ken Barnds (2011), vice president at Augustana College, points out that “many strategic planning processes, particularly in higher education, spent an insufficient amount of time thinking about threats and weaknesses.” Barnds believes that “an honest and thoughtful assessment of the college’s risks . . . would lead [Augustana] in a positive, engaged, and proactive direction.” A recent Grant Thornton (2011) thought paper urges university leaders to think about more strategic issues as part of their risk management, including board governance, IRS scrutiny of board oversight practices, investment performance in university endowments, indirect cost rates in research, changes in employment practices, and outsourcing arrangements.

Exhibit 9.3 Sample of Colleges and Universities with ERM Programs

Institution | Title of Person with ERM Responsibility | Website
Duke University | Executive Director of Internal Audit | http://internalaudits.duke.edu/risk-assessment/index.php
Emory University | Chief Audit Officer | www.emory.edu/EMORY_REPORT/stories/2010/04/19/risk_management.html
Georgia State University | Director, Enterprise Risk Management | www.gsu.edu/accounting/63370.html
Iowa State University | Associate Vice President for Budget and Planning | www.provost.iastate.edu/what-we-do/erm
Johnson & Wales | Director of Compliance, Internal Audit, and Risk Management | www.jwu.edu/content.aspx?id=57825
Maricopa County Community College District (MCCCD) | Director of Enterprise Risk Management | www.maricopa.edu/publicstewardship/governance/adminregs/auxiliary/4_16.php
Ohio University | Associate Vice President for Risk Management and Safety | www.ohio.edu/riskandsafety/urmi.htm
Texas A&M University System | Office of Risk Management and Benefits Administration | www.tamus.edu/offices/risk/riskmanage/guide/enterprise-risk-management/
University of Alaska System | Chief Risk Officer | www.alaska.edu/risksafety/
University of California | Risk Services, Office of the President | www.ucop.edu/enterprise-risk-management/
University of Denver | Director of Enterprise Risk Management | www.du.edu/internal-audit/internal_audit/faq.html
University of Iowa | Senior Vice President of Finance and Operations and Treasurer | www.uiowa.edu/~fusrm/EnterpriseRiskManagement/index.html
University of Maryland | Vice President for Planning and Accountability | www.umaryland.edu/accountability-old/risk-management/
University of Notre Dame | Director of Risk Management and Safety | http://riskmanagement.nd.edu/about/
University of Vermont | Senior Strategist for Enterprise Risk and Planning, Office of the Vice President for Finance & Administration | www.uvm.edu/~erm/
University of Washington | Risk Analyst | http://f2.washington.edu/fm/erm
Yale University | Director of ERM | http://ogc.yale.edu/riskmanagement

Regardless of terminology, there is an increased priority on taking a more enterprise-wide approach to risk management and moving from a compliance-driven approach to a comprehensive, strategic approach across and throughout the organization that is used to positively affect decision making and impact mission success and the achievement of strategic goals. Tufano (2011) points out that even in the corporate environment, top leaders are not inclined to work through a detailed step-by-step risk management process, but rather take a top-level approach. In the university environment, this means asking three fundamental questions: What is our mission? What is our strategy to achieve it? What risks might derail us from achieving our mission? Richard F. Wilson, president of Illinois Wesleyan University, may best summarize the current perspective of senior-level higher education administrators:

When I first started seeing the phrase “enterprise risk management” pop up in higher education literature, my reaction was one of skepticism. It seemed to me yet another idea of limited value that someone had created a label for, to make it seem more important than it really was. Although some of that skepticism remains, I find myself increasingly in sympathy with some of its basic tenets . . . [especially] the analysis that goes into decisions about the future. Most institutions are currently engaged in some kind of strategic planning effort driven, in part, by the need to protect their financial viability and vitality for the foreseeable future. . . . Bad plans and bad execution of good ideas can put an institution at risk fairly quickly in the current environment. Besides examining what we hope will happen if a particular plan is adopted, we should also devote time to the consequences if the plan does not work. I still cannot quite get comfortable incorporating enterprise risk management into my daily vocabulary, but I have embraced the underlying principles. (Wilson 2013)

THE UNIVERSITY OF WASHINGTON: A JOURNEY OF DISCOVERY

The University of Washington (UW) has a robust enterprise risk management (ERM) program that is moving into its seventh year. The program began with what administrators10 at UW call a “sentinel event,” settling a Medicare and Medicaid overbilling investigation by paying the largest fine by a university for a compliance failure—$35 million. This led the new president, Mark Emmert, to formally charge senior administrators in 2005 with the task of identifying best practices for “managing regulatory affairs at the institutional level by using efficient and effective management techniques” (UW ERM Annual Report 2008, p. 4). At the outset in 2006, the objective for UW was to “create an excellent compliance model built on best practices, while protecting its decentralized, collaborative, and entrepreneurial culture” (Collaborative ERM Report 2006, p. vi). The ERM process at UW has been what Ann Anderson, associate vice president and controller, terms “a journey of discovery.” ERM has developed and evolved at UW, moving from what UW administrators describe as an early compliance phase, through a governance phase to a mega-risk phase. Currently, the University of Washington is focused on two objectives: (1) strengthening oversight of top risks, and (2) enhancing coordination and integration of ERM activities with decision-making processes at the university. This case study will describe the decision-making and implementation process at UW, as well as outline various tools and frameworks that UW adopted and adapted for use not only in the higher education setting in general, but to fit specifically within the university’s decentralized culture.

Institutional Profile

Founded in 1861, the University of Washington is a public university enrolling some 48,000 students and awarding approximately 10,000 degrees annually (see Exhibit 9.4). The institution also serves approximately 47,000 extension students. There are nearly 650 student athletes in UW’s 21 Division I men’s and women’s teams. There is a faculty/staff of over 40,000, making UW the third-largest employer in the state of Washington. The university is comprised of three campuses with 17 major schools and colleges and 13 registered operations abroad. It has a $5.3 billion annual budget, with $1.3 billion in externally funded research and $2.6 billion in clinical medical enterprise. UW has been the top public university in federal research funding every year since 1974 and has been among the top five universities, public and private, in federal funding since 1969. The university has an annual $9.0 billion economic impact on the state of Washington.

Culture at UW

When appointed to serve on the President’s Advisory Committee on ERM (PACERM) in 2007, Professor Daniel Luchtel commented, in the context of talking about risk assessments, that “the number of issues and their complexity is stunning. The analogy that comes to mind is trying to get a drink of water from a fire hose” (2007 ERM Annual Report, p. 4). As with most higher education institutions, especially research universities, along with the core business of the teaching and learning of undergraduate and graduate students, the faculty are focused on the creation of new knowledge. “The University of Washington is a decentralized yet collaborative entity with an energetic, entrepreneurial culture. The community members are committed to rigor, integrity, innovation, collegiality, inclusiveness, and connectedness” (Collaborative Enterprise Risk Management Final Report 2006, p. v).

Faculty innovation and the idea of compliance don’t always go hand in hand in higher education, and UW is no exception. Research associate professor David Lovell, vice-chair of the Faculty Senate in 2007–2008, expresses it well:

“Compliance” [is] not necessarily a good word for faculty members. . . . What lies behind [that] is the high value faculty accord to personal autonomy. . . . The notion of a culture of compliance sounds like yet another extension of impersonal, corporate control, shrinking the arena of self-expression in favor of discipline and conformity. . . . Over the last ten months, I’ve come to understand that you’re not here to get in our way, but to make it possible for us faculty legally to conduct the work we came here to do. . . . I hope that working together, we can try to spread such understanding further, so that we can make compliance—or whatever term you choose—less threatening to faculty and frustrating to staff. (Annual ERM Report 2008, pp. 6–7)


[Exhibit 9.4 figure: 48,022 students were enrolled at the UW in the fall of 2009 (undergraduate 32,291; graduate 11,592; professional 1,907). For each group the figure gives the share of Asian Americans, underrepresented minorities, international students, women, and men, and it lists counts of Gates Cambridge, Marshall, and Rhodes Scholars.]

Exhibit 9.4 University of Washington Student Profile. From University of Washington Fact Book: http://opb.washington.edu/content/factbook.

Organizationally, the institution is divided into silos, which has historically focused risk mitigation within those silos.

Implementation History at UW

On April 22, 2005, President Mark Emmert sent an e-mail to the deans and cabinet members in which he said: “With the most recent example of compliance issues, we have again been reminded that we have not yet created the culture of compliance that we have discussed on many occasions.” He went on to say that “the creation of a culture of compliance needs to be driven by our core values and commitment to doing things the right way, to being the best at all we do. . . . We need to know that the manner in which we manage regulatory affairs is consistent with the best practices in existence.”

The Sentinel Event: Largest Fine at a Medical School

The Collaborative Enterprise Risk Management Report for the University of Washington (2006) began with the following: “Over the past few years, the UW has been confronted by a series of problems with institution-wide implications, including research compliance, financial stewardship, privacy matters, and protection of vulnerable populations” (p. v). The situation with the highest impact on the university began when Mark Erickson, a UW compliance officer, filed a complaint alleging fraud in the UW’s Medicare and Medicaid billing practices. The 1999 complaint prompted a criminal investigation, guilty pleas from two doctors, and a civil lawsuit resulting in the $35 million settlement, the largest settlement made by an academic medical center in the nation. The federal prosecutor claimed that “many people within the medical centers were aware of the billing problems” and that “despite this knowledge, the centers did not take adequate steps to correct them” (Chan 2004). UW’s 2006 ERM Annual Report acknowledges that, in addition to the direct cost of the fines, there were also indirect costs in terms of additional resources for reviews of university procedures, increased rigor and frequency of audits, and an incalculable damage to the university’s reputation. The federal prosecutor acknowledged that UW’s efforts to reform its compliance program have been “outstanding” (Chan 2004). He further noted that since the lawsuit was filed, the university “has radically restructured their compliance office. The government is very pleased with the efforts the UW is taking to take care of these errors.”

Leadership from the Top: President Outlines the Charge

At the time of the medical billing scandal, Lee L. Huntsman was president of UW. Huntsman had formerly been the acting provost, associate dean for scientific affairs at the school of medicine, and a professor of bioengineering. The UW Board of Regents had appointed Huntsman in a special session when Richard McCormick, the incumbent, accepted the presidency at Rutgers. Huntsman served for 18 months as president and continued as Special Assistant to the President and Provost for Administrative Transition until 2005 and as a senior adviser to the university for several more years. Mark A. Emmert, former chancellor of Louisiana State University and a UW alumnus, was appointed as the 30th president of UW and professor with tenure at the Evans School on June 14, 2004.

In April 2005, President Emmert charged V’Ella Warren, Vice President for Financial Management, and David Hodge, Dean of the College of Arts and Sciences, with conducting a preliminary review of best practices in compliance and enterprise risk management in corporate and higher education institutions. Warren engaged the Executive Director of Risk Management, Elizabeth Cherry, and the Executive Director of Internal Audit, Maureen Rhea, to conduct a literature search on enterprise risk management, particularly in higher education. Cherry and Rhea engaged Andrew Faris, risk management analyst, to assist, and the three spent nearly two years (from 2004 to 2006) conducting the literature search and finding out how risk management was functioning on other campuses. As they conducted their research, they continued to report their findings to Vice President Warren. They also piloted the risk assessment process with various departments at UW.

Based on their findings and discussions with Vice President Warren, a draft report was compiled to provide initial guidance on the development of a UW-specific framework. The report provided an overview of various approaches to compliance, described best practices at four peer universities (University of Texas system, University of Minnesota, University of Pennsylvania, and Stanford University), identified the common problems encountered in several recent compliance problems at UW, and offered suggestions for actions that UW might take in the effective management of compliance and risk. President Emmert then charged Warren and Hodge to cochair the recommended Strategic Risk Initiative Review Committee (SRIRC). The role of the SRIRC was to continue to investigate best practices in university risk management and make recommendations about a structure and framework for compliance that would fit the UW culture. In a memo to the SRIRC regarding that review, Warren and Hodge noted that they had “developed a framework for university-wide risk and compliance management which builds on [UW]’s decentralized and collaborative character.” President Emmert also made it clear that the proposed model should be driven by UW’s core values as well as promote “effective use of people’s time and energy.” In a memo to the deans and cabinet members in 2005, President Emmert declared that UW did not “want or need another layer of bureaucracy.”

The SRIRC was comprised of broad university representation, including the Executive Vice President, the Associate Vice President for Medical Affairs, the Senior Assistant Attorney General, the Vice Provost-elect for Research, the Vice Provost for Planning and Budgeting, the Chancellor of the University of Washington–Tacoma, the Athletic Director, the Dean of the School of Public Health and Community Medicine, the Provost and Vice President for Academic Affairs, the Dean of the School of Nursing, the Special Assistant to the President for External Affairs, the Vice President of Student Affairs, two faculty members, and two students. Meeting throughout the fall semester, the SRIRC reviewed the preliminary research material provided by Hodge and Warren and their team and discussed a variety of issues, including the structure for risk management, how risk assessment has been and could be conducted, communication issues, methods for reporting risks, ways to report progress, and others. For each initiative, they asked the following three questions: Does this proposal add value? What obstacles are apparent and how can they be addressed? How could this proposal be improved?

In addition to formal meetings, Cherry, Rhea, and Faris conducted one-on-one meetings with the SRIRC members to gather more information about how they viewed implementation at the university. Because one of the recommendations was the creation of a Compliance Council, meetings were also conducted throughout the campus with director-level personnel to survey their interests and suggestions regarding that aspect of the proposed model. Prior to the formal implementation of the ERM program, resources were also dedicated to create an infrastructure to sustain the recommended model. Faris’s role as risk manager was formally revised to create a full-time ERM analyst position within the Office of Financial Management in the Finance and Facilities division and a half-time ERM project manager position was created, filled by Kerry Kahl.


Advisory Committee Recommendations: Create a Culture-Specific ERM Program

In February 2006, Hodge and Warren put forth to President Emmert a Collaborative Enterprise Risk Management Proposal developed by the SRIRC. The proposal recommended that “the UW adopt an integrated approach to managing risk and compliance, commonly called enterprise risk management (ERM).” They acknowledged that the proposed changes were not intended to “replace what already works across the university,” but rather to “augment the existing organization with thoughtful direction, collaboration, and communication on strategic risks” (Collaborative ERM Final Report, February 13, 2006). At the outset, the SRIRC acknowledged that the structure and priorities of the ERM program would likely evolve and develop over time, but the members of the committee were confident that they had created a “strong, yet flexible framework within which to balance risk and opportunity” (February 14, 2006, memo to President Emmert).

While the report acknowledged the impetus for the creation of the ERM program (the $35 million compliance failure fine), it focused on the positive impact an ERM program could have for UW, beyond addressing compliance concerns. The report defined key terms and made recommendations based on three basic parameters: scope of the framework, organizational structure for the framework, and philosophy of the program. Each aspect was framed in the context of the literature review and campus comparisons; UW-specific recommendations were put forth based on SRIRC discussion and analysis.

Scope of the Risk Framework

The report reviewed and discussed the various approaches taken by organizations in practicing risk management, from a basic practice of risk transfer through insurance to a more integrated institution-wide approach. It acknowledged that, prior to implementation, some key decisions would need to be made: Would the scope of the program be institution-wide or targeted at the school, college, or unit level? Would it include all risks (compliance, finances, operations, and strategy) or be focused on certain categories of risk? ERM was cited as “the most advanced point on the continuum,” a model that integrates risk into the organization’s strategic discussions. The report also summarized a Centralized Compliance Management approach. This model, rather than encompassing all risks, would focus primarily on legal and regulatory compliance. It was noted that “while both are university-wide approaches, they vary in a number of important aspects, including scope, objective, and benefits” (p. 6).

The report also summarized the ERM models at four IHEs, based on interviews with compliance and audit managers at those institutions. Noting that all four were institution-wide approaches, Pennsylvania and Texas were identified as having adopted a more corporate philosophy; Minnesota, a compliance approach with a centralized style; and Stanford, a collaborative ERM approach (see Exhibit 9.5). The report recommended developing a “collaborative, institution-wide risk management model” for UW, one that “ensures that UW creates an excellent compliance model based on best practices, while protecting its decentralized, collaborative, and entrepreneurial culture” (p. 28).


[Exhibit 9.5 figure: Minnesota, Stanford, Pennsylvania, Texas, and Washington plotted against two axes, one running from Centralized Compliance Management to Enterprise Risk Management and the other from Control to Collaboration.]

Exhibit 9.5 UW’s Approach to Risk Management Compared to Other Institutions. From University of Washington Collaborative Enterprise Risk Management Final Report, February 13, 2006.

Organizational Structure

Based on a review of the literature and discussions with risk and audit managers at other universities, the report also summarized various models and structures for organizing the risk management activities. One method was to appoint a central risk officer with institution-wide oversight and responsibility. With this model, key decisions would need to be made regarding reporting lines and the placement of that position within the organization. The report also outlined UW’s current approach to risk management, noting that it had moved beyond the insurance approach, “which is usually reactive and ad hoc,” but also observing that responsibility for specific risks was currently distributed among the institution’s organizational silos (p. 15). It further noted that “the UW does not formally integrate risk and compliance into its strategic conversations at the university-wide level” (p. 15). While acknowledging the good progress being made in several areas (including UW Medicine, the newly restructured Department of Audits, and the Office of Risk Management), the report highlighted the weaknesses of the current approach, including the fact that “due to the size, decentralization, and complexity of the institution, a proliferation of compliance, audit, and risk management activities has grown up around separate and distinct risk areas, each largely operating in a self-defined stovepipe” (p. 18).

Philosophy of the Program

The report also discussed the philosophy of a proposed risk management program, asking whether the preferred approach should focus on enforcing law and regulation—a compliance or control approach—or be one that “encouraged cooperation between faculty and staff to develop flexible compliance approaches—a collaborative approach” (p. 2). After sharing the findings from the literature review and the institutional profiles of the peer institutions, the report outlined three guiding principles to shape the evolution of compliance and risk management at UW: (1) foster an institution-wide perspective, (2) ensure that regulatory management is consistent with best practices, and (3) protect UW’s decentralized, collaborative, entrepreneurial culture. In light of these principles, the report made the following eight recommendations, detailing the key elements and implementation suggestions for each:

1. Integrate key risks into the decision-making deliberations of senior leaders and Regents.
2. Create an integrated, institution-wide approach to compliance.
3. Ensure that good information is available for the campus community.
4. Create a safe way for interested parties to report problems.
5. Minimize surprises by identifying emerging compliance and risk issues.
6. Recommend solutions to appropriate decision makers.
7. Check progress on compliance and risk initiatives.
8. Maintain a strong audit team.

EVOLUTION OF ERM AT UW

The SRIRC report acknowledged that the ERM concept was not new, but that it has not been fully implemented at many organizations, especially in higher education. The development of risk management within an organization was discussed, noting that the management of risk develops along a continuum, with early models focused on hazard risks only and mitigation being accomplished primarily through the purchase of insurance. As risk models evolve at an organization, other risk types are added to the model and more cross-functional participation by other units begins to occur. Ultimately, strategic risks are added to the conversation and there is an integration of information from all units across the university. It is at this point that risk can be viewed as both an opportunity and a threat and where mitigation priorities can be more clearly linked to the strategic objectives of the organization.

In 2006, when the ERM program and model were proposed, UW viewed itself as being in the middle of the continuum (see Exhibit 9.6). The report noted:

Although many operational units, committees, and administrative bodies handled the risks faced in their own environments well, there is little cross-functional sharing of information. The opportunity aspect of risk is therefore not fully utilized by the University and risk mitigation priorities are not consistently driven by the institution’s strategic objectives. (p. 4)

The 2012 ERM Annual Report observes that “the ERM program has continued to evolve, developing structural mechanisms to support the 8 initial recommendations” (p. 2).

Faris and Kahl commented that the first few years of implementation of ERM at UW were focused on risk assessments. They spent most of their time (both working with the ERM committees and in their roles as ERM staff) performing risk


LESSONS FROM THE ACADEMY 163

Exhibit 9.6 Evolution of ERM at the University of Washington (figure: the risk categories Strategic – Mega, Financial, Operational, and Compliance plotted against the degree of cross-functional integration, from separate functions through partial to full integration, marking what UW has accomplished and where UW’s program is headed). From University of Washington 2009 ERM Annual Report, p. 4.

assessments using the risk mapping process (e.g., writing a risk statement, ranking the risks for likelihood and impact, plotting the risks on a 5 × 5 map). In the first four or five years, they conducted nearly 35 risk assessments across the university. Based on broad cross-functional topics identified by the President’s Advisory Committee on ERM (PACERM), the risk assessments were facilitated by Faris and Kahl with temporary teams put together to meet three to five times over the course of the year to write risk statements, rank them, and put together suggestions for mitigation.

The first five years of ERM at UW were “formative” and focused on the following key activities:

• Developing a common language around risk
• Conducting individual risk assessments
• Focusing discussion and mitigation on financial and enrollment challenges
• Comparing financial strength (as gauged by Moody’s Investors Service) against peers
• Drafting an initial compendium of enterprise-wide success metrics

Well-written, clear annual reports to the president, the Board of Regents, and the UW community helped to connect the dots and keep the strategic overarching goals front and center, even as employees at the unit level were continuously engaged in the more operational aspects of ERM. Exhibit 9.7 summarizes the implementation time line from the formalized inception of ERM at UW to the present. A review of the chart shows how the UW has continued to focus on moving from an initial focus on hazard risk to a more integrated, strategic approach to enterprise risk management.


Exhibit 9.7 University of Washington ERM Implementation Time Line

Academic Year / Initiatives∗

2005–2006
• President Emmert charged administrators with review of best practices and development of broad institutional compliance/risk framework for UW.
• Warren and Hodge drafted report with overview of institution-wide approaches, best practices at four peer universities, common compliance problems faced by UW, and suggestions for next steps.

2006–2007
• Developed a central focus and common language for evaluating risk across the university.
• ERM structure formed (including PACERM, Compliance Council).
• First UW-wide risk map was compiled.
• Office of Risk Management dedicated one FTE to ERM initiative.
• Dedicated $4.8 million in funds for integrity/compliance/stewardship initiatives, including animal care, student life counseling, human subjects, global activities, and IT security.
• Information about ERM program included in reinsurance renewal discussions with international underwriters.
• First Annual Report to the Board of Regents.

2007–2008
• Identified key strategic and mega risks for the institution.
• Expanded Compliance Council to form COFi.
• Rolled out Enterprise Risk Management Toolkit for units to do self-assessments.
• UW Medicine and Department of Athletics presented annual reports on their compliance programs and ongoing efforts to minimize risks and address current issues.
• Continued development of the Institutional Risk Register.
• Internal Audit department expanded from nine to 15 staff.

2008–2009
• Focused on financial crisis and demographics.
• PACERM formed two mega-risk subgroups to apply ERM processes at a strategic level: extended financial crisis and faculty recruitment and retention.
• HR advance planning for economic downturn and major reduction in state funding.
• Office of Risk Management conducted first Employment Practices Liability Seminar.
• ERM web pages were enhanced.
• Hired a new Executive Director for Audits.
• Second ERM Report to the Board of Regents.

2009–2010
• Development of the UW Integrated Framework based on COSO model.
• PACERM focused discussion on how to remain competitive.
• Initial exploration of enterprise-wide dashboard of success metrics.
• Use of risk assessments in business case alternatives and research proposals.

2010–2011
• PACERM evaluated the university’s academic personnel profile and oversaw major information technology projects.
• Assessed institutional financial strength in comparison to peers (Moody’s).
• More than 200 ERM Toolkits provided to universities and companies.

2011–2012
• Development of enterprise-wide dashboard of success metrics.
• UW’s work recognized as a “Best Practice” by the Association of Governing Boards for Universities and Colleges (AGB).

∗All initiatives, including others not detailed in this chart, are outlined in more detail in the UW ERM Annual Reports, available at the website: http://f2.washington.edu/fm/erm.


ERM STRUCTURE AT UW

The organizational structure for ERM at UW arose out of the initial recommendations of the SRIRC. In aggregate, the UW ERM program comprises the following areas, working together to create an effective structure: UW units; ERM staff; Compliance, Operations, and Finance Council (COFi Council); President’s Advisory Committee on ERM (PACERM); Internal Audit; and the UW President and Provost (see Exhibit 9.8).

UW Units

At the unit level, staff and faculty take ownership of the activities that give rise to risk. They conduct risk and opportunities identification and self-assessments. They develop strategies and take action to mitigate and monitor risk. They are encouraged to share a summary of their risk assessments with the Office of Risk Management.

ERM Program Staff

There are 1.5 full-time equivalent (FTE) ERM program staff located in the office of the associate vice president/controller for UW. This staff supports the work of the various committees and units, in part by establishing the ERM framework, standards, and templates. They monitor and participate in risk assessments for the purpose of providing the enterprise view. They provide administrative support and

Exhibit 9.8 University of Washington ERM Structure (figure: the University President and Provost represent the UW Environment, the right side of the cube; the President’s Advisory Committee on Enterprise Risk Management (PACERM) works at the Entity Level, a top-down view of strategic risks, mega risks, and opportunities; the Compliance, Operations, Finance Council (COFi) works at the Division or Function Level, a middle-up, cross-functional view of compliance, operations, and financial risks, across eight functional areas of risk grouped into core functions and support services: Research, Academic Affairs, Athletics, Health Care, Risk and Safety, Finance, Information Technology, and Human Resources; the Unit Level is a bottom-up view of risks and opportunities, with the Attorney General, Risk Management, and Environmental Health & Safety shown as examples of UW units). From University of Washington 2010 ERM Annual Report, p. 10.


summary information and analyses to the ERM committees. They also provide professional development in a train-the-trainer format.

Compliance, Operations, and Finance Council (COFi)

The COFi Council, led by the Executive Director of Audits, takes a middle-up, cross-functional view of risks and opportunities, particularly items that have university-wide potential impact or where supervisory authority for various aspects of the risk resides in different departments or divisions across the university. The COFi Council has oversight of risk assessments at the division or functional level. It approves methods to monitor risks and identifies topics for outreach, particularly items that have university-wide potential impact or that involve cross-departmental or divisional silos. The six primary goals of the COFi Council are to:

1. Engage in a continual, cross-functional process that results in effective prioritization of institutional responses to compliance, financial, and operational risks, and consider the impact to strategic and reputational risks.

2. Ensure that the institutional perspective is always present in risk and compliance management discussions.

3. Identify strategies to address emerging risks and compliance management issues.

4. Support risk and compliance management training and outreach efforts throughout the university.

5. Provide external auditors and regulators with information about the university’s risk and compliance programs.

6. Avoid the creation of additional bureaucracy by minimizing redundancy and maximizing resources.

President’s Advisory Committee on ERM (PACERM)

PACERM, cochaired by the Provost and the Senior Vice President for Finance and Facilities, has oversight of risk assessments at the entity level. Taking a top-down view of risks and opportunities, PACERM advises the university president and other senior leaders on the management of risks and opportunities that may significantly impact strategic goals and/or priorities. They review the ERM dashboard (e.g., key risk indicators and key performance indicators). According to V’Ella Warren and Ana Mari Cauce, cochairs of PACERM in 2008–2009, PACERM “is the one place where participants set aside their individual organizational perspectives, and really think about the major risks and opportunities from an institution-wide view” (2009 ERM Annual Report, p. 6).

Internal Audit

Internal Audit provides independent verification and testing of internal controls. The department also provides administrative support and summary information to the COFi Council.


UW President and Provost

The President and Provost play a key role in acknowledging, validating, and supporting the ERM program. They verbally refer to key documents such as the ERM framework, PACERM and COFi Council charters and assessments, and the ERM dashboard. They provide entity-level reporting to the Regents.

UW’S ERM MODEL

After a careful review of models in the corporate sector and within higher education, UW settled on the following regarding its ERM model:

• Assess risks in the context of strategic objectives, and identify interrelation of risk factors across the institution, not only by function.
• Cover all types of risk: compliance, financial, operational, and strategic.
• Foster a common awareness that allows individuals to focus attention on risks with strategic impacts.
• Enhance and strengthen UW’s culture of compliance while protecting the decentralized, collaborative, entrepreneurial nature of the institution.

Adopting and Adapting the COSO Model

UW has defined ERM according to its interpretation of the Committee of Sponsoring Organizations (COSO) model, adapting the framework to fit the university environment and the UW in particular (see Exhibit 9.9). COSO describes ERM

Exhibit 9.9 University of Washington’s ERM Integrated Framework (figure: the University of Washington Enterprise Risk Management – Integrated Framework “cube.” Front face, ERM Process: Leadership, Culture, Values; Strategic Goals; Risk / Opportunity Identification; Risk / Opportunity Assessment; Response; Control Activities; Information & Communication; Monitoring & Measuring. Top face, Risk Categories: Compliance, Operations, Financial, Strategic, Mega. Right side, UW Environment: Alternatives, Unit Level, Division or Function Level, Entity Level.) From University of Washington Enterprise Risk Management Toolkit, p. 7. Copyright 2007, University of Washington.


as “a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives” (COSO 2004). The framework was adopted in 2009–2010, and the 2010 ERM Annual Report notes:

The UW ERM Integrated Framework offers a schema to integrate the views of risk that have historically been addressed in silos or through a fragmented approach. The ERM framework bridges the gap between lower-level issues and upper-level issues, and it allows us to be explicit about the multiple levels on which the ERM process is deployed as a risk and/or opportunity management mechanism. (p. 4)

Risk Categories

The top of the cube identifies risk types, including compliance, operations, and financial risks. Strategic risks can impact the mission. Mega risks are major external events over which the institution has no control, but for which the institution can prepare.

UW Environment

The right side of the cube views the organizational structure at three levels: entity, which entails all operations and programs; division or function, looking at a major risk in depth; and unit, where individual departments can use the tools to assess their risks. A fourth level of ERM used in the UW environment is to evaluate alternatives.

ERM Process

The front of the cube outlines the traditional eight steps from the COSO model, including setting the tone and context for ERM at the top, identifying risks in conjunction with strategic goals, and through the complete cycle with implementation and follow-up.

The report notes:

UW’s “cube” integrates the several ERM facets into a whole, and enables ERM to be applied in a very intentional manner: Starting any new risk assessment requires identifying the appropriate level of the organization or environment at which the assessment will be made; focusing on which set of risks (compliance—strategic—mega risks) to cover; and applying all the steps in the ERM cycle to ensure a complete assessment and follow through.

The UW views ERM as integrating risk discussions into strategic deliberations and identifying the interrelation of risk factors across activities. Using the COSO model, its eight-step process involves the following (see Exhibit 9.10):

1. Leadership, culture, and values. Setting the tone at the top.

2. Strategic goals. At the entity or institutional level (top down), the division or function level (risk topic across shared goals of VPs and deans—“middle up”), the unit level (such as a department, school, or college—bottom up), or the alternatives level (investment alternatives or business options).


Exhibit 9.10 University of Washington ERM Process (figure: the ERM Process cycle of Leadership, Culture and Values; Strategic Goals; Risk Identification; Risk Assessment; Controls; Response; Monitoring and Measuring; Information and Communication). From University of Washington Enterprise Risk Management Toolkit, p. 8. Copyright 2007, the University of Washington.

3. Risk identification. In the appropriate context, name the harm, loss, or compliance violation to avoid, as well as the opportunities to be identified. This typically begins with listing broad risk activities or subject areas. Risks can be identified at the entity, division, functional, unit, or alternatives level. This process includes the use of risk statements and opportunity identification.

4. Risk assessment. In the appropriate context, analyze the risk or opportunity in terms of likelihood and impact (see Exhibit 9.11). Create a risk map, ranking or prioritizing risks to inform decisions regarding response. For opportunities, rate the likelihood of occurrence on a scale of 1 to 5 (1 = rare, not expected to occur in the next five years; 5 = almost certain, expected to occur more than once per year). Also rank the positive impact, considering what impact the opportunity would have on the institution’s ability to achieve goals or objectives (1 = insignificant, with little or no impact on objectives and no impact to reputation and image; 5 = outstanding, could significantly enhance the capability to meet objectives and could significantly enhance reputation and image).

5. Response. Selecting the appropriate response involves comparing the cost of implementing the option against benefits derived from it. Responses include avoid, mitigate, transfer, or accept the risk. For opportunities, the response can be exploit, enhance, share, or ignore.

6. Controls. Document internal controls for top risks, and rank for effectiveness. For UW, internal controls are narrowly defined to describe the methods used by staff or faculty that help ensure the achievement of goals and objectives, such as policies, procedures, training, and operational and physical barriers.


Exhibit 9.11 University of Washington Risk Assessment: Likelihood and Impact (cell values are likelihood multiplied by impact)

                                      LIKELIHOOD
IMPACT               Rare   Unlikely   Possible   Likely   Almost Certain
                     - 1 -   - 2 -      - 3 -      - 4 -      - 5 -
Catastrophic  - 5 -    5      10         15         20         25
Disastrous    - 4 -    4       8         12         16         20
Serious       - 3 -    3       6          9         12         15
Minor         - 2 -    2       4          6          8         10
Insignificant - 1 -    1       2          3          4          5

Risk Level     Score Range
Extreme        19.5 – 25
High           12.5 – 19.4
Substantial     9.5 – 12.4
Medium          4.5 – 9.4
Low               1 – 4.4

From University of Washington Enterprise Risk Management Toolkit, p. 17. Copyright 2007, the University of Washington.

7. Information and communication. Communicate with stakeholders and take action (the transition from analysis to action). Designate a risk owner for each of the top risks.

8. Monitoring and measuring. Monitor performance to confirm achievement of goals and objectives, and monitor risk to track activities that prevent achievement of goals and objectives.
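The likelihood-and-impact scoring of step 4 and the 5 × 5 map of Exhibit 9.11, worked on a constructed risk register, as an added example that is not code from the chapter or from the UW Toolkit. Averaging several assessors’ ratings for one risk statement is an assumption introduced here to explain the map’s non-integer band boundaries; the risk statements and ratings are constructed sample input.

```python
"""Score and rank risk statements on the UW 5 x 5 likelihood / impact map.

Added example; it is not code from the chapter or from the UW ERM Toolkit.
The scales and score-range bands are copied from Exhibit 9.11. The list of
risk statements and the per-assessor ratings are constructed sample input.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean

# Likelihood scale: 1 = rare (not expected in the next five years) ... 5 = almost certain.
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
# Impact scale, from the vertical axis of the map.
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Serious", 4: "Disastrous", 5: "Catastrophic"}

# Score ranges from Exhibit 9.11, checked from the highest band down.
# Each tuple is (inclusive lower bound, risk level).
BANDS = [
    (19.5, "Extreme"),
    (12.5, "High"),
    (9.5, "Substantial"),
    (4.5, "Medium"),
    (1.0, "Low"),
]


def score(likelihood: int, impact: int) -> int:
    """Cell value of the 5 x 5 map: likelihood multiplied by impact (1..25)."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must both be integers 1-5")
    return likelihood * impact


def risk_level(s: float) -> str:
    """Map a score to the Exhibit 9.11 risk level (Low ... Extreme)."""
    for lower, name in BANDS:
        if s >= lower:
            return name
    raise ValueError(f"score {s} is below the map's minimum of 1")


def build_map() -> dict[tuple[int, int], int]:
    """Rebuild all 25 cells of the map, keyed by (likelihood, impact)."""
    return {(l, i): score(l, i) for l in LIKELIHOOD for i in IMPACT}


@dataclass
class RiskStatement:
    statement: str
    # One (likelihood, impact) pair per assessor on the temporary assessment team.
    ratings: list[tuple[int, int]]

    def average_score(self) -> float:
        # Assumption (not stated on the page): a team's individual scores are
        # averaged. That is why band boundaries such as 12.5 - 19.4 can be
        # non-integers even though every single cell of the map is an integer.
        return float(mean(score(l, i) for l, i in self.ratings))


def rank_risks(risks: list[RiskStatement]) -> list[tuple[str, float, str]]:
    """Return (statement, average score, level) rows, highest score first."""
    scored = [
        (r.statement, round(r.average_score(), 1), risk_level(r.average_score()))
        for r in risks
    ]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample register written in the UW "risk statement" style.
SAMPLE_RISKS = [
    RiskStatement("Extended reduction in state funding forces cuts to core programs",
                  [(5, 4), (5, 5)]),
    RiskStatement("Unpatched research servers are compromised, exposing human-subjects data",
                  [(4, 4), (3, 5), (4, 5)]),
    RiskStatement("Key faculty are recruited away by peer institutions",
                  [(4, 3), (3, 3)]),
    RiskStatement("Payroll system outage delays pay for staff and students",
                  [(2, 3)]),
    RiskStatement("Minor laboratory safety incident with no injury",
                  [(3, 1), (2, 2)]),
]

if __name__ == "__main__":
    # Prints the register ranked for the risk map, top risk first.
    for statement, avg, level in rank_risks(SAMPLE_RISKS):
        print(f"{avg:5.1f}  {level:<12} {statement}")
```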

Tools and Techniques

As its ERM program has developed and evolved, UW has learned from its experience and is positioned to share information not only internally, but with others in higher education as well. The university has developed a comprehensive Enterprise Risk Management Toolkit, copyrighted in 2007, with the second edition released in 2010. The second edition includes an expanded section on the ERM process and has new material on evaluating opportunities. It comprises a manual and a set of spreadsheets that provide a framework for assessing and understanding institutional risks. The UW allows access to the Toolkit for UW staff, faculty, and students, federal agencies, Washington State agencies, and other institutions of higher education at no charge through the UW Center for Commercialization Express Licensing Program.

As is typical with most universities, the tools utilized by UW for conducting the risk assessment process are Microsoft Office products. Excel is used to catalog


risk assessment inventories and Word for report writing. While the administrators have explored many options for software to aid in the process (and to potentially provide outcomes such as dashboards), they find that, having been developed in the corporate for-profit environment, none of those options are particularly suited to capturing the needs of the higher education environment. They note, however, that at the unit level, many departments are investing in unit-specific software to aid in their data management. For example, the Finance and Budgeting Office is investigating software to run stress tests and financial simulations, and the Human Resources Office is examining payroll software. This allows the units to be able to more quickly evaluate risk specific to their areas, but UW finds that its ability to aggregate risks for examination at the entity level can be accomplished effectively with its low-tech process.

OUTCOMES AND LESSONS LEARNED

UW administrators can chart the evolution of their ERM program and the effect it has had on the university. They note that the early wins were at the unit level, when specific departments, such as Information Security and Environmental Health and Safety, integrated the ERM process with their well-established strategic planning processes. Those units used the risk assessment tools to identify and rank risks that could hinder or prevent the achievement of their strategic goals. Integration of ERM at the entity level is happening more slowly, but issues that impact everyone at the UW, such as faculty recruitment and retention or responding to the external financial crisis, now can happen in a more integrated fashion as the understanding of ERM evolves. For several years, due to severe budget reductions, the Office of Planning and Budgeting consciously added some questions about risk assessment into the budget request process. Vice presidents and deans were asked to address the impact of budget reductions in terms of risk. This happened, in part, because two key members of the Budget and Planning Office, as well as the Provost, have been involved with the PACERM.

UW administrators have a few other observations about their process and how and why it has worked. First, they note that they were aware from the outset that the environment at UW is highly decentralized and that appointing an “ERM czar” or chief risk officer (CRO) wouldn’t fit with the culture. They made a deliberate choice not to formalize ERM through a senior-level position, but rather to engage in implementation through a committee structure. Second, they involved faculty members from the beginning. This helped with a sense of shared purpose. Faculty members came to see the business side of academia, and staff and administrators better understood the point of view of scholars engaged in teaching and learning. Third, the senior leadership has stayed dedicated to the ERM process, even with transitions in the president and other senior administrators. The 2011 ERM Annual Report points out the benefits to the UW of the ERM approach:

The value of ERM is both qualitative (e.g., risk and opportunity maps) and quantitative (e.g., dashboards to contextualize and display metrics). Qualitative benefits accumulate because the risk mapping process allows groups throughout the University to collectively prioritize issues, and ensure that the effort and resources involved in root cause analysis, measurement, and monitoring are applied only


to the most significant concerns. Each iteration of the ERM process results in new capabilities, and insight gained into maintaining the University’s competitive advantage—particularly from managing our financial risks and strategic opportunities better than our peers. (p. 5)

UW has been strategic, deliberate, and inclusive as it continues on its journey to develop and enhance its ERM program, learning lessons from what works and adapting new strategies in order to improve or modify its program. ERM began at UW in 2006 “by establishing a collaborative approach and structure to consider broad perspectives in identifying and assessing risk” (2012 Annual Report, p. 3). This strategy has helped UW overcome some of the traditional challenges facing universities when implementing ERM, including addressing concerns about the real effectiveness of risk assessment, getting agreement on definitions of risk assessment impact, identifying risk owners, and moving beyond the “risk discussion” to focus on mitigation (2012 Annual Report, p. 3). In her November 2012 presentation on UW’s ERM program to the Pacific Northwest Enterprise Risk Forum, Ann Anderson, Associate VP and Controller, outlined the following seven key lessons that UW has learned by engaging in ERM for almost eight years:

1. Clarify the roles of the various risk committees.

2. Develop a “work plan” for the committees.

3. Develop engaging agendas, focused at the appropriate level.

4. Don’t overemphasize “lowest common denominator” risks.

5. Gather data/information to develop expertise on specific risks.

6. Avoid discussing low-level, narrow risks—too time-consuming!

7. Don’t get into the weeds with implementation and process. Delegate actions to responsible parties.

WHAT NEXT?: CURRENT PRIORITIES AND FUTURE DIRECTION

As the 2010 ERM Annual Report points out, the process of involving people in risk assessments, even with the most well-developed risk assessment tools, is only part of the process. “Successfully maintaining a large-scale organizational initiative such as ERM requires a comprehensive, broad based approach that is widely understood and used regularly to clearly articulate where risks and opportunities exist throughout the University” (p. 4). As ERM moves forward at UW, the focus is on a “greater refinement of institutional success metrics, increased assessments of risks identified, and continued expansion across the university to incorporate risk assessment into decision-making and strategic planning” (2012 Annual Report, p. 2). The objectives for 2013–2014 are: (1) strengthen oversight of the top risks and (2) enhance coordination and integration of ERM activities with decision-making processes. Several initiatives will help UW achieve these objectives, including seeking input and approval from the PACERM in order to elevate the monitoring of the top risks; a comparison of the institutional-level risks with unit-level risks; the development of quantitative visual representations of the risks, metrics, and targets; engaging the community more broadly in risk management; integrating risk


management with the budget and planning cycle for the university; a retrospective analysis of risks and mitigation investments; and a forward-looking analysis to highlight gaps and areas of concern. They are also in the process of developing specific deliverables and measures as indicators of success, such as executive-level risk registers, dashboards of key risks, and a foundation and structure to integrate risk maps and dashboards with the planning and budgeting cycle.

CONCLUSION

UW’s ERM implementation process and lessons learned are consistent with the guidance offered by the National Association of College and University Attorneys (NACUA). In a 2010 conference presentation, NACUA identified the following eight critical success factors:

1. Establish the right vision and realistic plan.

2. Obtain senior leadership buy-in and direction.

3. Align with mission and strategic objectives.

4. Attack silos at the outset.

5. Set objectives and performance indicators.

6. Stay focused on results.

7. Communicate vision and key outcomes.

8. Develop a sustainable process versus a one-time project.

While complex and time-consuming, effective development of a culture-specific ERM program can have positive outcomes for colleges and universities. Institutions such as UW that view ERM as a long-term investment in institutional health, rather than a fad or simply a set of tools (such as spreadsheets and heat maps), position themselves well not only to respond to the external demands from credit ratings agencies, accreditors, and federal regulators, but to situate themselves to make key strategic decisions, informed by both quantitative and qualitative data, to enhance their organization, leading to increased enrollment and graduation and strategic disbursement of resources for teaching and research, as well as increasing the likelihood that, due to their integrated, proactive approach, they will avoid future compliance scandals. Perhaps the two most important deliverables on UW’s 2013–2014 agenda are those that demonstrate its awareness of the importance of the human resources component in its collegial environment: outreach to faculty and other administrators to obtain broader validation of risks and to identify additional mitigation activities, and an iterative process to involve senior leaders, the Provost, the President, and the Regents in monitoring the top risks. Through this process, UW is building a culture not only of compliance, but of shared responsibility for the future health of the university.

QUESTIONS

1. How does ERM adoption and implementation in the higher education environment differ from the for-profit environment?

2. What type of culture is at the University of Washington? Why is culture important to consider when implementing ERM?


3. What were some of the key factors in the early stages of UW’s ERM adoption and implementation that led to its current success within the organization?

4. Why did UW decide to adopt a committee structure to administer its ERM program rather than designate a senior level Chief Risk Officer?

5. Who are some of the key players involved in the decision-making about the ERM model and its current administration?

NOTES

1. Many colleges and universities were affected by Hurricane Katrina in the New Orleans area (see the American Association of University Professors [AAUP] Special Committee Report on Hurricane Katrina and New Orleans Universities at https://portfolio.du.edu/downloadItem/92556). The independent report by Louis Freeh and his law firm, Freeh Sporkin & Sullivan, LLP, documents the facts and circumstances of the actions of Pennsylvania State University surrounding the child abuse committed by a former employee, Gerald A. Sandusky (available at http://progress.psu.edu/the-freeh-report). The AAUP’s Committee on College and University Governance reported on breakdowns in governance at the University of Virginia as the board attempted to remove president Sullivan (www.aaup.org/report/college-and-university-governance-university-virginia-governing-board). American University trustees removed then president Ladner in 2005 after investigation of expense abuses of university funds (http://usatoday30.usatoday.com/news/education/2005-10-11-au-president_x.htm). The most tragic of these situations was, of course, the shootings at Virginia Tech on April 16, 2007. On December 9, 2010, the U.S. Department of Education issued a final ruling that Virginia Tech had violated the Clery Act by failing to issue a “timely warning” to students and other members of the campus community following the initial shootings early on the morning of April 16, 2007. In commenting on the verdict, Stetson Professor of Law Peter Lake stated, “Higher education is under the microscope now. The accountability level has definitely changed” (S. Lipka, “Jury Holds Virginia Tech Accountable for Students’ Deaths, Raising Expectations at Colleges,” Chronicle of Higher Education, March 14, 2010).

2. In order to disperse federal financial aid and grant degrees, institutions in the United States are accredited by one of several accrediting bodies. One example of the way in which accreditors are emphasizing risk management in their review is the Southern Association of Colleges and Schools Commission on Colleges (SACS COC) (www.sacscoc.org/) Standard 3.10.4: The institution demonstrates control over all of its physical and financial resources. The University of Virginia demonstrates evidence of this standard on its website by articulating the organizational structure and integrated policies and procedures related to internal and external audit, internal controls, fixed assets, procurement, facilities management, and risk management, among others (www.virginia.edu/sacs/standards/3-10-4.html).

3. The recent Special Comment by Moody’s, “Governance and Management: The Underpinnings of University Credit Ratings,” declares that “governance and management assessments often account for a notch or more in the final rating outcome compared with the rating that would be indicated by purely quantitative ratio analysis” (Kedem 2010, p. 1). In Moody’s consideration of five broad factors that contribute to its evaluation of governance and management, the report cites “oversight and disclosure processes that reduce risk and enhance operational effectiveness” (p. 2). The report further notes: “Effective internal controls and timely external disclosure about student outcomes, research productivity, financial performance, and organizational efficiency will become the hallmark of effective university leadership and will become increasingly critical in mitigating new risks to individual universities and the sector overall” (p. 3).

4. One significant area of change has been the Internal Revenue Service’s increased oversight of compliance issues affecting tax-exempt entities, including colleges and universities. In 2008, under prompting by members of the U.S. Senate Finance Committee, the IRS developed a 33-page compliance questionnaire (IRS Form 14018) and sent it to a cross section of 400 institutions of higher education. The form focused on a number of potentially sensitive subjects, including the types and amounts of executive compensation, the investment and use of endowment funds, and the relationship between an institution’s exempt activities and other taxable business activities. The IRS also revised its Form 990, “Return of Organization Exempt from Income Tax,” beginning with the 2008 tax year. The purpose of the changes is to increase the transparency and accountability of tax-exempt organizations and to ensure compliance with the Internal Revenue Code by requiring more detailed information in several categories. The changes focus not only on revenue, investment, and spending issues, but also on governance, conflicts of interest, and whistle-blower policies and procedures.

5. Based on a March 13, 2012, phone interview.

6. The Higher Education Act, up for renewal again in 2014, is a law almost 50 years old that governs the nation’s student-aid programs and federal aid to colleges. It was signed into law in 1965 as part of President Johnson’s Great Society agenda of domestic programs, and it has been reauthorized nine times since then, most recently in 2008. Additional examples at the federal level include Section 504 of the Rehabilitation Act of 1973, the Americans with Disabilities Act (ADA) (1990), Family Educational Rights and Privacy Act (FERPA) (1974, 1998, 2009), Health Insurance Portability and Accountability Act (HIPAA) (1996), Clery Act (1990), and Campus Sex Crimes Prevention Act (2000), among others. Lawsuits brought against institutions of higher education in which they and/or certain administrators at those institutions are accused of violating a particular federal law or a related legal right can lead to case decisions that impact that institution and perhaps others. Lawsuits can also have a significant impact even if they result in a settlement rather than a court decision. In May 2006, a group of 12 current and former deaf students at Utah State University sued the institution in U.S. District Court alleging that it had violated the Rehabilitation Act and the ADA by failing to provide enough fully qualified interpreters. The lawsuit also named the Utah State Board of Regents as defendants. After negotiations, the lawsuit was settled in April 2007 with the university agreeing to hire qualified, full-time interpreters at a ratio of one translator for every two deaf students. The lawsuit, the issues it raised, and its ultimate resolution received significant media attention, as well as attention from various organizations around the country promoting the interests of students who are deaf or have hearing deficiencies.

7. Mitroff, Diamond, and Alpaslan (2006) note that “colleges and universities are in the very early stages of establishing their crisis management programs, and much remains to be done. The recent experience in New Orleans and elsewhere suggests that developing and maintaining a well-functioning crisis management program is an operational imperative for college and university leaders” (p. 67).

8. One of those administrators was Elizabeth Cherry, Director of Risk Management, from the University of Washington (UW). As will be discussed in the case study, the UW was embroiled in several high-profile risk situations at the time and was undergoing the first of several presidential transitions.

9. See A. P. Liebenberg and R. E. Hoyt, “The Determinants of Enterprise Risk Management: Evidence from the Appointment of Chief Risk Officers,” Risk Management and Insurance Review 6:1 (2003): 37–52. Their study uses a logistic model to examine the characteristics of firms that adopt ERM programs, most of which signal the fact that they have an ERM program through the hiring of a CRO.


10. Many thanks to Andrew Faris, Enterprise Risk Management Analyst at the University of Washington, and Kerry Kahl, ERM Project Manager at UW. They provided information via an interview in April 2012 that is incorporated throughout this case study. Additional information for the case study comes from Annual Reports, memos, and other documents found on the University of Washington ERM website: http://f2.washington.edu/fm/erm.

REFERENCES

Abraham, Janice. 2013. Risk Management: An Accountability Guide for University and College Boards. Washington, DC: Association of Governing Boards of Universities and Colleges and United Educators.

American Society of Mechanical Engineers–Innovative Technologies Institute, LLC. 2010. A Risk Analysis Standard for Natural and Man-Made Hazards to Higher Education Institutions. Washington, DC: American National Standards Institute.

Arena, M., M. Arnaboldi, and G. Azzone. 2010. “The Organizational Dynamics of Enterprise Risk Management.” Accounting, Organizations and Society 35:7, 659–675.

Association of Governing Boards of Universities and Colleges and United Educators. 2009. The State of Enterprise Risk Management at Colleges and Universities Today. Available at www.agb.org.

Barnds, W. Kent. 2011. “The Risky Business of the Strategic Planning Process.” University Business. Available at www.universitybusiness.com/article/risky-business-strategic-planning-process.

Birnbaum, Robert. 1988. How Colleges Work: The Cybernetics of Academic Organization and Leadership. San Francisco: Jossey-Bass.

Bolman, Lee G., and Terrence E. Deal. 2008. Reframing Organizations: Artistry, Choice and Leadership. San Francisco: Jossey-Bass.

Bush, Tony. 2011. Theories of Educational Leadership and Management (4th ed.). London: Sage Publications.

Cassidy, D. L., L. L. Goldstein, S. L. Johnson, J. A. Mattie, and J. E. Morley Jr. 2001. “Developing a Strategy to Manage Enterprisewide Risk in Higher Education.” National Association of College and University Business Officers and PricewaterhouseCoopers. Available at www.nacubo.org/documents/business_topics/PWC_Enterprisewide_Risk_in_Higher_Educ_2003.pdf.

Chan, Sharon Pian. 2004. “UW Failed to Address Overbilling, Probe Finds.” Seattle Times, May 1, 2004. Available at http://seattletimes.com/html/localnews/2001917467_uwmed01m.html.

Chang, Jean. 2012. Skype interview, March 2.

Committee of Sponsoring Organizations of the Treadway Commission. 2004. Enterprise Risk Management—Integrated Framework. Available at www.idkk.gov.tr/html/themes/bumko/dosyalar/yayin-dokuman/COSOERM.pdf.

Committee of Sponsoring Organizations of the Treadway Commission. 2011. Internal Control—Integrated Framework. Available at www.coso.org/documents/coso_framework_body_v6.pdf.

Freeh, Sporkin & Sullivan, LLP. 2012. “Report of the Special Investigative Counsel Regarding the Actions of the Pennsylvania State University Related to the Child Sexual Abuse Committed by Gerald A. Sandusky,” July 12. Available at http://progress.psu.edu/the-freeh-report.

Gallagher Higher Education Practice. 2009. “Road to Implementation: Enterprise Risk Management for Colleges and Universities.” Arthur Gallagher & Co. Available at www.nacua.org/documents/ERM_Report_GallagherSep09.pdf.

Grant Thornton LLP. 2011. “Best-Practice Tips for Boards, Presidents and Chancellors Regarding Enterprise Risk Management.” OnCourse, January. Retrieved from www.grantthornton.com/staticfiles/GTCom/Not-for-profit%20organizations/On%20Course/On%20Course%20-%20Jan%2011%20-%20FINAL.pdf.

Grasgreen, Allie. 2013. “Report Shows How Rutgers Botched Handling of Former Coach, Reiterates 5-year-old Recommendations to Improve Athletics.” Inside Higher Education. Available at www.insidehighered.com/news/2013/07/23/report-shows-how-rutgers-botched-handling-former-coach-reiterates-5-year-old.

Gurevitz, Susan. 2009. “Manageable Risk.” University Business. Available at www.universitybusiness.com/article/manageable-risk.

Helsloot, I., and W. Jong. 2006. “Risk Management in Higher Education and Research in the Netherlands.” Journal of Contingencies and Crisis Management 14:3.

Huber, C. 2009. “Risks and Risk-Based Regulation in Higher Education Institutions.” Tertiary Education and Management 15:2.

Kedem, K. 2010. “Special Comment: Governance and Management: The Underpinnings of University Credit Ratings.” Moody’s Investors Service, Report 128850.

Mitroff, I. I., M. A. Diamond, and M. C. Alpaslan. 2006. “How Prepared Are America’s Colleges and Universities for Major Crises?: Assessing the State of Crisis Management.” Change 38:1, 61–67.

National Association of College and University Business Officers and the Association of Governing Boards of Universities and Colleges. 2007. “Meeting the Challenges of Enterprise Risk Management in Higher Education.” Available at www.ucop.edu/riskmgt/erm/documents/agb_nacubo_hied.pdf.

Nelson, John. 2012. Phone interview, March 13.

Stripling, Jack. 2012. “Penn State Trustees Were Blind to Risk, Just Like Many Boards.” Chronicle of Higher Education, July 12. Available at http://chronicle.com/article/Penn-State-Trustees-Were-Blind/132943/.

Tertiary Education Quality and Standards Agency. 2013. Available at www.teqsa.gov.au/.

Tufano, Peter. 2011. “Managing Risk in Higher Education.” Forum Futures. Available at http://net.educause.edu/ir/library/pdf/ff1109s.pdf.

University Risk Management and Insurance Association. 2007. “ERM in Higher Education.” Available at www.urmia.org/library/docs/reports/URMIA_ERM_White_Paper.pdf.

Whitfield, R. N. 2003. “Managing Institutional Risks: A Framework.” Doctoral dissertation. Retrieved from ProQuest Dissertation and Theses database, AAT 3089860.

Willson, C., R. Negoi, and A. Bhatnagar. 2010. “University Risk Management.” Internal Auditor 67:4, 65–68.

Wilson, Richard. 2013. “Managing Risk.” Inside Higher Education, May 20. Available at www.insidehighered.com/blogs/alma-mater/managing-risk.

ABOUT THE CONTRIBUTOR

Anne E. Lundquist has had 20 years of increasing administrative responsibilities in higher education, having served as the dean of students at four liberal arts colleges. She received a BA in religious studies from Albion College and an MFA in creative writing from Western Michigan University. Currently, she is a PhD candidate in the Educational Leadership program at Western Michigan University with a concentration in higher education administration, where she works with the vice president of student affairs on student affairs assessment and strategic planning and with the internal auditor and University Strategic Planning Committee on ERM implementation. Her dissertation research study is titled “Enterprise Risk Management (ERM) in Colleges and Universities: Administration Processes Regarding the Adoption, Implementation and Integration of ERM.” Using her expertise in several areas, she has presented and been the author of articles on risk management, institutional liability, students with psychiatric disabilities, assessment and strategic planning, intercultural competence, and the development and implementation of integrated community standards/restorative justice judicial models. She is the coauthor of The Student Affairs Handbook: Translating Legal Principles into Effective Policies (LRP Publications, 2007). She has had three recent risk management publications in peer-reviewed journals: URMIA Journal (2011, 2012) and New Directions for Higher Education, Special Issue, Disability and Higher Education (with Allan Shackelford, July 2011).

Special thanks to Andrew Faris, Enterprise Risk Management Analyst at the University of Washington, for sharing information about the university’s ERM pro- cess, answering questions, and providing material for the case study.


CHAPTER 10

Developing Accountability in Risk Management The British Columbia Lottery Corporation Case Study

JACQUETTA C. M. GOY Director of Risk Management Services, Thompson Rivers University, Canada and Former Senior Manager, Risk Advisory Services, British Columbia Lottery Corporation

This case study describes how enterprise risk management (ERM) has developed over the past 10 years at British Columbia Lottery Corporation (BCLC), a Canadian crown corporation offering lottery, casino, and online gambling. BCLC’s enterprise risk management program has been developed over time through a combination of internal experiential learning and the application of specialist advice. The program’s success has been due to the dedication of a number of key individuals, the support of senior leadership, and the participation of BCLC employees.

The approach to ERM has evolved from informal conversations supported by an external assessment, through a period of high-level corporate focus supported by a dedicated group of champions using voting technology, to an embedded approach, where risk assessment is incorporated into both operational practice and planning for the future using a variety of approaches depending on the context.

BACKGROUND

BCLC is a crown corporation operating in British Columbia (BC), Canada. The corporation was established by act of the British Columbia legislature in 1985. As a commercial crown corporation, BCLC is wholly owned by the province but operates at arm’s length from government, enjoying operational autonomy while reporting to the minister responsible for gaming, currently the Finance Minister. All profits generated by BCLC go directly to the provincial government. The initial remit of the corporation was to operate the lottery schemes previously administered for British Columbia by the Western Canada Lottery Corporation. In 1997, BCLC was given responsibility to conduct and manage slot machines, and in 1998 the corporation’s remit broadened again with additional responsibilities for


table games in casinos. In 2004 an online service, PlayNow (www.playnow.com), was launched.

BCLC has been a highly successful organization for over 28 years, delivering over $15.7 billion in net income to the province of British Columbia. Through April 2012 to March 2013 more than $1 billion in gambling proceeds helped fund health care, education, and community programs in British Columbia (BCLC Annual Service Plan Report 2012/2013). BCLC operates the provincial lottery and instant games and provides national lottery games through the Interprovincial Lottery Corporation. Across the province, BCLC manages 17 casinos (15 casinos plus two casinos at racetracks), 19 community gaming centers, and six bingo halls through a number of private-sector service providers. PlayNow, BCLC’s legal online gambling website, offers lottery, sports, bingo, slot, and table games, including online poker. BCLC employs about 850 corporate staff with more than 37,000 direct and indirect workers employed in British Columbia in gambling operations, government agencies, charities, and support services.

BCLC’s mandate is to “conduct and manage gambling in a socially responsible manner for the benefit of British Columbians” with a vision that “gambling is widely embraced as exceptional entertainment through innovation in design, technology, social responsibility, and customer understanding.” The organization holds the following values as key to its success:

• Integrity: The games we offer and the ways we conduct business are fair, honest, and trustworthy.

• Social Responsibility: Everything we do is done with consideration of its impact on and for the people and communities of British Columbia.

• Respect: We value and respect our players, service providers, and each other.

BCLC believes that playing fairly is a serious responsibility and an empowering opportunity. A commitment to social, economic, and environmental responsibility is central to everything the organization undertakes, and is reflected in the BCLC slogan, “Playing it right.” BCLC strives to create outstanding gambling experiences with games evolving with the player’s idea of excitement. For BCLC, playing is not all about winning; it’s about entertainment.

THE BEGINNINGS OF THE RISK MANAGEMENT JOURNEY

BCLC began its enterprise risk management journey in 2003 with the initiation of an Enterprise-wide Risk & Opportunity Management (EROM) initiative. The impetus for the initiative was twofold—the 2002 inclusion of risk management in the British Columbia Treasury Board’s Core Policy and Procedures Manual and BCLC’s head of Audit Services championing the need for enterprise risk management (ERM).

As a first step, an external consulting firm was contracted to undertake an enterprise-wide risk assessment and to support the Internal Audit team in developing the skills and resources to manage the new ERM program. Interviews and facilitated workshops at management and executive levels were conducted, a risk dictionary was constructed, and the highest risks were identified. The assessment focused on inherent risk compared with an evaluation of management effectiveness to produce a gap analysis, and there was also a discussion around risk tolerance. A final report was produced (Deloitte and Touche 2003), and advice was also provided on potential next steps for the program.

Although the EROM initiative was well received, financial constraints put a hold on the subsequent business case. As a result, the plan to take the program forward through the appointment of a dedicated risk manager and funding for training of a number of risk champions was not implemented at that time.

LEARNING FROM THE FIRST ERM INITIATIVE

The initial assessment provided a strong starting point for the BCLC ERM program, but even though the engagement was originally intended to be the first part of a longer-term initiative, there was insufficient impetus to put the program into operation in the face of competing priorities. This is not an unusual outcome: although using a consultant to kick-start programs can leverage experience and expertise that organizations may not otherwise have access to, using an external party contracted for a defined period of time can also lead to a project-type approach, where the focus is more on getting the risk assessment completed and less on longer-term implementation. In addition, it may be easier to source short-term consultancy fees than it is to obtain longer-term resourcing commitments.

Another issue can arise where consultants bring in defined methodologies that do not easily fit with the organization’s normal approach to decision making or where participants do not understand the underlying process, and so do not fully endorse and own the outcome. To overcome this issue, the consultants worked closely with the BCLC Internal Audit team with part of the stated purpose of the engagement being to build risk management expertise within BCLC.

RESTARTING THE PROGRAM—2006–2008

In early 2006, the head of Audit Services’ proposal to update the 2003 risk assessment was endorsed by BCLC’s executive team. Audit Services facilitated an assessment of critical strategic and operational risks facing BCLC, by developing a set of risks for analysis through consultation with the executive team, preparing an environmental scan, and concluding with a facilitated risk workshop to evaluate and prioritize each risk. The initiative was strongly informed by the successful ERM program being run at that time by another Canadian lottery organization, the Atlantic Lottery Corporation.

The intended outcome of the 2006 assessment was to inform the three-year-old audit plan, to develop new risk criteria, and to raise awareness about the importance of risk management. The success of the exercise led to the development and acceptance of a business case in August 2006 to resource a part-time risk manager, responsible for putting into operation the risk management program. This approach was endorsed by the CEO as part of an organization-wide initiative to develop and embed a high-performance culture across BCLC.


Exhibit 10.1 2006 ERM Organizational Structure (diagram; elements as listed, top to bottom): Board of Directors via Audit Committee; Executive; Executive Sponsor; ERM Advisory Team; Enterprise Risk Manager; Audit Services.

Leadership for the initiative was assigned to an executive sponsor. In the first instance, this was the chief information officer.

A cross-functional leadership team model was also approved, to be known as the ERM Advisory Team, responsible for oversight and approval of recommendations on behalf of the Executive Committee and consisting of the executive sponsor and a small number of key directors from each BCLC division. Operational support was provided by Internal Audit. The organizational structure is shown in Exhibit 10.1.

It is not entirely clear why the 2006 risk assessment exercise led to support for an ongoing ERM program while the 2003 initiative did not. The head of Internal Audit championed both initiatives, and the earlier risk assessment activity was well received. The consultants reporting in 2003 stated that “the culture in BCLC is proactive and is ideally suited to the EROM’s philosophy and benefits.” Executive response to both initiatives was largely positive. There does not appear to have been a so-called burning platform created in 2006; it was more a growing recognition that the time was right to adopt a more formal approach to ERM. It may be that increasing recognition of the importance of managing risk across North America with the introduction of Sarbanes-Oxley requirements1 and publication of COSO’s ERM Integrated Framework in 2004 influenced senior management. Or it could be that the simple iterative approach adopted by the head of Internal Audit when he decided to update the 2003 risk assessment (“Start slow and at the top, get learning and feedback, and then take down the ladder”) demystified the concept and increased engagement. Regardless, 2006 marked a new start for ERM, and the genesis of the current BCLC program.


KEY STEPS IN THE DEVELOPMENT OF THE ERM PROGRAM

For the second risk assessment, a streamlined process was adopted. Rather than starting with the risk statements from the dictionary, each VP was simply asked to identify their top three strategic and operational risks, with the results analyzed, combined, and allocated into the 2006 categories.

The resulting 37 risks were brought to two executive-level workshops and, as with the 2003 assessment, voting technology was used for prioritization. Nine critical risks were identified and taken forward to be integrated into the audit plan. One key difference from the 2003 assessment was the development of BCLC-specific likelihood and consequence qualitative criteria. Of interest is the correlation between the two assessments, with only two critical risks identified in 2003 not appearing in the critical zone in 2006, and no new critical risks introduced.

With the appointment of a dedicated Enterprise Risk Manager and the support of an executive sponsor, the launch of a formal ERM program became possible. The senior auditor from the Internal Audit team moved to the new position, bringing continuity with previous ERM initiatives. Between August and December 2006, the focus was on developing the core risk documentation, including terms of reference for the new steering group, an ERM policy, a project charter, and an initial plan. The initial areas of focus were to:

• Develop and continuously refine a practical ERM framework to support the identification and management of risk.

• Continuously manage risks, limiting exposure to an acceptable level while maximizing business opportunities.

• Embed a risk awareness that is a key component of instilling a high-performance culture.

A key feature of the new approach to ERM was the formation of the ERM Advisory Committee (known as ERMAC). The concept of ERMAC was to create risk champions, high-performing senior leaders from each division whose role would be to influence, communicate, and educate management and staff within their business areas about the benefits of risk management.

By January 2007, the new committee was established and the ERM policies and plan were in place, with proposals to embed risk management into project planning, business cases, and strategic planning under discussion.

In May 2007 a critical report about BCLC was issued by the British Columbia Ombudsman following an investigation into BCLC’s prize payout processes (BC Ombudsman 2007). The investigation was triggered by a CBC Fifth Estate investigation2 in October 2006 on issues in Ontario associated with lottery retailers winning major prizes, with the concern being that similar issues could have occurred in British Columbia. Although no incidents of wrongdoing were discovered during the investigation, the report and a subsequent audit and recommendations published by Deloitte & Touche in October 2007 marked a critical point in BCLC’s transformation into a modern player-centric organization.


For risk management, the Ombudsman’s review led to both a greater impetus and a broader focus for the program. BCLC had always considered integrity to be vital to the organization, but the fundamental goal of delivering revenue to government was often the dominant concern, and this was reflected in earlier risk assessments. With the advent of the Player First program,3 significant additional resources and oversight were now dedicated to security, compliance, and reputation management, and this increased emphasis was reflected in the risk assessment conducted by the ERMAC team in April 2007.

The basis of the assessment was the risk statements completed by the Executive Committee in 2006, with new key risks facing BCLC added through consultation with key members of each of the business/support units and incorporated into an expanded risk dictionary. Once the new risk statement descriptions were agreed on, workshops were held to assess the risk ratings, and also to determine how effective were current arrangements for managing each risk. The 12 risks with the largest gaps identified between risk rating and management effectiveness were then selected for further profiling and control analysis.

Throughout 2007, the remaining enterprise risks were profiled in order to better identify the associated causes and controls. Two further enterprise risk assessments were facilitated in 2008, and a regular quarterly risk report produced from June 2008 forward provided details of both the development of the overall program and monitoring of individual risks.

Parallel to the enterprise risk assessment, a project risk assessment approach was developed and implemented, with a number of initiatives used to facilitate risk assessments, very similar to those conducted at an enterprise level. As with the enterprise risk assessments, the risk dictionary was used to support the development of potential risk statements, which were then voted on at a facilitated meeting of the core project team. Project risk assessments were piloted with four projects in 2007, and further developed with seven project risk assessments facilitated in 2008. Although the workshops were generally felt to be productive and beneficial, the volume of risks generated meant that on occasion it was not possible to assess all the risks presented.

In May 2008, the Enterprise Risk Manager was appointed director of Audit Services. Although risk assessments continued to be supported by the Internal Audit team, the further development of enterprise risk management was constrained due to the lack of dedicated resources, as the ERM manager post was not immediately filled.

REVITALIZING THE ERM PROGRAM—2009–2010

In the fall of 2008 the position of Manager, Risk Planning and Mitigation was created and an experienced risk manager was recruited to the position in late December 2008. The original intention of the appointment was to increase focus on risk treatment strategies and business-unit-level risk management activities, with the expectation that Internal Audit would continue to develop and report on the enterprise risk management framework. In late January 2009, the director of Audit Services left BCLC and the manager of Risk Planning and Mitigation assumed responsibility for managing all aspects of the ERM program.


The new risk manager brought a more operational approach, and was able to build on the excellent foundations already established to develop a new ERM strategy and supporting plan designed to move the ERM program to the next stage of maturity.

Throughout 2009, BCLC transitioned from the previous approach, where a portfolio of enterprise risk statements was assessed at a corporate level by ERMAC members, to a specific risk register with risks evaluated and agreed on at a divisional level and significant risks then escalated to the enterprise register.

One of the first changes was to move from an assessment of inherent risk with a supplementary assessment as to whether the risk was thought to be managed effectively to the use of a residual risk assessment methodology that included a more formal assessment of the effectiveness of control mechanisms in place. The next enterprise risk assessment was conducted in March 2009, and moved from the ERMAC voting approach to assessments by individual risk owners, with the committee providing more of a quality assurance function. New risk criteria were also adopted. A significant outcome was that the majority of risks were rated at a lower impact/consequence level (18 out of 29 dropping at least one rating, and three falling from critical to low risk).

Between March and July 2009, a series of risk and controls assessment workshops were held covering all divisions. The workshops brought together either functional teams or collections of specialists in thematic sessions (for example, marketing). Close to 300 managers and staff were involved. Each group attended two workshops; the first featured an educational component, brainstorming exercises, and process mapping with threats and vulnerabilities identification, while the follow-up session looked at a number of prioritized areas of risk in more detail, with a deep-dive assessment of risks and controls. The output of the workshops was the creation of divisional risk registers. Enterprise-level risks were then extracted from the divisional registers for an organization-wide view of all significant risks.

By September 2009, risk registers were established for all divisions. The new registers were more comprehensive than the previous risk documentation, with a greater focus on risk treatment and specific individuals identified as responsible for each risk treatment plan. The risk management policy was updated and new supporting guidance published.

Through 2009 and 2010, the risk management approach was further developed and embedded. In particular, the use of risk management in business case development and project management increased, while the new registers were updated on a quarterly basis. Regular quarterly reports on the risk management program were produced for discussion by the Executive Committee and at the Audit Committee.

In the summer of 2010, the risk management policy and guidelines were updated and a new risk management strategy was produced to reflect the newly published international standard on risk management, ISO 31000:2009, Risk Management—Principles and Guidelines. BCLC had previously been using the Australian risk management standard (AS/NZS 4360:2004), so the move to the new standard was a simple transition. At the same time, the government of British Columbia endorsed the new standard across all ministries, and subsequently used the approach for a number of provincially coordinated risk management activities (for example, planning for the 2010 Winter Olympics and preparing for a potential pandemic). The policy stated: “BCLC is committed to building increased awareness and a shared responsibility for risk management at all levels of the organization, and to facilitate the integration of the management and prioritization of risks into planning and operational activities.”

The terms of reference for the ERMAC were also updated (see Exhibit 10.2), reflecting the change in practice from a single central risk assessment to the more devolved approach now in place.

Exhibit 10.2 Terms of Reference for the Enterprise Risk Management Advisory Committee

January 2007–March 2010

C. Terms of Reference
ERM Advisory Committee (“ERMAC”)

The ERMAC is an operational committee promoted and supported by the Executive to oversee the risk management process of the BCLC. The ERMAC reports to the Executive Sponsor. The ERMAC will:

• Approve a suitable risk management mandate, terms of reference, and policy for BCLC, for endorsement by the Executive
• Approve and oversee the implementation of a flexible, adaptable Risk Management process of BCLC as a whole, on behalf of Executive
• Recommend an appropriate risk appetite or level of exposure for BCLC to the Executive
• Identify and quantify fundamental risks affecting BCLC, and ensure that arrangements are in place to manage those risks
• At least annually, review fundamental risks and their controls and report to Executive
• Inform the Audit Committee on risks and controls that should be included in the Audit needs assessment, ensuring the integration of Audit Services into risk management
• Ensure that critical risks are adequately dealt with
• Help embed a risk management culture into all major decisions, through risk education, high-level controls, and procedures
• Consider major decisions affecting BCLC’s risk profile or exposure

March 2010–March 2011

C. Terms of Reference
ERM Advisory Committee (“ERMAC”)

The ERM Advisory Committee is tasked by the Executive to support the implementation of risk management across BCLC. The committee will:

• Appraise, revise, and monitor the annual risk management program;
• Review any changes to the Risk Management Policy prior to submission for approval by the Executive;
• Consider and approve procedures and guidance to support the risk management policy and process;
• Review the effectiveness of risk management processes used across BCLC;
• Help embed a risk management culture across the organization;
• Support the development of a risk management awareness and education program; and
• Provide support for the Divisional Risk Representatives, through encouraging sharing experience and enabling frank discussion of any risk-related issues arising.

From time to time the committee may also focus on a particular area of risk.


STRENGTHENING THE PROGRAM—2010–2013

In 2010, it was agreed that Internal Audit should conduct a review of the risk management program with a view to “identify any gaps and areas for improvement to ensure that the fundamental building blocks are in place to deliver on the organization’s risk management needs effectively and efficiently.” Interviews were conducted with Enterprise Risk Management Advisory Committee members, the executive team, CEO, and board and Audit Committee members.

The review found that the ERM process was well established and documented, with strong levels of support from all levels of the organization and an increasingly risk-conscious culture. However, risk management was not yet fully embedded within all of the organization’s functions. There was some variance in perceptions of risk tolerance, and in general the program was stronger on reporting risks than it was at driving change, with significant amounts of informal risk-related discussions taking place outside of the program. Senior management also reported that too many risks were escalated to them, often at a level that was perceived to be too granular or operational.

In addition to the internal review, BCLC took part in a benchmarking exercise conducted by Ernst & Young together with seven other Canadian lottery and gaming organizations. The exercise consisted of a questionnaire completed by key risk personnel at each organization facilitated by telephone interviews conducted by the E&Y team.

The results (Ernst & Young 2010) showed that BCLC was in a similar position to many of the other gaming organizations in having a relatively young ERM program. In common with much of the gaming industry at the time, BCLC’s strongest area was risk assessment, while risk tracking and the ERM structure were relatively weak (see Exhibit 10.3). The exercise included a simple self-assessment of perceived ERM maturity, where BCLC assessed itself as having risk activities in place, but that risk management was not yet consistently applied and well understood by management and employees across the organization.

[Exhibit 10.3 ERM Maturity at BCLC in 2010 (chart): organizations A–H scored on a 1–5 scale across Culture and Communication, Risk Tracking, Structure, Risk Assessment, Action Plans, and Link to Strategy, with two series, Assessed ERM maturity and Perceived ERM maturity. Level 3—In place: risk management activities are established, yet not consistently applied or fully understood by management and relevant employees in key functions/business areas. Extracted from Ernst & Young ERM Benchmarking Survey, 2010.]

The results of the internal review and the E&Y assessment were presented to BCLC’s executive team in February 2011. A number of recommendations were proposed and adopted, including strengthening senior management ownership and accountability, realigning risk criteria to better match the BCLC’s tolerance for risk across organizational objectives, and broadening the focus of the program from largely operational to a more strategic level.

In April 2011, the risk management function moved to the Finance and Corporate Services division, with the CFO taking responsibility for executive leadership of the program. The risk criteria and evaluation matrix were updated and the risk review process strengthened, establishing regular review meetings for every division whereby each division’s senior management team reported to their vice president (VP) on their risks every quarter. Risk oversight was also reviewed, and in addition to strengthening processes at a divisional level, dedicated time at executive meetings was scheduled to review the quarterly risk report prior to presentation to the Audit Committee. A key step in increasing accountability came from the formal assignment of each area of high risk to the appropriate VP, who would be responsible for reporting each risk in detail and providing a regular update on progress with the agreed treatment plans.

At this time, the ERM Advisory Committee was disbanded. While the committee of risk champions had played a significant role in coordinating initial assessment activities and in increasing the understanding of risk management across the organization in the early years of the risk management program, it was now felt that as all directors were expected to be fully conversant with risk management and with the movement of risk identification, evaluation, and reporting into mainstream management, the group no longer added significant value.

A new Risk Management Planning Group reporting to the CFO was established to align and coordinate a number of risk and compliance activities, in particular looking for synergies between the risk, business continuity, insurance, and antifraud programs. The intention of the group was to assist in the design of tools and approaches that deliver progress across the programs and also reduce managerial overload from potentially competing programs.

Over the next year, a series of risk reviews were undertaken with each division, with the aim to refresh the divisional registers and to make sure that each group reviewed both current and potential risks against both BCLC and divisional strategies. The format of the reviews varied across groups, dependent on divisional responsiveness and parallel activities. Several workshops were held with broader management teams, two were jointly coordinated with Internal Audit exercises, and one was externally facilitated. The review process further increased ownership and accountability by reinforcing the message that risk management and reporting are the responsibility of everyone throughout the organization.

In early 2012 BCLC invited an external consulting firm to look again at its ERM program, consider the progress made since the work in 2003, and make some recommendations as to next steps. In April 2012, the consultants delivered a presentation to the board on “Moving from a Risk Monitoring Organization to a Risk Intelligent Organization,” and facilitated a discussion on risk governance and oversight. It was agreed to move risk oversight from the Audit Committee to the full board, to include more formal consideration of risk in the strategic planning process, and to continue to improve risk management processes, practices, and awareness.

In the winter of 2012 an opportunity arose to embed ERM into strategic planning when an exercise to identify and assess strategic risks was undertaken. The aim of this exercise was to identify and prioritize a set of holistic enterprise-level longer-term risks in order to inform strategic planning alongside a program of optimization. An off-site workshop was led by the CEO and the executive team with additional input from a small group of directors known as the leadership team, and supported by risk, corporate strategy, and audit services. Facilitation was provided by an external party. During the workshop, political, regulatory, economic, competitive, technology, and social business environmental factors were considered, and after a lively and informed discussion 11 key strategic risks were identified and initial sponsors assigned.

Following the workshop, a series of meetings were held with the assigned VP leads and other relevant parties, facilitated by the Senior Manager, Risk Advisory to discuss each risk in greater detail and using a bow tie approach,4 identifying key causes, consequences, controls, and planned treatments. A formal report was developed, and a strategic risk register is now in place. Going forward, the strategic risks will be used to inform strategic planning and business optimization, while the shorter-term, more operationally focused risks continue to be reflected and addressed in business planning at an enterprise, divisional, and initiative level.

BUILDING THE RISK PROFILE

One of the first steps often taken by many organizations in developing enterprise risk management is to identify the risks that the organization faces, although ISO 31000 recommends that the risk framework is established prior to this step and that the context is established prior to risk identification. For BCLC’s first risk identification exercise, the context was provided by the consultancy team in the form of a risk dictionary or universe. The idea behind the risk universe concept is that all potential risks can be identified and classified into definitive categories, which can then be used as a generic tool to identify risk within and across organizations in a consistent manner.

The universe used for the initial BCLC risk assessment contained 70 generic descriptions of risks, which were adapted after consultation to fit the BCLC environment more accurately. The resulting 2003 BCLC risk universe included 59 potential risks divided into external and internal categories with strategic, operations, technology, financial, and organizational health subcategories, and can be seen in Exhibit 10.4. Each risk was given both a two- or three-word title and a short high-level description.

Some risk practitioners consider that the development and use of a risk universe or defined classification system is essential in any enterprise risk management program (Society of Actuaries 2009, 2010). However, to be effective there must be clear rules to support consistent classification, and each set of risks must consist of like items that are relevant to management decision making.


Exhibit 10.4 The 2003 BCLC Risk Universe

External Risks: Competitor; Catastrophic Loss; Financial Markets; Legal; Regulatory; Player Demands & Satisfaction; Economic, Political & Societal Change; Industry; Technological Innovation

Internal Risks

Strategic: Environmental Scan; External Relations; Business Portfolio; Performance Measurement; Mergers & Acquisitions; Alignment; Organizational Structure; Business Model; Culture; Governance; Strategic Alliance

Operations: Capacity; Fraud; Communication; Extended Enterprise; Vendor Management; Health & Safety; Change Management; Environmental; Compliance; Customer Satisfaction; Brand Name Reputation; Pricing; Product Development; Safeguarding of Assets; Business Interruption; Supply Chain; Product/Service Failure; Knowledge Management; Project Planning; Performance Gap; Gaming Integrity

Organizational Health: Recruitment; Training & Development; Employee Satisfaction; Ethics & Values; Accountability & Responsibility; Leadership; Retention, Recruitment, & Succession Planning

Technology: Access, Security, & Tech. Integrity; Information Availability; Technology Infrastructure

Financial: Credit; Market; Liquidity; Budget & Planning; Valuation; Capital Acquisition & Management; Financial & Management Reporting

One common issue is that the list of risk statements may contain a mix of risk events, root causes, and outcomes, leading to imprecision and confusion, which may make assessing the level of risk or determining appropriate treatment more difficult. Another issue is that risk statements may be expressed in very generic terms that may not easily apply to the organization in question, or may make contributors feel that the risk assessment exercise is academic and not directly related to their day-to-day experiences.

The 2003 BCLC risk dictionary exhibited both of these issues, as shown in Exhibit 10.5.


Exhibit 10.5 Analysis of Sample Statements from the 2003 BCLC Risk Dictionary

Example Statement: Catastrophic loss risk—A major disaster threatens BCLC’s ability to sustain its operations and minimize financial losses.
Type: Outcome
Issue: The outcome could arise from a variety of different circumstances, making risk response problematic.

Example Statement: Governance risk—BCLC does not have the appropriate governance practices in place.
Type: Cause
Issue: It is unclear why practices might be a cause for concern, making assessing the level of risk difficult.

Example Statement: Health and safety risk—Failure to provide a safe working environment for its workers exposes the organization to compensation liabilities, loss of business reputation, and other costs.
Type: Risk
Issue: This is a clear problem and outcome statement but is expressed generically, which may mean that there is a poor fit to the organization.

The intention behind the development of the risk dictionary was to provide common categorizations for specific risks identified across BCLC, and it was used effectively at a business unit level both to stimulate conversation and to identify specific risks, which were then translated to draft risk registers. At the enterprise level, the high-level statements were used for evaluation, and specific risk statements were not created.

The BCLC risk dictionary was reviewed, updated, and expanded in 2007 following the risk assessment exercise conducted by the Enterprise Risk Manager and the ERMAC team. One hundred and nine risk statements were captured in the categories of external, process, strategic, information, human capital, integrity, technical, and financial.

Through 2007 and 2008, the risk dictionary was used as the basis for assessments at an enterprise level, and the prioritized enterprise risks were then used to structure project risk assessments and also increasingly to support risk assessments in business cases.

In late 2008, as part of the ongoing development of corporate performance management, BCLC completed an exercise to implement the balanced scorecard methodology. This approach greatly assisted the risk management program in taking a fresh look into the corporate risk profile, and all of the risks were aligned to the new balanced goals. As a result, the risk dictionary was retired, with new guidance issued in 2009 recommending that all risk assessments start not from a predetermined list, but instead by looking at the objectives of the enterprise and, where relevant, the specific initiative.

The BCLC risk register generally includes around 100 risks across the nine divisions. As spreadsheets are currently used to manage the risk information, a decision was made to remove green (low) risks where it is determined that the risk level is stable and provided that there are sufficient monitoring processes embedded into mainstream management. Each quarter, a small number of new risks are identified and an equally small number are retired as circumstances change, awareness increases, and treatment plans come to fruition.

BCLC pays particular emphasis to the construction of clear descriptions for each risk, with the following guidance provided to all employees:

It is of particular importance that all risks are clearly expressed. BCLC has adopted a “CCC” approach where all risk statements should include not only the potential change but also the most significant consequence and cause. Risk statements should start with wording equivalent to “The risk of/that” or “The opportunity to” and be expressed as a possibility (using “may” or “might”). Descriptions should be limited in length and specialized jargon or acronyms should be avoided where possible, so that anyone reading the risk statement can easily understand the risk. Care should be taken in order to avoid alarmist language. When recording particularly sensitive risks, advice should be sought from either Risk Advisory Services or the Legal Services team.

—BCLC Risk Management Guidelines, 2013

On a regular basis, the Enterprise Risk Manager assesses the full set of risks and develops thematic risk maps, cascading from organizational goals and relating to key corporate strategies (the template schematic is shown in Exhibit 10.6). These maps have been used as a key input to risk review workshops and are incorporated into quarterly reporting processes. The advantage to this fluid approach is that the maps are easily modified as organizational focus has evolved; however, at present production is reliant on the insight and capacity of the Enterprise Risk Manager. BCLC is currently exploring purchasing a specialist ERM software support solution to more efficiently manage the program. Automated risk interdependency mapping is a function that the administrators hope to be able to purchase.

[Exhibit 10.6 Thematic Risk Map Schematic (figure): a cascade from a single VISION to several GOALs, each GOAL to one or more STRATEGYs, each STRATEGY to one or more HIGH-LEVEL RISKs, and each HIGH-LEVEL RISK to one or more SPECIFIC RISKs.]

THE ROLE OF RISK MANAGERS, CHAMPIONS, AND COMMITTEES

BCLC’s risk management program would not have been possible without the two risk managers, the ERMAC group and its champions, and the initial drive from the head of Internal Audit to implement ERM. Although most risk managers will state that the most important prerequisite for a successful risk management program is active endorsement by senior management, the provision of operational managerial resources is also essential. At BCLC, as with most organizations, the greatest progress has been made when there has been a designated risk manager assigned to the ERM program.

The role of the central risk function at BCLC, Risk Advisory Services, has not been to manage any specific risks, but rather to provide expert facilitation, coordination, and advice to management. The accountability for individual risks remains with the manager responsible for the program where the risk originates.

The two managers who have supported the ERM program came from very different backgrounds and brought different approaches to the program. Initially the program was initiated within Internal Audit and the first risk manager brought both extensive internal audit experience and, as an internal appointment, an understanding of BCLC’s culture and approach. The second risk manager came with a more operationally focused risk management background and from a very different sector. Enterprise risk management is a developing discipline, and practitioners come from a wide variety of backgrounds (including finance, audit, health and safety, quality assurance, engineering, insurance, etc.), each with their own slightly different approach. Where risk management programs are supported by a single individual, change in personnel can be an opportunity to revitalize programs but also has the potential for discontinuity.

During the initial establishment of the program in 2007–2008, the active engagement of the ERMAC group of risk champions supported adoption of risk management across BCLC, bringing their knowledge and enthusiasm to both the enterprise risk assessments and the development of the program as a whole.

Risk champions are frequently advocated as a way to embed risk management into functional areas through their existing personal and professional relationships, and also as a group with diverse backgrounds and operational experience to assist with articulating a more holistic enterprise-level view of risk. However, there are some issues with the concept:

• Those selected may be the usual suspects—individuals who are chosen for every initiative either because they are felt to be particularly capable, in which case they may be overly stretched, or conversely because they are underutilized at present, leading to the possibility that they may not have the required influence to be effective.

• There may be a perception that the champion is responsible for risks in his or her division or functional area, even though other individuals hold the appropriate managerial or oversight role. This issue may lead to risks being identified but not effectively managed with formal treatment plans, and potentially to difficulties with monitoring and follow-up. Over time, champions may feel that they are put in a difficult position, or may become frustrated that their concerns are not taken forward and acted upon.

During the establishment of the ERM program, the role of the champions on the ERM Advisory Committee was clear, but as the program progressed, and in particular following the changes in 2009, the mandate became less clear and members began to feel a degree of frustration. The 2010 Internal Audit ERM review picked up on these concerns, and a new model was proposed that led to the disbanding of the committee in 2011.

The new model recognized the high level of engagement of senior management across BCLC and the more dynamic role of the Executive and the board, and also picked up on the developing concept of linking governance, risk, and compliance (GRC) matters into an integrated approach. The previous mandates of both ERMAC and a compliance committee that BCLC had established in early 2010 were brought together into the new Risk Management Planning Group (see Exhibit 10.7). This group consists of the leads from key BCLC programs, such as business planning, portfolio management, business continuity, enterprise architecture, internal audit, and policy management, with the primary role to share knowledge and improve coordination across the functions.

Early accomplishments for the group included the development and adoption of a shared lexicon of key risk management terms, and a jointly developed compliance management proposal and business case. Currently, the group is focused on developing a broad-based GRC-type dashboard, which will bring together information about the status of risks, audits, policies, regulations, performance indicators, incidents, and issues at a divisional level.

[Exhibit 10.7 ERM Governance Structure, 2012–2013 (figure): the bodies shown are the Board of Directors, the Executive (monitors significant risks, treatment plans, and compliance issues), the Risk Management Planning Group, Internal Audit, Divisional Management, Divisional Risk Review Meetings, Project Steering Group Meetings, and Project Management. The responsibilities labelled on the chart are: determines strategy; oversees the program and leads risk reviews; provides advice and verification; undertakes risk management activity; reviews risks and treatment plans; supports the risk management program; and coordination. Direction flows down the structure and reporting flows up.]

DEVELOPING A MORE SOPHISTICATED APPROACH TO RISK ANALYSIS AND EVALUATION

According to ISO 31000, an essential part of developing any risk management framework is defining the criteria for evaluating risk. Risk criteria are used to reduce subjectivity and to communicate risk tolerance, and should lead to consistency across different assessments. In common with many nonfinancial organizations, BCLC uses risk tables with qualitative descriptions of a variety of potential impacts.

Over the past 10 years, a variety of risk tables and evaluation approaches have been adopted.

When BCLC conducted its initial enterprise risk management exercise in 2003, generic consequence and likelihood and management effectiveness scales with a 1 to 5 range were provided to BCLC by the consultants. The impact ratings focused on monetary and service provision consequences, while the likelihood ratings considered the chance of occurrence over the next three years.

For this initiative, risk workshops were used for the majority of risk analysis, with risk statements either predetermined or defined in advance using interviews with key internal stakeholders and then voted on by the Executive Committee, the ERMAC team, or a specific project team depending on the context. Voting technology was used at each workshop, with each participant independently rating each risk. After each vote, the software calculated the average score and derived an overall risk rating for each risk. Using voting has a number of benefits, principally allowing a large number of risks to be assessed in a relatively short period of time. Advocates also claim that voting reduces group bias, as results can be presented anonymously and any variations can be discussed.

Voters at each facilitated workshop were asked to rate the likelihood that a particular event would occur in the absence of any controls in place to mitigate the risk (known as the inherent likelihood). Each risk was then mapped to one of four categories (see Exhibit 10.8). An additional exercise considered the effectiveness of current control levels for each risk and also the desired level of control in order to identify any risks where it was considered that additional levels of control were required.

The Internal Audit–led exercise in 2006 initially used a very simple scale (high, moderate, low, and very low) when asking participants to identify/report their top three risks, and then introduced a new BCLC-specific impact and likelihood table to assess inherent impact and likelihood, using the same voting and averaging methodology as used in 2003. The new risk criteria considered a range of potential consequences, from threats to product integrity, to media reports, sales, stakeholder relations, regulatory noncompliance, and budgetary impact. The new likelihood ratings included both an assessment of the probability of occurrence and reference to historical incidence and common root causes and control effectiveness. The risks were again grouped into four categories, as can be seen in Exhibit 10.9.

The 2007 enterprise assessment developed the risk assessment framework further, reflecting the additional resources now available to the ERM program with the appointment of a dedicated manager and the engagement of the new ERMAC team. The criteria were revised once more, with metrics developed for each category of consequence, a cleaner likelihood table with measures of both probability and frequency, and a new management effectiveness rating table.

Exhibit 10.8 2003 Risk Mapping Approach (matrix of Consequence against Inherent Likelihood)

Primary (higher consequence, lower likelihood): Lower likelihood but could have significant adverse effect on operations and business objectives if the risk occurred.
Critical (higher consequence, higher likelihood): Critical risks that will have a significant impact on the operations and organizational objectives are likely to occur.
Less significant (lower consequence, lower likelihood): Less significant risks. Little monitoring or effort required.
Secondary (lower consequence, higher likelihood): Are likely to occur but have a small impact. Consider the cost/benefit trade-off.

Assessment participants were asked to vote on the impact if the risk event were to occur and the inherent likelihood of that event occurring. As with the previous assessments, the overall rating assigned to each risk was taken as the average, giving a score from 1 to 5 for each risk. A further vote was then conducted on how effective the ERMAC team considered current controls to be for each risk (the “current management effectiveness”). The two scores were then compared and any risks with a high-risk rating and lower management effectiveness rating were identified as requiring management attention.

Exhibit 10.9 2006 Internal Audit Risk Matrix (Impact against Likelihood, both scales running up to High)

Low Risks: list of two risk statements
Moderate Risks: list of five risk statements
High Risks: list of 17 risk statements
Critical Risks: list of nine risk statements
The matrix also marks the risks used to inform the three-year Audit Plan.

Exhibit 10.10 2008 ERM Residual Risk Rating Matrix (Impact against Likelihood, both scales running up to High)

Low Risks: risks where the management effectiveness rating is the same as the inherent risk rating
Moderate Risks (Risk / Opportunity): risks where the management effectiveness rating and the inherent risk rating are only slightly different (–/+ 0.5)
High Risks, Risk: risks where management effectiveness is somewhat lower (<0.5 – 1) than inherent risk
High Risks, Opportunity: risks where management effectiveness is somewhat higher (>0.5 – 1) than inherent risk
Critical Risks, Risk: risks where management effectiveness is significantly lower (<1) than inherent risk
Critical Risks, Opportunity: risks where management effectiveness is significantly higher (>1) than inherent risk

The two enterprise risk assessments in 2008 in February and November used a very similar approach to the 2007 assessment, except that, instead of reporting on the inherent risk ratings and highlighting any significant gaps between the inherent risk rating and the management effectiveness rating, the management effectiveness metric was used to place each risk in a residual risk matrix, according to the size of the gap. Where the gap showed that controls were insufficient, this was termed a risk (better described as intolerable residual risk), and where the gap showed that controls were excessive, this was classified as an opportunity (to reduce control levels). The final outcome of the exercise is shown in Exhibit 10.10.
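A worked illustration of the residual risk rating described above, added here as an example and not code from the book or from BCLC: it derives the inherent and management effectiveness ratings from constructed participant votes and places each risk in the Exhibit 10.10 matrix, and also evaluates the 5 × 5 impact × likelihood severity table of Exhibits 10.12 and 10.13. The way votes are averaged and the treatment of a gap that lands exactly on 0.5 or 1.0 are assumptions, since the exhibit gives ranges only.

```python
"""Residual risk rating in the style of Exhibit 10.10 (BCLC's 2008 approach).

Added example for this chapter; not code from the book or from BCLC.
Assumptions: the inherent rating is the mean of participants' impact and
likelihood votes (1-5), the management effectiveness rating is the mean of
their effectiveness votes (1-5), and a gap landing exactly on 0.5 or 1.0
falls into the lower band (the exhibit gives ranges, not boundary rules).
"""
from statistics import mean

# Severity table used in Exhibits 10.12 and 10.13: impact x likelihood = 1..25
IMPACT = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}


def severity_score(impact: str, likelihood: str) -> int:
    """Cell value of the 5x5 severity matrix, e.g. Major x Likely = 16."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]


def inherent_rating(impact_votes, likelihood_votes) -> float:
    """Average of the impact and likelihood votes, on the 1-5 scale."""
    return (mean(impact_votes) + mean(likelihood_votes)) / 2


def classify_residual(inherent: float, effectiveness: float):
    """Place a risk in the Exhibit 10.10 matrix from the size and sign of the gap.

    Returns (band, direction, gap). A negative gap means controls are weaker
    than the inherent risk warrants (a risk); a positive gap means controls
    exceed it (an opportunity to reduce control levels).
    """
    gap = round(effectiveness - inherent, 6)
    if gap == 0:
        return "Low", None, gap
    direction = "Risk" if gap < 0 else "Opportunity"
    size = abs(gap)
    if size <= 0.5:
        band = "Moderate"   # only slightly different (-/+ 0.5)
    elif size <= 1.0:
        band = "High"       # somewhat lower/higher (0.5 - 1)
    else:
        band = "Critical"   # significantly lower/higher (>1)
    return band, direction, gap


# Constructed votes from four assessment participants (not BCLC data):
# (impact votes, likelihood votes, management effectiveness votes).
VOTES = {
    "Prize payout fraud": ([4, 5, 4, 5], [3, 4, 4, 3], [2, 3, 2, 3]),
    "Retailer training gaps": ([3, 3, 3, 3], [3, 3, 3, 3], [3, 4, 3, 4]),
    "Duplicate approvals": ([2, 2, 2, 2], [2, 2, 2, 2], [3, 3, 3, 2]),
    "Vendor invoicing": ([3, 3, 3, 3], [3, 3, 3, 3], [3, 3, 3, 3]),
}


def assess(votes=VOTES):
    """Matrix position (band, direction, gap) for each risk in the vote set."""
    results = {}
    for name, (imp, lik, eff) in votes.items():
        inherent = inherent_rating(imp, lik)
        effectiveness = mean(eff)
        results[name] = classify_residual(inherent, effectiveness)
    return results


if __name__ == "__main__":
    for name, (band, direction, gap) in assess().items():
        print(f"{name:24s} gap={gap:+.2f}  {band} {direction or ''}")
```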

This approach was adopted partly in recognition that BCLC had not always put in place sufficient controls for the level of risk, but also because there was a perception that in some areas excessive controls had been implemented, partly in response to the Ombudsman report and subsequent recommendations and partly because some areas of the organization were considered to be risk averse.

From 2009, there was a change in emphasis from primarily inherent to residual risk assessments. This was partly due to the different approach of the new manager, partly due to difficulties with accurately assessing inherent risk, and partly because of a new opportunity with the development of new organizational goals. BCLC had been exploring the concept of balanced scorecards[5] as part of developing a more mature approach to performance management, and in early 2009 new risk criteria were introduced based on the new goals. This reinforced the link between risk and wider business and strategic planning, and enabled the development of a smaller set of risk impact categories that resonated with both management and senior leadership. The impact criteria were developed with key managers and validated with the executives, with an annual update incorporated into the risk management planning timetable.

At this time also BCLC ceased to use the voting technology for a variety of reasons, including cost and geographical limitations, and moved to an approach where group workshops prioritized risk but did not undertake formal analysis or evaluation. A variety of visual mapping techniques were introduced with a more hands-on style adopted, requiring workshop participants to engage more directly through the use of techniques such as using Post-its, voting cards, target placement, assigning spots, and drawing process maps. Formal analysis moved to the appropriate subject matter expert with quality assurance provided by the risk manager and then confirmation of risk scoring provided by the relevant member of the executive or project steering group.

In 2011, as an outcome of the Internal Audit ERM review, it was agreed that the criteria were not sufficiently aligned with leadership attitudes to risk, and that too many risks were being reported with a high rating and thus being escalated in the quarterly report. An exercise was conducted with executives to better align the existing risk criteria to organizational tolerance, and to discuss the perception that the organization, or at least some parts of it, was overly risk averse. Perspective was provided through discussion of the balance between risk aversion and excessive risk appetite and the use of the “as low as reasonably practical” principle (sometimes referred to as ALARP or ALARA [as low as reasonably achievable], and described in ISO 31010).

Two activities were undertaken, each designed to look at the four dimensions of impact in the ERM framework to ascertain whether current levels were an accurate representation of the attitude of BCLC leadership toward risk, and to initiate discussion where that attitude varied among the executives.

The first exercise (see Exhibit 10.11) used a poster showing the existing impact criteria, and each executive was asked to mark where he or she believed the current catastrophic or level 5 impact should truly fall on the scale. This clearly shows that the scales in use at the time were generally felt to be misaligned with organizational risk tolerance, in particular for financial/operations and people impacts.

The second exercise took a small number of existing and well-understood risks, all currently assessed at a similar risk rating but with impacts across the different dimensions. Each executive was asked to place the risk where he or she believed it lay on the current impact table, again displayed as a large poster. Exhibit 10.12 depicts the mapping for two of the risks, showing both the spread of opinion, and the disparity between the rating at the time and the risk attitude of the executives both as individuals and collectively.

The exercises were successful in generating discussion about relative risk tolerances and showed both that the overall evaluation tools were escalating risk at too low a level and also that the risk criteria across the different impact dimensions were not completely aligned to the collective executive risk perception and attitudes.

Exhibit 10.11 Impact Scale Evaluation Exercise: a poster of the existing impact criteria for the four dimensions (Player; Financial / Operations; People; Public / Planet), each on a scale of 1 to 5 with brief descriptions of the level 2 and level 4 criteria, on which each executive marked where the catastrophic (level 5) impact should truly fall.

The impact criteria and the risk evaluation table were adjusted after the executive meeting, and the new approach adopted for the next risk review in March 2011. As a result of changing the criteria, the number of risks escalated to the executive declined from 33 to 10, allowing a much greater focus on the most significant risks, while risks now rated as having a moderate risk level continued to receive focus at the divisional risk review meetings.

In early 2012, a new risk framework was put in place describing BCLC’s now maturing approach to enterprise risk management. The framework contained a section on determining appropriate risk responses, including a formal statement that BCLC had adopted the ALARP approach to determine the appropriate response to risk. This approach divides risks into three regions or zones:

1. An acceptable region, where further treatment may be undertaken but is not required

2. A tolerable region where treatment should be undertaken dependent on cost/benefit analysis

3. An unacceptable region where treatment to lower the risk is mandated

Exhibit 10.12 Specific Risk Impact/Likelihood Evaluation Exercise: the 5 × 5 severity matrix (impact × likelihood), marked for each of the selected risks with its original rating, the rating given by each VP, and the consensus rating.

Impact \ Likelihood   Rare  Unlikely  Possible  Likely  Almost Certain
Insignificant            1         2         3       4               5
Minor                    2         4         6       8              10
Moderate                 3         6         9      12              15
Major                    4         8        12      16              20
Catastrophic             5        10        15      20              25

Taking an ALARP approach to risk response allows for flexibility when determining the best approach to managing risk, and reflects that organizations may on occasion choose to adopt higher-risk strategies where the potential reward is deemed to be sufficient, or may elect to carry significant risk where the cost of treatment is felt to be prohibitive.

The relationships between criteria, severity, escalation, and tolerance are set out in Exhibit 10.13.

The next significant risk assessment and evaluation development was the expansion of the risk consequence criteria in August 2012 to include positive outcomes. Consideration of positive outcomes from uncertainty was introduced in ISO 31000, but has long been recommended by project management, for example in the Project Management Institute (PMI)’s Practice Standard for Project Risk Management. The concept was introduced for two reasons: to better engage those parts of the organization that were aiming to become highly innovative, and to better assess the risks associated with new initiatives. The new approach enables the comparison of risk with potential reward, and establishes the idea that both threats and opportunities are associated with uncertainty.

The new consequence table was based as previously on the key BCLC goals but for the first time included consideration of both positive and negative impacts, with benefits considered as opportunity and loss/harm as threat. The table has four levels of positive outcomes and four levels of negative outcomes (with a neutral zone bridging the two). BCLC has opted for a symmetrical approach so that a given level of negative outcome in any of the dimensions is balanced by the equivalent level of positive outcome. For example, one of the existing financial criteria references the possibility of making a loss of up to $5 million. Therefore, the parallel positive consequence is a potential gain of up to $5 million. Likewise, in the overall severity matrix, the appetites and tolerances for positive risk follow the same principles already in use for negative risk.

Exhibit 10.13 Implementing the ALARP Approach to Risk Response: the relationship between risk criteria, severity assessment, escalation, and tolerance. The 5 × 5 severity matrix (impact: Insignificant 1, Minor 2, Moderate 3, Major 4, Catastrophic 5; likelihood: Rare 1, Unlikely 2, Possible 3, Likely 4, Almost Certain 5; cell score = impact × likelihood, 1 to 25) is banded by severity, with each band escalated to a level of management:
Green, low: team leaders.
Yellow, medium: directors.
Amber, high: VPs.
Red, critical: CEO.
The bands map onto the ALARP regions as follows:
Unacceptable region: risk cannot be justified save in extraordinary circumstances.
Tolerable region: tolerable only if risk reduction is impracticable or if its cost is grossly disproportionate to the improvement gained; tolerable if the cost of reduction would exceed the improvement gained.
Acceptable region: necessary to maintain assurance that risk remains at this level.

The new table was incorporated into the business case template, with simple graphical maps produced as an outcome of a detailed assessment showing the overall risk profile of any proposed initiative. These maps are used as one of the factors determining both the selection of initiatives and the level of risk management support and monitoring subsequent to approval. The approach has proved very helpful for both risk mitigating proposals to be able to demonstrate value more clearly and for those initiatives that have a more balanced profile to incorporate risk treatment plans from a much earlier stage, allowing for better risk planning and resourcing.

Exhibit 10.14 shows an example of the summary charts produced as an outcome of a business case risk assessment exercise. The business case is for an initiative that is primarily designed to reduce existing risks across a number of organizational objectives. The bars show the current threat and opportunity assessment, while the lines show the anticipated effect of the initiative on the organizational risk profile. The matrix looks at the overall balance between threat and opportunity, with the pre- and post-treatment statuses showing very positive changes. This initiative was approved and is proceeding. Because of the high levels of uncertainty, monitoring of threat mitigation and benefit realization will be important.

Exhibit 10.15 shows another example, this time for an initiative with very low levels of uncertainty. The overall effect of the initiative on the organization’s risk profile is broadly neutral. This initiative was also approved and is proceeding. As levels of uncertainty are low, monitoring will be minimal.

Although there was a significant learning curve both for the teams participating in the risk assessments and for senior management in interpreting the results, the new approach was endorsed by management and was used again in 2013 with some minor improvements to increase consistency.

Exhibit 10.14 Business Case Risk Assessment Output Example 1: summary risk scores for the five dimensions (Player, People, Public, Profit, Process) on a scale from –25 (threat) to 25 (opportunity), with bars for the initial threat and opportunity levels and lines for the levels after treatment; an accompanying threat/opportunity matrix (low to high on each axis) shows the pretreatment and posttreatment positions.

Linking discussion of potential rewards with potential problems has supported the development of a more nuanced view of risk across BCLC and proved more culturally acceptable to individuals and groups tasked with developing innovative practices, as there is less of a focus on asking “What could go wrong?” and more emphasis on “What is not certain?” This has helped the ERM program to counter the viewpoint held by some groups that managing risk is a necessary but uninspiring and possibly bureaucratic exercise required by a risk-averse corporation, and has led to a better understanding that becoming risk-aware helps in embracing change and achieving objectives.

Exhibit 10.15 Business Case Risk Assessment Output Example 2: summary risk scores for the five dimensions (Player, People, Public, Profit, Process) on a scale from –25 (threat) to 25 (opportunity), with the initial threat and opportunity levels and the levels after treatment, and a threat/opportunity matrix (low to high on each axis) showing the pretreatment and posttreatment positions.

CONCLUSION

This case study has described how enterprise risk management has developed over the past 10 years at BCLC, a Canadian crown corporation offering lottery, casino, and online gambling. BCLC’s enterprise risk management program has been developed over time through a combination of internal experiential learning and the application of specialist advice. The program’s success has been due to the dedication of a number of key individuals, the support of senior leadership, and the participation of BCLC employees.

The approach to ERM has evolved from informal conversations supported by an external assessment, through a period of high-level corporate focus supported by a dedicated group of champions using voting technology, to an embedded approach, where risk assessments are incorporated into both operational practice and planning for the future using a variety of approaches, depending on the context. The increasing maturity of the program has been mapped to a simple scale adapted from a model developed by Deloitte (Exhibit 10.16).

BCLC’s current approach to managing risk is one that recognizes that, in order to innovate and develop, it needs to embrace change with all the associated uncertainty that brings. At the same time it needs to protect its reputation and preserve the integrity of its systems and processes. Risk awareness and appropriate response are thus essential in both day-to-day and longer-term strategic planning.

BCLC is moving into a more challenging future and working to transform into an increasingly dynamic and innovative organization, where effective risk management will increasingly become a core competency for success. As its leaders reflect on 10 years of enterprise risk management, there are still plenty of challenges ahead in order to continue to sustain and develop its program. In particular they are looking to automate monitoring and reporting.

Exhibit 10.16 BCLC’s Journey toward Risk Management Maturity: a five-level maturity scale adapted from Deloitte, with BCLC’s milestones plotted against it.

1: Unaware
• No formal procedures for risk assessment
• Depends primarily on individual heroics, capabilities, and verbal wisdom
• Ad-hoc/chaotic
• No focus on risk inter-linkages
• Limited alignment of risk to strategy

2: Fragmented
• Disparate monitoring
• Reaction to adverse events by specialists
• Discrete roles established for small sets of risks
• Risk definitions vary across the organization

3: Coordinated
• Policies, risk authorities defined and communicated
• Common approach for routine risk assessments
• Communication of key risks to the Board
• Executive committee for risk management established
• Dedicated team
• Primarily qualitative
• Reactive

4: Systematic
• Coordinated risk management activities
• Risk appetite is defined
• Enterprise-wide risk monitoring, measuring and reporting
• Training
• Risk analysis tools developed and communicated
• Integrated response to adverse events
• Rapid escalation
• Proactive

5: Strategic
• Embedded in strategic planning, resource allocation, business / product development, and other key decisions
• Early warning risk indicators
• Linkage to performance measurement and incentives
• Risk modeling and scenarios
• Industry benchmarking
• Technology implementation
• Sustainable

Timeline of BCLC milestones:
2003 • EROM assessment
2006 • IA ERM assessment initiated
2006–2007 • ERM program launch • ERM manager recruited • ERMAC established • ERM policy produced • 1st ERMAC assessment • Board assume primary ERM oversight
2008 • Quarterly ERM reporting
2009 • New risk manager recruited • Risk workshops • Risk registers established
2010 • Updated ERM guidance issued • Internal Audit ERM review
2011 • ERM move to CFO • Realignment of risk criteria • High risks formally assigned to VPs
2012 • New ERM framework • Risk Planning Group established • Opportunity criteria incorporated • Strategic risk assessment
Next steps: • Introduce supporting technology • Develop GRC synergies


QUESTIONS

1. Sometimes risk workshops generate so many risks that it is not possible to assess all of them, while on other occasions only a small number of risks are identified and in-depth assessment is possible. What are the advantages and disadvantages of these two scenarios?

2. How do outcomes, causes, and risks differ, and what are the implications of confusing these?

3. Is the term inherent risk helpful? How could it help and/or hinder the assessment of risk?

4. What are the implications of moving from assessments of predefined sets of risks to using top-down objectives based on the balanced score card approach?

5. Contrast the advantages and disadvantages of using voting technology compared with other approaches such as those described in this case study.

NOTES

1. The Sarbanes-Oxley Act of 2002 was enacted in the United States as a response to a number of corporate governance scandals and introduced a number of financial governance regulations, including the requirement to produce a report on internal control.

2. The CBC investigative series Fifth Estate aired an episode entitled “Luck of the Draw” on March 14, 2007, about insider wins, featuring the story of Bob Edmonds, who was defrauded out of his lottery winnings by a retail clerk.

3. The Player First program was BCLC’s response to the Ombudsman report and Deloitte recommendations, a collection of significant change initiatives under way from 2007 to 2011 designed to put the player at the forefront of BCLC activities.

4. Bow-tie analysis is a simple diagrammatic way of describing and analyzing the pathways of a risk from causes to consequences. The approach is outlined in ISO 31010 risk assessment techniques. Also see pages 291–293 of Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives, ed. John Fraser and Betty J. Simkins (Hoboken, NJ: John Wiley & Sons, 2010).

5. The balanced scorecard was originated by Drs. Robert Kaplan and David Norton as a performance measurement framework that added strategic nonfinancial performance measures to traditional financial metrics to give managers and executives a more balanced view of organizational performance.

REFERENCES

AS/NZS 4360:2004 Risk Management.

BCLC Annual Service Plan Report 2012/2013.

BC Ombudsman. 2007. “Winning Fair and Square: A Report on the British Columbia Lottery Corporation’s Prize Payout Process.”

British Columbia Treasury Board. Core Policy and Procedures Manual (CPPM). “Risk Management,” Chapter 14.

Committee of Sponsoring Organizations of the Treadway Commission (COSO). 2004. “Enterprise Risk Management—Integrated Framework.”

Deloitte & Touche. 2003. “Enterprise-Wide Risk & Opportunity Management (EROM)—Phase 1 Final Report.”

Deloitte & Touche. 2007. “Report on the Independent Review and Assessment of the Retail Lottery System in British Columbia.” October.

Ernst & Young. 2010. “Results of the Enterprise Risk Management Benchmarking Study Involving 11 Participating Organizations.”

ISO 31000:2009 Risk Management—Principles and Guidelines.

Society of Actuaries. 2009, 2010. “A New Approach for Managing Operational Risk.”

ABOUT THE CONTRIBUTOR

Jacquetta Goy is the Director of Risk Management Services, Thompson Rivers University and former Senior Manager, Risk Advisory Services at British Columbia Lottery Corporation, responsible for establishing and developing the enterprise-wide risk management program. Prior to that she spent 14 years in the English health service, where she was responsible for setting up and developing the risk, quality, and governance programs for an inner-city health care organization. This involved preparing for a variety of accreditation reviews and inspections, managing quality assurance, audit, complaints, clinical risk, investigations, and root cause analysis. Jacquetta has both participated in and organized a number of conferences on both risk and quality management. She studied international politics at Aberystwyth University, Wales, and has a master’s in public health from St. George’s University of London. Currently, she is a member of the Canadian Committee for Risk Management and Related Activities, Canadian Standards Association, and one of the Canadian delegates on the international technical committee for risk management (TC262). She can often be found on various LinkedIn risk groups advocating ISO 31000.


CHAPTER 11

Starting from Scratch
The Evolution of ERM at the Workers’ Compensation Fund

DAN M. HAIR
Senior Vice President, Chief Risk Officer, Workers Compensation Fund

Modern workers’ compensation systems are children of the industrial revolution. The concept of a social insurance program protecting workers from job-related injuries and illnesses had its modern origins in the development of European factory, child labor, and mining regulations throughout the eighteenth and nineteenth centuries. In the United States there was a long gestation period leading to the adoption of similar schemes. In the nineteenth century accidents in the mining and railroad industries led to early regulatory structures in those areas. The Russell Sage Foundation’s Pittsburgh Survey of 1907 along with the Triangle Shirtwaist Factory fire in 1911 were major factors in the adoption of the first state workmen’s compensation laws from 1911 to 1915.

In 1917, the Utah legislature passed the Workers’ Compensation Act, requiring all employers to obtain workers’ compensation insurance coverage. The Workers Compensation Fund (WCF), then called the State Insurance Fund, was created to provide competitively priced insurance to Utah employers. In the same year, the legislature appropriated $40,000 from the state treasury for WCF to begin writing insurance. This loan was repaid by WCF in four years, and from that time forward WCF has operated financially independent of the state and has functioned largely as a state agency.

A formal organizational study of WCF was completed in 1987. It recommended autonomy from state administration by establishing WCF as a quasi-public corporation with a board of directors comprised of policyholders and individuals with expertise. In 1988 the Utah legislature again modified its statutes to protect the state from any WCF expenses or debts and to prohibit the state from accessing the Injury Fund. In 2005 the Utah Supreme Court ruled that WCF and all of its assets were solely owned by its policyholders.

Today, WCF operates as a mutual insurance company owned by its policyholders and governed by a seven-member board of directors appointed by the governor. WCF performs a public purpose relating to the state and its citizens. Specifically, WCF serves as Utah’s carrier of last resort for workers’ compensation insurance coverage. As such, any Utah employer, no matter its size, the riskiness of its business, or its prior loss history, can obtain workers’ compensation insurance coverage from WCF.

WCF is under state regulatory oversight provided by the Utah Department of Insurance and Utah Labor Commission. WCF also receives annual rating agency financial oversight through the A.M. Best Company, which examines, among other things, solvency, operating performance, risk-based capital requirements, and enterprise risk management (ERM) capabilities. Currently, WCF is rated A or excellent. WCF has its headquarters in Sandy, Utah, and additional branch offices in central, northern, and southern Utah. It also owns affiliated companies that are licensed to write workers’ compensation insurance and perform claims management services in other states as well.

TOWARD ERM PROGRAM INITIATION

The early 1990s were a time of transformative change at WCF. In 1992 the board hired a new president and CEO, Layne Summerhays, who soon added additional executives. The resulting executive group was an amalgam of new leaders who had spent their careers in the private sector and retained leaders with critical institutional memory and experience with the workers’ compensation system in Utah. The new executive team established a focus on customer service, internal accountability, operating efficiency, and private carrier best practices.

In the ensuing years WCF obtained its initial (A–) A.M. Best rating, significantly improved operating results and customer satisfaction, grew its surplus from $67 million to more than $600 million, and returned 40 percent of net income to policyholders in dividends. These impressive results came despite the vagaries of market cycles and some very difficult strategic challenges.

Utah has been a very competitive insurance market for many years. Competitors have included large, national multiline carriers, national workers’ compensation specialty carriers, and locally domiciled insurers. Their ability to quote multiple lines of insurance in and out of Utah put WCF at a distinct competitive disadvantage. Additionally, as WCF’s fortunes changed, various parties initiated discussions within the legislature regarding WCF’s structure, its future status as a tax-exempt market of last resort, and the ultimate ownership of company assets.

These two significant risks were tackled by the management team in close collaboration with the board. Working toward solutions involved risk assessment, evaluation of options, and envisioning potential outcome scenarios, both positive and negative. Ultimately the multistate issue was creatively resolved by working with the legislature to get limited statutory changes in an amicable fashion and the formation of an affiliated company. Resolving ownership of company assets was a more contentious issue between WCF and the executive branch of state government. This was only resolved after the board and management determined it would be necessary to take legal action by suing the State of Utah. The resulting litigation was decided in favor of WCF by the landmark 2005 Utah Supreme Court decision.


This episode in the history of the company, which involved robust discussion of risk, potential scenario development, and close collaboration with the board, was the foundation for what has followed. In addition, at the company’s annual retreat and planning session for board members, senior vice presidents, and vice presidents in 2006, time was set aside for consideration of the range of potential risks to the company. Returning from this board retreat, the executive team began an ongoing discussion of key strategic risks and opportunities that continues to this day.

Although the financial trials of the Great Recession of 2007–2011 did not seriously impact the solvency of WCF or the property-casualty insurance industry, it certainly stimulated boards to think about risk, fat tails, black swans, and low-frequency, high-severity events. This watershed event also resulted in financial rating organizations such as Standard & Poor’s and A.M. Best moving toward the development of much more robust questioning of rated firms’ capital management, risk assessment practices, and enterprise risk management capabilities.

At this time WCF’s President and CEO, Ray Pickup, along with Board Chair Dallas Bradford and other directors, began serious discussions of the need for more formality and structure in the company’s risk management efforts. As the former CFO, Ray Pickup not only had a deep understanding of risk but a passion for transparency and openness, as well as a self-effacing management style that valued input from all areas of the company. As a retired partner in a public accounting firm, Chairman Bradford had long dealt with issues of risk and was a self-described “glass is half empty guy” who “imagined the worst scenario.” He noted that when a company’s risk management efforts fail, “a great many people would be financially damaged and the company’s public image would perhaps be irreparably damaged.” He also expressed that “The company had done some significant work in this arena, but little of it had been documented and there was no clear response mechanism in place. Also, there was no organized process in place to evaluate the various risks. It was an easy step for me to encourage the company to undertake a much more rigorous program to identify and manage potential risks that could severely damage our company and the important public interests we serve.”1

INITIAL ACTIONS

In late 2010 Ray Pickup, with the approval of the board, created the chief risk officer (CRO) position, designating Dan Hair, who had been and would continue to serve as the Chief Underwriting and Safety Officer, as the first CRO. An additional committee of the board, the Risk Oversight Committee, was also created. The job description for the new CRO position contained several key elements (see WCF Chief Risk Officer Job Description). First, the CRO was to report to the president and CEO but with additional reporting responsibilities to the board and the newly formed Board Risk Oversight Committee. This was reinforced by the CEO, who encouraged direct access to the board by the CRO, including the airing of any differences of opinion. Second, the CRO was to have access to all areas of the company and its affiliates. This was fundamentally important if the CRO was to have an enterprise-wide understanding of all the risks facing WCF. Third, implicit in the job description and explicit in the WCF Risk Policy (see WCF Risk Policy) is the idea of excellence in the development of a program that is suitable and appropriate for WCF.

January 25, 2011: Initially the CRO, working with Chief Financial Officer Scott Westra, developed a preliminary risk assessment matrix to be used by the senior officers in a Delphi qualitative assessment of all risks facing the company. Each executive was asked to look at a list of risks provided by the CRO, add to it any risks they felt should be considered, and score the severity and probability of those risks. Several meetings followed with the entire senior team to come to a consensus on the matrix, scores, and risk list. Initial results were then presented to the entire Board, which resulted in further refinement of the matrix and heat maps (Exhibits 11.1 and 11.2). The Board and management were in agreement that risk appetite should primarily be evaluated by impact on WCF surplus. This was later refined to include statutory combined ratio and operating income. Senior management was explicitly tasked with developing mitigation plans for any risks scoring in the red area of the heat map.

WCF Chief Risk Officer Job Description

Position Purpose

The purpose of this position is to develop and monitor the Risk Management strategy, policies, and processes under the direction of the CEO, Board of Directors, and Board Risk Oversight Committee. Ensure that appropriate risk assessment and mitigation strategies are developed for all core functions of WCF.

Nature and Scope

The Chief Risk Officer (CRO) is a Senior Executive with 10–15 years of experience who has a broad understanding of all key areas of the business. The CRO possesses management experience in key business areas with proven ability to provide strategic direction and leadership. He/she has superior analytical, presentation, communication, and facilitation skills. The incumbent usually possesses advanced degrees and/or technical certifications in accounting, actuarial, risk management, operations, or finance.

Performance is measured on overall achievement of company financial objectives and the effectiveness of the ERM program in developing and implementing the best approaches for protecting WCF, its employees, and assets.


STARTING FROM SCRATCH 211

Principal Duties

Essential Functions

1. Develops and communicates an appropriate Enterprise Risk Management (ERM) infrastructure within WCF by working cooperatively with the Senior Officers as a group and with each department in a collaborative manner.

2. Under the direction of the CEO, works with other company executives and the Board Risk Oversight Committee to develop an ERM strategy for WCF that identifies, quantifies, and mitigates risks facing the company. Provides appropriate risk reporting.

3. Consults with and provides assistance as requested to WCF affiliates and subsidiaries. Works with them to ensure that appropriate ERM planning is in place.

4. Facilitates enterprise-wide risk assessments and monitors the capabilities around managing priority risks across the organization.

WCF Risk Policy

Failure to manage risk, whether it is financial, operational, or reputational, may subject the Company to negative outcomes. These outcomes could impact our customers, colleagues, partners, and the viability of our business. Managing risk reinforces our corporate values of compassion, accountability, and expertise.

Consequently, every employee, WCF department, and affiliate will continually assess and monitor risks of all types. Under the direction of Senior Management and the Board of Directors we will take appropriate mitigation actions consistent with our mission of excellence.

In subsequent months the CRO met with the leadership of each WCF department and affiliate to explain the importance of the ERM program, why it was being launched, and their role in the program. Basic risk management training was given to them along with a modified departmental risk matrix. Their views on risks within the company and their departments were solicited and they were guided to the development of their own heat maps. At the same time the initial meeting of the Board Risk Oversight Committee was held and the duties of the Internal Risk Committee (IRC), chaired by the CRO, were established (see WCF Internal Risk Committee Duties). This effectively created an ongoing three-level review of risk consisting of the board, senior management, and key company leaders.


Exhibit 11.1 WCF ERM Risk Management Matrix Values

Incident or exposure probability descriptions (Risk = P × S)

• Very low (1): Improbable, no prediction confidence (P = .01; range < .02)
• Low (2): Remote, may occur once every 10 to 50+ years (P = .02)
• Moderate (3): Occasional, may occur once every 3 to 10 years (P = .16; range = .10 to .33)
• High (4): Probable, may occur once every 2 to 5 years (P = .25; range = .20 to .50)
• Very high (5): Frequent, could occur annually (P = .50; range = .50 to 1.0)

Incident or exposure severity descriptions

• Slight loss (1): Inconsequential with respect to financial, personnel, or brand damage: less than 1% of surplus, or $10M loss, or a 1- to 5-point impact on combined ratio.
• Medium loss (2): Important financial, personnel, or brand damage; threshold of financial materiality, 5% or more of surplus, or $11M to $25M loss, or a 6- to 10-point impact on combined ratio.
• Material loss (3): Material damage to financial strength, personnel, or brand; $26M–$50M loss, or an 11- to 15-point impact on combined ratio.
• Large loss (4): Significant damage to financial strength, personnel, or brand; 10% or more of surplus, or a $51M to $75M loss, could damage stakeholder confidence, or a 16- to 20-point impact on combined ratio.
• Very high loss (5): Catastrophic impact on solvency, brand, or personnel; 50% or more of surplus; greater than a $75M loss, would damage stakeholder confidence, or a combined ratio impact of >20 points.

WCF Internal Risk Committee Duties

Description

• Meets quarterly under the direction of the Chief Risk Officer.
• Attended by representatives/risk champions from each department or business unit.
• Reviews reports on department risk identification and mitigation efforts.
• Reviews risks and risk mitigation efforts company-wide.
• Receives training in risk recognition and mitigation techniques from CRO and others.
• Helps develop WCF risk policies and resources.
• Assesses risk integration and response issues.

Members

• Preferably business unit managers or leaders with interest in risk management.
• Ability to train and coach others.
• Thorough understanding of all aspects of the department/business unit.

Standing Agenda

• Review/update WCF key risks and mitigation efforts.
• Review/update department or business unit key risks and mitigation efforts.
• Training in ERM, risk identification, and control techniques (CRO or guest speakers).
• Committee member new business.
• Improving/strengthening the risk culture at WCF and affiliates.

Exhibit 11.2 WCF Risk Assessment Matrix (heat map plotting incident or exposure probability, Very low (1) to Very high (5), against incident or exposure severity, Slight loss (1) to Very high loss (5); the increased darkness corresponds to the risk, i.e. low = least dark, medium = middle shade, and high = darkest).

Risk score key:
• Under 4: Category 1: Risk reduction actions discretionary, risk acceptable.
• 4 to 8: Category 2: Ongoing risk assessment appropriate with informal mitigation but may be within risk tolerances; to be discussed with Internal Risk Committee.
• 9 or greater: Category 3: Unacceptable risk, triggers scenario planning and development of mitigation plan to be presented to Board Committee.

Risks plotted, with risk score in parentheses:
• Category 3: Loss of Tax Exemption (12); Multi-line competition, leveraging (12); Equities or Securities Impairment (10); Large Earthquake (9); Prolonged Economic Downturn Beyond 2011 (9); Prolonged Soft Market Beyond 2011 (9).
• Category 2: AWCIC Failure (8); Multi-Year High Combined Ratio (7.02); Interest Rate Risk (6.9); Terrorist Act (6.46); Malevolence Against Company (6.24); Inflation Risk (6); Bond Credit Risk (6); Adverse Loss Reserve Development (5.8); Other Detrimental Federal Regulatory Action (5.76); Significant Number of Large Losses in Single Year (5.52); Detrimental State Regulatory Action (5.2); Data Breach With Loss of Data (5.04); Catastrophic Multi-Claim Incident (4.64); Loss of Tax Exemption Retroactively (4.5); Violent Security Breach (4); Employee Malfeasance (4).
• Category 1: Pinnacle or AWCIC Failure (3.84); Other Credit Risks - Receivables (2).

In its initial meetings, the Board Risk Oversight Committee, which meets two or three times per year, approved the IRC Charter and gave direction and feedback regarding initial efforts. One valuable suggestion was to do a risk survey of the entire company. Although approximately one-third of WCF employees had already been involved in ERM activities to date, this was a very helpful idea. Over 50 percent of all employees responded (see 2012 All-Employee ERM Survey). The survey was done electronically with optional anonymity for all participants.

2012 All-Employee ERM Survey

• What are the most important challenges facing WCF today?
• What are the greatest threats to our reputation/brand?
• What local or national events or trends should cause us the most concern?
• What other issues should the Chief Risk Officer be concerned about?
• Name (optional)

Initial IRC discussions were robust and enthusiastic. The mix of company officers, managers, and risk champions worked effectively together. Many of the risks that were contained in the consolidated risk list they developed were also identified by the senior group and the company-wide survey. Having wide unanimity on which risks were most important was very helpful and allowed effective focus. Early on it was decided to split the list of risks thus developed into two sections. The first section contained the risks that, as department leaders, the IRC could impact and manage. The second-tier risks were those that were of a strategic nature or just simply could only be managed by senior management.

The initial duties of the Internal Risk Committee were to review all the department risks, consolidate them where possible, and come up with a consensus scoring using the risk matrix. The committee was split into a gold team and a blue team to accomplish this and report back to the IRC, whereupon a consensus was reached. Mitigation plans were discussed and developed where appropriate. In some cases this involved tailored mitigation steps. In many others it was determined that existing WCF and department management protocols and procedures were adequate. It is the ongoing duty of the IRC to meet quarterly to discuss the adequacy of existing mitigation efforts and to consider new risks. In each meeting of the IRC, members are asked to again consider the question “Have we adequately protected the company against these risks?” Many of the early discussions of the IRC were taken up with data security concerns, particularly relating to the Health Insurance Portability and Accountability Act of 1996. The committee also focused on cyber risk, other operational risks, affiliate risks, and compliance risks.

As a final note to this section, developing and maintaining positive and helpful relationships with other executives is very important. Two roles that are especially important at WCF are the CFO and the company’s head of Internal Audit. At WCF they work closely and effectively by fully sharing information, both internal and external. Both the CFO and Internal Audit leader participate in the IRC. The CRO has no direct authority over other executives, so he or she must work in a collaborative manner, building consensus as to needed measures and ERM development. Should problems arise, the CEO has been willing to intervene in support of the ERM program, but that has rarely been needed.


MATURING: YEARS 1 AND 2

In the spring of 2011 a new tool was added to the ERM program with the introduction of the risk register (RR). Although this did not replace the risk list and heat maps, it consolidated all that information into one Excel file (see Exhibit 11.3) and added new elements necessary to properly manage risk. This is the primary document WCF uses to monitor enterprise risks.

The first cell contains each risk’s assigned number and designation reflecting whether it is assigned to the IRC or to senior management. There are currently about 25 of each. A description of each risk is in the next cell, which is refined from time to time. The next cell captures risk correlation by listing the number of other risks in the document believed to be likely to occur at the same time or to be interrelated in some way. For example, a prolonged economic downturn affects other risks such as market cycle risk and pricing risk.

The next six cells in the RR deal with how the risk is scored and the potential loss to the company. The probability and severity scores are listed as currently scored. These are subject to modification to reflect changing conditions or successful mitigation. The risk score is listed and the cell is filled with light gray/medium gray/dark gray indications. The risk matrix gives ranges for both probability and severity, and selections are made for both and entered as AP (actual probability) and severity potential. These two cells are multiplied to produce a potential loss value. In a separate chart produced for the board, this cell is graphed into a tornado chart (see Exhibit 11.4) to give a representation of total potential losses at any one time. The CRO also prepares for them a separate modified heat map that shows only the most critical risks and opportunities with indications of whether we feel they are increasing or decreasing (see Exhibit 11.5).

The remaining five cells include space for probability and severity-reduction targets, mitigations recommended by the IRC or senior management, the risk owners, and who originally identified the risk. Formal mitigation steps are entered for higher-scoring risks. Usually at least a dozen or so risks have mitigation plans. A mitigation plan could be a set of active steps designed to reduce or control a risk or simply those steps that have been taken and are deemed adequate. Where this field is blank it represents a consensus that the risk is appropriately mitigated by current WCF guidelines and protocols. The risk owners are primarily responsible for actively monitoring the risk and suggesting changes or actions. The origination column just gives a record of where the concern started. Multiple people or WCF departments can appear in both cells.
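The register logic described above, together with the matrix values of Exhibit 11.1 and the category bands of Exhibit 11.2, as an added example in Python. This is not WCF’s Excel register; it shows the same mechanics in code: Risk = P × S, banding into the three heat-map categories, $ Potential = AP × Severity Potential, tornado ordering, a check for high-scoring risks whose mitigation field is blank, and the correlated-risk test from the risk appetite statement printed on the Risk Analysis Worksheet (Exhibit 11.8), which treats a loss above 5% of surplus as material. The sample register, its scores, dollar figures, the surplus value and the mitigation text are constructed for illustration; only the risk titles are borrowed from Exhibit 11.2.

```python
"""Added example (not WCF's own register): apply the chapter's scoring rules in code."""
from dataclasses import dataclass, field


@dataclass
class Risk:
    rid: int
    tier: str                  # "IRC" or "SM" (senior management), as in the register's first cell
    title: str
    p_score: float             # probability score on the 1-5 scale; Exhibit 11.2 shows fractional scores
    s_score: float             # severity score on the 1-5 scale
    actual_probability: float  # AP, chosen from the matrix range for the band (0 < AP <= 1)
    severity_potential_usd: float
    correlated: list = field(default_factory=list)  # ids of risks likely to occur together
    mitigation: str = ""       # blank = consensus that existing protocols are adequate
    owner: str = ""
    origin: str = ""

    def __post_init__(self):
        if not (1 <= self.p_score <= 5 and 1 <= self.s_score <= 5):
            raise ValueError(f"risk {self.rid}: scores must be on the 1-5 scale")
        if not 0 < self.actual_probability <= 1:
            raise ValueError(f"risk {self.rid}: AP must be a probability")

    @property
    def risk_score(self) -> float:          # Risk = P x S
        return self.p_score * self.s_score

    @property
    def category(self) -> int:
        # Exhibit 11.2: under 4 = acceptable; 4 to 8 = discuss with IRC; 9 or greater = board committee.
        # Integer scores never fall between 8 and 9; fractional ones in that gap are treated as category 2.
        s = self.risk_score
        return 1 if s < 4 else 2 if s < 9 else 3

    @property
    def dollar_potential(self) -> int:      # $ Potential = AP x Severity Potential, whole dollars
        return round(self.actual_probability * self.severity_potential_usd)


def mitigation_gaps(register, threshold=9):
    """Ids of risks scoring at or above `threshold` whose mitigation field is blank.
    9 mirrors the heat map's red zone; the worksheet in Exhibit 11.8 uses 6."""
    return sorted(r.rid for r in register if r.risk_score >= threshold and not r.mitigation.strip())


def board_escalations(register):
    """Category 3 risks: scenario planning and a mitigation plan for the Board committee."""
    return sorted(r.rid for r in register if r.category == 3)


def tornado_order(register):
    """Ids in the order a tornado chart (Exhibit 11.4) plots them: largest $ Potential first."""
    return [r.rid for r in sorted(register, key=lambda r: (-r.dollar_potential, r.rid))]


def correlated_loss(register, rid):
    """Loss if a risk and every risk it lists as correlated occur at the same time."""
    by_id = {r.rid: r for r in register}
    cluster = {rid, *by_id[rid].correlated}
    return sum(by_id[i].severity_potential_usd for i in cluster)


def breaches_appetite(register, rid, surplus_usd, annual_premium_usd=None):
    """Appetite test from the worksheet policy: correlated loss above 5% of surplus,
    or above 10% of annual premium when a premium figure is supplied."""
    loss = correlated_loss(register, rid)
    if loss > 0.05 * surplus_usd:
        return True
    return annual_premium_usd is not None and loss > 0.10 * annual_premium_usd


# Constructed sample register: titles from Exhibit 11.2, every number an assumption.
SAMPLE = [
    Risk(1, "SM", "Large Earthquake", 3, 3, 0.15, 60e6, correlated=[3], mitigation="Catastrophe reinsurance"),
    Risk(2, "IRC", "Malevolence Against Company", 2.4, 2.6, 0.20, 15e6),
    Risk(3, "IRC", "Catastrophic Multi-Claim Incident", 1.6, 2.9, 0.05, 50e6, correlated=[1]),
    Risk(4, "SM", "Equities or Securities Impairment", 2, 5, 0.10, 75e6),
    Risk(5, "IRC", "Employee Malfeasance", 2, 2, 0.02, 12e6, mitigation="Dual control on disbursements"),
    Risk(6, "IRC", "Other Credit Risks - Receivables", 1, 2, 0.01, 10e6),
]

if __name__ == "__main__":
    for r in sorted(SAMPLE, key=lambda r: -r.risk_score):
        print(f"{r.rid:>2} {r.title:<36} score={r.risk_score:5.2f} cat={r.category} $pot={r.dollar_potential:>10,}")
    print("board escalations:", board_escalations(SAMPLE))
    print("mitigation gaps (score >= 9):", mitigation_gaps(SAMPLE))
    print("tornado order:", tornado_order(SAMPLE))
    print("risk 1 correlated loss breaches 5% of a $300M surplus:", breaches_appetite(SAMPLE, 1, 300e6))
```

Two design points worth noting. The heat-map score and the dollar figure answer different questions: the score drives governance (who must see the risk), while $ Potential drives the tornado chart, so a category 2 risk can still sit near the top of the chart if its AP and severity potential are high. And the appetite test deliberately sums severity potentials, not $ Potentials, because the policy asks what the loss would be if the correlated risks occurred together, not their expected value.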

In late 2011 the CRO suggested to the CEO and board that at some time a third-party review of the program might be helpful in reviewing progress to date, as well as providing some benchmarks for future improvements through the following two to three years. The board agreed, and allocations were made in the 2012 budget to engage a recognized thought leader with experience in the field to review WCF’s ERM program. This was completed in the first quarter of 2012 and proved to be very helpful. The ERM expert thus engaged was Sim Segal, a Fellow of the Society of Actuaries (FSA), a Chartered Enterprise Risk Analyst (CERA), and president of Simergy Inc.

Exhibit 11.3 WCF Risk Register (Excel worksheet; the columns are described in the text above)

Exhibit 11.4 Internal Risk Committee Risks: Probable Cost (tornado chart in $ millions; $ Potential = AP × Severity Potential; uncorrelated and correlated risks are shaded differently). Bar values plotted, largest first: $5.00, $5.00, $3.90, $3.75, $3.75, $3.75, $2.50, $2.50, $1.65, $1.65, $1.50 (five risks), $1.10 (five risks). Risks plotted:
• Bad Faith lawsuit, class action lawsuit
• Catastrophic event causing multiple large claims
• Transportation (aircraft) related catastrophic event (multipassenger, policyholder employees…
• Subsidiary risk (AWCIC, Pinnacle)
• Monoline/Monostate business model, increased competition and loss of market share
• Risk of delays/failures with the TORCS rewrite project
• Risk of widespread misclassification resulting in inadequate rates
• Legal environment: case law, benefits, retroactive or prospective legislative changes that…
• Premium fraud schemes
• External employee risk exposure: traveling, external appointments, working from home
• Loss of sensitive data, HIPAA compliance
• Inequity in benefits administration, regulatory fines, lawsuits
• Loss of critical vendor (Software AG, IBM/Filenet and others)
• Negative Social Media/PR event
• Loss of key employees including senior management
• Medical advances at high cost
• Internal employee risk exposure: inside and around building, violence in the workplace
• Approval/payment of treatments resulting in death (Rx meds, opioids, etc.)
• Zions bank processing error/failure
• Inadequate resources to meet business needs (employees, equipment, etc.)

The engagement included a review of all documents relating to ERM at WCF to date, including matrices and heat maps in all their iterations. The risk register was reviewed along with minutes of all the IRC and Board Risk Oversight Committee meetings. This document review was followed by a lengthy discussion with the CRO responding to questions about the process, personalities, and content. A full day was spent by Sim Segal in one-on-one discussion with WCF’s president and CEO, the board chairman, other WCF executives, and members of the IRC.

The final report with recommendations was given to and reviewed with all parties and discussed at the 2012 annual board retreat. The report was helpful in verifying WCF’s initial steps and pointing it toward several key future steps with some action items. These included more rigorous risk analysis of key risks using sophisticated process safety tools, engaging more closely with the affiliates and moving toward a more formalized approach to risk/opportunity issues.

Exhibit 11.5 Senior Management Risks: Threat/Opportunity Matrix (Top 10 by Risk Score). Heat map with probability (Very Low (1) to Very High (5)) on one axis and severity (Slight Loss (1) to Very High Loss (5)) on the other, cell risk scores from 1 to 25, each risk marked as Threat, Opportunity, or Both, with risk movement since last review and risk trend based on status and current action. Risk titles listed: Prolonged Economic Downturn Beyond 2012; Bond Credit Risk; Interest Rate Risk; Significant Number of Large Losses in a Single Year; Inflation Risk; AWCIC Failure/Rating Downgrade; Large Earthquake; Unsuccessful Pricing Strategy, High Multiyear Combined Ratio; Multiline Competition; Loss of Tax Exemption; Equities/Securities Impairments. Risk owners named: Sr. Group; Scott Westra; Dan Hair; Ray, Dan, Scott; Dan Hair & Sr. Team; Peggy Larson, Dan Hair; Ray Pickup, Dennis Lloyd.

The action items have been a primary focus throughout 2012 and 2013, and two are worth specifically addressing. The most consistent failure mode for property-casualty insurance carriers is reserve failures. Workers’ compensation claims have a very long tail in that costs are not finalized for many years. In fact, WCF is still paying on claims dating back to the 1950s. Case reserving involves an adjuster’s considered estimate of all costs to the end of the claim and an actuary’s judgment of the cumulative expected development on those claims. Some will close for less than the estimate whereas many will ultimately exceed the estimates by a considerable margin. If a carrier gets this wrong, it will become insolvent. The same is true for pricing workers’ compensation insurance. It is based on a volatile estimate of cost of goods sold and is subject to fluctuation and pricing error. While this does not usually result in insolvency, it can dramatically impact profitability. Therefore, claim reserving error and pricing error seem to be the best candidates for a more rigorous risk analysis.

To make this analysis, a simple fault tree methodology was selected (see Exhibits 11.6 and 11.7).

The fault trees were developed through consultation with subject experts. They consist of an end point failure that WCF is seeking to avoid and levels of precipitating errors built upon each other that would lead to that top-level outcome. The final bottom end points would be factors for which WCF needs to build mitigation plans. In both cases significant variables are system malfunctions, human errors, and oversight failures. The finalized analyses are then reviewed with both risk committees.
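The chapter shows its fault trees as diagrams only. The following is an added example, not WCF’s tree or analysis, of what a fault tree buys once it is evaluated rather than just drawn: it encodes a small subtree using a few event labels from Exhibit 11.6, computes the probability of the top event, lists the minimal cut sets (the smallest combinations of bottom-level events that are sufficient to produce it), and ranks the bottom-level events by how much eliminating each one lowers the top-event probability, which is the question a mitigation plan has to answer. The gate types (where one failure suffices versus where several must coincide) and the per-event probabilities are assumptions chosen for illustration, not WCF data. The same evaluator applies unchanged to an attack tree.

```python
"""Added example, not WCF's own fault tree or analysis: evaluate a small fault tree
built from a few event labels in Exhibit 11.6. Gate types and probabilities are assumed."""
from itertools import product

# A node is either a basic-event name (str) or a gate: (gate_type, [children]).
# OR: any child occurring causes the parent; AND: all children must occur together.
# Which gates are OR and which are AND is an assumption made for illustration.
TREE = ("OR", [
    ("OR", [                                   # Case Reserves Miscalculation
        ("AND", [                              # a bad reserve survives only if both reviews fail
            "Examiner fails to review reserves periodically",
            "Supervisory Review or Oversight Failure",
        ]),
        "MIRA Failure or Anomaly",
        "Basic math or benefit calculation errors",
    ]),
    ("OR", [                                   # Actuarial Judgment Errors
        "Incomplete or Incorrect Data Used",
        "Inadequate Inflation Factoring",
        ("AND", ["C-Suite Pressure", "Actuary too Eager to Please"]),
    ]),
])

# Assumed annual probability of each basic event (constructed values, not WCF data).
P = {
    "Examiner fails to review reserves periodically": 0.20,
    "Supervisory Review or Oversight Failure": 0.10,
    "MIRA Failure or Anomaly": 0.03,
    "Basic math or benefit calculation errors": 0.05,
    "Incomplete or Incorrect Data Used": 0.04,
    "Inadequate Inflation Factoring": 0.03,
    "C-Suite Pressure": 0.10,
    "Actuary too Eager to Please": 0.05,
}


def probability(node, p):
    """Probability of the event at `node`, treating basic events as independent."""
    if isinstance(node, str):
        return p[node]
    gate, children = node
    qs = [probability(child, p) for child in children]
    if gate == "AND":                          # all must occur
        result = 1.0
        for q in qs:
            result *= q
        return result
    none_occur = 1.0                           # OR: 1 - P(no child occurs)
    for q in qs:
        none_occur *= 1.0 - q
    return 1.0 - none_occur


def cut_sets(node):
    """Minimal cut sets: the smallest combinations of basic events that cause the top event."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":                           # any one child's cut set suffices
        candidates = [s for group in child_sets for s in group]
    else:                                      # AND: one cut set from every child, combined
        candidates = [frozenset().union(*combo) for combo in product(*child_sets)]
    minimal = {s for s in candidates if not any(other < s for other in candidates)}
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def mitigation_ranking(tree, p):
    """Basic events ranked by how much the top-event probability falls if each is eliminated."""
    base = probability(tree, p)
    gains = {event: base - probability(tree, {**p, event: 0.0}) for event in p}
    return sorted(gains.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    print(f"top event probability: {probability(TREE, P):.4f}")
    for cs in cut_sets(TREE):
        print("cut set:", " AND ".join(sorted(cs)))
    for event, gain in mitigation_ranking(TREE, P):
        print(f"{gain:.4f}  {event}")
```

Cut sets of size one are single points of failure and usually deserve the first mitigation plan; the two-event cut sets show where an oversight control (supervisory review, for instance) is actually doing work, since the top event then needs two independent failures. With the assumed numbers the calculation error ranks first because it sits under an OR gate with no second check in front of it, whereas the examiner and supervisor failures rank lower because each is masked by the other.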

Finally, the other major focus in 2013 is on developing both a robust risk/opportunity assessment tool and determining the parameters for its use. For WCF an acceptable tool has been difficult to agree on. An initial form was developed and experimented with on a voluntary basis (see Exhibit 11.8). The form contained a restatement of WCF’s risk appetite/tolerance statement guiding the users in regard to when it should be used. A description of the proposed action was required along with cost and expected value explanations.

Identified risks to successful implementation were listed and scored using a matrix embedded in the tool. Mitigation strategies for risk scoring at a certain level were completed.

Information regarding the risk owner and approvals completed the form. The usefulness of the process seemed to lie in three areas:

1. The process could help users to cover all the bases in considering their plans.

2. It could also be helpful in creating a management review and oversight circuit breaker that many companies that fared poorly in 2007–2010 might today wish they had.

3. Finally, it provides a record of risk taking. We often look back on failures and ask: How did that happen? A good risk record might show us whether the issue was an unidentified, unforeseen risk, an execution failure, or just a failure in judgment.

The question seems to come down to whether present systems are adequate or is additional formalization worth the effort and extra work? After further consultation with the Board Risk Oversight Committee in late 2013, management decided to adopt a “principle-based guideline that could be used on a voluntary basis or required by management as desired.” (See pp. 223–224.) This approach gives maximum flexibility along with simplicity. Simple but fundamental questions are used to elicit understanding of a proposed action. Examples of ventures that might be suitable for an analysis are given and a simple follow-up process is described. So far, this approach has been successfully used several times and seems to meet the needs of the organization at this time.


Exhibit 11.6 Claim Reserving Error Fault Tree (diagram). Top event: Inadequate or Redundant Claim Reserves. Events named in the tree: Case Reserves Miscalculation; MIRA Failure or Anomaly; Unexplained change in MIRA internal calculations or assumptions; Basic math or benefit calculation errors; Department QC reviews not effective or timely; Liberalization of Benefits Beyond Statutory Duty; Actuarial Judgment Errors; Incomplete or Incorrect Data Used; Unanticipated Benefit Structure Changes; Inadequate Inflation Factoring; C-Suite Pressure; Federal Reserve Actions; Pressure to adopt different factors or assumptions; Pressure to mis-state results or fail to report conclusions; Unanticipated National or Regional Economic Turns; Incorrect Assumptions of Inflation Changes; Overreliance on Paid or Incurred Methods; Improper Modeling Technique Selected; Actuary too Eager to Please; Problem with NCCI Data Accuracy; Loss or Corruption of Data Undetected; Retroactive Benefit Changes; Prospective Benefit Changes; Other Compensability Changes; Lack of accountability measures for adjusters or Supervisors; Examiner fails to respond to changing case information; Examiner fails to review reserves periodically; Significant change in number of examiner overrides of MIRA recommendation; Examiner Reserving Protocols Fail/Inadequate; Supervisory Review or Oversight Failure; Other Undetected System Errors or Failure; Bulk Reserves Miscalculation.


Exhibit 11.7 Pricing Error Fault Tree (diagram). Top event: Book Pricing Error/Inadequate Rates. Events named in the tree: Individual Accounts Pricing Errors; Underwriting System or Underwriting Management Errors; LCM Errors; Loss Cost Errors; Underwriter Exceeds Underwriting Authority; Underwriter Fails to Follow Department Guidelines; Underwriter Gives in to Market Pressure; Underwriter Pricing Decision Overridden; Failure of PM Model to Accurately Predict Loss Ratios; Other Undetected System Errors; Flawed Analytical Tools (Rate/RAW); Supervisory Review or Oversight Failure; Conceptual Weaknesses in the Underwriting Guidelines; C-Suite Risk; Regulatory Resistance; NCCI Miscalculation; Other Undetected Management Failures; Underwriter’s Analysis is Flawed or Incomplete; Malfeasance or Ethical Lapses. Note printed on the diagram: each end event shown in the bottom rectangular boxes will have its own series of mitigation actions designed to limit the possibility of occurrence.


Exhibit 11.8 Risk Analysis Worksheet

Risk appetite statement printed at the top of the form: It is the policy of WCF senior management to identify risk exposures that represent a potential “material” loss to the Company with an occurrence probability of “moderate” or higher. Material loss is defined as >5% of specific company surplus, or Departmental budget. In addition, management will identify correlated risks that, occurring simultaneously, would trigger either of these or an income statement loss greater than 10% of annual premium.

Form fields (spaces requiring input are shaded on the original):

• Date
• Company, Department, or Subsidiary
• Proposed Action, Product, or Operational Change
• Potential Risks, numbered 1) through 10), each with a Prob. Score, a Sev. Score, and a Total Score
• Mitigation Plans and Risk Owners (attach additional documentation as needed)
• Expected Value of Action
• Implementation Costs
• Completed by; Dept. SVP; Dept. Manager or VP; CEO; Chief Risk Officer

Incident or exposure probability descriptions

• Very Low (1): Improbable, no prediction confidence
• Low (2): Remote, may occur once every 10–50+ years
• Moderate (3): Occasional, may occur once every 3–10 years
• High (4): Probable, may occur once every 2–5 years
• Very High (5): Frequent, could occur annually

Incident or exposure severity descriptions

• Slight Loss (1): Inconsequential with respect to financial, personnel, or brand damage. Less than 1% of surplus or $10M loss or less.
• Medium Loss (2): Important financial, personnel, or brand damage; 5% or more of surplus or $11M–$25M loss.
• Material Loss (3): Material damage to financial strength, personnel, or brand; 10% or more of surplus or a $26M–$50M loss.
• Large Loss (4): Significant damage to financial strength, personnel, or brand; 10% or more of surplus or a $51M–$75M loss, could damage stakeholder confidence.
• Very High Loss (5): Catastrophic impact on solvency, brand or personnel; 50% or more of surplus, greater than a $75M loss, would damage stakeholder confidence.

Potential risks scoring 6 or greater must have completed mitigation plans.


WCF Group—Risk Assessment Framework February 2014

In order to protect our assets, our employees and our customers, WCF is com- mitted to excellence and consistency in risk assessment and risk management. We are creating a risk assessment process that is transparent, scalable and pro- ductive. An effective process is one that promotes a thorough analysis and pro- vides a framework for successful execution of the initiative.

Principle Based Format

The following questions should be addressed in a single document for new ventures or initiatives meeting the risk assessment “trigger”:

1. Why do we need to take this step at this time and what are the expected costs and benefits?

2. What are the key risks (financial, operational, market, strategic, etc.) involved in the initiative?

3. How will each risk be mitigated? (Identify the specific controls to be applied.)

4. What are the most likely outcomes of the venture, as well as the worst and best case scenarios?

Examples of initiatives triggering a risk assessment

1. Significant pricing changes, e.g. refiling Loss Cost Modifiers.
2. Legislative initiatives proposed by WCF.
3. Changes in commission structure.
4. IT software or hardware purchases in excess of $500,000.
5. Changes in claim reserving methodology or claims settlement policy.
6. Investment initiatives requiring a change in investment policy and/or including a commitment of assets of $20,000,000 or more.
7. Other non-investment initiatives requiring a financial commitment greater than $500,000.
8. Significant changes to our reinsurance structure or policy.

Approval and follow up

1. The risk assessment should be completed prior to the initiative’s presentation to senior management or the Board for approval with a copy provided to the Chief Risk Officer.

2. At reasonable milestones, and at the conclusion of the project, the CRO will follow up with the project leaders to assess: (A) Are the original goals of the initiative being met? (B) Are actual costs in line with expected costs? (C) Are the risk mitigation strategies being executed successfully? (D) Would we make the same decision if we had it to do over again?

THE FUTURE

At the time of the preparation of this chapter, WCF is analyzing the results of its second employee survey (see 2013 All-Employee ERM Survey). The questions in the survey were reviewed with both the IRC and the Board Risk Oversight Committee prior to the survey, and again, about half of the company’s 300+ employees have responded. WCF is trying to ascertain whether it is truly developing a risk-sensitive culture and whether it has any barriers to the free expression of concerns and ideas. This desire for transparency and openness has been clearly and publicly articulated by both the president and the chairman. Analysis of the survey results, when completed, will be presented to the board.

2013 All-Employee ERM Survey

• Are there any risks the company faces that you don’t feel are being adequately addressed?

• Do you feel comfortable raising concerns about risk at WCF and do you feel they will be taken seriously?

• What should be done to help employees carefully consider risks, communicate concerns, and take appropriate actions to mitigate risks?

• Are there areas of WCF’s Enterprise Risk Management Program that you would like to know more about?

• Name (optional)

The question of how much is enough is one WCF continues to grapple with. For better or worse, it is one in which both its regulator and its rating agency are giving specific direction as well. In the past couple of years A.M. Best has become increasingly clear regarding its expectations of the companies it is rating. Speaking at an industry conference in the spring of 2012, Group Vice President Ed Easop outlined an approach of generally matching ERM expectations to the general risk profile of the company. Where a carrier’s ERM risk capabilities did not measure up to its risk profile, its rating might be notched down or capital requirements might be raised. If a carrier’s capabilities matched or exceeded its risk profile, more favorable ratings treatment and lower capital requirements would be likely.

More recently A.M. Best addressed this in greater detail at its annual conference in March 2013. A.M. Best indicated that although the property-casualty industry is making progress in developing ERM programs, information gleaned from its supplemental risk questionnaires leaves little doubt that the industry has a long way to go. The rating agency also spelled out in great detail the underlying characteristics of its ERM rating levels of superior, strong, good, and weak in 17 key risk management areas. WCF will have its annual rating discussion meeting with A.M. Best in late fall 2013. It will be interesting to receive feedback in those meetings regarding the rating agency’s perception of the WCF risk profile and the adequacy of WCF’s efforts to date.

Since 2013, the state regulator, the Utah Department of Insurance, has not engaged WCF on this subject, but that is expected to change. As a member of the National Association of Insurance Commissioners (NAIC), it is aware of that organization’s adoption in September 2012 of the Risk Management and Own Risk and Solvency Assessment (ORSA) model legislation. This model law is effective for adoption by state legislatures in 2015. Among other things, the Act requires that “An insurer shall maintain a risk management framework to assist the insurer with identifying, assessing, monitoring, managing, and reporting on its material and relevant risks. This requirement may be satisfied if the insurance group of which the insurer is a member maintains a risk management framework applicable to the operations of the insurer.”2 At this time, WCF meets the exemption requirement due to premium volume written, but the Act clearly sets out standards of best practice that should be considered.

Management has committed to, and the board expects, continued development of the ERM program and culture. This must be done to a level that matches WCF’s risks and ensures it will always be able to discharge the long-term responsibilities it has to policyholders and injured workers. The depth and complexity of the ERM program will be determined through discussion and consultation between management and the board. WCF’s mission is excellence.

QUESTIONS

1. What skill set or industry experience would be most valuable for a CRO to acquire?

2. If a Board has an audit, investment, and risk committee how should they work together and what would be an appropriate division of duties?

3. Should the CRO’s role be a directing or a counseling one? How would this vary in small, medium, or large companies?

4. What would the ideal working relationship be between the CRO and CFO?

5. How should the Board and CEO evaluate a CRO’s performance and contribution to the Company?

NOTES

1. Bradford, Dallas. June 2013. Written comments from WCF Board Chair Dallas Bradford to author.

2. National Association of Insurance Commissioners. 2012. “Risk Management and Own Risk and Solvency Assessment Model Act.”

ABOUT THE CONTRIBUTOR

Dan Hair is the Chief Risk Officer (CRO) at Workers Compensation Fund, located in Utah. He joined WCF in 2005 after a 25-year career with Zenith Insurance Company. As CRO, Dan is responsible for the enterprise risk management efforts of WCF and reports to the president and CEO. He works directly with the board of directors and the Board Risk Oversight Committee. Dan was educated at UCLA and USC, has an insurance operations and safety engineering background, and has taught and published in the areas of risk and risk management for years.


CHAPTER 12

Measuring Performance at Intuit A Value-Added Component in ERM Programs

JANET NASBURG Chief Risk Officer, Intuit Inc.

Intuit started small in 1983 with Quicken personal finance software, simplifying a common household dilemma: balancing the family checkbook. Today, we’ve improved the lives of more than 50 million people, and our annual revenue exceeds $4 billion. We are publicly traded with the symbol INTU on the NASDAQ Stock Market, and are regularly recognized as one of the best places to work in locations around the world.

Our flagship products—QuickBooks, TurboTax, Quicken, and Mint—define our commitment to revolutionize the way people manage their personal finances, run small businesses, and pay employees. Our lineup of tax preparation products helps individuals and small business owners easily and accurately file their own taxes. And working with accountants, we’ve become a staple of American small business, with a widespread and deep-rooted presence that’s second to none.

But we’re much more than that. Today, our expanding portfolio serves customers in North America, Europe, Singapore, and India. And our products have evolved from the desktop to the cloud, with many available both online and for mobile devices.

As the way we live and work evolves, we adapt our strategy to meet and lead these changes. No matter where you find us—and whether you use our products on your PC or mobile phone—we remain committed to creating new and easier ways for consumers and businesses to tackle life’s financial chores, giving them more time to live their lives and run their businesses. As our business and product lines grow beyond accounting and into new areas, we will build on our heritage of innovation. That’s not just our history. It’s our future.

INTUIT’S ERM JOURNEY

Like most companies, Intuit’s enterprise risk management (ERM) journey began with the practice of risk management on an ad hoc basis. Organized efforts came into play only when a significant problem occurred. Problems identified were primarily operational in nature and were defined narrowly to the specific issue. Well-intentioned and committed teams would attack the problem, stopping everything to focus on and solve the problem. These teams would produce long lists of issues and potential mitigation steps—some significant and some minor—to be addressed. Once the immediate problem was solved, it was back to business as usual. This ad hoc approach was not only extremely inefficient but was also not producing a lasting framework that would allow risks to be managed intelligently. In 2009 Intuit established the foundation of the ERM program that is in place today. This foundation included an enterprise-wide common risk framework, annual assessment cycle, and integration into the strategic planning process.

At Intuit, our ERM program has focused not simply on building a process but on building a sustainable risk management capability. Process is a necessary component, but process alone will not build the capability; it will not ensure that risk management is an integral part of how the company operates. Establishing operating mechanisms, practices, and processes that can be maintained well into the future and drive continuous focus on risk management was an important first step. Once the process was solidly in place, focus shifted to building risk management capability. Robust processes for identifying risk, assessing risk, and monitoring risk management progress helped our business leaders to develop and implement risk management activities as part of the normal operating processes of the company instead of reacting to risk on an ad hoc basis. This regular rhythm of risk management has built a strong risk management capability across the company.

Underlying Intuit’s ERM program are some core principles that have brought Intuit’s program to the leadership level it is at today.

• A common risk framework enterprise-wide. The establishment of a common risk framework has enabled business leaders to speak about risks with a common language despite the differences in business lines.

• Assessing risks on an ongoing basis. A constant lens on the risk landscape increases agility to adapt to changes in our business and the environment in which we operate.

• Focusing on the most significant risks. Targeting attention and resources on those risks with the greatest impact on Intuit’s growth, product delivery, and operations drives progress.

• Clearly defined ownership and accountability for risk management. With appropriate oversight from the board and executive management, ownership and accountability for managing risk are the responsibility of business leaders across the company, thereby aligning ownership with leaders who are driving Intuit’s growth strategy and operational priorities.

• Performance measurement and monitoring. Continuously monitoring performance drives progress in risk mitigation and continuously strengthens risk management capability.

Intuit’s ERM program provides our business leaders with an understanding of current and emerging risks providing insights that inform strategic decisions. Each year the journey has continued to increase the level of risk intelligence across the company by building risk management strength and continuously measuring risk management effectiveness.

ERM MATURITY MODEL

ERM programs take time to establish and mature, and building the right foundation is critical.

Patience is not an absence of action; rather it is “timing”; it waits on the right time to act, for the right principles and in the right way.

–Fulton J. Sheen

Enterprise risk management programs are designed to drive identification of risks that may affect a company and management of those risks in order to enable achievement of the company’s objectives. As the level of risk management capability matures, the value of ERM becomes more visible and impactful. The stages of risk management maturity can be described in many ways, all of which generally fall into the following levels (see Exhibit 12.1):

• Ad hoc risk management. Risk Management activities are designed to address a specific problem or task, and not intended to be adapted for wider application.

• Targeted risk management. Independent risk management activities are focused on a limited set of specific risk areas.

• Integrated risk framework. A common, repeatable enterprise framework is used for assessment, ownership and accountability, and reporting of risk management performance.

[Figure: five stages, Ad-hoc Risk Management, Targeted Risk Management, Integrated Risk Framework, Risk Intelligent, and Risk Leadership, plotted against Risk Management Capability on the horizontal axis and Stakeholder Value on the vertical axis.]

Exhibit 12.1 Enterprise Risk Management Maturity Model

• Risk intelligent. Established processes are used to continuously measure and monitor risk management effectiveness and drive optimal performance.

• Risk leadership. Risk management is seamlessly embedded in strategic decision making.

The speed at which a company moves through each level of maturity will vary, as it must be tailored to the individual needs and capacity for change of the company.

BENEFITS OF MEASURING PERFORMANCE IN ERM PROGRAMS

Performance measurement is not new. Measuring performance provides insights into where additional attention may be required or potential opportunities exist. Understanding the risk landscape enables business leaders to formulate and execute strategies informed by potential pitfalls and opportunities. The use of measurements to monitor current significant risks, highlight emerging risks, and understand the impact of both on company strategies and objectives is a key component of any ERM program.

The type of performance measures used varies based on the objective. Key risk indicators (KRIs) can be used to understand how potential emerging risks or trends may impact current risks, business opportunities, and business strategies. Key performance indicators (KPIs) can be used to measure the effectiveness of risk management activities. Both of these types of indicators are important, and using a combination of KRIs and KPIs can increase the value achieved from an ERM program.

Using Key Performance Indicators to Measure Risk Management Effectiveness

Key performance indicators are used to measure and monitor business strategies and business operations. Performance measurement provides information on the gaps between actual performance and targeted performance. It can be used to determine organizational effectiveness and operational efficiency. Measuring and monitoring risk management effectiveness is no different from measuring other performance. Measures are identified, expected targets or thresholds are established, and a starting point or baseline is set. Key performance indicators can take many forms:

• Qualitative and quantitative indicators. Qualitative measures are based on subjective characteristics or qualities rather than on a quantity or measured value. Quantitative measures are based on objective, quantifiable data, like percentages, counts, and ratios. The difference between qualitative and quantitative measures can be confusing, and there is often debate over which is better; however, both can be equally useful, and many times a combination of qualitative and quantitative measures can provide a more holistic picture of performance.

• Leading and lagging indicators. Leading indicators are predictive in nature, like early warning signals. They can highlight that an overall change in performance level is expected based on specific triggers that are monitored. Lagging indicators provide insights into the success or failure of an activity after it is complete.

• Input, process, and output indicators. These indicators are useful in evaluating an end-to-end process. Input indicators measure resources used in executing an activity. Process indicators measure efficiency or productivity. Output indicators measure the result of the process or activity.

In measuring risk management effectiveness, a combination of indicator types is often used. The biggest challenge in measuring performance is knowing what to measure. Selecting performance measures that cannot be gathered and tracked on an ongoing basis or selecting performance measures that are too complex for business leaders to understand their relevance will not provide value. To be most effective, key performance indicators need to be defined so that they are clear, meaningful, and measurable.

When defining KPIs for ERM, ensuring that the following four characteristics are incorporated can be helpful:

• Tangible. Tangible performance measures, aligned with the level of risk exposure that the company deems acceptable, provide true measures of risk management effectiveness, not just milestones in a risk management plan.

• Flexible. Flexible performance measures that can be adjusted to changes in the organization and risk landscape.

• Standardized. Common performance measures used enterprise-wide that provide a view of how each business line’s performance contributes to the aggregated risk exposure at the enterprise level.

• Outcome or objective focused. Performance measures that are aligned to a specific objective or desired outcome.

Exhibit 12.2 provides some examples of key performance indicators.

Exhibit 12.2 Key Performance Indicators

Examples of Key Performance Indicators:

• Percentage of customer attrition

• Percentage of employee turnover

• Profitability of customers by demographic segments

• Percentage of mission-critical business processes with tested contingency plans

• Current-period write-offs or fraud losses

Analyzing Performance Data

Performance measurement alone is not enough to add value; learning from the information and applying that learning to drive changes that improve performance are important steps. Optimizing the benefits of performance measurement can be achieved by performing analysis of the data collected. Data analysis transforms the performance information making it useful input, which can help business leaders to make better risk-informed decisions. There are many types of analysis that can be used, and the choice will vary based on the objectives of the analysis.

While this list is not exhaustive, here are some examples of commonly used analyses:

• Failure mode and effects analysis (FMEA). FMEA helps to identify potential failure points based on certain conditions. The consequences of failures are further analyzed to understand their impact on other parts of a system or process. FMEA can help to design more comprehensive risk mitigation efforts.

• Regression analysis. Regression analysis provides information on the relationship between one dependent variable and one or more independent variables. This type of analysis can be helpful in understanding the correlation between different risks.

• Pareto analysis. Pareto analysis measures the frequency of issues, from most to least frequent. This type of analysis is useful in making decisions that provide the greatest results—for example, targeting resources to address issues in a specific component of a process with the greatest number of errors or control failures.

• Root cause analysis. Root cause analysis is designed to identify and correct the fundamental cause of a problem. It helps focus remediation not on merely correcting symptoms but on preventing the recurrence of problems. This type of analysis is especially useful as a method to proactively forecast probable events before they occur.

• Scenario analysis. Scenario analysis uses discrete scenarios to understand the potential outcome. Typically the worst case, best case, and most likely case are considered. Single-point estimates or a Monte Carlo simulation model using a range of values can be used. This type of analysis is useful to enhance readiness and strengthen response capabilities.

• Benchmarking. Benchmarking compares a company’s current practices to best practices. This type of analysis facilitates development of strategies to improve processes and performance measures.

• Threat analysis. Threat analysis can be used to evaluate a broad spectrum of areas such as natural disasters, criminal activity, legal or regulatory factors, technology trends, internal capabilities, and market forces. Using this type of analysis to gain insights into potential threats is useful to enhance readiness and strengthen response capabilities, as well as to enhance risk mitigation strategies.

Analyses such as these can be used to perform a deep review of a specific risk area to understand effectiveness of current risk mitigation strategies, or can be used broadly to understand potential emerging risks.

Using Key Risk Indicators to Understand Potential New Risks or Changing Risks

Most organizations use key performance indicators to monitor progress in meeting corporate objectives. Those indicators provide valuable information, including insights into risks. However, key performance indicators primarily provide insights into risks already well known by the organization. With ever-changing business environments challenging companies to take a longer-term view into potential risks, there is increased focus on understanding emerging risks. Key risk indicators are used to provide an early warning signal by not just looking at current risks but looking for leading indicators or triggers in the business environment. These triggers can be used to develop strategies that better position the company to manage new risks as they arise. Development of risk indicators can come from analysis of previous risk events to understand their root cause and triggers that can be used in the future as risk indicators. External information, such as economic indicators, industry benchmarks and trends, competitor actions, and the like, can all be utilized in developing key risk indicators. Just as with key performance indicators, key risk indicators are most effective if they are tangible, flexible, standardized, and outcome or objective focused.

Exhibit 12.3 provides some examples of key risk indicators.

Exhibit 12.3 Key Risk Indicators

Examples of Key Risk Indicators:

• Industry trends in customer attrition

• Frequency of critical process failures

• Trends in gasoline or other critical commodity prices in relevant geographies

• Unexpected significant change in number of competitors or suppliers

• Spreads on debt for comparably rated companies

ERM PERFORMANCE MEASUREMENT AND REPORTING AT INTUIT

Performance measurement in Intuit’s ERM program has been a journey of continuous improvement. As ERM programs mature over time, increasing their complexity and value, performance measures and reporting must evolve as well. What gets measured at each level of maturity may vary greatly. The ERM performance measurement approach at Intuit has been continuously updated to keep it relevant and flexible with respect to the organization’s level of risk management maturity. At each stage in the evolution of ERM maturity, objectives and expectations are adjusted. In addition, the appropriateness of current metrics is evaluated given the constantly changing business environment.

First Evolution: ERM Process Adoption

In the early stages of ERM maturity at Intuit, performance measurement was focused on adoption of the ERM process. The objective was to ensure a robust process of risk identification and prioritization facilitating focus on the most significant risks. The measures at this point were twofold: process participation and risk assessment impact and likelihood. Reporting to executive management and the board included the results of the annual assessment, participation rates and heat maps, as well as an outline of strategies to improve the company’s top risks.

ERM Process Participation

Participation in the process was targeted at senior leadership at both the company and business line levels. Business line leadership provided subject matter expertise and insights into the most significant risks facing their specific businesses. Executive management provided an enterprise perspective. The desired participation rate target was 80 percent or greater. Participation rates were calculated at the individual business line level as well as at the company level. This may seem like a very simplistic measure, but you need to consider the level of risk management maturity that was in place at this point. Expecting business leaders to track complex measures when they are just beginning to build a risk management capability may be unrealistic. Measuring participation in the ERM process provided an indicator of risk awareness and risk management currently in place. This was an important benchmark. Since performance measurement provides information on the gaps between actual performance and targeted performance, this measure highlighted opportunities to help business leaders increase their risk focus and knowledge.

Risk Impact and Likelihood

Intuit’s ERM program, like many other companies’ programs, includes an annual risk assessment. The annual risk assessment provides an enterprise-wide understanding of key risks. Intuit conducts risk assessments at both the company level and on an individual business line level. The assessment solicits information from the company’s executive management on the impact and likelihood of risks affecting the organization’s strategies and objectives. Measuring impact and likelihood is clearly defined and standardized, facilitating aggregation of the information received from participants across the company. Heat maps, as illustrated in Exhibit 12.4, are used to show the results of the assessment, and attention is then focused on the risks in the upper right-hand quadrant.

[Figure: Likelihood on the horizontal axis and Impact on the vertical axis, each scaled 1 to 6 from Low to High.]

Exhibit 12.4 Risk Impact and Likelihood Diagram

This type of performance measurement and reporting provided many benefits, including:

• Helping business leaders to understand the effect of risks on performance against strategic goals and objectives

• Targeting focus to the critical few, and in doing so accelerating progress on addressing these risks

• Identifying potential events or circumstances that may impede ability to optimize performance
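The two first-evolution measures described above, a participation rate against the 80 percent target and aggregated impact/likelihood ratings placed on a heat map, are straightforward to compute. The following Python example is added here to show that mechanically; it is not Intuit's code or from this chapter. The 1-to-6 axis range is taken from Exhibit 12.4; the cut at 3.5 between the Low and High halves of each axis, the participant names, the risk names and every rating value are constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean

SCALE_MIN, SCALE_MAX = 1, 6     # axis range shown in Exhibit 12.4
HIGH_CUTOFF = 3.5               # assumed split between the Low and High halves of an axis
PARTICIPATION_TARGET = 0.80     # "80 percent or greater" target from the text


@dataclass(frozen=True)
class Rating:
    """One participant's impact and likelihood rating of one risk."""
    risk: str
    participant: str
    impact: int
    likelihood: int

    def __post_init__(self):
        # Reject ratings outside the standardized scale so they cannot skew the average.
        for v in (self.impact, self.likelihood):
            if not SCALE_MIN <= v <= SCALE_MAX:
                raise ValueError(f"rating {v} outside the {SCALE_MIN}-{SCALE_MAX} scale")


def participation_rate(invited, responded):
    """Share of invited leaders who submitted ratings, and whether it meets the target."""
    if invited <= 0 or responded > invited:
        raise ValueError("responded must be between 0 and invited, invited must be positive")
    rate = responded / invited
    return rate, rate >= PARTICIPATION_TARGET


def aggregate(ratings):
    """Average impact and likelihood per risk across all participants."""
    by_risk = {}
    for r in ratings:
        by_risk.setdefault(r.risk, []).append(r)
    return {name: (mean(r.impact for r in rs), mean(r.likelihood for r in rs))
            for name, rs in by_risk.items()}


def quadrant(impact, likelihood):
    """Name the heat-map quadrant; 'upper-right' is high impact and high likelihood."""
    vertical = "upper" if impact > HIGH_CUTOFF else "lower"
    horizontal = "right" if likelihood > HIGH_CUTOFF else "left"
    return f"{vertical}-{horizontal}"


def top_risks(ratings):
    """Upper-right-quadrant risks, highest impact x likelihood first."""
    agg = aggregate(ratings)
    top = [(name, i, l) for name, (i, l) in agg.items() if quadrant(i, l) == "upper-right"]
    return sorted(top, key=lambda t: t[1] * t[2], reverse=True)


def heat_map(ratings):
    """Map each risk to its rounded (impact, likelihood) cell for plotting on the 6x6 grid."""
    cells = {}
    for name, (i, l) in aggregate(ratings).items():
        cell = (min(SCALE_MAX, int(i + 0.5)), min(SCALE_MAX, int(l + 0.5)))
        cells.setdefault(cell, []).append(name)
    return cells


# Constructed sample assessment: three hypothetical executives rating five hypothetical risks.
SAMPLE = [
    Rating("Customer data breach", "A", 6, 5),
    Rating("Customer data breach", "B", 5, 5),
    Rating("Customer data breach", "C", 6, 4),
    Rating("Cloud hosting outage", "A", 5, 5),
    Rating("Cloud hosting outage", "B", 4, 6),
    Rating("Tax law change", "A", 3, 6),
    Rating("Tax law change", "B", 2, 5),
    Rating("Key-person loss", "A", 5, 2),
    Rating("Key-person loss", "B", 4, 3),
    Rating("Office relocation delay", "A", 2, 2),
    Rating("Office relocation delay", "B", 3, 1),
]

if __name__ == "__main__":
    rate, ok = participation_rate(invited=20, responded=17)
    print(f"participation {rate:.0%}, meets target: {ok}")
    for name, i, l in top_risks(SAMPLE):
        print(f"{name}: impact {i:.2f}, likelihood {l:.2f}")
```

Averaging across participants is what makes the standardized scale pay off: a risk that one leader scores 6/6 and two others score 2/2 does not land in the upper-right quadrant, so the discussion turns to why the views differ rather than to whose number wins.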

Second Evolution: Risk Mitigation Progress Measurement

With the rhythm of an annual ERM assessment in place and top risks at the company and business line level appropriately prioritized, the focus shifted to building risk management strength. The objective was to ensure direct alignment of risk management activities and resources to the most critical issues identified as part of the assessment process. The focus of performance measurement was one of the top risks identified at the company and business line levels. Ownership and accountability for the top risks are specifically designated to a senior leader at the company level or business line level. Performance measurement includes an indicator of the status of overall risk exposure, an indicator of current risk trending, as well as a separate measure tracking the progress on individual risk mitigation activities.

Exhibit 12.5 provides an example of the levels of status indicators. Quarterly ERM performance reporting is integrated into Intuit’s annual enterprise and business line strategic planning process and quarterly operating reviews. Exhibit 12.6 provides a sample business line top risk status report.

[Table with columns Color, Status of Risk Exposure, and Plan Status; entries listed by column.]

Status of Risk Exposure:

• Managed well with appropriate mitigation in place. Risk has been reduced to an acceptable level.

• Some mitigation in place, stronger additional mitigation needed. Plans developed and some risk reduction occurring.

• Missing or ineffective mitigation and/or significant process breakdowns. Further action required.

• Status not available.

Plan Status:

• Plan complete.

• Plan on schedule.

• Plan potentially at risk.

• Plan significantly at risk.

• Plan not started.

• N/A

Exhibit 12.5 Example of Levels of Status Indicators

This type of performance measurement and reporting provides many benefits, including:

• Demonstrating the breadth of top risk coverage with defined risk management plans

• Highlighting potential gaps in resources to execute mitigation activities

• Providing transparency to risk management activities across the organization and opportunities to leverage common risk management strategies and best practices

Exhibit 12.6 Sample Business Line Top Risk Status Report

[Dashboard: Risk 1 Status, status as of x period; rows for Business Line 1 through Business Line 7, columns KPI/KRI 1 through KPI/KRI 6 and Overall; Business Line 2 and Business Line 7 carry a “Not measured” entry. KPI/KRI 1 rating criteria example: Medium Gray: ≤ X; Light Gray: between x and x; Dark Gray: > x.]

Exhibit 12.7 Sample Executive Dashboard

Third Evolution: Multidimensional Risk Management Performance Measurement

As Intuit’s program evolved, performance measurement and reporting focus moved from tracking progress on risk mitigation to a more holistic approach. The objective was to actively monitor the most important risks facing the company and ensure that business leaders were proactively adjusting strategies to balance managing these risks and leveraging the opportunities they provide. To this end, executive dashboards were developed, which use a combination of key performance indicators and key risk indicators. Aggregation of a number of different KPIs provides a multidimensional view of risk and an overall risk score. Standard metrics are used enterprise-wide to ensure that all business lines are aligned to the objectives. Additionally, an overall risk rating is assigned that demonstrates the collective effect of these activities on the risk exposure at the company level. Dashboards for each of the company’s top risks and an overall summary are routinely reported to the board and executive management. Exhibit 12.7 provides a sample executive dashboard.

This type of performance measurement and reporting has provided many benefits, including:

• Providing visibility into business line risks to aid understanding of the cumulative impact of these risks on Intuit as a whole

• Enabling the company to drive focus and allocate resources to the highest-impact work, and to accelerate progress on specific risks by leveraging a rigorous program from the center and coordinated business line effort


From:

• Tactical activities to address current gaps

• Narrow scope

• Long road maps

To:

• Better understanding of the risks and their effect on company growth

• Longer term view of strategies to address risk, with tighter timelines to accelerate progress

• Embrace Innovation

Exhibit 12.8 From Tactical Risk Management to Strategic Risk Management

� Driving the development and adoption of enterprise standards and best practices (e.g., hosting principles, security standards, technology principles)

As Intuit’s ERM program, and the approach to performance measurement and reporting, has matured, we have a higher bar for risk management—it is more strategic, and we have significantly improved execution. We have moved from tactical risk management to strategic risk management, as shown in Exhibit 12.8.

CONCLUSION

This chapter has described the value of performance measurement as a component of ERM programs.

At Intuit, risk management is the responsibility of everyone in the organization, from the board and executive management all the way down to the individual employees. To ensure that risk management is effective, it must be a core business competency, and measuring performance facilitates tracking that the appropriate level of competency is achieved.

Intuit’s ERM program provides a rigorous and coordinated approach to assessing and responding to risks. It recognizes the upside opportunity and downside nature of risks. Routine performance measurement is a critical component of the program and not only ensures a focus on the most significant risks but also accelerates progress on managing current and emerging risks and assuring alignment with strategic goals.

Performance is reviewed regularly with the Audit and Risk Committee of the board, and, as a result, feedback drives continuous innovation around performance measurement and reporting. ERM is viewed as an integral part of the company’s current operating model, and continuously improves enterprise-wide risk awareness, monitoring, and management.

QUESTIONS

1. How do Key Risk Indicators help companies identify emerging risks?

2. How do Key Performance Indicators help companies to manage existing risks?

3. If measuring performance is not a component of an ERM program, what is the effect on the overall quality of the program?

4. How can the Board be confident in the information reported on management’s progress in responding to significant risks?

ABOUT THE CONTRIBUTOR

Janet Nasburg is Chief Risk Officer at Intuit, makers of QuickBooks, TurboTax, Quicken, and Mint. Intuit is committed to revolutionizing the way people manage their small businesses and personal finances. Ms. Nasburg is responsible for driving Intuit’s enterprise risk management capability to ensure that the company appropriately balances opportunities and risks to achieve optimal business results. She reports routinely to the board of directors on the company’s risk landscape, risk tolerance, and emerging risks.

Ms. Nasburg has more than 30 years of experience in finance and risk management. She is on the executive committee of the Conference Board’s Strategic Risk Management Council, and is also a member of the Institute of Internal Auditors. She is a Certified Internal Auditor (CIA), Certified in Risk Management Assurance (CRMA), and Certified in Control Self Assessment (CCSA). She has a BS in agricultural economics and business management from the University of California, Davis, and an MBA in finance from the Graduate School of Business, San Francisco State University.


CHAPTER 13

TD Bank’s Approach to an Enterprise Risk Management Program

PAUL CUNHA
Vice President, Enterprise Risk Management for TD Bank Group

KRISTINA NARVAEZ
President and Owner of ERM Strategies, LLC

This case study focuses on how TD Bank Group uses enterprise risk management (ERM) to grow profitably while keeping in mind the balance between taking and managing its risks. TD recognizes that having a strong risk culture and approach to risk management is fundamental to success. TD’s ERM approach is comprehensive and proactive. It combines the experience and specialized knowledge of individual business segments, risk professionals, and the corporate oversight functions. It is based on enabling TD’s business to understand the risks it faces and to develop the policies, processes, and controls required to manage them appropriately in alignment with the bank’s strategy and risk appetite.

BACKGROUND

Headquartered in Toronto, Canada, with more than 85,000 employees in offices around the world, TD and its subsidiaries offer a full range of financial products and services to approximately 22 million customers worldwide through three key business lines:

1. Canadian retail, including TD Canada Trust, TD Auto Finance Canada, Canadian credit cards, Canadian wealth, and TD Insurance

2. Wholesale Banking, including TD Securities

3. U.S. retail, including TD Bank (“America’s Most Convenient Bank”), TD Auto Finance U.S., U.S. wealth, and U.S. credit cards

As of April 30, 2014, TD had $896 billion (Canadian) in assets. TD also ranks among the world’s leading online financial services firms, with approximately eight million active online and mobile customers. It is the second-largest bank in Canada and the tenth-largest bank in the United States (by market capitalization). TD trades on the Toronto Stock Exchange and New York Stock Exchange under the symbol “TD.”

ERM at TD Bank

TD’s risk management approach is comprehensive with TD Bank’s Enterprise Risk Framework (ERF), reinforcing TD’s risk culture and ensuring that all stakeholders have a common understanding of how TD manages risk. The ERF addresses: (1) the nature of the risks to TD’s business strategy and operations; (2) how TD defines the types of risk it is exposed to; (3) risk management governance; and (4) how TD manages risk through processes that identify, measure, assess, control, and monitor risk. TD’s risk management resources and processes are designed to enable all of its businesses to understand the risks they face and to manage them within TD’s risk appetite.

TD’s Risk Appetite Statement is the primary means used to communicate how TD views risk and determines the risks it is willing to take in order to grow its business. TD takes into account its mission, vision, guiding principles, and strategy, as well as risk philosophy and capacity to bear risk, in defining its risk appetite.

TD takes risks required to build its business, but only if those risks:

• Fit its business strategy, and can be understood and managed

• Do not expose the enterprise to any significant single-loss events

• Do not risk harming the TD brand

In applying its risk appetite, TD considers both the current conditions in which it operates and the impact that emerging risks will have on TD’s strategy and risk profile. Adherence to the enterprise risk appetite is managed and monitored across TD and is based on a broad collection of principles, policies, processes, and procedures, including risk appetite statements and related performance measures for major risk categories and the business segments.

At the enterprise level, metrics are tracked against key risks like capital adequacy, market risk, liquidity risk, credit risk, and operational risk. These metrics and compliance with the Risk Appetite Statement are monitored and reported by risk dashboards on an ongoing basis. To ensure that TD Bank’s Risk Appetite Statement remains current and relevant, TD has established a Risk Appetite Governance Framework approved annually by the Risk Committee of the Board (RCoB). This framework describes TD’s processes, structure, and responsibilities to develop, govern, and approve the Enterprise and Business Segments Risk Appetite Statements and the requirements for monitoring and escalating exceptions. Specifically, the governance process provides that:

• The Enterprise and Business Segments Risk Appetite Statements and related metrics must be reviewed at least annually.

• Updates and amendments are developed by Risk Management with input from business segments, corporate functions, the senior executive team, and the RCoB.

• The TD Enterprise Risk Appetite Statement and related metrics must be reviewed and approved by the RCoB annually.

• The Business Segment Risk Appetite Statements must be recommended by each of the Business Group heads and approved by the president and chief executive officer (CEO) and chief risk officer (CRO) annually.

• Performance against the Enterprise and Segment Risk Appetite Statements must be monitored and reported on an ongoing basis.

Understanding an Organization’s Risks Helps Reinforce the Risk Culture

Each of the ERF’s components reinforces the desired risk culture of TD Bank, and they are all equally necessary to ensure that TD successfully manages its risk. The ERF sets the direction of how TD manages enterprise risk. The TD Risk Inventory sets out TD’s major risk categories and related subcategories to enable a consistent language and approach to measuring, reporting, and disclosing TD’s risks. This inventory of risks facilitates consistent enterprise risk identification and becomes the starting point to develop the appropriate risk strategies and processes to manage TD’s risk exposure. Definitions of common terms include:

Strategic risk is the potential for financial loss or reputational damage arising from ineffective business strategies, improper implementation of business strategies, or a lack of responsiveness to changes in the business environment. The CEO manages strategic risk supported by the members of the senior management team. Together they define the overall strategy, in consultation with and subject to approval by the board.

Credit risk is the risk of loss if a borrower or counterparty in a transaction fails to meet its agreed payment obligations. Credit risk is one of the most significant and pervasive risks in the banking sector. Every loan, extension of credit, or transaction that involves transfer of payments between TD and other parties or financial institutions exposes TD to some degree of credit risk. The responsibility of credit risk management is enterprise-wide. Each business segment’s credit risk control unit is primarily responsible for credit decisions and must comply with established policies, exposure guidelines, and credit approval limits.

Market risk is the risk of loss in financial instruments or the balance sheet due to adverse movements in market factors such as interest and exchange rates, prices, credit spreads, volatilities, and correlations. TD is exposed to market risk in its trading and investment portfolios, as well as through its nontrading activities. The primary responsibility for managing market risk in trading activities lies with Wholesale Banking with oversight from Market Risk Control within Risk Management.

Liquidity risk is the risk of having insufficient cash or collateral resources to meet financial obligations without raising funds at unfavorable rates or being unable to sell assets at a reasonable price in a timely manner. Demand for cash can arise from deposit withdrawals, debt maturities, and commitments to provide credit or liquidity support. The Asset/Liability and Capital Committee oversees the liquidity risk management program.

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events. Operational risk is embedded in all of the bank’s business activities, including the practices for managing other risks such as credit, market, and liquidity risk. Operational Risk Management is an independent function that designs and maintains TD’s overall operational risk management framework. This framework sets out the enterprise-wide governance processes, policies, and practices to identify, assess, report, mitigate, and control operational risks.

Insurance risk is the risk of financial loss due to actual experience emerging differently from expected in insurance product pricing or reserving. This could be due to adverse fluctuations in timing, actual size, and/or frequency of claims mortality, morbidity, policyholders’ behavior, or associated expenses incurred. Senior management within the insurance business units has primary responsibility for managing insurance risk with oversight by the Chief Risk Officer for Insurance, who reports into Risk Management.

Legal, regulatory, and compliance risk is the risk of negative impact to business activities, earnings or capital, regulatory relationships, or reputation as a result of failure to comply with or to adapt to current and changing regulations, laws, industry codes, rules, or regulatory expectations. Legal risk includes the potential for civil litigation or criminal or regulatory proceedings being commenced against the bank that, once decided, could materially and adversely affect its business, operations, or financial condition. Business segments and corporate areas are responsible for managing day-to-day regulatory and legal risk, while the Legal, Compliance, Global Anti-Money Laundering, and Regulatory risk groups assist them by providing advice and oversight.

Capital adequacy risk is the risk of insufficient capital available in relation to the amount of capital required to carry out the bank’s strategy and to satisfy regulatory capital adequacy requirements. Capital is held to protect the viability of the bank in the event of unexpected financial losses. The board of directors has the ultimate responsibility for overseeing adequacy of capital and capital management. The board reviews the adherence to capital limits and targets, and reviews and approves the annual capital plan and the Capital Management Policy.

Reputational risk is the potential that stakeholder impressions, whether true or not, regarding an institution’s business practices, actions, or inactions, will or may cause a decline in the institution’s value, brand, liquidity, or customer base. TD Bank’s enterprise-wide Reputational Risk Management Policy is approved by the Risk Committee of the Board. This policy sets out the framework under which each business unit is required to implement a reputational risk policy and procedures. These include designating a business-level committee to review reputational risk issues and to identify issues to be brought to the Enterprise Reputational Risk Committee.


Risk Governance Structure

TD’s risk governance structure emphasizes and balances strong central oversight and control of risk with clear accountability for, and ownership of, risk within each business unit. Under TD’s approach to risk governance, the business owns the risk that it generates and is responsible for assessing risk, designing and implementing controls, and monitoring and reporting its ongoing effectiveness to safeguard TD from exceeding its risk appetite.

TD’s risk governance model includes a senior management committee structure to support transparent risk reporting and discussion with overall risk and control oversight provided by the board and its committees. The CEO and Senior Executive Team determine TD’s long-term direction within the bank’s risk appetite and apply it to the businesses. Risk Management, headed by the Group head and chief risk officer (CRO), sets enterprise risk strategy and policy and provides independent oversight to support a comprehensive and proactive risk management approach for TD.

TD employs a “three lines of defense” model that describes the roles of the business, governance, risk, and oversight groups in managing TD Bank’s risk profile. The first line of defense is the business and corporate line of accountabilities and includes the following:

• Managing and identifying risks in day-to-day activities

• Ensuring that activities are within TD’s risk appetite and risk management practices

• Designing, implementing, and maintaining effective internal controls

• Monitoring and reporting on the risk profile

The second line of defense deals with setting standards and challenging business assumptions to improve governance, risk, and control groups’ responsibilities and accountability. These include the following:

• Establishing enterprise governance, risk, and control strategies and practices

• Providing oversight and independent challenge to the first line through review, inquiry, and discussion

• Developing and communicating governance, risk, and control policies

• Providing training, tools, and advice to support policy compliance

• Monitoring and reporting on compliance with risk appetite and policies

The third line of defense is independent assurance through the internal audit department, which allows for the following:

• Verifying independently that TD’s ERF is operating effectively

• Validating the effectiveness of the first and second lines of defense in fulfilling their mandates and managing the risk profile

The RCoB oversees TD’s risk direction and the implementation of an effective risk management culture and internal control framework across the enterprise. In support of this oversight, the RCoB reviews, challenges, and approves certain risk policies while also reviewing and approving TD’s Risk Appetite Statement.

TD’s executive committees provide oversight at the most senior level and support management by guiding, challenging, and advising executive decision makers. The following committees oversee governance, risk, and control activities relating to the bank’s key risks, and review and monitor the risk strategies and associated risk activities and practices:

• The Enterprise Risk Management Committee oversees the management of major enterprise governance and risk and control activities.

• The Asset/Liability and Capital Committee (ALCO) oversees the management of TD’s nontrading market risk and each of its consolidated liquidity, funding, investments, and capital positions.

• The Operational Risk Oversight Committee oversees the strategic assessment of TD’s governance, control, and operational risk structure.

• The Disclosure Committee ensures that appropriate controls and procedures are in place and operating to permit timely, accurate, balanced, and compliant disclosure to regulators, shareholders, and the market.

• The Reputational Risk Committee ensures that corporate or business initiatives with significant reputational risk profiles have received adequate review for reputational risk implications prior to implementation.

The Risk Management function, headed by the CRO, provides independent oversight of risk governance and control, and is responsible for establishing risk management strategy, policies, and practices. Risk Management’s primary objective is to support a comprehensive and proactive approach to risk management that promotes a strong risk management culture. Risk Management works with the business segments and other corporate oversight groups to establish policies, standards, and limits that align with TD’s risk appetite, and monitors and reports on existing and emerging risks and compliance with TD’s risk appetite.

Each business segment has an embedded risk management function that reports directly to a senior risk executive, who in turn reports to the CRO. This structure supports an appropriate level of central oversight while emphasizing ownership and accountability for risk within the business segment. Business management is responsible for recommending the business-level risk appetite and metrics, which are reviewed and challenged as necessary by Risk Management and ultimately approved by the CEO.

TD’s audit function provides independent assurance to the board of the effectiveness of risk management, control, and governance processes employed to ensure compliance with TD’s risk appetite. Internal Audit reports on its evaluation to management and the RCoB. The Compliance group establishes risk-based programs and standards to proactively manage known and emerging compliance risks across TD to provide independent oversight and delivers operational control processes to comply with the applicable legislation and regulation requirements.


The Global Anti Money Laundering (AML) group establishes a risk-based program and standards to proactively manage known and emerging money laundering compliance risks across TD. The AML group provides independent oversight and delivers operational control processes to comply with the applicable legislation and regulatory requirements. The Treasury and Balance Sheet Management (TBSM) group manages, directs, and reports on TD’s capital and investment positions, interest rate risk, liquidity and funding risks, and the market risks of TD’s nontrading bank activities. The Risk Management function oversees TBSM’s capital and investment activities.

Risk Identification, Assessment, and Reporting

TD applies the following principles to how it manages risks:

• Enterprise-wide in scope. Risk management spans all areas of TD, including third-party alliances and joint venture undertakings and all boundaries, both geographic and regulatory.

• Transparent and effective communication. Matters relating to risk are communicated and escalated in a timely, accurate, and forthright manner.

• Enhanced accountability. Risks are explicitly owned, understood, and actively managed by business management and all employees, individually and collectively.

• Independent oversight. Risk policies, monitoring, and reporting will be established independently and objectively.

• Integrated risk and control culture. Risk management discipline is integrated into TD’s daily routines, decision making, and strategy.

• Strategic balance. Risks are managed to an acceptable level of exposure, recognizing the need to protect and grow shareholder value.

Risk identification and assessment are focused on recognizing and understanding existing risks, risks that may arise from new or evolving business initiatives, and emerging risks from the changing environment. TD looks to establish and maintain integrated risk identification and assessment processes that enhance the understanding of risk interdependencies, consider how risk types interact, and support the identification of emerging risks.

Depending on the risk type, the risk identification and assessment process may be developed and/or controlled by the business segment with oversight provided by Risk Management, or it may be controlled by a function within Risk Management. For example, credit risk assessment processes developed by a business segment exist for both retail and nonretail clients. The nature of those processes may vary by and/or within a business segment depending on the specific nature of the risk. Risk Management’s role in these processes is to provide oversight and challenge to ensure that the analysis and results produced by the process focus on the relevant issues.

Other risk identification and assessment processes that can and/or need to be applied on a consistent basis across TD have been developed by Risk Management at the enterprise level. Examples of such processes would include the Risk and Control Self-Assessment (RCSA) report, the Emerging Risk Identification process, scenario analysis and stress testing, and the Internal Capital Adequacy Assessment Process (ICAAP).

Risk Measurement

The ability to quantify risks is also a key commitment of TD’s risk management processes. These processes align with regulatory requirements for capital adequacy, leverage ratios, liquidity measures, stress testing, and maximum credit exposure guidelines. TD has a process in place to quantify risks to provide accurate and timely measurements of the risks it assumes.

In quantifying risk, TD uses various risk measurement methodologies, including value at risk (VaR) analysis, scenario analysis, stress testing, and limits. Other examples of risk measurements include credit exposures, provision for credit losses, peer comparisons, trending analysis, liquidity coverage, and capital adequacy metrics. TD also conducts structured Risk and Control Self-Assessment (RCSA) programs and monitors internal and external risk events. This allows TD to identify, escalate, and monitor significant risk issues as needed.

TD’s Enterprise-Wide Stress Testing involves the development, application, and assessment of severe but plausible stress scenarios on earnings, liquidity, and capital of the bank. It enables senior management and the board and its committees to identify and articulate enterprise-wide risks and understand potential vulnerabilities for TD. It informs and supports risk appetite, capital adequacy, and liquidity requirements, providing a framework to assess emerging, concentration, and contagion risks.

Risk Control

TD’s risk control processes are established and communicated through risk committees and approved policies, procedures, and control limits. Policies are used as a key risk control tool to provide consistency, predictability, and alignment with risk appetite by communicating the principles, rules, and limits to guide and determine decisions and behaviors. TD’s Policy Governance Framework provides a common structure and requirements for the consistent development, implementation, approval, and management of policy at TD.

TD’s approach to risk control includes risk and capital assessments to appropriately capture key risks in TD’s measurement and management of capital adequacy. This involves the review, challenge, and endorsement by senior management committees of the ICAAP practices. The Internal Control Framework describes enterprise principles governing internal control and management accountability to own and manage risk across the enterprise by practicing ongoing risk and control self-assessment; designing, implementing, and monitoring the effectiveness of a comprehensive program of internal control; and responding in a timely manner to control weaknesses identified by management, governance, risk and control groups, Internal Audit, or other parties.

In recognition of the importance of technology risk control and management, TD has established the Technology Risk Management and Information Security Program, which is designed to reduce business risk with technology controls, and to protect the bank, its customers, and its employees. This enterprise-wide program is delivered through governance and policy setting, along with the Technology Risk Assessment and Control Framework that generates awareness, communications and ongoing assessments, information security architecture and strategy, and vulnerability and incident management.

Risk Monitoring and Reporting

TD monitors and reports on risk levels on a regular basis to senior management, the RCoB, and the board. Complementing regular risk monitoring and reporting, ad hoc risk reporting is provided as appropriate for new and emerging risk or any significant changes to the bank’s risk profile. Risk-specific reporting is also in place as described in the relevant risk-specific frameworks.

TD’s risk dashboards provide a comprehensive quantitative and qualitative assessment of key risk types across the enterprise. The risk dashboards reflect established guidelines and risk tolerance based on TD policies that encompass key aspects of risk to the businesses.

TD measures management’s performance against risk appetite using the Risk Appetite Scorecard, which is a consolidated assessment of enterprise and business segment risk performance measured against risk appetite metrics. In completing the Risk Appetite Scorecard, TD Risk Management assesses various factors to determine whether the bank takes risks consistent with the Risk Appetite Statement and whether the risk level changed in the businesses as a result of management actions or external factors. This annual assessment of management’s performance against TD’s risk appetite is used as a key input into compensation decisions.

Extensive external reporting is produced to comply with legal and regulatory requirements. TD also discusses the ERF and related risk management practices in the Management Discussion and Analysis (MD&A) section of its annual report. All forward-looking statements to external stakeholders included in the MD&A are, by their very nature, subject to inherent risks and uncertainties, general and specific, which may cause the bank’s actual results to differ materially from the expectations expressed in the forward-looking statements.

CONCLUSION

TD Bank’s earnings are affected by the general business and economic conditions in Canada and the United States. These conditions include short-term and long-term interest rates, inflation, fluctuations in debt and capital markets, consumer debt levels, government spending, exchange rates, the strength of the economy, threats of terrorism, civil unrest, the effects of public health emergencies, the effects of disruptions to public infrastructure, and the level of business conducted in the regions where the bank operates.

TD Bank employs an ERM framework that emphasizes and balances central oversight and control of risk with clear accountability for and ownership of risk within each business segment. TD’s approach to ERM is based on six key principles: enterprise-wide in scope, transparent and effective communication, enhanced accountability, independent oversight, integrated risk and control culture, and strategic balance.

QUESTIONS

1. How does an ERM program help an organization to better understand their risk culture?

2. How would you describe TD Bank’s risk profile to a financial analyst on Wall Street?

3. What are the determining factors in deciding which risks TD can take?

4. How does TD measure the risks in their organization?

REFERENCES

TD Bank. 2012. ERM Framework, June.

TD Bank. 2012. Management and Decision Analysis Report.

ABOUT THE CONTRIBUTORS

Paul Cunha is Vice President, Enterprise Risk Management, at TD Bank. He graduated from Wilfrid Laurier University with an honors bachelor of business administration and is a CFA charterholder. During his career at TD Bank, he has spent time in risk management, internal audit, retail banking, commercial banking, and corporate and investment banking.

Kristina Narvaez is the president and owner of ERM Strategies, LLC. She graduated from the University of Utah in environmental risk management and then received her MBA with two advanced certificates in finance and information technology from Westminster College. She is a two-time Spencer Education Foundation Graduate Scholar from the Risk and Insurance Management Society, and has published more than 25 articles and papers on topics relating to enterprise risk management and board risk governance.

Note: The material contained in this chapter represents the views of the authors and not necessarily those of the TD Bank Group.


PART III

Linking ERM to Strategy and Strategic Risk Management


CHAPTER 14

A Strategic Approach to Enterprise Risk Management at Zurich Insurance Group

LINDA CONRAD
Director of Strategic Business Risk at Zurich Insurance Group

KRISTINA NARVAEZ
President and Owner of ERM Strategies, LLC

This case study describes how the Zurich Insurance Group has implementedand evolved its enterprise risk management (ERM) approach for more than10 years across the globe. It describes how Zurich has organized its gov- ernance structures and ERM champions to help integrate ERM into the business model that focuses on promptly identifying, measuring, managing, monitoring, and reporting risks that affect the achievement of strategic, operational, and finan- cial objectives. This includes adjusting their risk profiles to be in line with Zurich’s stated risk tolerance to respond to new threats and opportunities in order to opti- mize returns.

ENTERPRISE RISK MANAGEMENT AT ZURICH

As a large global insurance carrier, Zurich Insurance Group has relied on its ERM program for more than 10 years as a means to help Zurich remain profitable. With over 60,000 employees around the world and serving customers in more than 170 countries and territories, Zurich is exposed to a wide range of risks, from its customers to its own operations. Yet Zurich recognizes that taking the right risks at the right time is a necessary part of growing and protecting shareholder value. Naturally, Zurich aims to capitalize on appropriate market opportunities that could attract the best talent and investor capital. To achieve this, Zurich utilizes insight from its ERM program to help balance growth opportunities with the reality that it is operating in a complex world economy.

ERM not only is embedded in Zurich’s business, but is also aligned with its strategic and operational planning and budgeting process. Zurich assesses risks systematically and from a strategic perspective through its proprietary tools that allow it to identify and then evaluate the probability of a risk scenario occurring, as well as the severity of the consequence should it occur. Zurich then develops, implements, and monitors appropriate improvement actions. Its ERM tools are integral to how Zurich deals with change, by helping to evaluate strategic risks as well as risks to its reputation. At the senior management level, the ERM process is annually reviewed and tied to the strategic planning process, but is also embedded in the ongoing business.

Listed here are Zurich’s major ERM objectives, and a tangible proof point:

• Protect the capital base by monitoring that risks are not taken beyond Zurich’s risk tolerance.

• Enhance value creation and contribute to an optimal risk/return profile by providing the basis for efficient capital deployment.

• Support Zurich’s decision-making processes by providing consistent, reliable, and timely risk information.

• Protect Zurich’s reputation and brand by promoting a sound culture of risk awareness and disciplined and informed risk taking.

Tangible Results

By aligning ERM with its business strategy, Zurich has been able to use certain tools to create new value for its organization in a variety of areas. Zurich’s ERM program has sustained business growth throughout the recession, contributing to more than 40 consecutive quarters of growth. One way it added value through ERM was when Zurich introduced an enhanced operational risk management framework. One business unit reduced operational risk-based capital (RBC) consumption by 21.7 percent when Zurich moved from an asset-based to a risk-based approach for operational risk quantification. Using tools such as Total Risk Profiling (TRP, described later in this chapter), the business unit then identified high-risk exposures, performed a deeper assessment, and developed mitigation measures. The business unit experienced an additional reduction of 28.9 percent in operational risk capital consumption the following year. Operational risk capital not consumed was then available to fund profitable growth for Zurich.

Optimizing the Risk and Reward Balance at Zurich

To consistently achieve the right balance between risk and reward to optimize capital, many corporate leaders around the world have adopted ERM within their organizations. Zurich has a well-established ERM program, which it sees as a critical component of its success. Zurich’s comprehensive ERM and risk tolerance framework links risk taking, strategic planning, and operational planning with a comprehensive risk limit system. It enables active risk-taking within a consistent framework across the entire organization. It also allows for the flexibility to either increase or limit risk levels as appropriate for specific applications, geographies, or business units on a case-by-case basis, in accordance with Zurich’s risk policy.

Global businesses like Zurich are increasingly focused on the challenge of mapping and managing their risk profiles, looking beyond a single dimension to understand the complex interactions between many different types of risks. Zurich’s risk landscape outlines the number of risks, types of risks, and potential effects of those risks to the organization. This outline supports each business unit within Zurich as it strives to anticipate additional costs or disruption to its operations. Also, it describes the willingness of Zurich to take risks and how those risks will affect the operational strategy of the organization. Managing the vast scope of business exposures and growth initiatives requires taking a broader view on risks from a strategic perspective. In defining its desired risk profile, Zurich must determine which risks will optimize its returns. Its ERM mission is to promptly identify, measure, manage, report, and monitor the risks that affect the achievement of its strategic goals.

Risk Culture at Zurich

The risk culture at Zurich could be defined as the individual and group behavior within the organization that determines the way in which Zurich identifies, understands, discusses, and acts on the organization’s risks and opportunities. Embedding a positive risk culture is the responsibility of the Zurich leadership team because it is critical to the effective management of the business.

The core characteristics expected from an effective risk culture include committed leadership, an effective governance structure with clear risk responsibilities and timely escalation procedures, continuous and constructive challenges, active learning from past mistakes, and incentives that reward consideration of risk management objectives and risk appetite in the organization’s management of the business.

Zurich recognizes the need to constantly improve on its ERM program. Senior leadership also wishes to have an effective way of understanding and reporting on the risk culture and framework of the company, both to support internal management and oversight and to be able to report externally. In principle, the risk culture should not be seen as something separate from the overall culture of the organization, and, for risk to be truly embedded, it should be regarded as one element, albeit one that currently deserves specific attention.

ZURICH GROUP’S ENTERPRISE RISK MANAGEMENT FRAMEWORK

At the heart of Zurich’s ERM framework is a governance process with clear responsibilities for taking, managing, monitoring, and reporting risks. (See Exhibit 14.1.) Zurich articulates the roles and responsibilities for risk management throughout the organization, from the board of directors and the chief executive officer (CEO) to its businesses and functional areas. In fact, each business and functional or project team will have someone designated as a risk owner to be responsible for identifying and addressing relevant risk exposures and to help embed ERM further in the business unit and build a more open, positive risk culture.

One of the key elements of Zurich’s ERM framework is to foster transparency by establishing risk reporting standards throughout the organization. Zurich regularly reports on its risk profile, current risk issues, adherence to its risk policies, and improvement actions both at a local and on a senior management level. Zurich has procedures in place for the timely referral of risk issues to senior management and the board of directors. Various governance and control functions coordinate to help ensure that objectives are being achieved, risks are identified and appropriately managed, and internal controls are in place and operating effectively.

Exhibit 14.1 Zurich Risk Management Framework (figure not reproduced; its elements are Strategic Risk Management, Risk Assessment and Mitigation, Risk Quantification, Risk Transparency, and Risk Governance and Risk Culture)

Risk Governance Approach at Zurich with Three Lines of Defense

Zurich uses a “three lines of defense” model to help ensure governance and control. (See Exhibit 14.2.) This model consists of the following:

1. The first line of defense in the business or functional areas involves the employees making day-to-day business decisions like underwriting, managing projects, developing information technology (IT) solutions, or managing human capital issues.

2. The second line of defense is Group Risk Management, which oversees the company’s efforts to apply appropriate risk identification and governance processes and provides tools and frameworks to manage decisions. Group Risk Management also coordinates very closely with the Compliance and Legal departments, Business Continuity Management, IT, Procurement, and other areas, to encourage better coordination across various silos to build an enterprise lens on risk management.

3. The third line of defense is the independent internal audit function, which is responsible for verifying the functionality of the ERM and internal controls framework.

To support the governance process, Zurich relies on documented policies and guidelines. The Zurich Risk Policy is its risk governance document; it specifies Zurich’s risk tolerance, risk limits and authorities, reporting requirements, procedures to approve any exceptions, and procedures for referring risk issues to senior management and the board of directors. The limits are specified per risk type, reflecting the willingness and ability to take risks, considering issues such as earnings stability, economic capital adequacy, financial flexibility and liquidity, franchise value, and reputation. Zurich’s strategic direction and operational plan seek to achieve a reasonable balance between risk and return, and to be aligned with economic and financial objectives.

Exhibit 14.2 Zurich Risk Governance Overview (figure not reproduced). The diagram is laid out in three rows (Board of Directors level; Group Executive level; Region, Segment, Division, Business Unit level) and three columns (Risk Taking; Risk Control; Independent Assurance). The bodies shown are: Board of Directors; Risk Committee; Audit Committee; CEO and Group Executive Committee; Group Chief Risk Officer; Group Balance Sheet Committee; Group Finance and Risk Committee; Group Audit; Business Management; Risk Management Network (including regional/segment/division Chief Risk Officers and Local Risk Officers); Audit, Risk, and Control Committees. Note in the figure: The overview above highlights only key elements of the governance framework that apply to risk management;

An important element of Zurich’s ERM framework is a well-balanced and effectively managed remuneration program. This includes a groupwide remuneration philosophy and robust short- and long-term incentive plans, with strong governance and links to the business planning, performance management, and risk policies. Based on Zurich’s Risk Policy, the board establishes the structure and design of the remuneration arrangements so that they do not encourage inappropriate risk taking.

As an ongoing process, adherence to requirements stated in the Zurich Risk Policy is assessed. Zurich regularly enhances its Risk Policy to reflect new insights and changes in the environment and to reflect changes to the risk tolerance. For example, the Zurich Risk Policy was recently updated and strengthened for various areas, including actuarial reserving in General Insurance, reinsurance, receivables, operational risk management, and particularly outsourcing and business continuity management. Related procedures and risk controls were also strengthened or clarified for these areas.


Exhibit 14.3 Zurich’s Core Assessment and Assurance Functions (figure reconstructed as a list)

Group Risk Management: Coordinate risk identification, risk assessment, and financial quantification of risk to achieve a holistic view of the organization’s risks. Responsible for coordinating risk reporting. The resultant risk landscape will inform the risk-based assurance activities of the other functions.

Group Audit: Facilitate alignment of assurance methodology and assurance coverage (including raising any gaps in assurance coverage). Includes assurance work of Group Audit, Group Compliance, External Audit, Technical Underwriting, and Claims QA. Responsible for coordinating assurance reporting.

Group Compliance: Specialist function that contributes insights regarding compliance matters. Coordinates with other assurance functions in the discharge of its mandate.

Integrated Assessment and Assurance

Integrated Assessment and Assurance (IAA) is a coordinated view from the Assurance functions to provide greater confidence that risks are identified, those risks are appropriately managed, and mitigation actions are implemented and controls are operating effectively. The Assessment and Assurance functions include Group Risk Management, Group Compliance, and Group Audit. (See Exhibit 14.3.) Close coordination is also maintained with Group Legal, External Audit, and management’s review functions such as underwriting or claims reviews and actuarial peer reviews.

Internal Control Framework

Swiss law (OR 728a) requires all “listed companies” and “companies of economic significance” to maintain an Internal Control System. Zurich Insurance Group was one of the early firms in the industry to establish an internal control system, in 2004. The framework is of core importance in ensuring that company objectives are adhered to and that risks are controlled. The board of directors wants to have positive assurance that an effective internal control system is embedded in the business processes.

Zurich’s Internal Control Framework (ICF) provides to the board the requested global overview of the risks in each business unit and how they are controlled. The evidence of these controls and its documentation serve as proof of the ICF’s existence for regulatory and auditing purposes. Zurich’s three lines of defense help ensure that the Internal Control Framework is enabled.

ROLE OF THE CHIEF RISK OFFICER AND GROUP RISK MANAGEMENT AT ZURICH

Zurich’s chief risk officer (CRO) consults with the other assurance, control, and governance functions to provide the chief executive officer (CEO) with a review of risk factors to consider in the annual process to determine variable compensation. The CRO leads the Group Risk Management function, which develops methods and processes for identifying, measuring, managing, monitoring, and reporting risks throughout Zurich. The CRO is responsible for the oversight of risks across Zurich and regularly reports risk matters to the CEO, senior management committee, and the Risk Committee of the board.

The Group Risk Management organization at Zurich consists of central functions at the Corporate Center and a decentralized risk management network at all the segment, regional, business unit, and functional levels. At the Group level there are two centers of expertise: risk analytics and risk and control. The Risk Analytics department quantitatively assesses insurance, financial market, asset/liability, credit, and operational risks, and is Zurich’s center of excellence for risk quantification and risk modeling. The Risk and Control department includes operational risk management, internal control framework, risk reporting, risk governance, and risk operations. Group Risk Management proposes changes to the risk management framework and Zurich’s risk policies; it makes recommendations on the organization’s risk tolerance and assesses the risk profile.

The risk management network consists of the chief risk officers (CROs) of the Group’s segments and regions, and the local risk officers (LROs) of the business units and functions and their staff. While their primary focus is on operational and business-related risks, they are also responsible for providing a holistic view of all risks for their areas. The risk officers are part of the management teams in their respective businesses and therefore are embedded in the business units. The LROs also report to the segment or regional CROs, who in turn report to the Group’s chief risk officer. The CROs of the Group’s segments and regions are members of the leadership team of the Group’s chief risk officer.

In addition to the risk management network, Zurich has audit and/or oversight committees at the major business and regional levels. These committees are responsible for providing oversight of the risk management and control functions. This includes monitoring adherence to policies and periodic risk reporting. At the local level, these oversight activities are conducted through risk and control committees or quarterly meetings between senior executives and the local heads of governance functions.

In 2012, Zurich strengthened the process through which the assurance, control, and governance functions provide risk and compliance information about each business unit as part of the annual individual performance assessment. Through these processes, Zurich encourages a culture of disciplined risk taking across the organization. It continues to consciously take carefully selected risks for which it expects an adequate return.

Board-Level Risk Committee and Executive Risk Committee Responsibilities

The board of directors of Zurich Insurance Group has ultimate oversight responsibility for Zurich’s risk management program. The board approved the guidelines for the Group’s risk management framework and key principles, particularly as articulated in the Zurich Risk Policy, and decides on changes to such guidelines and key principles, as well as transactions reaching specified thresholds.

The Risk Committee of the board serves as a focal point for oversight regarding Zurich’s risk management. In particular, it oversees Zurich’s risk tolerance, including agreed limits that the board regards as acceptable for Zurich to bear, the aggregation of these limits across the entire organization, the measurement of adherence to risk limits, and its risk tolerance in relation to anticipated capital levels. The Risk Committee further oversees the organization-wide risk governance framework, including risk management and control, risk policies and their implementation, as well as risk strategy and the monitoring of operational risks.

The Risk Committee also reviews the methodologies for risk measurement and its adherence to risk limits. The Risk Committee further reviews, with business management and Zurich’s Risk Management functions, its general policies and procedures and satisfies itself that effective systems of risk management are established and maintained. It receives regular reports from Zurich’s Risk Management Group and assesses whether significant issues of a risk management and control nature are being appropriately addressed by management in a timely manner. The Risk Committee assesses the independence and objectivity of Zurich’s Risk Management functions; approves its terms of reference; reviews the activities, plans, organization, and quality of the function; and reviews key risk management principles and procedures. To facilitate information exchange between the Audit Committee of the board and the Risk Committee of the board, at least one board member is a member of both committees. The Risk Committee generally meets seven times per year, including once jointly with the Remuneration Committee.

Zurich’s Executive Risk Committee, which consists of the CEO together with the Group Executive Committee (GEC), oversees the Group’s performance with regard to risk management and control, strategic, financial, and business policy issues of organization-wide relevance. This includes monitoring adherence to and further development of the Group’s risk management policies and procedures. The Group Balance Sheet Committee and the Group Finance and Risk Committee regularly review and make recommendations on the Group’s risk profile and significant risk-related issues.

The chief risk officer is a member of the GEC and reports directly to the CEO and the Risk Committee of the board. The CRO is a member of each of the management committees listed below, in order to provide a common and integrated approach to risk management, to allow for appropriate quantification and, where necessary, mitigation of risks identified in these committees.

Emerging Risk Group

Zurich’s Emerging Risk Group (ERG) seeks to preempt potential downsides of emerging risk and help its employees and customers understand and address them. The ERG looks to serve customers and society and build business opportunities to increase, not exclude, insurability of emerging risks. The ERG’s remit is to respond to emerging risk threats and opportunities with strategies that help customers understand and protect themselves from risk and that drive profitable underwriting results.

The Zurich Emerging Risk Radar shows potential risks and opportunities that the ERG has currently identified. The online, internal version of Zurich Risk Radar is interactive, and one can roll the cursor over each threat to see a description of a risk and its potential harm; each risk is classified by its primary scope (Science and Technology, Regulatory, Environmental, Social, or Legal), as well as the time over which the risk will potentially emerge (zero to three years, three to five years, five or more years), plus its potential impact on Group earnings. (See Exhibit 14.4 for a public version.)

WORKING WITH EXTERNAL STAKEHOLDERS

Various external stakeholders, among them regulators, rating agencies, investors, and accounting bodies, have placed emphasis on the importance of a sound risk management program in the insurance industry. Regulatory requirements, such as the Swiss Solvency Test in Switzerland and the regulatory principles of Solvency III in the European Union, have emphasized a risk-based and economic approach, based on comprehensive quantitative and qualitative assessments and reports.

Rating agencies are now interested in enterprise risk management as a factor in evaluating companies’ creditworthiness. Standard & Poor’s, a rating agency with a separate rating for ERM, has rated Zurich’s overall ERM as “strong.” Reinsurance and credit risk controls remain “excellent.” Market, asset/liability management (ALM), reserving, catastrophe, and operational risk controls, as well as strategic and emerging risk management, are seen as “strong.” Zurich is rated either “excellent” or “strong” in all of the Standard & Poor’s dimensions for ERM.

Zurich also seeks external expertise from its International Advisory Council and Natural Catastrophe Advisory Council to better understand and assess risks, particularly regarding areas of complex change. In addition, the Investment Management Advisory Council provides feedback to Investment Management on achieving superior risk-adjusted returns versus liabilities for the Group’s invested assets. Zurich also organizes various regional Risk Management Councils comprised of key customers, which engage to help identify and address issues together.

Zurich is involved in a number of international industry organizations engaged in advancing the regulatory dialogue and sound risk management practices pertaining to the insurance industry. It is also a standing member of and actively contributes to the Emerging Risk Initiative of the CRO Forum (an organization composed of the chief risk officers of major insurance companies and financial conglomerates that focuses on developing and promoting industry best practices in risk management).

Zurich actively participates in professional risk management bodies such as the Risk and Insurance Management Society (RIMS), the Institute of Risk Management (IRM), the Federation of European Risk Management Association (FERMA), and the Association of Insurance and Risk Managers in Industry and Commerce. For example, Zurich’s staff serves on the RIMS ERM Committee and on the global Education Advisory Board of the IRM. It is also involved in various working groups in the Conference Board, supports the Red Cross in crisis recovery, and collaborates with other entities to help promote better risk identification, assessment, prevention, and mitigation.

Zurich is a main contributor to the Global Risk Report that is produced by the World Economic Forum in cooperation with other corporations (Swiss Re, Marsh & McLennan Companies, the Oxford Martin School [University of Oxford], the National University of Singapore, and the Wharton Risk Management and Decision Processes Center [University of Pennsylvania Center for Risk Management] [www.weforum.org/reports/global-risks-2012-seventhninth-edition]). The report’s assessment of the most pressing global risks and the interconnections among them provides valuable information for risk mitigation worldwide. Supporting the report is also part of the Group’s commitment to corporate responsibility by sharing Zurich’s expertise to help businesses, nations, and society.

Exhibit 14.4 Zurich Risk Radar (figure not reproduced). The radar plots each emerging risk by probability (key: Low probability, Medium probability, High probability) and impact (key: Low impact, Medium impact, High impact). Risks shown: Broad implications of US Care Reform; Rating tool restrictions; Low carbon economy; Water shortage; Geoengineering (or climate engineering); Water quality; Threat to bee population; Obesity; Aging workforce; Longevity - financial products; Social media; Shift and irregular working; Digital misinformation; Banks, Basel II, Solvency II, regulation; Food inflation; Gaming industry; Xenotransplantation; Synthetic biology; Cosmeceuticals; Global supply chains; Abusive class actions/Collective redress from non-US; Cell mutation; Motor/Liability legal convergence; Electromagnetic fields; Man-made EQ; Pervasive computing; Space weather; Unconventional sources for fossil fuels; Cognitive computing/driverless cars; Virtual reality and currency; Security of power supply; Genetic testing and predisposition; Nanotechnology; Green products; Asbestos replacement products; Endocrine disruptors; Antibiotic resistant bacteria; Internet of things; Electric vehicle manufacturing; Aging infrastructure; Transportation in 21st century; Sharing economy; Quantified self; Globalization and the illicit economy; E-Cigarettes.

ZURICH’S PROPRIETARY TOOLS USED IN ERM FRAMEWORK

Zurich uses a variety of methodologies and tools to manage its business risk, with the following aims. More information on Zurich’s Strategic Risk Management work can be found at www.zuricherm.com.

• Understand issues in enterprise strategy, resilience, supply chain, and business continuity.

• Identify scenarios that could, or should, be built into a strategic and/or operational resilience plan.

• Develop action points and risk responsibilities to help protect profitability.

Total Risk Profiling Tool

One of Zurich’s key proprietary tools is called Total Risk Profiling (TRP); it is a workshop-based approach where a facilitator-led team develops a risk profile by determining relative ratings in probability and severity (likelihood and impact) for potential risk scenarios. (See Exhibit 14.5.) TRP is a structured approach to identifying, assessing, and monitoring holistic risks and improvement actions needed. By embedding its Total Risk Profiling methodology into its risk culture, Zurich has helped ensure that its risk management culture is consistent and effective across its various business units. It uses these risk scenarios to define the underlying issues and break them into components of vulnerability, trigger, and consequences. The TRP tool can also help a business unit define and quantify its risk tolerance limit. A short video explains more about Total Risk Profiling (http://zdownload.zurich.com/zna/TotalRiskProfiling.html).

Exhibit 14.5 Zurich Total Risk Profiling Tool (figure not reproduced). The diagram shows the TRP cycle: vulnerability identification and assessment; vulnerability catalog; risk profile; risk mapping/risk tolerance boundary; risk improvement catalog; risk reduction/risk improvement advice. Step one, “Develop risk scenarios, quantify financial severity, and assess probability,” decomposes each scenario into 1. Vulnerability (what? where? control?), 2. Trigger (how? why? when?), and 3. Consequences (how big? why bad? when much?). The scenarios (labeled A to F) are then plotted on a risk map with Probability (rated 1 to 6) on one axis and Severity (Roman-numeral scale) on the other. Step two, “Define the risk appetite, prioritize risk scenarios, and deliver improvement plan,” yields the prioritized scenarios.

A risk tolerance limit is defined as part of the risk appetite, and action plans are developed to improve the prioritized risks and bring them within the business unit’s tolerance for risk. The structure of the TRP risk identification process provides a sound basis for detailed quantification of more complex risks. TRP has helped Zurich’s business units set the agenda for internal audit or enterprise risk management to monitor risks at or just below the risk tolerance boundary.

By being able to define multiple risk triggers with different potential consequences, the TRP tool has helped Zurich to identify the true drivers of risk by undertaking various stress tests or even to define new risk exposures. A facilitator-led team develops a relative rating for each risk scenario, often without a predefined scale of impact and likelihood, to improve the business unit’s understanding of the risk.

Another main aim of the flexible TRP tool is to help embed a risk culture that will sustain shareholder value through better enterprise risk management practices and strategic planning processes. Zurich performs nearly 200 TRP workshops per year, ranging from assessing strategy execution, project management, human resources (HR), mergers and acquisitions (M&A), or business interruption (BI) exposures to new product development. In fact, completion of a TRP is a requisite part of the submission for a project budget or operational plan. The TRP tool helps to enable the following:

• Assessment of current and emerging risks to business resilience and profitability

• Alignment of business strategy with key performance indicators

• Communication of board discussion on risk appetite to investors and other stakeholders

• Reviewing the environmental scanning tool for corporate or competitive business strategy development

• Embedding of ERM in the strategic planning process

• Product launches, acquisitions or divestitures, and project management

• Considering the vulnerabilities in the supply chain

• Evaluation of business interruption risk scenarios

• Testing of existing strategies in the context of unrealized/underrealized risks and opportunities

• Use in the objective-setting stage of the business cycle to determine the budget

Zurich Hazard Analysis Tool

The Zurich Hazard Analysis is a powerful methodology to systematically identify, address, and manage various types of hazards or vulnerabilities and to address and manage the corresponding risks. The methodology is closely related to Total Risk Profiling, and is helpful in defining “pathways” of risks. Zurich has been successfully applying and using it within its operations and with customers for over 20 years in various industries, commercial enterprises, and, more recently, in the financial services industry, as well as public entities.

Zurich’s Risk Room

Another of Zurich’s proprietary tools, called the Zurich Risk Room, helps the organization and its customers to systematically explore major global risks, investigating how they are expressed on a country-by-country basis. (See Exhibit 14.6.) It shows on a 3-D screen how risks and geographies combine (sometimes unexpectedly) to be relevant to Zurich’s business concerns. This tool allows one to see which countries reflect similar profiles, and which risks begin to stand out on mapping various risk correlations. By working across different types of risks, risk correlations are identified that illustrate whether relevant risk connections exist and which ones are the strongest.

The Zurich Risk Room creates a statistical, fact-based assessment of global threats as they relate to business planning and implementation. Its output can complement departmental, regional, or consultant-based research and data, providing an additional objective lens to risk evaluation and reducing the issues related to silo-based risk assessments. Using a consistent global framework, the Zurich Risk Room can help identify threats that may cross boundaries and provide key decision makers with relevant risk information that can help them make more informed business decisions, even if they are not experts in risk analysis.

Exhibit 14.6 Zurich’s Risk Room


By examining risks and interconnections in detail, Zurich is able to compare both individual issues and overall country risk characteristics of one country to those of another. This allows Zurich to see whether a country’s risk profile is unique or it shares similarities with other countries. For international businesses, it is vital to form a picture of where operations and investments are vulnerable and where these vulnerabilities may reside. Zurich is then able to identify how risks are bundled, or where a threat in one area might cascade to another.

A demo version of the Zurich Risk Room software for an iPad or Android tablet can be downloaded by searching for Zurich Risk Room in iTunes or Google Play. In addition, this is a link to a short video that will give a brief overview of the Zurich Risk Room application: www.youtube.com/watch?v=_UMaYJtDu6Q.

CATEGORIZING VARIOUS RISKS AT ZURICH

In order to enable a consistent, systematic, and disciplined approach to ERM, Zurich categorizes its main risks. (See Exhibit 14.7.) This grouping assists Zurich in monitoring any aggregation of exposures that may be accumulating across the enterprise and could, therefore, have a greater impact on the company.

[Exhibit 14.7 figure. Figure text: “Keeping You in Business” and “Understanding Risk Across Your Business.” ERM process stages shown: risk awareness and culture; risk and opportunity identification; risk assessment and quantification; risk treatment and controlling; risk monitoring and reporting. Risk categories shown:
People risks: accident/health; labor/key employees; recruiting and retention; corporate governance; knowledge management.
Strategic risks: joint ventures and subsidiaries; product development; mergers and acquisitions; reputation; intellectual property; management skills; legal and compliance risks.
Operational risks: sabotage; machinery breakdown; transportation; fire/explosion; product liability; pollution; e-risk; interdependency; earthquake; business interruption; storm; bottleneck supplier; flood.
Market risks: geographical spread; patent infringement; competitors; trade barriers; market share.
Financial risks: stock exchange; capital markets; liquidity; fraud; debtors/creditors; currency fluctuation.]

Exhibit 14.7 Categorizing Various Risks at Zurich


Strategic Risks

Strategic risks are the unintended risks that can result as a by-product of planning or executing a strategy. For example, they can arise from the following:

• Inadequate assessment of strategic plans
• Improper implementation of strategic plans
• Unexpected changes to assumptions underlying plans

Risk considerations are a key element in the strategic decision-making process. The senior leadership team assesses the implications of strategic decisions on risk-based return measures and risk-based capital in order to optimize the risk/return profile and to take advantage of economically profitable growth opportunities as they arise.

Zurich works on reducing the unintended risks of strategic business decisions through its risk assessment processes and tools. The Group Executive Committee regularly assesses key strategic risk scenarios for the Group as a whole, including scenarios for emerging risks and their strategic implications.

An example of this is when Zurich evaluates the risks of mergers and acquisitions (M&A) transactions from both a quantitative and a qualitative perspective. Zurich conducts risk assessments of M&A transactions to evaluate risk, especially related to the integration of acquired businesses, to help increase the likelihood of successfully attaining the expected benefits. They may also review country-level exposures using the Zurich Risk Room tool.

Insurance Risks

Insurance risk is the inherent uncertainty regarding the occurrence, amount, and timing of insurance liabilities. The exposure is usually transferred to Zurich through the underwriting process. Zurich assumes certain customer risks and aims to manage that transfer of risk and to minimize unintended underwriting risks through the following:

• Establishing limits for underwriting authority
• Requiring specific approvals for transactions involving new products or where established limits of size and complexity may be exceeded
• Using a variety of reserving and modeling techniques to address the various insurance risks inherent in the insurance business
• Ceding insurance risks through proportional, nonproportional, and specific risk reinsurance treaties

Market Risks

Market risks can be associated with the Group’s balance sheet positions where the value or cash flow depends on financial markets. Fluctuating risk drivers resulting in market risk may include:

• Equity market prices
• Real estate market prices
• Interest rates and credit spreads
• Currency exchange rates

Zurich has policies and limits to manage market risk. Zurich aligns its strategic asset allocation to its risk-taking capacity. The Group centralizes the management of certain asset classes to help control aggregation of risk, and provides a consistent approach to constructing portfolios and selecting external asset managers. Zurich also diversifies portfolios, investments, and asset managers. It regularly measures and manages market risk exposure. Zurich has established limits on concentration in investments by single issuers and certain asset classes, as well as deviations of asset interest rate sensitivities from liability interest rate sensitivities, and also has limits on investments that are illiquid.

Credit Risks

Credit risks are associated with a loss or potential loss from counterparties failing to fulfill their financial obligations. Zurich’s exposure to credit risks may be derived from the following main categories of assets:

• Cash and cash equivalents
• Debt securities
• Reinsurance assets
• Mortgage loans and mortgage loans given as collateral
• Other loans
• Receivables
• Derivatives

Zurich strives to manage individual exposures as well as credit risk concentrations. Its objective in managing credit risks is to maintain them within parameters that reflect its strategic objectives and risk tolerance. Sources of credit risks are assessed and monitored, and Zurich has policies to manage special risks within various subcategories of credit risk. To assess counterparty credit risk, Zurich uses the rating assigned by external rating agencies, qualified third parties such as asset managers, and internal rating assessments. When there is a difference among external rating agencies, Zurich assesses the reason for the inconsistencies and applies the lowest of the respective ratings unless other indicators of credit quality justify the assignment of alternative internal credit ratings. Zurich maintains counterparty credit risk databases that record external and internal sources of credit intelligence.

Liquidity Risks

Risks that Zurich may not have sufficient liquidity to meet its obligations when they fall due, or would have to incur excessive costs to do so, are categorized as liquidity risks. Zurich’s policy is to maintain adequate liquidity and contingent liquidity to meet its liquidity needs under both normal and stressed conditions.

Zurich has groupwide liquidity management policies and specific guidelines as to how local businesses have to plan, manage, and report their local liquidity. These include regularly conducting stress tests for all major carriers within Zurich.


The stress tests use a standardized set of internally defined stress events and are designed to provide an overview of the potential liquidity drain that Zurich would face if it had to recapitalize local balance sheets.

Operational Risks

Operational risks can be associated with Zurich’s people, processes, and systems, and external events such as outsourcing, catastrophes, legislation, or external fraud. Zurich has a comprehensive framework with a common approach to identify, assess, quantify, mitigate, monitor, and report operational risks within the scenario-based assessments, internal controls evaluations, and loss event data.

In the area of information security, Zurich continues to focus on its global improvement program with special emphasis on protecting customer information, improving security with its suppliers, and monitoring that access to information is properly controlled. This helps Zurich better protect information assets and ensure greater alignment with regulation and policies. A key consideration is maintaining and developing the capability of Zurich’s business continuity with an emphasis on recovery from possible risk events such as natural catastrophe or pandemic. Zurich continues to develop its existing business continuity capability by further implementing a more globally consistent approach to business continuity and crisis management.

Focusing on the risk of claims fraud and nonclaims fraud continues to be of great importance to Zurich. Zurich continues its global antifraud initiative to further improve Zurich’s ability to prevent, detect, and respond to fraud. While claims fraud is calculated as part of insurance risk and nonclaims fraud is calculated as part of operational risk for risk-based capital, both are part of the common framework for assessing and managing operational risks. Zurich considers risk controls to be key instruments for monitoring and managing operational risks. The operational effectiveness of key controls is assessed by self-assessments and independent testing of controls supporting the financial statements.

Reputation Risks

Reputation risks are risks that might arise from an act or omission by Zurich or any of its employees that could result in damage to the Group’s reputation or loss of trust among its stakeholders. Every risk type could have potential consequences for Zurich’s reputation, and therefore effectively managing its exposures holistically and systematically helps Zurich reduce threats to its reputation.

CAPITAL MANAGEMENT

Capital and solvency are managed through an integrated and comprehensive framework of principles and governance structures as well as methodology, monitoring, and reporting processes. The capital management process is illustrated in Exhibit 14.8. At the group executive level, the Group Balance Sheet Committee defines the capital management strategy and sets the principles, standards, and policies for the execution of the strategy. Group Treasury and Capital Management are responsible for the execution of the capital management strategy within the mandate set by the Group Balance Sheet Committee.


[Exhibit 14.8 figure: Zurich’s capital management strategy. Elements shown: governance and principles; methodology, monitoring, and reporting; economic capital adequacy; regulatory capital adequacy; insurance financial strength rating; Capital Management Program (dividends; share buy-back; share issuances; senior and hybrid debt; reinsurance; securitization).]

Exhibit 14.8 Zurich’s Capital Management Strategy

Within these defined principles, the group manages its capital using a number of different capital models, taking into account regulatory, economic, and rating agency constraints. The capital and solvency position is monitored and reported on a regular basis. Based on the results of the capital models and the defined standards and principles, Group Treasury and Capital Management has a set of measures and tools available to manage capital within the defined constraints. This tool set is referred to as the Capital Management Program.

The Capital Management Program comprises various measures to optimize shareholders’ return and to meet capital needs, while enabling Zurich to take advantage of growth opportunities as they arise. Such measures are used as and when required and could include efficient balance sheet structuring as well as cash dividends, share buy-backs, special dividends, issuances of shares or senior and subordinated debt, and purchase of reinsurance.

The group seeks to maintain the balance between higher returns for shareholders on equity raised, which may be possible with higher levels of borrowing, and the security provided by a sound capital position. The payment of dividends, share buy-backs, and issuances and redemption of debt can have an important influence on Zurich’s capital levels.

Zurich Economic Capital Model

In addition to a qualitative approach to measuring risks, Zurich regularly measures and quantifies material risks to which it is exposed through both TRP and the Zurich Economic Capital Model (Z-ECM). This model provides a key input into the strategic planning process, as it allows an assessment as to whether its risk profile is in line with its risk tolerance level. In particular, Z-ECM forms the basis for optimizing Zurich’s risk/return profile by providing consistent risk measurement across the Group.

Zurich uses Z-ECM to assess the economic capital consumption of its business with a balance sheet approach. Under the balance sheet approach one looks at the change in stockholders’ or owners’ equity to determine the amount of net income during the period between balance sheets. The Z-ECM framework is embedded in Zurich’s risk culture and plays a critical role in decision making, and is used in capital allocation, business performance management, pricing, reinsurance purchasing, transaction evaluation, and risk optimization, as well as regulatory, investor, and rating agency communication. Z-ECM quantifies the capital required for insurance-related risk (including premium and reserve, natural catastrophe, business, and life insurance), market risk (market/ALM [asset/liability management]), credit risk (including reinsurance credit and investment credit), and operational risks.

At the Group level, Zurich compares Z-ECM capital required to the Z-ECM available financial resources (Z-ECM AFR) to derive an economic solvency ratio (Z-ECM ratio). Z-ECM AFR reflects financial resources available to cover policyholder liabilities in excess of their expected value. It is derived by adjusting the International Financial Reporting Standards (IFRS) shareholders’ equity to reflect the full economic capital base available to absorb any unexpected volatility in Zurich’s business activities. As part of Z-ECM, Zurich uses a scenario-based approach to assess, model, and quantify the capital required for operational risk for business units under extreme circumstances and a very small probability of occurrence (internal model calibrated to a confidence level of 99.95 percent over a one-year time horizon).

Analysis of Capital Adequacy

Zurich maintains interactive relationships with three global rating agencies: Standard & Poor’s, Moody’s, and A.M. Best. The Insurance Financial Strength Rating (IFSR) of Zurich’s main operating entity is an important element of its competitive position. Moreover, Zurich’s credit ratings that are derived from its financial strength rating do, in fact, affect its cost of capital, just like any other credit-rated company.

In each country in which Zurich operates, the local regulator specifies the minimum amount and type of capital that each of the regulated entities must hold in relation to its liabilities. In addition to maintaining the minimum capital required to comply with the solvency requirements, Zurich targets holding an adequate buffer of capital reserves to ensure that each of its regulated subsidiaries meets the local capital requirements. Zurich is subject to different capital requirements depending on the country in which it operates. The main areas are Switzerland and European Economic Area countries, and the United States.

Since January 1, 2011, the Swiss Solvency Test (SST) capital requirements are binding in Switzerland. The Group uses an adaptation of its internal Risk-Based Capital (RBC) model to comply with the SST requirements and runs a full SST calculation twice a year. The model is still subject to Swiss Financial Market Supervisory Authority (FINMA) approval.

ZURICH’S BUSINESS RESILIENCE TOOLS

Business resilience management helps provide Zurich with the structure for dealing with risks systematically, holistically, and successfully. Zurich’s Business Resilience program is supported by an enterprise risk management framework that identifies particular events or circumstances relevant to its business objectives, assesses them in terms of likelihood and magnitude of impact, and then determines a response strategy. (See Exhibit 14.9.) A resilient enterprise is better able to anticipate surprises, recover more quickly from disruptions, adapt to changing conditions, and leverage emerging opportunities.

[Exhibit 14.9 figure. Elements shown: Profitable Growth; Business Resilience; Enterprise Risk Management; Total Risk Profiling; Business Interruption Modeling; Supply Chain Assessment; Business Continuity Management; Business Impact Analysis.]

Exhibit 14.9 Zurich’s Business Resilience Program

The objective of Zurich’s Business Resilience program is “Prepared, Informed, and Resilient.” This tagline is regularly communicated to staff, especially during Business Resilience Awareness week. Some of Zurich’s proprietary Business Resilience tools are listed here.

Business Interruption Modeling allows Zurich the capability to better manage its risks based on an in-depth understanding of the value chain, with a main focus on the business critical value flow, followed by identification, assessment, and quantification of business interruption exposures and optional mitigations. Like all organizations, a business interruption for Zurich could have the potential to inhibit productivity and could have multiple negative impacts on its organization. Some examples of business interruption impacts could include loss of customers, diminished customer service, legal and/or regulatory issues, lower employee morale, and even delays in projects, products, or other strategic growth. Thus, it is essential that organizations try to map and quantify how they serve customers, in order to proactively protect where they generate value.

Key stages of Business Interruption Modeling include:

• Defining scope by identifying the business-critical part(s) of the value chain
• Building an interdependency framework of business-critical value flows
• Identifying relevant business interruption vulnerabilities as loss of resources such as supplier, production, storage, and customer
• Assessing the extent based on interruption scenarios, and modeling the effects quantitatively
• Prioritizing risks based on financial impact of scenarios, with focus on unacceptable risks in order to develop a beneficial mitigation plan
• Assessing the effectiveness of current business continuity plans and identifying improvement actions

Supply Chain Risk Assessment allows Zurich to improve its reliability and minimize the effects of a supply chain disruption on its capital and earnings. Zurich’s supplier risk assessment should help address vulnerabilities that could inhibit Zurich’s ability to respond to a changing risk landscape. Its supply chain risk evaluation, mapping, and grading are designed to assess and quantify the broad areas of exposures and risk controls in its supply chain. This gives Zurich actionable insights to help facilitate mitigation strategies that can address the characteristics of each supplier individually, including risk transfer options.

The stages of a Supply Chain Risk Assessment include:

• Develop a supply chain/value chain map.
• Gather key supply/supplier details.
• Evaluate risk factor information.
• Define and evaluate potential risk or loss scenarios.
• Develop risk grading for each critical supplier.
• Determine risk strategies.

Business Continuity Management (BCM) includes the mitigation strategies used to minimize the impact after an incident, with the possible scope of risks coming from supply chain risks, strategic risks, operational risks, technological risks, or natural hazards. BCM is very useful in identifying gaps in risk mitigation strategies and improving risk controls to manage those exposures more effectively. As part of Zurich’s business resilience process, BCM is important for managing the multitude of risk exposures and potential interruptions scenarios and thus strengthening Zurich’s business resilience program.

Zurich’s Six-Stage Business Continuity Management Life Cycle

1. Modeling key business processes
2. Business impact analysis
3. BCM strategy and processes
4. Business continuity planning
5. Crisis management
6. Training, exercise, maintenance, and assessment

Zurich is able to undertake a regular gap analysis of its business continuity plans against best practices and common BCM-related standards such as International Standards Organization (ISO), National Fire Protection Association (NFPA) and the British Standard. It also routinely tests its crisis response activities. For example, it has planned or completed simulation exercises such as:

• Eurostar trains caught in tunnel
• India: Bomb explosion in hotel where Zurich has employees, impacting the country where company has operations in Pune, Bangalore, and Chennai
• Fire in Home Office location injuring employees, impacting critical processes, and possibly preventing occupancy in location for up to three to four months
• Los Angeles earthquake
• Kansas tornado
• Political demonstration in New York City

Business Impact Analysis is designed to provide the method to identify the systems that, when absent, would create a danger to the survival of the organization. This analysis can also ensure that these systems receive the correct priority in any subsequent business continuity plan.

Key stages of Zurich’s Business Impact Analysis include:

• Prioritize the key business services or processes.
• Identify the internal and external risks to the continuity of these business processes.
• Assess the importance of each risk in terms of both the likelihood and the financial impact of potential outcomes.
• Establish priorities for mitigating the critical risks.
• Develop a management plan of action.
• Assess the business continuity plan and management plan of action.

HOW ZURICH USES ITS ERM TOOLS TO CREATE NEW VALUE

In the area of mergers and acquisitions, Zurich may use two opportunity analysis tools to supplement traditional due diligence practices. Both the Total Risk Profiling tool and the Zurich Risk Room can be used to simulate various risk scenarios and investigate potential outcomes. (See Exhibit 14.10.) When Zurich acquired holdings in Asia and Latin America, these tools served to help identify and understand the risks associated with the strategy, so they could be managed accordingly and increase the likelihood of success on these opportunities.

While key performance indicators (KPIs) can help an organization understand how well it is performing in relation to its strategic objectives, key risk indicators (KRIs) are leading indicators of risks to business performance. (See Exhibit 14.11.)

Zurich’s ERM tools can add value by helping to determine and embed KRIs within its operations to provide an early warning that potential risks are on the rise. Some examples of Zurich using KRIs to monitor risks are in the areas of natural catastrophe risks (percentage of group shareholder equity), asset-liability matching (duration mismatch), strategic asset allocation (mix of investment across categories), and credit risk (weighted average credit rating).

Zurich has the opportunity to create value through business resiliency as well, which addresses disruption to business operations. It can use a combination of modeling software, supply chain risk assessment software, and business continuity gap analysis techniques to evaluate its exposure. It has recently appointed a supply chain risk officer, who reports into Zurich’s CRO organization and is tasked with finding the appropriate balance between cost and reliability. It has a business continuity planning team throughout its operating regions, and maintains a robust network of champions within the business, trained to return the business to operation quickly and efficiently after a disruption. The business continuity team regularly exercises a variety of plans to ensure that Zurich can be ready for many potential risk situations. Stress-testing activities take place in parallel to ensure that the network is prepared to shift workload, deploy contingencies, and remain operational, particularly when customers may have suffered from the same event.

[Exhibit 14.10, a full-page figure: Zurich Business Resilience Tools.]

Exhibit 14.10 Zurich Business Resilience Tools

Key Performance Indicators (KPI)
• Progress on organizational targets and strategic goals
• Monitoring of employee activity completion and budget spend
• Measurement of results
• Forecasting for planning purposes

Key Risk Indicators (KRI)
• Track metrics that are leading indicators to risk of performance
• Measurement based on data of influencing factors
• Ongoing monitoring of the level and cost of risk against risk tolerance
• Track changes in the risk profile of business landscape

Exhibit 14.11 Zurich Key Performance Indicators and Key Risk Indicators

With new projects or product development opportunities, Zurich can also use its Total Risk Profiling (TRP) tool to evaluate risk scenarios that may prevent it from delivering on time, on budget, and with the expected results. Completion of a TRP analysis is normally required as part of most requests for project approval and budget. Improvement actions are assigned to risk owners during TRP sessions, and monitored regularly to ensure risk reduction. The TRP tool can also help with quantifying the potential exposure and risk tolerance level. For example, TRP was used as an analysis tool before considering outsourcing IT services, helping to vet the solution as a viable alternative. The risk assessment team assigned risk improvement actions to individuals, and proceeded with the project. The TRP was regularly updated and benchmarked throughout the course of the project, as risks changed and new ones surfaced. The TRP assessment can even be used as a yes/no decision gate during the project phases to help determine that the expected project benefits still outweigh the risks.

The TRP methodology can also be used at the board and senior management levels to help develop strategic (top-down) scenarios that can be applied consistently during operational (bottom-up) assessments across the enterprise. This has helped to ensure uniform handling of certain systemic issues and exposures to better balance the risks and rewards of new opportunities. It is very important to Zurich to set financial parameters around managing current risk issues and guiding key business decisions going forward. The TRP process can build team commitment and focuses management expertise on dedicating resources to mitigate those risks that are outside the risk tolerance level and pose the greatest barriers to achieving corporate objectives.

Another use of the TRP methodology is its employment in a risk tolerance workshop. Establishing a corporate risk tolerance is a critical step in helping increase business controls and profitability across an enterprise. The corporate risk boundary provides a clear indication of both an acceptable risk appetite for new opportunities and an unacceptable risk threshold for downside cost on potential exposures. Risk tolerance is often defined as the level of variability that an organization is willing to accept in its aggregate earnings and capital value at risk (VaR) limits. It is essential to both define and apply corporate risk tolerance in order to prioritize the most critical areas for risk improvement. The risk appetite at Zurich is set by senior management, and then broadly articulated and followed by business and functional areas.

Zurich’s ERM program also contributes to its core business through the processes and procedures to review customer risks. Zurich performs credit checks to monitor collateral and financial viability of many of its customers and suppliers. Its cross-divisional Emerging Risk Group is tasked with scanning the horizon for new exposures that may impact Zurich and its customers. Zurich reviews customers’ loss control techniques and provides best practices guidance through nearly 1,000 risk engineers who specialize in safety and operational risks around the world, serving the dual purpose of supporting customers’ needs as well as protecting Zurich’s own portfolio. Last, accumulations within Zurich’s risk portfolio are monitored via a database to identify areas of disproportionate exposure to a single company, industry, supplier, or geographic location.

CONCLUSION

Every organization’s directors and officers will approach ERM differently in order to achieve their unique objectives. Zurich has taken many steps to help develop a strong and effective ERM program. This program did not emerge overnight, but today Zurich views its ERM program as a competitive advantage well worth the investment. Despite having embedded a robust program into the fabric of its business, Zurich does not rest on its laurels. The program is constantly scrutinized in search of better ways to identify, assess, manage, and monitor Zurich’s key risks. The company has even developed an ERM Gap Analysis that can be done yearly to help determine risk maturity and focus on its top areas for improvement. The organization’s management continuously looks for opportunities to create a closer partnership between ERM and the core business, so that its ERM team is ready to consult and assist the business in understanding risk in pursuit of profit. ERM is certainly a long journey defined by many paths, but one that can continue to yield tremendous benefits for the organization.

APPENDIX

Internally, Zurich uses its Risk-Based Capital (RBC) model, which also forms the basis of the SST model. The RBC model targets a total capital level that is calibrated to an AA-rated financial strength. Zurich defines RBC as being the capital required to protect the Group’s policyholders in order to meet all of their claims with a confidence level of 99.95 percent over a one-year time horizon.

While the Group’s RBC model and the SST model are broadly the same, the following is a summary of the main differences between the three approaches:


• Model calibration. The RBC calibration is based on a value at risk at a 99.95 percent confidence level, whereas SST calibration is based on an expected shortfall at a 99 percent confidence level. The Group thereby sets itself a higher financial strength target than the SST regulatory requirement.

• Scope. Operational and business risks for General Insurance are reflected in RBC, but are not required in SST.

• Market/ALM risk. The extreme scenario for market/ALM risk in RBC is directly attributed to that risk, whereas extreme scenarios in SST are aggregated to the combination of all risk types. This treatment of the extreme scenario in the RBC model leads to a more conservative result than in the SST model.

• Available financial resources (AFR). Senior debt is included in AFR for RBC purposes, but not included in AFR for the SST calculation.

Zurich uses RBC to assess the economic capital consumption of its business in a one-balance-sheet approach. The RBC framework is an integral part of how Zurich is managed. The RBC framework is embedded in Zurich’s organization and decision making, and is used in capital allocation, business performance management, pricing, reinsurance purchasing, transaction evaluation, and risk optimization, as well as regulatory, investor, and rating agency communication.

Zurich compares RBC to its AFR to derive an economic solvency ratio. AFR reflects financial resources available to cover policyholder liabilities in excess of their expected value. It is derived by adjusting the IFRS shareholders’ equity to reflect the full economic capital base available to absorb any unexpected volatility in the Group’s business activities.

At a Group level, the management committees dealing with risks are:

• The Group Balance Sheet Committee (GBSC) acts as a cross-functional body whose main function is to control the activities that materially affect the balance sheets of the Group and its subsidiaries. The GBSC is charged with setting the annual capital and balance sheet plans for the Group based on the Group’s strategy and financial plans, as well as recommending specific transactions or unplanned business changes to the Group’s balance sheet. The GBSC has oversight of all main levers of the balance sheet, including capital management, reinsurance, asset/liability management, and liquidity. The GBSC reviews and recommends the Group’s overall risk tolerance. It is chaired by the CEO.

• The Group Finance and Risk Committee (GFRC) acts as a cross-functional body for financial and risk management matters in the context of the strategy and the overall business activity of the Group. The GFRC oversees financial implications of business decisions and the effective management of the Group’s overall risk profile, including risks related to insurance, financial markets and asset/liability, and credit and operational risks, as well as their interactions. The GFRC proposes remedial actions based on regular briefings from Group Risk Management on the risk profile of the Group. It reviews and formulates recommendations for future courses of action with respect to potential mergers and acquisitions (M&A) transactions, changes to the Zurich Risk Policy, internal insurance programs for the Group, material changes to the Group’s risk-based capital methodology, and the overall risk tolerance. The GFRC is chaired by the chief financial officer, while the chief risk officer acts as deputy.

The management committees rely on output provided by technical committees, including:

• The Asset/Liability Management and Investment Committee (ALMIC) deals with the Group’s asset/liability exposure and investment strategies and is chaired by the chief investment officer.

• The General Insurance Global Underwriting Committee (GUC) acts as a focal point for underwriting policy and related risk controls for General Insurance and is chaired by the Global Chief Underwriting Officer for General Insurance.

• The Group Reinsurance Committee (GRC) defines the Group’s reinsurance strategy in alignment with its risk framework and is chaired by the Global Head of Group Reinsurance.

QUESTIONS

1. How do Zurich’s ERM tools help it better understand its existing and emerging risks?
2. How are Zurich’s risk roles and responsibilities impacting its risk culture?
3. Why is it important to include a Business Resilience program in your organization’s ERM program?
4. How is Zurich’s Capital Management program helping its ERM program?
5. Give some examples of how Zurich has created new value through its ERM program.


ABOUT THE CONTRIBUTORS

Linda Conrad is Director of Strategic Business Risk Management for Zurich. She leads a global team responsible for delivering tactical solutions to Zurich and to customers on strategic issues such as business resilience, supply chain risk, enterprise risk management (ERM), risk culture, and Total Risk Profiling. Linda also addresses enterprise resiliency issues in print and television appearances, including CNBC, Fox Business News, and the Financial Times, and is featured in a Wall Street Journal microsite at www.supplychainriskinsights.com.

Linda holds a Specialist designation in ERM, and serves on the global Education Advisory Board of the Institute of Risk Management in London. Linda is deputy member of the ERM Committee of the Risk and Insurance Management Society (RIMS), sits on the Supply Chain Risk Leadership Council, and was chairwoman of the Asian Risk Management Conference. She taught at the University of Delaware Captive program and in the Master’s on Supply Chain Management program at the University of Michigan’s Ross School of Business, where she serves on the Corporate Advisory Council. Linda studied at the Graduate Institute of International Studies in Geneva, Switzerland, and Fox Business School.

Kristina Narvaez is the president and owner of ERM Strategies, LLC, which offers ERM research and training to organizations on various ERM-related topics. She graduated from the University of Utah in environmental risk management and then received her MBA from Westminster College. She is a two-time Spencer Education Foundation Graduate Scholar from the Risk and Insurance Management Society and has published more than 30 articles relating to enterprise risk management and board risk governance. She has given many presentations to various risk management associations on topics of ERM. She teaches a Business Strategy class at Brigham Young University.


CHAPTER 15

Embedding ERM into Strategic Planning at the City of Edmonton

KEN BAKER
ERM Program Manager at the City of Edmonton, Alberta, Canada

To me, the only good reason to take a risk is that there’s a decent possibility of a reward that outweighs the hazard. Exploring the edge of the universe and pushing the boundaries of human knowledge and capability strike me as pretty significant rewards, so I accept the risks of being an astronaut, but with an abundance of caution: I want to understand them, manage them, and reduce them as much as possible.

—Commander Chris Hadfield1

The Administration of the City of Edmonton in 2012–2013 explored ways to implement enterprise risk management (ERM), with a focus on strategic risk. Previous attempts at ERM were not fully implemented, but a new opportunity arose when Edmonton created a new strategic plan, The Way Ahead, in 2008. With the strategic plan and goals well established, they required risk analysis to determine what could prevent the city from achieving its goals and objectives, and how to allocate scarce resources most effectively to mitigate risks to achieving those goals and objectives.

The City Administration hired an Enterprise Risk Management Program Manager in 2012 to address the need to implement ERM at a strategic level.

After studying several models and frameworks for addressing risk, and conducting pilot workshops for two of the six directional plans that supported the strategic plan, The Way Ahead, the ERM Program Manager worked with the Administration to determine a course of action going forward based on these workshops.

CONTEXT—CITY OF EDMONTON

The City of Edmonton, capital of the western Canadian province of Alberta, has been a meeting place since the end of the last Ice Age. First settled by Europeans as a fur-trading post in 1795, Edmonton has grown incrementally, driven by prairie settlement in the 1880s, rail connections in 1891 and 1905, and the Klondike Gold Rush of 1897. Already an agricultural center, its reputation as “Oil Capital of Canada” was cemented in 1947 with the discovery of major oil deposits nearby. Growth since that time was largely based on resource development, and further accelerated as Edmonton served as hub for new oil sands development in northern Alberta starting in the 1970s.

Edmonton has grown significantly. In 2013, it was a city of over 800,000, anchoring an Alberta capital region of over 1.1 million. The city is experiencing nation-leading economic and population growth2 and is expected to reach 900,000 by 2018.3 It is home for world-leading research in several fields, including medicine, energy, nanotechnology, and winter city design. Its commercial and cultural life has earned it the nicknames “Gateway to the North,” “Canada’s Festival City,” and “City of Champions.”

City Government

Constitutionally, municipalities in Canada are the responsibility of their respective provincial governments. As such, the City of Edmonton is subject to provincial legislation, mainly the Alberta Municipal Government Act. In 2013 the elected City Council consisted of the mayor as well as a councillor for each of Edmonton’s 12 geographic divisions (wards). Reporting to Council is the City Manager, and through him the City’s 11,000 employees,4 divided into five departments.

The Edmonton City Council operates the two-employee model, the second employee being the City Auditor.

ERM DEVELOPMENT IN THE PAST

In 2003 the Office of the City Auditor (OCA) and Administration jointly created an ERM framework, the Corporate Business Risk Planning (CBRP) model. Using input from several city departments as well as external subject matter experts, the CBRP model was based on the Committee of Sponsoring Organizations (COSO) risk management framework, with modifications to allow for weighting of risks at multiple levels of management. The Conference Board of Canada requested permission to use parts of the framework, in particular the Risk Management Assessment Framework tool. CBRP was presented to senior leadership in 2005 and piloted but not fully implemented; it is believed that Edmonton was not yet ready to undertake the discipline at that time.

City Auditor’s Report

In a 2005 audit report,5 the city auditor reported to the City Council’s Audit Committee that:

• Known risks were being managed reasonably well.
• Risks that are strategic in nature were not clearly identified.
• ERM results were not consistently incorporated into business plans.


Administration Response to City Auditor’s Report

Following the 2005 city auditor’s report, several steps were undertaken to address the issues raised in the report:

• The chief financial officer was appointed sponsor for the ERM program.

• ERM governance was added to the responsibilities of the City Council’s Audit Committee, which consists of the mayor, four city councillors, and two members of the public.

• In 2011 a Program Manager and an ERM Working Committee, made up of subject matter experts from throughout the Administration, were appointed to advise on a framework for strategic risk. At this point the 2005 city auditor’s report was closed.6

• An ERM Program Manager was hired in 2012 to assist the Program Manager. In addition, oversight of the ERM framework selection process was passed to the Transforming Edmonton Committee (TEC), comprised of senior leaders responsible for the goals within the strategic plan (The Way Ahead), and from the ERM Working Committee, although the entire ERM Working Committee was kept abreast of developments.

CURRENT OVERALL ERM DEVELOPMENT

After the city auditor’s report in 2005, Edmonton adopted a 30-year vision and six 10-year goals, forming the City of Edmonton Strategic Plan, The Way Ahead. From it were derived six “Ways” plans (directional goals, objectives, performance measures, and targets) in support of The Way Ahead:

Transform Edmonton’s Urban Form: The Way We Grow
Shift Edmonton’s Transportation Mode: The Way We Move
Improve Edmonton’s Livability: The Way We Live
Preserve and Sustain Edmonton’s Environment: The Way We Green
Ensure Edmonton’s Financial Sustainability: The Way We Finance
Diversify Edmonton’s Economy: The Way We Prosper

At the time of writing, all the directional plans have been approved by City Council, except for The Way We Finance.

A summary of The Way Ahead and the six “Ways” plans derived from it can be found in the Appendix at the end of this chapter.

LINKS TO STRATEGIC PLAN AND TO OTHER STRATEGIC TOOLS

When developing ERM strategy, the following five questions are asked:

1. What are our long-term vision and goals?
2. What strategy will help achieve the vision?
3. What objectives will achieve the strategy?
4. What performance measures will show whether the objectives are achieved?
5. What risks will interfere with achievement of the objectives?


Both performance measurement (PM) and ERM need to be considered when advancing the strategic objectives. Recognizing this, the Office of the Chief Financial Officer realigned its Corporate Strategy and Performance section so that the ERM Program Manager, strategy, and PM staff work together in the same section. This provides possible opportunities to combine the processes of ERM, strategy, and PM to gather information for each more efficiently.

Results-Based Budgeting

ERM assists in resource allocation decisions (as shown in Exhibit 15.1) and so was seen to possibly conflict with budgeting models, including a results-based budgeting (RBB) model concurrently piloted by the Administration. The two models can be reconciled, however. For instance, one of the criteria in the RBB model for evaluating city programs was the amount and likelihood of risk relative to the amount of benefit the program was deemed to provide. Conversely, a program’s quartile rating in RBB could be used as an indicator in the ERM model to determine a program’s effectiveness in achieving its desired outcome. In this way, both models could inform each other.

[Exhibit 15.1 is a diagram linking three boxes, ERM, Performance Measurement, and Results-Based Budgeting, to the Strategic Objectives. Flow labels on the diagram: Measures of Success, Risks to Achieve, Risk Mitigations, Mitigation Priorities, Desired Outcomes, Programs and Costs, Funding, KPIs, Risk Assessment.]

ERM provides risk assessments to mitigate risks to achievement of the Ways. Performance Measurement provides Key Performance Indicators (KPIs) to determine the successful achievement of the Ways. Results-Based Budgeting provides information to assist with determining funding of programs, initiatives, and projects to fulfill the strategic objectives of the Ways.

1. ERM receives measures of success from Performance Measurement, determines risks to achieve the objectives.
2. Performance Measurement sends list of desired outcomes to Results-Based Budgeting, and receives lists of prioritized programs and costs.
3. Results-Based Budgeting receives list of risk mitigations from ERM, creates a list of budgeted mitigation priorities.

Exhibit 15.1 Relationship between ERM, Performance Measurement, and Results-Based Budgeting

Capital Budgeting Models

Edmonton’s infrastructure branches use sophisticated risk management models for maintaining and replacing current capital assets, and are introducing risk assessment into business cases for new capital projects. The strategic ERM model needs to incorporate these projects at the strategic level.

A graphic showing the linkages between ERM, Performance Measurement, and Results-Based Budgeting is shown in Exhibit 15.1.

SELECTING AND TESTING A STRATEGIC RISK MANAGEMENT MODEL

After a review of several ERM frameworks (CBRP, ISO 31000, COSO, etc.), the Administration decided on a strategy-focused approach. The relationship of strategic ERM as part of the risk universe is shown in Exhibit 15.2.

Such a method was provided in the Risk Scorecard model devised by pm2 Consulting (www.pm2consulting.com). The Financial Services and Utilities department (facilitated by the ERM Program Manager) conducted two pilot Risk Scorecards using the pm2 model, for The Way We Move and The Way We Live. Following is a description of the pm2 Risk Scorecard methodology.

[Exhibit 15.2 is a diagram of three levels of the risk universe: Strategic (The Ways), Project (short to medium term, finite start/end), and Operations (day-to-day), with ERM shown alongside all three.]

Exhibit 15.2 Relationship between Strategic, Project, and Operational Risks

Pilot pm2 Risk Scorecard Methodology

The Risk Scorecard consisted of six steps, each dependent on the previous one:

1. Weighting of goals in the plan based on what is the highest priority in the organization to advance

2. Linking of strategic objectives to goals—determine how the strategic objectives contribute to goals, and to what degree (relationship expressed as low/medium/high)

3. Identification of risks to each strategic objective, scored 1 to 5 in likelihood and 1 to 5 in impact

4. Identification of how current programs (processes) contribute to achieving strategic objectives; currently performed—scored 1 to 5 in relationship to strategic objective and in effectiveness in meeting expectations

5. Identification of planned future initiatives—scored 1 to 5 in relationship to strategic objectives

6. Identification of possible future mitigations and risk indicators

Deliverables from this process include a risk register, a heat map, and charts showing each strategic objective’s cumulative levels of risk, program contribution, and initiative contribution, to show relative effort toward areas of relative risk. In addition, a list of possible future mitigations and a list of risk indicators (measures to show as early as possible that a risk may be occurring) can be derived. The methodology is shown in Exhibit 15.3.

Ideally, risk assessment would have taken place during the creation of strategic planning documents to help determine the most risk-appropriate actions to achieve the vision and goals. However, the “Ways” documents were created before ERM was conceptualized in Edmonton. Therefore, pilots were conducted to catch up to each Ways document by conducting a Risk Scorecard workshop for each one. Because of the resource commitment of this exercise, workshops could realistically only be done one at a time. By the summer of 2013, pilot Risk Scorecards for two Ways documents had been completed or nearly completed: The Way We Move and The Way We Live.

Initial Planning

After agreeing to the plan between Administration and pm2 Consulting, a facilitator conducted workshops. For the first pilot, three staff members from pm2 Consulting facilitated the workshop; for the second, the ERM Program Manager was the facilitator. For both pilots, permission for the participation of lead department staff was sought and received from the general manager of the lead department: for The Way We Move, Transportation Services; for The Way We Live, Community Services. Branch managers for strategic planning for both departments were tasked to provide subject matter experts from their staff for the entire workshop; each provided three to five staff members to bring department expertise. In addition, for steps 2 and 3 (risk identification and scoring), senior department staff, mainly branch managers, were asked to participate in scoring the likelihood and impact of risk events, and to add to or amend the list of risk events.


[Exhibit 15.3 is a process diagram of five steps:]

1. Identify Strategy
   • The Way We … Goals
   • The Way We … Strategic Objectives
2. Identify Key Risk Elements
   • ISO 31000-based checklist
   • Identify Risks
3. Score Risk Elements
   • Rate Impact and Likelihood against strategic objectives
4. Rate Impact and Performance
   • Rate Impact and Performance against strategic objectives
5. Determine Indicators and Mitigation Action
   • Identify risk indicators
   • Determine risk mitigation actions

Exhibit 15.3 pm2 Risk Scorecard Process Diagram
Source: pm2 Consulting, 2012.

Each of the workshops took approximately 60 to 70 hours to complete. To keep time commitments, some portions of steps that were deemed to be less critical were omitted.

Step 1: Identify Strategy

The first step in the process is to identify strategic direction. Edmonton had a 30-year strategic plan, The Way Ahead. Using input from the public as well as subject matter experts, The Way Ahead was approved by the City Council and is the key planning document for the city going forward. To assist in its implementation are the six Ways plans noted previously. These documents made strategy identification straightforward. For the first pilot, The Way We Move (transportation plan) was selected. It was considered the best place to start because it was the most homogeneous of the plans; responsibility for its implementation was overwhelmingly with one department, Transportation Services. As well, its format made it essentially a capital plan, with easily understood objectives and goals.

At this point the ERM team had to decide at what level the strategic weightings were to occur. Options included the six 10-year goals or the 19 strategic objectives, among others. It was decided that the strategic objectives would be the appropriate level of analysis for the risk register. The goals would be at too high a level to be meaningful, and other criteria would not serve the city’s purpose in addressing the risk needs of the Ways.


[Exhibit 15.4 is a table for The Way We Live. Rows: the plan’s six goals (Vibrant, Connected, Engaged, Welcoming; Celebrates Life; Caring, Inclusive, Affordable; Safe City; Attractive City; Sustainable City), each with a goal weighting (Wgt); the weightings sum to 100.0. Columns: strategic objectives 1.1 Vibrant Communities Using Public Spaces, 1.2 Create Connections Using Infrastructure, and 1.3 Integrate Transit with Local Hubs. Each cell holds a 1 to 5 relationship score. The labels A, B, and C on the exhibit refer to the variables of the weighting formula in the text.]

Exhibit 15.4 Relationship between Strategic Goals and Objectives
Source: Adapted from pm2 Consultants Risk Score Card Model, 2012.

At this point a weighting of the goals was attempted. Subject matter experts, including the department general manager, allocated a percentage of support to each of the six goals. (It should be noted that, for political reasons, this weighting of the goals may be skipped as management may not want to prioritize these at this time.) The goals were then placed on the vertical axis of a table, with the strategic objectives across the top. An example of this table can be found in Exhibit 15.4.

For each strategic objective, the subject matter experts (in this case, four people from the Community Services department) indicated the link to each goal on a scale of 1 to 5. The larger an objective, the more goals it would relate to, and the higher weighting it would receive. When this was completed, each strategic objective had a weighting (C), expressed as a percentage, calculated as:

$$C = \frac{\sum (A \times B)}{\sum_{\text{all columns}} \left[ \sum (A \times B) \right]} \times 100$$

where:

A = Goal weighting (expressed as a percentage)
B = Relationship to objective (1 to 5)

The sums for each column are added together to get a total weighting; each column’s sum is then divided by this total to derive its relative weighting (in this example, 4 percent).

This gave each strategic objective a weighting. This weighting was then compared to that of every other strategic objective to arrive at a percentage of the total weighting. This kept the weightings constant in relative terms.

The objectives were then transposed to another table where they formed the vertical axis, then sorted by their percentage of the total objective weighting, with the highest weightings at the top. This allowed the group to select high, medium, or low weightings for each strategic objective. This categorization would be carried on to the next step, risk identification.

Step 2: Identify Key Risk Elements

Using a risk category checklist (a list of categories of potential risks covering all possible types of risk—e.g., financial, political, partner), the workshop group, with assistance from a number of subject matter experts, including branch managers, created a list of risks that could impact the achievement of the strategic objectives.

Step 3: Score Risk Elements

The risks agreed on by the group were then placed across the top of a table with the strategic objectives listed vertically along the left side. Directly below each risk was a measure of likelihood of the risk occurring (again on a 1 to 5 scale). The likelihood score was agreed on by the subject matter experts. The team then scored each risk to each strategic objective, again on a 1 to 5 scale. This provided two outputs: the scoring of risks and the risk weighting of each strategic objective. A sample of this table is shown in Exhibit 15.5.

The risk scores were calculated as:

$$\sum (D \times E \times F)$$

where:

D = Strategic objective weighting (1 for low, 3 for medium, 5 for high)
E = Risk impact on objective (1 to 5)
F = Risk likelihood (from top of column) (1 to 5)

These were summed vertically for each risk. The risk weighting of each strategic objective was calculated using the same formula but summed horizontally for each strategic objective. The risks were then transposed onto a data table with their likelihood and their weighted impact score (the sum of each D × E calculation for each cell in the column). This provided the basis for the risk register and the heat map.

At this point, several graphs can be created to show the relative nature of the risks and the strategic objectives. From a risk-based perspective, a heat map can be created showing the risks with the highest likelihood and weighted impact score. The more strategic objectives a risk can affect, the greater is the weighted impact score for that risk. For strategic objectives, a graph can be produced to show the strategic objectives most impacted by risk. The more risks affecting a strategic objective, and with greater impacts, the greater that objective’s weighted risk score.
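The weighting arithmetic of Step 1 and the risk scoring of Step 3, carried through end to end as an added example; this is not code from the chapter or from pm2 Consulting’s Risk Scorecard materials. Goal weightings, relationship scores, risks, likelihoods and impacts are constructed sample values, and the thresholds that band objectives into low/medium/high are an assumption, since the chapter says the workshop group chose those bands by judgment.

```python
"""Worked example of the Risk Scorecard arithmetic from Steps 1 and 3.

All numbers are constructed sample values, not the City of Edmonton's actual
scorecard. Objective names echo Exhibit 15.4 for readability only.
"""
from typing import Dict, Tuple

# Step 1 inputs. A = goal weighting in percent; B = relationship of each
# strategic objective to each goal on a 1-5 scale (constructed values).
GOAL_WEIGHTS: Dict[str, float] = {
    "Safe City": 40.0, "Attractive City": 35.0, "Sustainable City": 25.0,
}
OBJECTIVE_LINKS: Dict[str, Dict[str, int]] = {
    "1.1 Vibrant communities": {"Safe City": 3, "Attractive City": 5, "Sustainable City": 2},
    "1.2 Create connections": {"Safe City": 2, "Attractive City": 2, "Sustainable City": 4},
    "1.3 Integrate transit": {"Safe City": 1, "Attractive City": 1, "Sustainable City": 5},
}

# Step 3 inputs. F = likelihood of each risk (1-5); E = impact of that risk on
# each strategic objective (1-5). Constructed values.
RISK_LIKELIHOOD: Dict[str, int] = {"Funding shortfall": 4, "Partner withdrawal": 2}
RISK_IMPACT: Dict[str, Dict[str, int]] = {
    "Funding shortfall": {"1.1 Vibrant communities": 3, "1.2 Create connections": 4, "1.3 Integrate transit": 5},
    "Partner withdrawal": {"1.1 Vibrant communities": 2, "1.2 Create connections": 1, "1.3 Integrate transit": 4},
}


def objective_weightings(goal_weights: Dict[str, float],
                         links: Dict[str, Dict[str, int]]) -> Dict[str, float]:
    """Step 1: C = sum(A x B) / [sum over all objectives of sum(A x B)] x 100."""
    raw = {obj: sum(goal_weights[g] * b for g, b in rel.items()) for obj, rel in links.items()}
    total = sum(raw.values())
    return {obj: round(100.0 * v / total, 1) for obj, v in raw.items()}


def band_to_d(weighting_pct: float) -> int:
    """Map an objective's weighting to D: 1 (low), 3 (medium) or 5 (high).

    The chapter says the group chose the bands by judgment after sorting the
    objectives; the numeric thresholds here are an assumption for the example.
    """
    if weighting_pct >= 40.0:
        return 5
    if weighting_pct >= 30.0:
        return 3
    return 1


def score_risks(d_by_objective: Dict[str, int], likelihood: Dict[str, int],
                impact: Dict[str, Dict[str, int]]):
    """Step 3: each cell is D x E x F.

    Summing a risk's column gives its risk score; summing an objective's row
    gives that objective's risk weighting. The heat-map point for a risk is
    (likelihood F, weighted impact = sum of D x E down its column)."""
    risk_scores: Dict[str, int] = {}
    objective_risk: Dict[str, int] = {obj: 0 for obj in d_by_objective}
    heat_map: Dict[str, Tuple[int, int]] = {}
    for risk, f in likelihood.items():
        weighted_impact = 0
        for obj, e in impact[risk].items():
            objective_risk[obj] += d_by_objective[obj] * e * f
            weighted_impact += d_by_objective[obj] * e
        risk_scores[risk] = weighted_impact * f
        heat_map[risk] = (f, weighted_impact)
    return risk_scores, objective_risk, heat_map


def run_scorecard() -> Dict[str, dict]:
    """Chain Step 1 into Step 3 on the sample data and return every table."""
    c = objective_weightings(GOAL_WEIGHTS, OBJECTIVE_LINKS)
    d = {obj: band_to_d(pct) for obj, pct in c.items()}
    risk_scores, objective_risk, heat_map = score_risks(d, RISK_LIKELIHOOD, RISK_IMPACT)
    # Consistency check: the same grid summed by column and by row must agree.
    assert sum(risk_scores.values()) == sum(objective_risk.values())
    return {"C": c, "D": d, "risk_scores": risk_scores,
            "objective_risk": objective_risk, "heat_map": heat_map}


if __name__ == "__main__":
    for name, table in run_scorecard().items():
        print(name, table)
```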

Step 4: Link Programs, Initiatives, and Risks

The next list required was that of the existing programs currently in place to fulfill the strategic objectives. For the ease of the workshop, it was decided to use the list of programs shown in the annual operating budget. Other program levels could have been used, such as that used in the city’s results-based budgeting (RBB) initiative. This initiative divided budget-level programs into smaller components, which would be easier to change but increased the number of programs tenfold. It was for this reason the RBB-level program list was rejected; the number of programs in that initiative was exceedingly high.

Exhibit 15.5 Relationship between Risks and Strategic Objectives
Source: Adapted from pm2 Consulting Risk Scorecard model, 2012.

Once a program level was agreed on, a new table was created, with the programs across the top and the strategic objectives down the left side. On this table, the subject matter experts scored the impact of the relationship between each program and each strategic objective (on a 1 to 5 scale). In addition, the participants estimated the effectiveness of each program (i.e., whether it fulfilled the requirements of the program), again on a 1 to 5 scale, with 5 meaning the program was performing as required and 1 meaning the program’s performance was well below what was required. The difference between what was required of the program and its actual performance (i.e., 5 minus the effectiveness score) was known as the strategic gap. An excerpt from this table can be found in Exhibit 15.6.


Exhibit 15.6 Linkages between Strategy and Programs
Source: Adapted from pm2 Consulting Risk Scorecard model, 2012.

At this point a new graph could be created, with a vertical bar for each strategic objective and its cumulative program requirements. Adding the cumulative effectiveness and cumulative strategic gap gave a stacked bar graph whose height was its cumulative program requirement. The bigger the objective, the more programs it had and therefore the higher cumulative program requirements (and likely a proportionally large strategic gap).

The last dimension in step 4 was to list new initiatives the City planned to implement, and rate their importance to each strategic objective. For the purposes of the workshop, it was decided to limit the list to those in the Implementation Plan for each Ways document. Within this set of possibilities, only the initiatives coded as “will do” (not “already done,” “already doing,” “could do,” or “aspire to do”) were used for the initiatives list, to keep it to a manageable size. With this list scored by each strategic objective on a 1 to 5 scale, a graph could be produced showing the cumulative impact of future initiatives on each strategic objective. A table linking initiatives to strategy is found in Exhibit 15.7.

[Exhibit 15.7 is a table of 1 to 5 scores linking each planned initiative to each strategic objective.]

Exhibit 15.7 Linkages between Strategy and Initiatives
Source: Adapted from pm2 Consulting Risk Scorecard model, 2012.

With the strategic gap and initiatives impact established, the two graphs for each objective could be combined on one graph to show the cumulative strategic gap and cumulative initiative impact for each strategic objective. If resources were properly allocated, one would expect to see a correlation between the height of the strategic gap bar and the height of the cumulative initiative impact point for each objective. For viewing purposes, it was necessary to use different scales for each data series, to best show the correlation. Finally, the risk weighting for each strategic objective could be added to the graph. This showed the relative risks associated with each strategic objective in relation to its required programs and initiatives.


EMBEDDING ERM INTO STRATEGIC PLANNING AT THE CITY OF EDMONTON 293

Exhibit 15.8 Strategic Objectives—Risk, Strategic Gap, and Impact of Initiatives Source: Adapted from pm2 Consulting Risk Scorecard model, 2012.

Overall, a correlation between risk, strategic gap, and initiatives may be observed. For objectives whose risks do not correlate with strategic gap and initiatives, this forms the basis of discussion for the objective; in-depth analysis shows the types of risks, whether they are caused by or independent of the programs comprising the strategic gap, and whether future initiatives address the risks, either directly or indirectly. The graph showing risk, strategic gap, and impact of initiatives on strategic objectives is found in Exhibit 15.8.

Step 5: Determine Indicators and Mitigation Actions

The final step involved completion of a risk indicator worksheet for each risk/strategic objective combination. This sheet required the user to list potential mitigation strategies, including required lead time, as well as indicators of inputs, actions, or outputs that would signal the potential onset of a risk event. The worksheet data were then summarized in a database indicating strategic objective, risk, mitigation, lead time, and whether the organization is already undertaking the mitigation. The database could then be grouped by objective, risk, or mitigation as needed.

On completion of the mitigation database, the final risk scorecard could be completed. This was a table showing strategic objectives on the left and risks across the top. Each cell indicated the impact of that risk on that objective, its performance (good, fair, or poor, shown as medium gray, light gray, and dark gray), and the risk level for the objective (the level of potential risk of the risk element impacting this strategic objective).

This provided a basis of discussion to identify key risks affecting strategic objectives.


SELECTING AN ERM FRAMEWORK

At the end of the second pilot, each department involved (Transportation Services for The Way We Move and Community Services for The Way We Live) was consulted to provide feedback on the process. As a result of the consultations it was decided to componentize the pm2 model, as some aspects were seen to add more value than others. In addition, the model as a whole was found to provide levels of complexity that, while useful, might preclude its successful implementation. Each individual component could then be compared with other frameworks.

During this time, staff from the Edmonton Police Service (EPS) met with the Financial Services staff and presented its ERM process, based on the ISO 31000 framework. By provincial law, EPS maintains a separate command structure, reporting to the City Council through the Edmonton Police Commission. Independently, the EPS had, over a span of five years, evolved a mature ERM process based on in-depth performance measurement tools and impetus from the Police Commission to proactively identify and treat its risks. The EPS felt at this time that it could offer to share its ERM model with other city departments on an operational level. This provided an incentive for the Financial Services department to compare the pm2 model with the ISO 31000 framework to determine a best solution going forward. A diagram of the ISO 31000 ERM process is found in Exhibit 15.9.

Comparison of pm2 and ISO 31000 Frameworks

After two pilots of the pm2 framework (with The Way We Move and The Way We Live), the ERM team evaluated the pilots to provide recommendations for strategic ERM going forward. Elements were taken from ISO 31000 and the pilot project. A comparison of the two frameworks is found in Exhibit 15.10.

Exhibit 15.9 ISO 31000 Enterprise Risk Management Process Chart. Source: Based on CAN/CSA-ISO 31000-10, Risk Management—Principles and Guidelines, International Organization for Standardization/Canadian Standards Association, 2009. [Process chart: Establish Context; Risk Assessment, comprising Identify Risks, Analyze Risks, and Evaluate Risks; Treat Risks. Communicate and Consult and Monitor and Review run alongside every step.]

Exhibit 15.10 Comparison—pm2 Risk Scorecard versus ISO 31000 Model

pm2 Risk Scorecard
  Pros: strong weighting method; includes programs and initiatives; powerful tool
  Cons: part of a larger process; complex, hard to implement; mitigation process hard to implement

ISO 31000
  Pros: simpler to implement; robust global standard; required for Enviso
  Cons: no programs and initiatives; no direct tie to other processes

RECOMMENDED STRATEGIC ERM MODEL

After reviewing the results from the two pm2 pilots, the ERM team consulted with the subject matter experts from both operating departments involved in the Risk Scorecard workshops. The participants saw the logic in the model and had a good understanding of what was required in the workshop. They also provided valuable feedback on the usefulness of each section of the model.

All participants regarded step 1, the linking of goals and strategic objectives, as a strength; in fact, it was believed that this methodology would add value to other processes as well, such as results-based budgeting. Steps 2 and 3, identifying and scoring risks, would be core processes for any risk model. Step 4, linking programs, initiatives, and risks, was regarded as powerful but potentially confusing to branch managers and, as a result, might not add the expected value to the process. Moreover, linking programs and initiatives may have also been done with other processes, making this a duplication of effort. Finally, step 5, while necessary to the ERM process, was considered to be excessively complex and time-consuming. A simpler process for determining mitigations and following up was needed. From discussions with EPS and other research regarding ISO 31000, it was determined that the ISO 31000 framework held the key to a simpler risk mitigation and review process. It was also superior to the Risk Scorecard model in that it focused on mitigation at the risk level, rather than the strategic objective level, and did not require a separate worksheet for each risk/objective combination. Finally, because several city branches were certified to the ISO 14001 (Environmental Management) standard under Edmonton’s Enviso program, it was noted that upcoming recertifications would require risk assessment conforming to the ISO 31000 standard.

The final recommended strategic ERM model for the City of Edmonton consisted of four steps, and is shown in Exhibit 15.11.

Step 1 (Weight Goals and Objectives), step 2 (Identify Risks), and step 3 (Assess Risks) are the same as steps 1 to 3 in the pm2 Risk Scorecard model. Step 4, however, is based on the “Evaluate Risks” and “Treat Risks” sections of the ISO 31000 RM (risk management) standard. In Step 4, the risks are transposed onto a risk register, where each row contains the necessary information for that risk: category, description, likelihood score, weighted impact score, weighted risk score, risk rating, risk acceptance, summary comments, current mitigations, future mitigations, risk owner, status update, and update interval.

Exhibit 15.11 The City of Edmonton’s Proposed ISO 31000–Based Strategic Risk Management Framework

1. Weight Goals and Objectives
   • Identify linkages between goals and objectives
   • Goals from The Ways
   • Objectives from The Ways
2. Identify Risks
   • Identify risks to strategic objectives (from the Ways plans) using risk universe checklist
3. Assess Risks
   • Determine likelihood and impact of risks to strategic objectives
   • Prioritize risks by weighting (likelihood x impact x weighting)
4. Determine Mitigations
   • Determine appropriate actions, assign to risk owners, and follow up
5. Review and Update

An example of the proposed risk register is found in Exhibit 15.12.
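The register described above, as an added worked example in Python that is not code from the chapter, the City of Edmonton, or pm2 Consulting. It keeps one record per risk in the column layout the text lists, computes the weighted risk score as likelihood x impact x objective weighting (the weighting formula of step 3 in the recommended model), groups rows by objective, category, or owner as the step 5 database does, and shows that changing the objective weights re-ranks the register without re-scoring each risk, the property the Lessons Learned section attributes to the weighting system. The 1 to 5 scales, the rating cut-offs, the objective weights, and every sample row are assumptions made for illustration; the chapter gives a 1 to 5 scale for initiatives only and states no cut-offs.

```python
"""Strategic risk register with weighted scoring.

Added example, not code from the chapter, the City of Edmonton or pm2
Consulting. Field names follow the register columns the text lists; the
1-to-5 scales, the rating cut-offs, the objective weights and all sample
rows are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Risk:
    objective: str                 # strategic objective the risk threatens
    category: str                  # e.g. Economic, Technological
    description: str
    likelihood: int                # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                    # 1 (minor) .. 5 (severe), assumed scale
    owner: str = ""
    accepted: bool = False         # the "risk acceptance" column
    current_mitigations: list = field(default_factory=list)
    future_mitigations: list = field(default_factory=list)


def weighted_score(risk, objective_weights):
    """Weighted risk score = likelihood x impact x objective weighting.
    Rounded to two decimals so fractional weights compare cleanly."""
    if not 1 <= risk.likelihood <= 5 or not 1 <= risk.impact <= 5:
        raise ValueError(f"scores out of range for {risk.description!r}")
    return round(risk.likelihood * risk.impact * objective_weights[risk.objective], 2)


def rating(score, high=6.0, medium=3.0):
    """Risk rating from the weighted score. The cut-offs are assumed."""
    if score >= high:
        return "High"
    if score >= medium:
        return "Medium"
    return "Low"


def build_register(risks, objective_weights):
    """One row per risk, highest weighted score first."""
    rows = []
    for r in risks:
        score = weighted_score(r, objective_weights)
        rows.append({
            "objective": r.objective,
            "category": r.category,
            "description": r.description,
            "likelihood": r.likelihood,
            "weighted_impact": round(r.impact * objective_weights[r.objective], 2),
            "weighted_risk_score": score,
            "rating": rating(score),
            "accepted": r.accepted,
            "current_mitigations": list(r.current_mitigations),
            "future_mitigations": list(r.future_mitigations),
            "owner": r.owner,
        })
    rows.sort(key=lambda row: row["weighted_risk_score"], reverse=True)
    return rows


def group_by(register, key):
    """Group register rows by objective, category or owner."""
    groups = defaultdict(list)
    for row in register:
        groups[row[key]].append(row)
    return dict(groups)


def needs_attention(register):
    """Rows rated above Low, not accepted, with nothing currently mitigating them."""
    return [row for row in register
            if row["rating"] != "Low" and not row["accepted"]
            and not row["current_mitigations"]]


# Constructed sample data (assumed). Weights sum to 1 and express Council's
# relative priority for each objective; a later Council shifts priority.
SAMPLE_WEIGHTS = {"Improve Livability": 0.5,
                  "Shift Transportation Mode": 0.3,
                  "Financial Sustainability": 0.2}
REPRIORITIZED_WEIGHTS = {"Improve Livability": 0.2,
                         "Shift Transportation Mode": 0.3,
                         "Financial Sustainability": 0.5}

SAMPLE_RISKS = [
    Risk("Improve Livability", "Economic",
         "Economic slowdown increases demand on social supports", 3, 4,
         owner="CLT",
         current_mitigations=["Economic conditions monitored constantly"],
         future_mitigations=["Devise scalable plan for program prioritization"]),
    Risk("Shift Transportation Mode", "Technological",
         "LRT signalling outage", 2, 5, owner="Transportation Services",
         accepted=True, current_mitigations=["Manual fallback procedures"]),
    Risk("Financial Sustainability", "Economic",
         "Provincial grant reduction", 4, 4, owner="Financial Services"),
    Risk("Improve Livability", "Operational",
         "Recreation centre staffing shortfall", 2, 2, owner="Community Services"),
]

if __name__ == "__main__":
    for weights in (SAMPLE_WEIGHTS, REPRIORITIZED_WEIGHTS):
        register = build_register(SAMPLE_RISKS, weights)
        for row in register:
            print(f'{row["weighted_risk_score"]:5.2f} {row["rating"]:6} {row["description"]}')
        print("needs attention:", [r["description"] for r in needs_attention(register)])
        print()
```

Run as a script, the same four risks are ranked under both weight tables: the social-supports risk tops the register under the first table and drops to Low under the second, while the grant-reduction risk rises to High without any likelihood or impact being rescored. The needs_attention filter is the register-level equivalent of the scorecard discussion: a risk that is rated, not accepted, and has no current mitigation is the one a risk owner has to be assigned to first.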

LESSONS LEARNED

Several lessons were learned in terms of (1) key success factors and (2) the process of selecting and implementing a framework. The findings from these two categories are shown next.

Key Success Factors

Buy-In by Senior Management

Edmonton’s Corporate Leadership Team (CLT, comprised of the city manager and the general manager of each department) has supported the concept of ERM. At a senior management level, staff must be able to perceive the value added by ERM. This makes design of an appropriate ERM process, which can show value to management, critical to its success. An example of the value proposition is found in Exhibit 15.13.

In general, the process must have two properties: it must be simple and it must show the value of doing it.

A critical balance must be struck between model power (i.e., how much information it provides) and user-friendliness. A model can provide large amounts of information but will not be helpful if it is too complex to be understood or too time-consuming to be considered worthwhile by the users. Conversely, a model that is too simple will not be helpful, as it will lack the relevance to achieve buy-in.

The pm2 model consists of a number of simple steps performed in sequence to produce powerful results. These results include comparisons of risk, effectiveness of current programs, and the impact of future initiatives on achievement of strategic objectives. The challenge for the ERM team is to show the simplicity of the steps in the model to leaders, to ensure their understanding of the concept and buy-in to the model. Concerns have been voiced by department staff that the model, as followed in the pilot Risk Scorecard workshop, may include steps deemed too complex by branch managers. If necessary, some steps can be removed, and the model stripped to its risk analysis component if other levels of analysis are deemed not to add value to management, without losing the robustness of the model.

Whatever model is used, it must be customizable to the city’s circumstances. For example, if branch managers believe a process to be too time-consuming or too difficult, it must be shortened and simplified to overcome this concern. Conversely, if the model is considered too simplistic to add value, rigor must be added to the model to show the value added and to show the time spent to be worthwhile.

Culture of Innovation (Risk-Smart)

In addition to buy-in from senior leadership, ERM also requires a culture of innovation, where new ideas are embraced and failure is tolerated. At a senior management level, the Transforming Edmonton Committee (TEC) is responsible for overseeing strategic planning and successful achievement of the city’s strategic goals under The Way Ahead. Ensuring that the TEC understands the relationship between strategy, ERM, and performance measurement (PM) is key to successful ERM implementation.

Exhibit 15.12 Sample Proposed Risk Register

Columns: Category | Risk Element | Current Risk Rating | Current Risk Accepted? (Y/N) | Summary Comments | Mitigation Actions | Future Mitigation Actions | Risk Owner | Status Update | Update Required

Sample row:
  Category: Economic
  Risk Element: Economic slowdown results in increased demands on Social Supports
  Current Risk Rating: Medium
  Current Risk Accepted? (Y/N): No
  Summary Comments: Strategic Outcomes: Higher demands are placed on existing programs, resulting in reduced overall service levels. Risk Not Acceptable: Economic slowdown will require the City to prioritize programs and reallocate resources to provide social services in the most effective manner
  Mitigation Actions (current/future): Devise scalable plan for program prioritization
  Risk Owner: CLT
  Status Update: Economic conditions are monitored constantly; no downturn detected to date (4 Oct. 13)
  Update Required: 6 Months

Exhibit 15.13 The ERM Value Proposition. Source: Integrated Risk Management “Building Bridges: City of Winnipeg, Audit Department”, February 2009. [Chain: Enterprise Risk Management → Better Information → Quality Decisions → Enhanced Performance → More Value for Citizens]

Governments have traditionally been regarded as risk-averse, as political opponents would pounce on any perceived error by the government. To enable a culture of innovation, however, the organization must move from a risk-averse view to a risk-aware view, in which it openly recognizes the risks it faces. Finally, as the organization fully embraces its culture of innovation, it must move from a risk-aware view to a risk-smart view, where risks are embraced, well-managed, and mined for opportunities.

Consistency of Model across the Ways

The ERM Program Manager, as facilitator of the workshops, must ensure that consistent standards are maintained in weighting objectives, defining risks, and determining mitigations and feedback.

A strength of the pm2 model is its robustness. This robustness stems from the model’s system of weighting of strategic goals and objectives. Even if a future City Council drastically changed the prioritization of the goals, the model would automatically adjust for this change and update the risk register and other outputs accordingly. Other models would require an in-depth review of each risk in light of such a change.

This weighting system for goals and objectives can potentially be carried over to other management processes as well. For example, the results-based budgeting (RBB) model currently being tested by the City also has a weighting system for city programs to prioritize them. In addition, performance measures can be similarly prioritized to determine which ones carry the highest priority and therefore warrant the most scrutiny.

Another strength of the pm2 model is that it does not differentiate between operating and capital items. Often a strategic objective has both a capital and an operating component (e.g., construction of a new recreation center and staffing and maintaining it afterward), which are dealt with in separate operating and capital budget cycles.

Resource Requirements on Department Subject Matter Experts

Each step in the ERM framework requires input at a senior management level in each operating department. Cumulatively these time requirements can be material for senior management already dealing with the resource constraints of their regular duties. The challenge for the ERM and other models is to minimize the time required of city staff to avoid push-back from project fatigue, which would impact the success of the ERM program.


Department Accountability for Key Risks

When key risks are identified, the department in question must take ownership of the model and assign key risks to designated risk owners. These individuals will be responsible for devising and implementing mitigation strategies and reporting results at appropriate intervals.

Findings on the Process of Selecting and Implementing a Framework

Implementing an ERM framework typically takes longer than expected. More time seems to be spent getting buy-in for the concept from the C-suite and devising an appropriate model than one could ever predict. Rarely do off-the-shelf frameworks exist that can be employed in short order; plans usually have to be tailored to fit the organization’s unique circumstances. Some of Edmonton’s learnings from this ERM implementation include the following.

There is no perfect system. What works for one organization may not work for another. What is necessary is flexibility. Any system must be simple enough to understand, robust enough to be usable in any area of the organization, and powerful enough to add value in decision making. In addition, it may be preferable to create a hybrid approach, taking the best parts of two or more competing systems to create one that best meets the organization’s needs.

No matter how good an ERM framework is, if senior leadership does not buy in to the framework, it cannot succeed, as management will need to see the usefulness and cost justification. Three frameworks were presented to senior leadership between 2005 and 2013; all were sound and based on extensive research and knowledge of risk management principles. All were found by senior leadership to be either too complex or not a fit to Edmonton’s needs.

It may be problematic to try to roll out an entire system at once. In the initial ERM planning phases there seems to be a tendency to try to hit a home run; that is, to roll out a perfect ERM system at strategic, project, and operating levels all at once. It may be the most efficient in theory, but in practice it requires a prohibitive amount of up-front resources. It ignores the learning curve managers have in learning about ERM, how it applies to them, and how to do it. This leads to the next point.

It may be preferable to introduce one phase of ERM at a time. In Edmonton’s case, previous attempts at an ERM framework were unsuccessful because they went against the stated wishes of the Corporate Leadership Team (CLT). One of the CLT’s main drivers for action on ERM was the 2005 city auditor’s report, which identified issues mainly with strategic risk. With this in mind, the CLT wanted primarily to focus just on strategic risk, not on an overall framework. In terms of a corporate rollout, then, phase 1 was to be strategic risk; project risk and operational risk could be dealt with later, as these were lower priorities for the CLT and the city auditor.

When working with operating departments on a framework (even a pilot), it is important to define clearly what you want to accomplish with the operating departments in question. In this case, it was clearly defined that the department owned the risk register and was responsible for its content; the ERM team’s role was to maintain it. Going forward, the ERM team’s role was also that of facilitator, coach, and mentor to the department staff.


CONCLUSION

At time of writing, the recommended strategic ERM model was being fine-tuned for the remaining Ways documents, pending feedback from the teams involved in the two pilot Risk Scorecards.

In the longer term, the ERM Program Manager recommended further consolidation of the ERM model by ensuring links to project risk management, and by harmonizing operations’ risk management practices with the ISO 31000 risk management standard, to provide consistent risk management methods to all areas, many of which are already practicing ERM, but using different formats.

Finally, the process of ERM needs to be tied to the process of performance measurement going forward. As strategic performance measures are created or amended, the risks to achieving them need to be identified at the same time, to provide the most efficient and effective means of ensuring that the measures of success can be achieved.

APPENDIX: SUMMARY OF THE WAY AHEAD, EDMONTON’S STRATEGIC PLAN

The City of Edmonton developed a strategic plan in 2008 called The Way Ahead. It contains:

• A 30-year citizen-built City vision, describing Edmonton’s future
• Six 10-year strategic goals: Transform Edmonton’s Urban Form; Shift Edmonton’s Transportation Mode; Improve Edmonton’s Livability; Preserve and Sustain Edmonton’s Environment; Ensure Edmonton’s Financial Sustainability; and Diversify Edmonton’s Economy
• Corporate outcomes, performance measures, and targets

The Way Ahead was developed using the principles of integration, sustainability, livability, and innovation. It was built on a strong base of programs and services that already exist.

The Way Ahead has provided a foundation for prioritization and decision making. Since 2008, continual improvement has been made to the plan.

To better understand and measure how Edmonton is advancing the vision and 10-year goals, corporate outcomes for all six 10-year goals and performance measures for five of the six goals were developed in 2010. Performance measure targets for three of the six goals were approved in 2011. The Way Ahead was updated in 2011 to reflect this progress.

Over the past five years, the city has developed several directional plans to help achieve The Way Ahead.

Directional plans, referred to as the Ways plans, have been established to focus the city’s work in both the achievement of the 10-year strategic goals and in delivering existing services to citizens. Accompanying Ways implementation plans were also developed to outline specific initiatives and actions that contribute significantly to the achievement of the Ways plans. The following chart shows each of the plans and when they were created.


Directional Plans
• The Way We Grow: Municipal Development Plan (2010)
• The Way We Move: Transportation Master Plan (2009)
• The Way We Live: Edmonton’s People Plan (2010)
• The Way We Green: Edmonton’s Environmental Strategic Plan (2011)
• The Way We Finance: Edmonton’s Financial Sustainability Plan (under development)
• The Way We Prosper: Economic Development Plan (2013)

Implementation Plans
• The Way We Grow Implementation Plan (2013 to Council)
• The Way We Move Implementation Plan (2012)
• The Way We Live Implementation Plan (2012)
• The Way We Green Implementation Plan (2013 to Council)
• The Way We Prosper Implementation Plan (under development)

In addition, the city is taking a results-based approach to aligning resources with the vision and 10-year strategic goals. Results-based budgeting is about emphasizing performance and accountability.

The following chart shows the alignment between The Way Ahead, Ways plans, and operational planning.


QUESTIONS

1. What other strategic processes are closely tied to ERM?
2. What three kinds of risks are identified within the City of Edmonton?
3. What two criteria must be balanced in a successful ERM model?
4. Who is responsible for dealing with and mitigating risks?
5. To what body must the City’s strategic risks be reported?


ABOUT THE CONTRIBUTOR

Ken Baker is ERM Program Manager for the City of Edmonton. He is responsible for developing and implementing a strategic ERM model for the city. In addition to strategic risk, he also liaises with other areas of risk management within Edmonton to find areas of commonality, to assist with project risk management, and to investigate standardization of operational risk management among city departments. Finally, he acts as mentor and subject matter expert for areas requesting ERM expertise, as well as implementation of risk management into other business planning models such as operating budgets, operating business plans, and capital plans.

Ken is a Certified Management Accountant (Alberta) and serves on the Finance Committee of the Risk and Insurance Management Society (RIMS). Prior to his work with the City of Edmonton, he was Controller at the Alberta Urban Municipalities Association, where ERM development was included in his mandate. He also held a number of accounting positions in Canada and Sweden. Ken has a bachelor of commerce degree from the University of Alberta School of Business.


CHAPTER 16

Leveraging ERM to Practice Strategic Risk Management

JOHN BUGALLA Managing Principal, ermINSIGHTS

JAMES KALLMAN Assistant Professor, St. Edward’s University

Enterprise risk management (ERM) emerged more than 15 years ago as an all-encompassing alternative to the then traditional fragmented approach to risk management. This previous disjointed style is sometimes referred to as managing individual risks in stand-alone silos or stovepipes. Risk management practitioners started to flesh out and test the theory. Early practical applications took the form of integrated risk programs that combined selected hazard risks and financial risks.1

As the ERM process was debated and matured, practitioners started to include operational risks within their portfolio. Risk registers emerged that organized the various identified risks into categories that now included hazard, financial, and operational risks. Hazard risk examples include fires, lawsuits, and strikes. Financial risk examples include commodity price volatility, inflation, and currency exchange rate fluctuations. Operational risk examples include process disruptions, compliance failures, and technology breakdowns.2

ERM practitioners began encountering internal organizational push-back because the process was inappropriately seen as (1) reactionary and (2) an unnecessary expansion of audit and compliance. Peter Drucker once stated, “The purpose of business is to create and keep a customer.”3 Recognizing the corporate imperative to grow the business, proponents of ERM postulated that they could indeed bring new utility to the process by aligning with, and supporting, corporate business goals, rather than just focusing on the downside of risk management. The methodology utilized to integrate ERM into alignment and support of overall business goals is to incorporate the ERM process into longer-range strategic planning and annual business plans. ERM practitioners added another new risk category to their portfolio: strategic risks. Strategic risk examples include social, technological, economic, environmental, and political situations that are much broader in scope and longer in impact. The expanded risk portfolio is far more vibrant because it inserts the ERM process into the growth side of the business. ERM moves from supporting only a defensive function to include a more balanced approach that supports growing the business.

The original vision of ERM as an all-encompassing alternative to traditional risk management expands if executive management utilizes the ERM process to support improved decision making to both protect and grow the business. Practicing strategic risk management requires risk-adjusted decision making.4 However, leveraging ERM to practice strategic risk management depends on executing on three different, but related, variables:

1. Executive management’s willingness to reexamine the purpose of ERM, away from purely control and compliance to a strategic function

2. Positioning and leveraging ERM within the organization to support longer-range strategic planning and annual operational business goals

3. Making risk-adjusted decisions and practicing strategic risk management by utilizing new tools and techniques to measure the value created or protected by adopting the ERM process

ERM: A REEXAMINATION OF PURPOSE

Metaphorically, ERM can be compared to a tree5 with branches growing in various directions. The enterprise risk management process has emerged from its fundamental risk management roots: preserving assets, protecting people, and complying with laws and regulations. The ERM tree developed several new branches growing in multiple directions during its initial growth period.

A standard ERM framework does not yet exist. After more than a decade of evolution, the various different national standards or artificially created frameworks and differing lexicons for marketing and commercial purposes that had existed have been reduced to two.6 There is the framework developed by the Committee of Sponsoring Organizations (COSO) and the framework and lexicon developed by the International Organization for Standardization (ISO). These two different frameworks have different DNA. The COSO sponsoring organizations are (1) the American Accounting Association, (2) the American Institute of CPAs, (3) Financial Executives International, (4) the Association of Accountants and Financial Professionals in Business, and (5) the Institute of Internal Auditors. COSO’s DNA is the financial reporting scandals of the early twenty-first century. ISO 31000:2009 is designed to be the standard principles and guidelines; it provides principles, framework, and a process for managing risk. However, actual risk management practice by a cross section of organizations indicates that hybrid frameworks are being utilized because some organizations reject strict adherence to either of the two self-proclaimed standards.7 The hybrid idea is that the best parts of both frameworks produce a more customized model that better serves the needs of an organization, such as providing a unique competitive advantage. There also is still considerable confusion over the purpose of ERM. Some organizations view ERM as a strategic function, while others still see ERM as only a control and compliance function.

Another reason ERM has lacked a uniform standard is the way commercial firms sell ERM. The marketing of ERM by professional services firms mirrors the services and product offerings that are the core business services of those firms. For example, accounting and audit firms view ERM through the lens of audit, compliance, and control, whereas insurance brokers see ERM through the supply chain lens that leads them to a range of insurance-based products. Financial institutions, such as banks, see ERM as a methodology to comply with laws and regulations. And consulting firms focus on utilizing ERM in strategy and organizational structure. Additional branches on the ERM tree have been created by other specialties such as information technology (IT), business continuity, and crisis management.

The shape of ERM within organizations is largely dependent upon which branch of the ERM tree it emerged from. The practice of ERM will be biased toward the partisan internal forces claiming ownership of the process. For example, accounting firms may place compliance at the top of the tree. In contrast, insurers put financial outcomes and statutory regulatory requirements at the top, subjugating all other actions to creating economic value. As another example, utilities place reliability at the pinnacle of the ERM tree, knowing that is their core mission.

The lowest branch on the tree closest to the base represents the earliest forms of ERM. They were called ERM programs in the financial press, but were in actuality integrated risk programs. One such program that received a great deal of attention in the financial press in the late 1990s was the United Grain Growers (UGG) ERM program.8 The fruit of this branch was creative financing of historically heterogeneous risk categories into new blended programs (i.e., volume risk combined with hazard risks). Creative financing came from aggregating these different kinds of risks into a blended multiyear basket, sometimes coupled with an exotic trigger.

Two additional limbs appeared in quick succession in 2001 and 2002. In the wake of 9/11, the business continuity planning branch emerged with a focus on disaster preparedness and emergency response planning. A renewed emphasis on physical security and system redundancy was accompanied by terrorism risk assessments, modeling of man-made disasters, and the passage of the Terrorism Risk and Insurance Act (TRIA).9 IT departments and asset managers led the way in nurturing these branches. Another compliance-related branch grew out of the Enron implosion and other issues of corporate fraud. These fiduciary breaches led ultimately to the Sarbanes-Oxley Act,10 the creation of the COSO ERM Framework,11 and passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act.12

Yet another branch in the compliance and audit family that emerged over the past few years is called governance, risk, and compliance (GRC). This branch focuses on blending the ERM approach to include corporate governance and risk management requirements from entities such as the New York Stock Exchange. This branch gains its support from audit firms and information technology providers.

As the United States embraces the general concept of sustainability, a new ERM branch has grown to include the green movement. One such branch includes John Elkington’s concept of the triple bottom lines of profit, people, and planet.13

From this perspective, ERM is seen as being more holistic about the risks faced by businesses in executing their strategies. In addition to managing variation in a business’s economic performance, this ERM approach also includes assessing the impact on social justice performance and environmental stewardship. The social justice aspect requires an analysis of how risks impact stockholders, but also customers, vendors, governments, and employees. The environmental aspect has broadened the vocabulary of ERM. Terms like cap and trade, carbon footprint, and sustainable development have worked their way into the risk management lexicon. Company stakeholders have expanded far beyond employees, owners, and customers to encompass literally the entire world.

Several years ago another new branch started to grow where the idea was that the ERM process could support the addition of new measurable value to an organization. Adherents to this philosophy view ERM as encompassing both threats and opportunities. The practitioners in this camp consider leveraging risk to take advantage of the upside of opportunities, while at the same time addressing the traditional downside of risk. While some of the opportunities identified can be transactional or product-related in nature, by and large ERM should be focused on supporting business strategies. In this way ERM can be utilized to take advantage of operating conditions by aligning business growth opportunities with agreed risk appetites and tolerances to overall organizational goals: risk-adjusted decision making. Executive management’s willingness to reexamine the purpose of ERM is the first key element toward recognizing that it is a strategic function that supports reducing the impact of adverse events and exploiting opportunities to achieve better outcomes.

REGULATORY ENVIRONMENT

The metaphoric ERM tree, like its counterpart in nature, must adapt to its environment in order to thrive. The ERM tree is growing in an environment of increased regulation by various federal agencies. Reacting to the consequences of the recent Great Recession, provoked mainly by the financial crisis of 2008–2009, the two most important new (2010) regulations (at least in the United States) affecting both the growth and practice of ERM are (1) Securities and Exchange Commission (SEC) Amended Rule 33-9089,14 and (2) the Dodd-Frank Wall Street Reform and Consumer Protection Act.15

SEC 33-9089 clearly places the oversight of risk management with the board of directors at publicly traded companies. Dodd-Frank’s Section 165 mandates the formation of a stand-alone board-level risk committee consisting of independent directors, practicing enterprise-wide risk management, and requiring a chief risk officer (CRO) within the financial sector.

More recently (January 5, 2012), the Board of Governors of the Federal Reserve proposed “Enhanced Prudential Standards and Early Remediation Requirements for Covered Companies.”16 Far more prescriptive and detailed mandates have been added to the original Section 165 that include:

• Board-level risk committees to be chaired by an independent director for bank holding companies over $10 billion, increasing the reach of the legislation to a greater number of institutions than the originally announced $50 billion

• A specific list of “Responsibilities of Risk Committee”

• “Appointment of CRO” who will report directly to the chief executive officer and board-level risk committee

• A specific list of responsibilities and actions by the CRO

The proposed “Enhanced Prudential Standards and Early Remediation Requirements for Covered Companies [R-1438],” provides not only the detailed responsibilities of the risk committee of the board of directors, but insights into just how deep the Federal Reserve is attempting to reach within the governance structure of publicly traded companies within the broader financial sector.

The requirement for a separate and stand-alone risk committee of the board of directors with a CRO, reporting directly to the risk committee and the CEO, indicates the high level of importance the Federal Reserve is giving to the implementation and administration of enterprise-wide risk management. Tearing down individual internal risk silos that inhibit collaboration and communication across the enterprise about identified risks and intelligence about emerging risks and opportunities should be a priority on the risk management agenda.

• “[T]he board proposes that covered company and over $10 billion bank holding company risk committee must be chaired by an independent director. The board views the active involvement of independent directors as vital to robust oversight of risk management and encourages companies generally to include additional independent directors as members of their risk committees.”17

• “Specifically, the Board believes that best practices for covered companies require a risk committee that reports directly to the Board and not as part of or combined with another committee.” Thus, “the proposed rule would require a covered company’s risk committee not be housed within another committee or be part of a joint committee.” In addition, “the proposed rule would require a covered company’s risk committee to report directly to the covered company’s board of directors.”18

• A separate stand-alone risk committee, not a part of or combined with the existing audit committee, is a signal or reminder by the Federal Reserve that the two committees (audit and risk) have different functions and responsibilities. The risk committee’s responsibilities are to document and oversee the enterprise-wide risk management policies and practices of the company.

The risk committee’s agenda is:

[to review and approve] an appropriate risk management framework that is commensurate with the company’s capital structure, risk profile, complexity, size, and other appropriate risk-related factors. The proposed rule specifies that a company’s risk management framework must include: risk limitations appropriate to each business line of the company; appropriate policies and procedures relating to risk management governance, risk management practices, and risk control infrastructure; processes and systems for identifying and reporting risks, including emerging risks; monitoring compliance with the company’s risk limit structure and policies and procedures relating to risk management governance, practices, and risk controls; effective and timely implementation of corrective actions; specification of management’s authority and independence to carry out risk management responsibilities; and integration of risk management and control objectives in management goals and the company’s compensation structure.19

• Appointment of a chief risk officer (CRO): “. . . in ensuring the effective implementation of a covered company’s risk management practices, the proposed rule would require a covered company’s CRO to report directly to the risk management committee and the chief executive officer.”20


As the name Dodd-Frank Wall Street Reform and Consumer Protection Act states, the law is aimed at the financial sector. However, the Act provides a model, or benchmark, of sound risk management practices that could be utilized (with some modification) in all industry sectors. The Federal Reserve model could strengthen ERM’s core trunk if it does indeed become the de facto enterprise risk management standard and migrate from the financial sector to general business. The influence of the Federal Reserve cannot be overstated, but adoption of its model by all publicly traded companies will take many more years without a specific push from regulators in other industries.

One example of how Dodd-Frank can extend the Federal Reserve model and reach, and has now done so, is the creation of the Financial Stability Oversight Council (FSOC). This group identifies and monitors excessive risks to the U.S. financial system arising from the distress or failure of large, interconnected bank holding companies or nonbank financial companies. In July 2013, the FSOC named the first nonbank financial companies considered systemically important financial institutions (SIFIs): American International Group and GE Capital. Prudential Financial, Inc. was added to the list in September 2013. These companies will now come under the supervisory standards, including examinations, established by the Board of Governors of the Federal Reserve for the first time.

LEVERAGING ERM TO PRACTICE STRATEGIC RISK MANAGEMENT

ERM is a business management support process. For several years, proponents of ERM have been advocating incorporating the ERM process into strategic and business planning to increase its utility. Their goal is to promote risk-adjusted decision making that can better assist management in addressing the outside forces (such as political, economic, technological, legislative, social, and environmental) that will cause the variations from performance or planned outcomes that will inevitably occur over a multiyear time line. Some outside forces will inhibit success, while others will improve the operating environment. The specific purpose is to reduce the impact of adverse events and be ready to exploit emerging opportunities. The challenge is adapting the ERM process within the existing strategic and business planning methodology.

The word strategy has its roots in the Greek strategos (a compound of stratos, for an encamped army spread out over ground, and agein, to lead,21 which explains its initial definition of “the art of generalship”). Strategy can be defined as a careful plan or method for achieving a particular goal, usually over a long period of time, and the skill of making or carrying out plans to achieve a goal.22 Another definition is: “A company’s strategy is a series of choices, to be effective it must remain consistent with what’s happening in its competitive environment.”23

Organizations that view the ERM process as supporting business strategies should consider positioning it where the primary goals are both to grow the business and to protect value: corporate planning (longer range) and the business units (annual). Exhibit 16.1 is a model designed by the authors that can be utilized to incorporate ERM into the strategic and annual business planning process. However, before positioning can occur, the entire organization should understand the vision, mission, and purpose of ERM. This can be accomplished by creating a formal ERM charter. The ERM charter serves as an internal blueprint for both executive leadership and middle management to follow. The optimal time to create the charter is in the ERM planning stage, before it has been implemented. The charter will set the tone at the top for ERM in one of two directions: (1) Risk management is a strategic support function, or (2) risk management is a control function. In Exhibit 16.1 risk management is a strategic support function.

[Figure: Incorporating ERM into Strategic Planning Model. Stages shown: Internal Scan; External View (PESTLE*); Risk Context; Assessment Process; Articulation; Execution. Labels in the figure: Senior Management’s Perceived Levels of Risk and Current Risk Response; Internal Audit Perspective of Controls; ERM Risk Register; Risk Perception Map**; Political, Economic, Technological, Socio-Demographic, Environmental, Legislative; Scenario Planning & SWOT Analysis; Risk Appetite(s) and Risk Tolerance Statement (What Risks Can We Take? How Much Risk Can We Take? When Do We Take the Risk? Who is Willing to Take the Risk?); Value Mapping (What Are the Measurable Benefits to Taking the Risk?); Longer Range Strategic Plan; Annual Business Plans; Risk Owners Identified; Budget Allocation and Resources.]

*From Francis J. Aguilar, Scanning the Business Environment (New York: Macmillan, 1967). **From Pedro C. Ribeiro, "Predictable Project Surprises: Bridging Risk-Perception Gaps," Ask Magazine, August 11, 2013.

Exhibit 16.1 Incorporating ERM into the Strategic Planning Process. Used by permission of John Bugalla and James Kallman, © Copyright 2013, John Bugalla and James Kallman.

The initial step comprises three internal scan elements: (1) surveying the C-suite about leaders’ current perceptions about risks and their management, (2) surveying Internal Audit about their perspectives on the current level and effectiveness of risk controls, and (3) creating an ERM risk register. The surveys will enable a comparison between the current state of risk management activities and the corresponding risk control efforts. The ERM risk register is a tool for organizing the identified risks and their internal owners.

The external view serves several purposes. It begins to incorporate the ERM process into strategic planning steps. The external view provides an opportunity to identify the outside forces that present both risks and opportunities to the organization—the two sides of the business decision coin. Coupling risks and opportunities together provides a broader and more complete view that makes for a far better assessment process and decision making. The authors have indicated some of the tools and techniques that can be utilized to complete the assessment process, including a detailed description of a new tool that is presented later in this chapter.


If the ERM and strategic planning process have been merged, the results should be seamlessly incorporated and articulated into the longer-range strategic and annual business plans. Both plans articulate how the organization will achieve its business goals. However, neither plan provides certainty that the planned performance will be achieved—analogous to von Moltke’s statement “No battle plan survives contact with the enemy.”24 The goal is to reduce the impact of adverse events and exploit opportunities to achieve better outcomes around the planned performance objectives.

MANAGING AND MEASURING VALUE CREATION

At the enterprise level, a risk identification and assessment exercise at a global company can develop a list of risks sometimes numbering in the hundreds. Such an expansive list of risks requires organization. One approach to organizing the list is to create a risk register. The purpose of a risk register is to sort the risks into categories, describe their characteristics, and rank them. Bringing additional order to a cumbersome risk register is a risk map—a kind of executive summary of the risk register in a pictorial format. A risk map is a graphical snapshot of the key identified risks—usually the top 10 risks. Including all the risks identified on a risk map would render it indecipherable.

The key question practitioners should be asking about these tools is: Who benefits from the time-consuming and expensive exercise of creating a risk register that sometimes contains hundreds of risks, and the associated risk map? If the benefit is limited to a single function, that suggests a limited and narrow purpose of the organization’s risk management program.

Traditional risk maps are insufficient for many reasons. One key shortfall is that traditional risk maps do not properly plot risks. The common objective definition of risk in risk management, finance, and statistics—“the variation from an expected outcome over time”25—includes three parameters. Traditional risk maps plot only two variables that make up the expected outcome: (1) the probability of an event and (2) the value of that loss. Rarely do they plot gains. But conspicuously missing from traditional risk maps are variation and time. All four variables must be plotted in order to provide complete information about the risks.

RISK MANAGEMENT FAULT LINE

Being in business, however, is about taking risks. Examples include expanding new product lines, investing in research and development, looking for mergers and acquisitions, and exploring geographical expansion. Organizations undertake these and other activities to grow the business. All involve taking risks. None are guaranteed successes. Managing the threats associated with taking risk is required (traditional risk management), but so should identifying and assessing the upside gain of the opportunities associated with taking those risks (speculative risk management). Measuring both the downside and the upside of risk taking in terms of a metric that is meaningful to the organization, such as earnings per share for a publicly traded company, provides a context that can be utilized to determine the type and amount of the resources needed to support the favorable outcomes as projected by the strategic planners and executive management. An additional benefit is that, by analyzing the range of possible outcomes against what was actually achieved, executive management may also gain insights into individual operational performance capabilities.

Identifying and assessing both risks and opportunities simultaneously might seem obvious, but it is atypical—at least in the first decade of the twenty-first century. One reason is that the two most widely utilized tools and techniques currently employed during the ERM risk identification and assessment process are a risk register and a risk heat map. They received their monikers for a reason. The focus of both is the perceived threats to an organization. There is no consideration of the value that could be created by taking on risks.

Academics have now spent many years researching the benefits of risk registers and risk maps.26 While it is undeniable that risk registers and risk maps do have value, our research and analysis conclude the following:

• If the organizational goal is to respond only to known, identified risks, and the ERM process is viewed as an extension of audit and compliance, then risk registers and traditional risk maps can be useful.

• If the organizational goal is to respond to known threats (risks) and opportunities, and also to gain risk intelligence about emerging risks on the horizon, a traditional risk register and risk map fall short. This is because they fail to show both the upside of risk and the relationships between events and volatility.

• If the organizational goal is to grow the business and create value for stakeholders, a traditional risk map is useless. Again, this is because risk maps fail to enable executives to see the upside of taking risks and relationships between risks, and fail to show trends.

• A new tool is required to measure both risks and opportunities—which we call a “value map.”27

VALUE MAPS

A value map is a graphical illustration of both threats and opportunities. Because threats and opportunities are two sides of the same coin, a value map also has two sides, as illustrated. Reference points have been added for valuation and measuring variation from the expected outcome. Threats are plotted on the left side of the map while opportunities are located on the right side. Rather than plotting a single point on a risk map, the value map illustrates the range of the magnitude of each threat and the potential gain of each opportunity. This is an important consideration because operational conditions during the year or years are not stagnant. A value map can also plot the time duration of risks. Some risky events occur and last for only a short period—perhaps a matter of days. Others have long tails and last for many years. Some long-lasting risks can have significant strategic importance. A value map can also plot correlations between risks. Some volatile situations are highly associated with others. For example, the threat of a patent lawsuit may have a strong link to a consequential decrease in revenues. A weather-related catastrophe may be highly correlated with the chance of personnel being injured, property damage, business interruption expenses, crisis management, and perhaps a declining stock price. These associations can be shown on the value map so senior management is fully aware of the total consequences of an event.

[Figure: value-map grid. Horizontal axis: Outcome Values, from Negative Outcomes (left) to Positive Outcomes (right). Vertical axis: Outcome Likelihood, from Low Probability (bottom) to High Probability (top).]

Exhibit 16.2 Value Map Outcomes

Exhibits 16.2 through 16.4 show how a value map differs from traditional heat maps. Exhibit 16.2 shows that the outcomes from a volatile situation are not necessarily negative. In fact, organizations take on risky projects in order to create value. The value map provides cells to record both negative and positive outcomes of business situations. These events may be investments in new products, operating a factory, or providing a customer service.

Exhibit 16.3 plots two risks in their current state. That is, the ellipses show the expected outcomes (the center of the ellipses) as well as the spread of possible outcomes. On the vertical axis, the range of possible probabilities is shown; on the horizontal axis, the range of possible values is shown. This mapping differs significantly from traditional heat maps in that for the first time the variation (the risk) is plotted. The outcome is plotted as the Cartesian product of the event’s value (on the horizontal x-axis) and its likelihood (on the vertical y-axis). This plotting of so-called expected outcomes is typical of all traditional heat maps as well. But where value maps improve on this display is in also showing the range of both inputs. These ranges are shown as ellipses. The wider (on the x-axis) the ellipse is, the greater the range of outcome values. Risk #1 in Exhibit 16.3 shows such an outcome. The taller (on the y-axis) the ellipse is, the greater the uncertainty of the outcome. Risk #2 in Exhibit 16.3 shows an example of this uncertain outcome. In contrast, a narrow and short ellipse displays an outcome that is certain in both value and probability.

[Figure: value-map grid with the same axes as Exhibit 16.2 (Outcome Values, Negative Outcomes to Positive Outcomes; Outcome Likelihood, Low Probability to High Probability). Two ellipses are plotted, labelled “Risk #1 Current State” and “Risk #2 Current State.”]

Exhibit 16.3 Value Map with Two Risks—Current State

[Figure: the same value-map grid, now with four ellipses: “Risk #1 Previous State,” “Risk #1 Current State,” “Risk #2 Previous State,” and “Risk #2 Current State.”]

Exhibit 16.4 Value Map Showing Risk Evolution

Exhibit 16.4 shows how the risks are evolving over time. There are several methods to include a risk’s time dimension. In this graph, a two-period scale is used. For example, risk #1 has not changed in its possible spread of value outcomes. However, it has become much more likely in the current state. Risk #2 changed in both dimensions. Its probability range has grown, which indicates there is much less certainty in what outcome might occur. In addition, although its values have the same spread, they are all negative in the current state. Risk #2’s situation has drastically degraded. The value map in Exhibit 16.5 shows risk correlations.
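As an added worked example (not the authors' tool or any code from the chapter), the following computes the value-map summary the text describes: the ellipse centre (expected outcome) and its spread on each axis, a two-period comparison of the kind Exhibit 16.4 illustrates, and a correlation coefficient between two risks like the patent-suit/revenue link drawn on Exhibit 16.5. All risk names, scenario values and likelihoods are constructed sample data.

```python
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class Scenario:
    """One possible outcome of a risk: its value in the organization's chosen metric
    (negative = loss, the threat side; positive = gain, the opportunity side) and the
    estimated likelihood of that scenario."""
    value: float
    likelihood: float


@dataclass(frozen=True)
class Ellipse:
    """A risk's value-map ellipse: centre = expected outcome (value, likelihood),
    width = spread of outcome values, height = spread of likelihood estimates."""
    center_value: float
    center_likelihood: float
    value_spread: float
    likelihood_spread: float
    side: str  # "threat", "opportunity", or "both" when scenarios straddle zero


def value_map_entry(scenarios):
    """Summarise a risk's scenarios as the ellipse a value map would draw."""
    if not scenarios:
        raise ValueError("a risk needs at least one scenario")
    values = [s.value for s in scenarios]
    liks = [s.likelihood for s in scenarios]
    if any(not 0.0 <= p <= 1.0 for p in liks) or sum(liks) == 0:
        raise ValueError("likelihoods must lie in [0, 1] and not all be zero")
    total = sum(liks)
    # Centre: likelihood-weighted expected value on x, mean likelihood on y.
    center_value = sum(v * p for v, p in zip(values, liks)) / total
    center_likelihood = total / len(liks)
    if max(values) < 0:
        side = "threat"
    elif min(values) > 0:
        side = "opportunity"
    else:
        side = "both"
    return Ellipse(center_value, center_likelihood,
                   max(values) - min(values), max(liks) - min(liks), side)


def describe_evolution(previous, current, tol=1e-9):
    """Two-period comparison of one risk: which dimension of its ellipse moved."""
    notes = []
    if abs(current.value_spread - previous.value_spread) <= tol:
        notes.append("value spread unchanged")
    else:
        wider = current.value_spread > previous.value_spread
        notes.append("value spread " + ("wider" if wider else "narrower"))
    if current.center_likelihood > previous.center_likelihood + tol:
        notes.append("more likely")
    elif current.center_likelihood < previous.center_likelihood - tol:
        notes.append("less likely")
    # A taller ellipse (wider likelihood range) means less certainty about the outcome.
    if current.likelihood_spread > previous.likelihood_spread + tol:
        notes.append("less certain")
    elif current.likelihood_spread < previous.likelihood_spread - tol:
        notes.append("more certain")
    if previous.side != current.side:
        notes.append(f"moved from {previous.side} to {current.side} side")
    return notes


def pearson_r(xs, ys):
    """Pearson correlation coefficient; raises if either series has no variation."""
    n = len(xs)
    if n != len(ys) or n < 2:
        raise ValueError("need two equally long series of at least two points")
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        raise ValueError("correlation is undefined when a series is constant")
    return cov / sqrt(vx * vy)


def risk_correlation(risk_a, risk_b):
    """Correlate two risks' outcome values across the scenario labels they share
    (the r values drawn as links between ellipses on a value map)."""
    shared = sorted(set(risk_a) & set(risk_b))
    return pearson_r([risk_a[k].value for k in shared],
                     [risk_b[k].value for k in shared])


# Constructed sample data (not from the chapter): values in cents of EPS.
RISK1_PREVIOUS = [Scenario(-40, 0.125), Scenario(-10, 0.25), Scenario(20, 0.125)]
RISK1_CURRENT = [Scenario(-40, 0.5), Scenario(-10, 0.625), Scenario(20, 0.5)]
RISK2_PREVIOUS = [Scenario(-10, 0.25), Scenario(10, 0.375), Scenario(50, 0.375)]
RISK2_CURRENT = [Scenario(-70, 0.125), Scenario(-50, 0.5), Scenario(-10, 0.75)]
# Two risks keyed by a shared scenario label, echoing the chapter's patent-suit
# and revenue example (figures constructed).
PATENT_SUIT = {"dismissed": Scenario(0, 0.5), "settled": Scenario(-15, 0.3),
               "lost at trial": Scenario(-60, 0.2)}
REVENUE = {"dismissed": Scenario(5, 0.5), "settled": Scenario(-10, 0.3),
           "lost at trial": Scenario(-40, 0.2)}

if __name__ == "__main__":
    for name, prev, cur in (("Risk #1", RISK1_PREVIOUS, RISK1_CURRENT),
                            ("Risk #2", RISK2_PREVIOUS, RISK2_CURRENT)):
        e_prev, e_cur = value_map_entry(prev), value_map_entry(cur)
        print(name, e_cur, "; evolution:", ", ".join(describe_evolution(e_prev, e_cur)))
    print("r(patent suit, revenue) =", round(risk_correlation(PATENT_SUIT, REVENUE), 2))
```

With these constructed inputs Risk #1 keeps its value spread but becomes more likely, and Risk #2 becomes less certain and moves entirely to the threat side, matching the two cases the text walks through.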

[Figure: value map with Impact on the horizontal axis (Negative Outcome on the left, Positive Outcome on the right, each graded high/med/low) and likelihood on the vertical axis (low/med/high). Risks #1 through #4 are plotted; a link between Risk #1 and Risk #2 is labelled r = .23, and a link at Risk #3 is labelled r = .85.]

Exhibit 16.5 Value Map Showing Risk Correlations

ADDITIONAL TOOLS AND TECHNIQUES

Making risk-adjusted decisions and practicing strategic risk management by utilizing new tools and techniques to measure the value created or protected by adopting the ERM process is not limited to value mapping. Risk managers now have multiple options that, depending on the potential impact to the organization and its executive management and the level of complexity, could be employed to improve the quality of their decisions. These tools can be quite sophisticated, and might require outside experts to facilitate a specific project, especially strategic issues that could be a destiny-determining event for the CEO. One example is game theory. Especially useful in situations involving outside suppliers, competitors, and regulators, game theory can provide insights and recommended courses of action about the various players’ interests and options. If there are multiple players involved in complex negotiations, competitive strategy, crisis management, and public policy, game theory can be utilized to develop specific strategic and tactical options.

CONCLUSION

Risk management is evolving from focusing only on the downside of risks to a far broader understanding that strategic decisions have the potential of producing both downside and upside outcomes. By employing the ERM process at the strategic planning level, the organization has a far greater chance of exploiting opportunities that may arise during a typical multiyear planning cycle. Likewise, the organization has a greater chance of protecting organizational value when adversity strikes. However, to enable the organization to adopt and adapt the broader view of enterprise risk management and use the ERM process to practice strategic risk management, executive management must:

• Reexamine the purpose of ERM within the organization.

• Position and leverage ERM into strategic planning to support business goals.

• Utilize value maps to measure the value created or protected as a consequence of practicing strategic risk management.

One way to start or reignite the ERM process within an organization is to create or redraft an ERM charter. The charter should set forth a vision, mission, and purpose of ERM within the organization as a strategic function. To ensure that all levels of management are speaking a common language when it comes to risk, greater clarity will be attained by including a definition of ERM, risk, and strategic management within the charter; then utilizing modern risk registers and value maps will enable executives to better achieve their strategic goals.

QUESTIONS

1. Do you believe that ERM will continue to evolve, and if so, how?

2. Do you believe that risk is a two-sided coin with both upside gains and downside losses?

3. How is value measured in your organization and do you believe the ERM process can add new value?

4. Besides risk maps and value maps, what other tools and techniques are available to manage risk and make risk-informed decisions?

NOTES

1. One of the first integrated risk programs to be labeled ERM was United Grain Growers. It combined selected hazard risks such as general liability and property with a selected economic risk (grain processing volume). (See Chapter 7 of this book.)


2. Torben Juul Andersen and Peter Winther Schroder, Strategic Risk Management Practice (New York: Cambridge University Press, 2010).

3. Peter F. Drucker, Goodreads.com.

4. A good discussion of strategic risk management can be reviewed at the Risk and Insurance Management Society (RIMS) website and others. For example, see www.rims.org/resources/ERM/Pages/StrategicRiskManagement.aspx.

5. John Bugalla, Barry Franklyn, and Corey Gooch, “Climbing the ERM-Enterprise Risk Management Tree,” Risk Management, May 2010; and National Law Review, www.natlawreview.com/article/climbing-erm-enterprise-risk-management-tree.

6. The two major frameworks are ISO 31000, accepted in approximately 25 countries, and COSO, which is mainly utilized in the United States. Other frameworks include those created by AS/NZ 4360 and the Conference Board of Canada.

7. For a discussion of the benefits and disadvantages of ERM standards, there are many articles; for example, see www.niso.org/workrooms/ermreview, www.coso.org/documents/coso_erm_executivesummary.pdf and www.theirm.org/ISO31000guide.htm.

8. See “United Grain Growers Limited (A),” Harvard Business School Case Study 9-201-015, June 11, 2001.

9. For the full Terrorism Risk Insurance Act of 2002 Reauthorization Act of 2013, see http://beta.congress.gov/bill/113th/house-bill/508.

10. To read the full act, Public Law 107-204, July 30, 2002, see www.sec.gov/about/laws/soa2002.pdf.

11. www.coso.org/-erm.htm, accessed December 8, 2013.

12. www.sec.gov/about/laws/wallstreetreform-cpa.pdf, accessed December 2013.

13. www.johnelkington.com/activities/ideas.asp, accessed December 8, 2013.

14. To read the full rule see: www.gov.rules/final/2009/33-9089.pdf.

15. See www.sec.gov/about/laws/wallstreetreform-cpa.pdf.

16. Federal Register, January 5, 2012.

17. Ibid.

18. Ibid.

19. Ibid.

20. Ibid.

21. Lawrence Freedman, Strategy: A History (NY: Oxford University Press, 2013).

22. www.merriam-webster.com/dictionary/strategy.

23. John R. Wells, www.exed.hbs.edu/assets/Documents/wellsQAsa11.pdf.

24. Helmuth von Moltke, Field Marshal, German military strategist.

25. Stephan R. Leimberg, Donald J. Riggin, Albert J. Howard, James W. Kallman, and Donald L. Schmidt, The Tools & Techniques of Risk Management & Insurance, 2009 supplement (Cincinnati, OH: National Underwriter Co.), 8.

26. Examples of the benefits of risk registers and risk maps include www.interrisk.com.au/wp-content/uploads/2012/09/Risk_register_September2012.pdf, www.google.com/url?sa=tTMrct=jTMq=TMesrc=sTMsource=webTMcd=7TMved=0CFUQ FjAGTMurl=http%3A%2F%2Fwww.qrc.org.au%2Fconference%2F_dbase_upl%2F,Cri tical_Control_Risk_Registers.docTMei=zCemUvrvG6Xr2QXEhoFITMusg=AFQjCNFWX ZqE8_kS9HA9aK9NZQskOEkpOQTMbvm=bv.57752919,d.b2I, and http://blog.lrenergy.org/the-benefits-of-an-effective-risk-management-process/.

27. John Bugalla and Dr. James Kallman, “How to Map Your Risks,” CFO.com, February 2013.

ABOUT THE CONTRIBUTORS

John Bugalla is Principal of ermINSIGHTS, an advisory and training firm specializing in enterprise risk management and strategic risk management. His experience includes 30 years in the risk management profession serving as Managing Director of Marsh & McLennan, Inc., Willis Group, Plc., and Aon Corporation before founding ermINSIGHTS. He led the Willis team that negotiated the integrated risk program on behalf of United Grain Growers. He is the author or coauthor of numerous articles in diverse publications such as The Corporate Board magazine, CFO magazine, the National Law Review, Credit Union Management magazine, Risk Management magazine, the Journal of Risk Management in Financial Institutions, and the Journal of Risk Education.

James Kallman is Assistant Professor at St. Edward’s University, Austin, where he teaches courses in finance, statistics, and risk management. Dr. Kallman holds a doctoral degree and master’s of science degree in risk management and insurance from the University of Wisconsin, a bachelor of science degree from the University of Minnesota, and an Associate of Risk Management and RIMS Fellow degree. He is author or coauthor of numerous articles in diverse publications such as The Corporate Board magazine, CFO magazine, Risk Management magazine, Journal of Risk Management in Financial Institutions, and the Journal of Risk Education.


PART IV

Specialized Aspects of Risk Management


CHAPTER 17

Developing a Strategic Risk Plan for the Hope City Police Service

ANDREW GRAHAM
Adjunct Professor and National Editor, Case Studies, Institute of Public Administration of Canada, Queen’s University

Hope City is a midsize urbanized community, part of a larger conurbation and therefore part of larger and more complex forces. It is changing in terms of demographics and the demands on policing. While there is no central crisis in this case, there are a number of disturbing trends that represent risks to the Police Service business model now in play and to the ability of the Police Service to meet the emerging needs of its community.

The Hope City case is one that forces integrative thinking about risk management. It is a holistic set of facts and information designed to lead to the creation of a strategic risk management plan for the Police Service of Hope City. It is centered on the qualitative and impressionistic assessment of risk, rather than the quantitative. Therefore, coming to an assessment of the risks in this circumstance and rendering them relative weights will entail some form of collective, consensus-driven or centrally driven exercise. Further, aside from being a good platform for the effective assessment of risk and the assignment of weights, it is also useful when linked to the creation of a strategic or action plan for the Police Service as a whole. The case lends itself well to group work as well as written analysis.

THE CONTEXT

Like most police services, the Hope City Police Service is a busy place. There is no end of activity. Chief Karl Paulson has been in the job for 10 months now and feels that he is getting a handle on the culture and way things are done around Hope City. He came in from another service. This is his first job as chief, although he has held both operational and planning roles at the deputy level elsewhere. He finds working in a growing community of 500,000 like this one interesting. However, at the end of the day, while he fits in fine, he still does not feel in control of things. Being a good police leader and being used to rapidly changing time and resource priorities, he can certainly fit into the “What’s next?” approach to management. He feels he and his organization are adept at responding and adapting to both operational challenges and changing situations. But is that what it is all about? He is also seeing some changes happening that he is not sure the Police Service is ready for.

Hope City is indeed a growing and changing place. It is situated not far from a larger metropolitan area, one that gives a lot of employment to Hope City residents. In fact, about 20 percent of the Hope City working population commutes the 50 to 75 kilometers every day by way of the multilane highway that passes just west of town, the commuter rail link into downtown Benville, or the commuter bus systems. The others work in the large service sector or the many secondary manufacturing plants on the west side of the city. There is also a community college with extensive programming that employs about 500 people. It really is a regional hub, one that Hope City residents are proud of. Right now, as this community grows and changes, there is a lot to be optimistic about for the future. On the other hand, the more the community changes, the more that future changes. Having been a small city with a homogeneous population and relatively isolated for a long time, it is now becoming part of the growing conurbation around Benville.

Taken at first blush, Hope City seems to be doing well. There is growth in residential and commercial construction as the result of an influx of new workers into the high-tech industries that are growing here. Many of these new workers are new Canadians, often well educated, some of whom come through family sponsorships. They have settled primarily in four communities in Hope City, often forming fairly close-knit communities. New services are arising to meet their needs, although schools, churches, and social organizations are at capacity.

Working with the notion that it is always best to get ahead of issues before they get ahead of you, Chief Paulson decided to pull together his top managers for a planning session and a bit of a look forward. He is allergic to flip charts, consultants, and detailed reports that do not get used. However, he wanted to not just be a good day-to-day chief, but to set the future direction of the Police Service as well. He also had an uneasy feeling that the Police Service needed to get a handle on the challenges that it was facing, develop a better understanding of the communities it was serving, and get a bit savvier on the political developments in the area. All this was also part of his desire to bring along a number of top-notch operational commanders and broaden their perspective so they could take on more senior roles. Paulson clearly wanted to move to becoming a strategic leader.

The Chief decided to get some help on an environmental scan. He was able to get the help of an old colleague (a consultant) who had retired from a senior police job (not in Hope City) and was known for her ability to talk to people. He asked her to do some interviews in preparation for the senior staff retreat. Her mandate was to gather information and impressions that would help the senior management team identify its challenges and risks. What follows is the result of those interviews.

SOME BACKGROUND ON THE HOPE CITY POLICE SERVICE

The Police Service Board is made up of seven people who meet regularly with the Chief. Board members are appointed under the provincial legislation as a mix of provincial and municipal appointees. Two Hope City Council members sit on the board. Membership tends to turn over every four years, with some continuing members serving more than one term. It is this current board that hired Chief Paulson after an executive search process. The board has a legislated responsibility to oversee the direction of the Hope City Police Service, set broad policy and strategy, and monitor the performance of the chief. It has the power to hire and fire the chief.

The Hope City Police Service deployed 790 police officers and 267 civilian members and responded to more than 85,000 calls for service during 2010. Its operating budget for 2010 was $129,600,000. The area covered is 1,382 square kilometers, serving a population of 508,000. The police also have an active volunteer program with 250 volunteers, plus 64 auxiliary officers.

Hope City is governed by a municipal council and mayor. The Police Service is part of the mandated municipal services. Hope City views the Police Service as a department of the city and budgets for it in that manner. This creates some friction, as the police chief reports formally to the Police Service Board, not the city. However, in reality, the chief must also work with the city, most notably the mayor and the Chief Administrative Officer (CAO). Formal and informal lines cross frequently, and it requires a certain measure of diplomacy, tolerance, and restraint to make the system work. Generally, it does until the budget crunch, an annual event. The police budget is a significant portion of Hope City’s budget. For 2010, policing will take up 22 percent of the total municipal budget. While these costs are supported generally and there is broad City Council backing of good policing, the city chafes at how little it actually controls these costs. The budget is set by the Police Service Board, and the City Council feels there is little incentive to restrain growth. Further, if there is a disagreement, the board can appeal to the province. Generally, the police win if there is a showdown. However, the process can be messy and leaves a lot of bad feelings.

As a first step in the process of reaching a strategic plan, the work of the consultant began with interviews of key players. What follows is the result of those interviews.

WHAT THE CONSULTANT HEARD

In setting up the interviews, all those canvassed were informed of the purpose by the consultant: to help the Hope City Police Service develop a strategic plan. What follows is the report offered to the Chief at the end.

The following groups of people were interviewed:

• Chief and all direct reports
• Association president
• Chair, Police Service Board
• Chief Administrative Officer, Hope City
• Chair, Hope City Chamber of Commerce
• Citizens against Racism Community Group
• President, East End Residents Association
• Hope City Citizens for Responsible Government

Chief Administrative Officer of the City

In practical terms such as the formal budget, the Police Service is a department of the city. Therefore, the CAO has responsibility for it. This is clouded by the role of the Police Service Board, a provincially mandated oversight body. This is part of the municipal reality of the province, and the CAO is no stranger to it. However, the dynamic can sometimes create amazing tensions. His first concern about this interview was what this plan would look like in relation to Hope City’s plans. However, he also realizes that working together is ultimately smarter than working apart or at odds. So, he weighed in.

The CAO noted that the demographic shift in Hope City has only just begun. In spite of the lack of some services for recent arrivals, new residents still keep coming. He sees some distinct ethnic communities as growing and developing their own infrastructures and identities. Housing starts, especially for townhouses and apartments, are growing. There has also been an increase in the number of youths in these communities. Birthrates in these ethnic communities are generally higher, and there is evidence of that already. In some of the schools in those areas, the majority is now from these recently arrived families. This is creating pressure for more schools and also adjustments in school programming. The issue of English as a second language among the older cohorts of these groups is emerging as a service issue. They hardly use the 311 civic services line.

When asked about city plans that might affect police, the CAO noted that several new major subdivisions were in the works or already approved. The Police Service will have to expand to provide adequate policing to those expansion areas. He recognizes that this will stress resources to adequately police these areas. He was not certain if the development charges1 would adequately cover the cost of the increase needed for public services. He thought that the Police Service needed to factor this into its capital planning; for example, would a new station be needed? His concerns extended to question whether the emergency services communications infrastructure was going to be sufficient.

The high-use stress on highway infrastructure will mean construction on both of the two main north–south routes over the next two years. There will also be work on downtown main streets, including a long-term restoration of the main city square through which most of the downtown traffic now is routed. The CAO was concerned whether police were up to speed on the implications. This involves work by both the city and the province.2

The CAO noted that several city councilors want to develop a new strategy for the downtown core, which is plagued by many of the usual problems of lower retail presence, some gang activity, and certainly a general degradation. He feels the Police Service needs to come up with some cost-effective safe street strategies or face pressure from both the City Council and neighborhood groups along with retailers. There is certainly a desire to get more condo development downtown.

It was hard to keep the CAO off the issue of money in general. He feels that, while the Police Service takes up a major portion of the municipal budget, there is very little he can do about affecting what it will look like. The City Council does not feel there is adequate control either at the budget time or as the budget is managed over the year. Of course, the City Council theoretically has ultimate control over the budget, but it often feels it is being handed a fait accompli and that the Police Service Board and the Chief are not really team players, willing to take their hit along with the others. Whether it is the Police Service Board or the Chief, he does not know, but he feels left out of the loop and is often surprised at budget time. He feels it would be easy to say that the budget is too high and that the police get theirs while other services suffer, but he is more annoyed at the process than opposed to good policing. One example he cited was the number of years that overtime budgets had been exceeded, forcing a return for funding to the City Council. He could see one or two years and for exceptional circumstances, but he sees a pattern of poor management here—his words. He also noted that this preceded the current chief, but he has not seen much sign of any change. Also, he believes that the policing model, as he calls it, will only drive costs up more. Why are the Police Service Board and the Chief not pushing new ways of doing things?

The CAO also noted that, while there were Provincial Adequacy Standards for police, Hope City did not appear to be following all of them. For instance, he noted that the Police Service did not have a business plan. He thought that would go a long way to making it more credible. He also had a few figures at hand, based on a comparison of most of the cities in the province:

• While the provincial clearance rate3 on violent crime was about 74 percent, Hope City’s was only 53 percent.

• While the provincial median for total crime rate was 5,900 per 100,000, in Hope City it was only 5,300.

He asked how these two facts squared. If you have a lower crime rate, surely you should expect a better clearance rate.

The CAO was concerned that the increase in cross-jurisdictional police teams would lead to problems of financial control. He observed that Hope City had been a big player in the recent regional efforts on biker gangs that the province led. He noted, however, that there seemed to be a disproportionate number of resources devoted to this and very little compensation from the regional funding that was available from the province. He worried that there was not good costing and an aggressive effort to recoup funds to pay the bills. He also wondered about tracing costs and responsibilities for such horizontal-type work. Although he noted that he was no expert on these issues, he also pointed out that quite a number of municipalities across the country are complaining about what they see as the federal downloading of costs for policing in new crime areas such as terrorism and cyber crime.

Chair of Police Service Board

The chair of the Police Service Board is appointed by the province for a three-year term. This is her second term and probably her last one.

At the outset, she expressed strong confidence in Chief Paulson and his management team. She felt there was a good working relationship, at least at the level of meetings and sharing information on current issues. She did have some reservations about the capacity of the Police Service to adapt, especially around emerging crime patterns, policing methods, and the changing population profile. She reported on what she sees happening in Hope City and the police’s role in it.

Like the CAO, she sees the city changing. While she sees the rise in ethnic groups, she also sees parts of the city being nothing more than commuter subdivisions. The ones closest to the arterial roads seem to be deserted or ignored as far as active community policing goes. She also notes how there is a lack of community resources and activities to keep youths out of trouble.

She feels that the issues of rising youth crime, vandalism, and drug use are not getting the attention they deserve. She even disputes a lot of the public opinion poll results, saying that these numbers are general and not community based.

The chair is worried about succession planning for the Police Service. She sees an aging service with a lot of senior people ready to retire. More important, as far as she is concerned, she also sees that a lot of seasoned street-wise officers are leaving. She sees this as two issues, not one. In fact, she thinks the loss of street experience is more of a concern than the loss of managers. She also cites the inspector ranks with long experience in areas such as homicide who will be leaving soon. She notes that the rank below this, staff sergeant, is a small cohort populated by “a bunch of guys the same age as the bunch of guys they report to.”

Generally, the Police Service Board feels that Chief Paulson tries to provide the information that is needed for the board to function well. She feels that he is overly protective of his operational role, insisting, for instance, on being the only senior officer to appear before the board. While the board members have plenty of informal interaction with line command staff, they seldom see them performing in a formal way. They miss out on seeing what their potential is. She feels that it is a lost opportunity not to use the board to profile senior staff accomplishments. The Chief argues (not aggressively) that he would rather his command group spend their time on operational priorities and he would handle external relations. The board members’ view is that they are not external.

The budget is a concern of the Police Service Board. The board supports the need for the best resourcing, but feels that the lack of a long-term perspective, especially for big-ticket items like computer systems and vehicle replacement, always puts them in opposition to the City Council. The board is responsible for setting the budget, but worries about whether the Police Service knows what it will need in the longer term to be sustainable. No matter what anyone says about who is responsible for what, the board needs the chief’s advice in these areas. The board is concerned about the level of good professional advice on the financial and administrative side. The board feels it is often surprised by budget requirements. Board members are also aware that this surprise and its negative consequences are something the City Council and city staff note about the Police Service.

She feels the police are responsive and professional. However, they are not as active in pursuing preventive measures generally associated with community-based problem solving as they might be. To date, she sees only token efforts; for example, even the community liaison officers, it would seem, are appointed only as a break from their car and street duty, and not with a strong mandate. She has also become aware of the move in some Canadian and American communities toward what is called intelligence-led policing, which is the application of computer analytics to both crime and police contact information to better understand trends, hot spots, and key priorities. She has seen demonstrations of this and was impressed.

She also pointed out that the growing ethnic communities have little formal or informal contact with the Police Service. In fact, the gulf appears to be widening. She pointed to the number of comments that some ethnic community leaders make to the press about police insensitivity, even though she has no evidence of it. She wonders what the Police Service actually knows about these communities and what crime potential they pose (e.g., terrorism).

The chair wonders how well some hot spot issues are being addressed. For instance, she noted that some neighboring communities had developed aggressive antigraffiti programs to increase community mobilization. She did not think that the Police Service had to do it on its own but should be open to partnerships.

The chair felt that Chief Paulson was open to the public, but that the Police Service as a whole was not as active in such matters as consultation and outreach as it could be. She worried that the ethnic changes in Hope City had left the Police Service behind. Further, she often gets complaints from business groups that they are not being heard by the police, especially around issues of graffiti, and also youth in the downtown area who are intimidating seniors who shop there.

Finally, she cited the relatively poor performance of the Hope City Police Service in comparison with other services, based on the Provincial Adequacy Standards program that uses performance data to compare services. She noted deterioration in some response time issues and the number of uncleared major crime cases. “I’m not one to proclaim we are the best. But it is not exactly satisfying proclaiming we are happily stuck in the middle.”

Interviews within the Police Service

A number of trends emerged from these interviews. First and foremost was the aging workforce challenge. It appears that recruitment is not keeping pace with departures, or rather, while there was a good intake, the promotion rate was not keeping up. Further, the Police Service is losing some valuable organizational know-how without doing anything about it, in terms of either retention or knowledge transfer. The expression “too damned busy” kept cropping up. The other factor, given that Hope City was in a cluster of urban development with similar services in nearby cities, was the theft of up-and-coming officers by other services. It was felt that Hope City had a good reputation for training new officers but then lost them to other services. There have been a lot of successes, too, in terms of transfers in and promotions. It just seemed to be taking a lot more time staying on top of things. The transaction costs of this churn were considerable.

Several senior officers expressed concerns about emerging crime issues. Some were evident already. Some may or may not be on the horizon. For instance, computer pornography and child exploitation seemed to be on the rise. There was some notion that some is based in Hope City although there was no firm evidence to confirm this. Certainly, at this point the Police Service did not devote many resources in this area. Some officers had become more skilled in this area, but the Service had yet to move on creating a unit devoted to investigating child pornography. On the other hand, the concern about the potential for the development of terrorist-type activity in some of the newly opened ethnically focused private schools was an issue. Senior staff members were very worried about this in two ways. If they focused on it too much, they might be accused of profiling and lose any hope of building the intelligence and confidence links they needed with emerging ethnic communities. If they did not take some reasonable steps to inform themselves of the kind of new policing challenges the world was bringing to their doorsteps, they would be negligent in active policing.

As a summary, the following crime rate trends were recorded:

• Generally following national and regional trends but rates slightly lower than the provincial patterns
• Overall decrease in the number of crimes, especially assaults on persons
• Decrease in homicide and related crime
• Slight increase of sexual assault, in isolated areas
• Decrease in robberies
• Increase in car thefts but a shift from individual thefts to more systematic patterns, suggesting a more organized approach
• Increase in credit card fraud
• Sharp increase in complaints or inquiries about identity theft with no real pattern emerging in the statistics
• Youth-on-youth assaults up, especially in a number of both ethnic and nonethnic housing projects that have police presence but little interaction with the community
• Increase in hate/bias crimes and complaints—full range from graffiti to personal threats
• Sharp increase in illegal ATM bank entries with a strong suspicion of organized crime involvement

More and more of the budget and management time are going to the information technology (IT) infrastructure. While direct entry from patrol vehicles has been in place for a couple of years now, it is mostly used by officers to download information that is already on the system rather than for direct input from their cars and station points. Summary data on contacts that would establish patterns of interaction, most notably among gang members and between gangs, is not yet regularly input. Further, the ability of Hope City to go anywhere on a COMSTAT4-type information management system is very low. Senior staff receive crime statistics on a weekly or monthly summary basis. The roll-ups are always questioned because of the amount of so-called dirty data they contain. This may also be why Hope City looks so bad in comparison with others. On the other hand, there was resentment of the amount of time that these administrative matters took. Reports and paperwork seem to have precedence over face time and street presence. Chief Paulson and his deputy were certainly aware of emerging technology trends, but to date there has been little internal interest in trying them out. This contrasts with one neighboring police service that has gone full tilt on geospatial intelligence analytics. This positions crime patterns onto maps to link trends to location. It also drives resource distribution.

Senior service personnel felt that they had real strengths in the area of joint task force work and collaboration with other police services. They pointed with pride to their major contribution on the recent biker initiatives, which saw several of the key biker houses or chapters closed down as well as some important arrests. They felt that they were not encumbered by a “my turf or else” mentality. They saw this as a plus for the line officers who got to work with counterparts. They also saw it as a link to public security issues at the national level, such as the protection of critical infrastructure that the bikers had targeted for copper wire and electricity diversion for grow operations.

President of the Police Association

The president had a lot of praise for Chief Paulson and his personal openness. However, she felt that this was personal and that it was not being pushed into the senior ranks. She also felt that most consultations were a joke, usually more of an announcement than a real effort to consult, which should involve, in her view, actually asking for and listening to the other party’s opinion.

In general, working conditions were good for most of the officers. She noted that one recent survey of sworn officers indicated that 60 percent reported they had enough time to do their work. She was surprised at that.

The president felt that the Police Service was like all the rest—mostly white men—at a time when society was changing. However, she acknowledged that there were no ready answers and that she would speak for all her members, even the white men. However, the hiring practices should beef up recruitment of minorities, but without sacrificing standards. She has a personal focus on harassment in the workplace and had personally filed complaints about inappropriate sexual comments by senior staff.

The Police Service just seems to be keeping up to the minimum of training requirements. It is always scrambling to meet standards without thinking about staff development. As such, there is a rush for the mandatory training and very little else. She feels the Police Service should be working harder on such issues as diversity awareness, use of technology, and emerging crime issues. Often the younger staff members are way ahead of the senior people on computer crime, but their capabilities are never used.

The president doesn’t feel that the Chief does enough to build up the image of frontline staff. He is too quiet with the media and seems to be responsive but not proactive on issues. He seems cautious in defending officers when something goes wrong. He should be more aggressive.

While she has been with the Police Service for 12 years, the president says she feels like an old-timer. That’s because she is. She is worried about the influx of younger officers who lack experience. She is also seeing promotions much earlier in people’s careers than in the past. She supports the members getting ahead, but all this change can destabilize the Police Service. She sees management as responsible for making sure that these people succeed.

Chair of Hope City Chamber of Commerce

Members of the Hope City Chamber of Commerce, too, are noticing the changing face of Hope City and are concerned that the Police Service is not intervening before things get out of hand. They know from their own surveys that many people are retiring there to get out of the big city, and young families want a safe community in which to raise their families. The problem is that some of the harbingers of big city youth issues are just beginning to surface—things like graffiti and increased vandalism—and the chamber of commerce feels that the police are not taking an aggressive enough approach to the problem.


In fact, the chamber of commerce is looking at increasing its use of private security firms and will ask the city to deduct some of these costs from the Police Service budget—the chamber members are that upset. They want a more visible presence and a more serious arrest policy, not just giving these young criminals a talking-to and a ride home.

The chamber of commerce invests a lot of energy into promoting the city as safe, and encouraging folks to come downtown for shopping and other social activities. If people begin to feel threatened, business will suffer. The chamber is seeing this in a number of instances in the downtown core.

In addition, the chamber of commerce is concerned about upcoming road construction and traffic diversion projects that will disrupt shopping patterns and the routine functions of businesses. At this point, time lines for construction, both the “when” and “for how long,” have not been firmly set, or if set, not communicated to the chamber. Chamber members wonder about the challenges of policing business areas that have closed or impeded roads. In particular, they are concerned about the increased likelihood of vandalism and other crimes in these areas, and the likelihood of longer response times by police to emergency calls from businesses there. They feel that they have not been adequately consulted by the city or adequately reassured by police as to what steps will be taken to mitigate potential problems arising from the major traffic disruptions that are anticipated.

Editor of the Hope City Telegraph

The editor expressed the view that overall the Police Service is run well but not very much in line with more modern views of community involvement. The Chief does not often volunteer to speak with the press but waits to be asked. As a result, not too many of the key newspaper reporters and editors know him or his deputies very well. In other cities, chiefs and deputies have adopted a more proactive approach and are coming to the press with news and issues—not just the usual press release stuff designed to make them look good.

Situating his paper as a watchdog over municipal spending, the editor noted that the Telegraph frequently takes issue with growing municipal expenditures, of which police expenditures represent an ever-increasing portion. In particular, he noted that overtime expenditures appear to be out of control, and that the annual ritual of demanding extra money to cover these growing costs suggests that the police budget needs a major overhaul (i.e., better forecasting and more controls).

Citizens against Racism Community Group

The informal leader of this group reported that she feels that the Police Service is often too quick to pick on visible minority youths and men. She does not feel the police are in tune with modern Canadian society, and wants to see a lot more visible minority officers, as well as mandatory diversity training for officers.

She stated that some of the group’s members are getting very upset with this perceived racism and are ready to make this an issue for the courts. They are talking about civil suits and lots of media interviews. She also admits that they have no real data on which to base their conclusions but they know racism when they see it—and it is clearly in the Hope City Police Service culture. She wants to see fewer arrests of young people and more diversity.

While complaining of police heavy-handedness and racism, she noted that some communities with large ethnic populations are seeing little or no police presence in spite of increased complaints from residents about growing youth problems, including vandalism, noise, and assaults. When pressed on how this increase was recorded, she indicated that this is anecdotal, as many ethnic groups are reluctant to seek formal police help through 911 or even 311. Presumably, she would like any increased police presence to occur in the person of visible minority officers.

Moreover, as an alternative to increased policing to deal with youth problems, she put forth her group’s position that more of the city budget should be going to community-based groups to establish recreational and social programs for young people. She does not view the police as a potential partner in this process. In fact, she and her supporters are actively working with other community groups to make sure they get a bigger piece of the pie and the police get less. They are also actively lobbying city councillors, many of whom she feels seem to be agreeing with them. She intends to make this case to the mayor and CAO before the next budget talks occur.

East End Residents Association

The president of the influential East End Residents Association stated that its members have been campaigning for the past two years for the police to address traffic problems arising from rapid growth in their part of the city. The association identifies traffic control as the number one policing issue in the city. While the number of vehicles has increased dramatically, road construction has not kept up. What were once rural roads are now used as arterial connectors leading to Benville, or to the expressway ramps to Benville. During commuting hours these roads are often totally gridlocked. Impatient and aggressive drivers add to the problem, and because these roads do not have sidewalks or large shoulder areas, pedestrians and bicycle riders are increasingly at risk.

Further, where there is road construction—and there has been lots of it this year—there seems to have been very little planning on how best to keep traffic moving safely and fluidly, especially to allow the movement of ambulances and fire trucks. The association president maintained that when traffic completely bogs down, particularly at minor accident sites or intersections where lights are out of commission, there is rarely a police presence to sort it out.

The association president complained that he and some of the association’s members have met with community police officers on these and other issues, including increased youth crime, but feel that these officers are not really committed to the exercise and/or have no real power. The president confided that his perception is that community policing officers seem to be “on sabbatical” (i.e., taking a break from real policing) rather than really working with the association’s members to address community policing issues. In closing, he expressed the view that policing in Hope City appeared to be reactive rather than preventive, and committed to token consultation rather than real partnerships.

Hope City Citizens for Responsible Government

Lowell Black, a local radio talk show host and leader of this group, expressed the view that it is high time that the city and Police Service got their finances in order. He noted that the Hope City police force seems to be trying to do more with less than other like-sized communities (i.e., answer more police calls with fewer officers and less annual money). In response, for years the force has had to make emergency appeals to the city for millions of dollars to cover overtime. He says that Hope City’s citizens deserve a sufficiently funded police force, one that forecasts its future expenditures accurately and that does not waste millions of dollars annually on excessive overtime.

Mr. Black maintains that his group has sought meetings with the police chief and the Police Service Board to put forth its views but has yet to get an audience. He is strongly supportive of a well-funded Police Service, but wants it managed in a more businesslike manner.

Other Input

As part of her report, the consultant summarized some recent surveys that Hope City and the Police Service had conducted. These survey results are presented in Exhibit 17.1. She was not asked to draw any conclusions from these; that is the job of the senior Police Service managers.

On the legal front, the Police Service has also faced some challenges. A recent court case found that evidence in a case had been gathered improperly, leading to a City Charter violation. The exclusion of the evidence led to a dismissal of serious criminal charges. In dismissing the case, the judge expressed concern that the Hope City police officers lacked proper knowledge and training in the area of search and preservation of evidence.

The Police Service is in the middle of a human rights complaint from one of its uniformed employees. She claims that she was not properly accommodated as the result of a medical condition that prevented her from riding in patrol vehicles. There is considerable resentment within the ranks of these special forms of accommodation.

Exhibit 17.1 Survey Results for Offense/Complaint Types

Type                             Very Concerned   Somewhat Concerned   Not Concerned
Noise                            10%              28%                  62%
Suspicious persons               35%              5%                   40%
Speeding traffic                 39%              32%                  28%
Breaking and entering            18%              45%                  37%
Theft of property                18%              42%                  36%
Car theft                        15%              40%                  46%
Vandalism                        25%              40%                  35%
Being assaulted on the street    22%              25%                  52%
Being verbally abused            19%              22%                  58%
Domestic disputes                5%               30%                  65%

Finally, the consultant listed some developments that she was aware of in her other work in the police community:

• The Provincial Ministry of Public Safety, which supervises policing in the province, is conducting a study on the creation of regional police services, one for the four cities east of Benville and one for the three cities to the west and north. This will be completed sometime in the next year. One of the currently favored options is the creation of two mega-services.

• Police Service Board appointments are up for renewal this year. Many of the current board members have been around for a couple of terms, and change can be expected.

• Vancouver has just launched an aggressive recruitment campaign in this part of the country, and the packages offered for young officers are attractive.

• Benville has launched a job search for two new deputy chiefs. All chiefs in the adjacent areas have been approached by the headhunter, including Chief Paulson. So have a number of deputies.

COMMUNITY VIEWS ON POLICE ISSUES

A Community Police Survey of Hope City was completed four months ago. Its objective was: “To gather information from the adult residents in Hope City about their contact with the police; their attitudes regarding the quality of policing services provided by the police; their level of concern regarding neighborhood crime issues; their attitudes about personal safety; and their home security and protection measures.”

The target population for the survey consisted of people over the age of 18 residing in Hope City. Results are presented in Exhibit 17.2.

Exhibit 17.2 Views on the Police Service

Performance                                          Good   Adequate   Poor   No Opinion
Overall                                              62%    22%        15%
Responding to calls                                  45%    20%        25%    10%
Relating to minority groups                          33%    22%        25%    20%
Present in my neighborhood                           40%    21%        34%    5%
Follow-up on complaints                              44%    18%        18%    20%
Treat all citizens fairly                            39%    11%        39%    11%
Being approachable                                   60%    20%        20%
Enforce the laws                                     55%    15%        25%    5%
Do good crime prevention                             30%    18%        30%    22%
Provide enough police officers in my neighborhood    39%    14%        35%    12%
Catch the right criminals                            45%    18%        33%    3%

QUESTIONS

You have been hired by the Chief of Police of Hope City to assist him in briefing the Police Services Board and the Mayor in understanding the most critical risks to their objective of having a best-in-class police service for their citizens. He has asked you to provide him with a report that will provide a risk profile and explain the risks to their objectives and what is being done or should be done to treat these risks. You may make any reasonable assumptions to complement the information given (e.g., priorities). Your report should not exceed five pages or 1,800 words. Figures and charts are welcome.

NOTES

1. Development charges are charges paid by developers that are used to pay for the majority of the cost of new capital projects required as a result of growth (e.g., new roads, parks, trails, community centers, fire stations, etc.). Note that this does not cover additional operational costs, which are to be recovered by taxation of the residents.

2. To date, no formal notification of next year’s street construction plans has been received in the Police Service.

3. Clearance rate is calculated by dividing the number of crimes for which a charge is laid by the total number of crimes recorded. Clearance rates are used by various groups as a measure of crimes solved by the police.

4. COMSTAT is a performance indicator tracking system using fast turnaround of information for senior manager review based on integrated computer technology. It is seen as being the most advanced accountability system in modern policing.

ABOUT THE CONTRIBUTOR

Andrew Graham researches, teaches, and writes on public-sector management, financial management, integrated risk management, and governance. He teaches at Queen’s University School of Policy Studies as well as a variety of international and Canadian venues. He is Series Editor of the Case Study Program of the Institute of Public Administration of Canada, Canada’s leading source of public-sector case studies. Professor Graham had an extensive career in Canada’s criminal justice system and has taught and worked with police services, police boards, and police commissioners in a variety of ways for the past 10 years. He continues to research public safety management issues. He is the author of Canada’s leading textbook on managing public money, Canadian Public-Sector Financial Management (McGill-Queen’s University Press, 2007), which has been adopted by a number of Canada’s leading universities as a text and is used in governments for staff training. He is also the author of Making the Case: Writing and Teaching Case Studies, also available through McGill-Queen’s University Press. He recently edited Innovations in Public Expenditure Management, a publication of the Commonwealth Secretariat, and Canada’s Critical Infrastructure: When Is Safe Enough Safe Enough? for the Macdonald Laurier Institute of Canada. Professor Graham teaches in both the graduate and professional development programs at Queen’s and elsewhere. He also writes a regular column on management issues, “Briefly Noted,” for Public Management, a periodical of the Institute of Public Administration of Canada. He has taken a special interest in emerging management issues, including strategic planning, modern police governance, performance measurement, and integrated risk management. He has written extensively in this area, including an e-book, Implementing Risk Management, available free on his website.

CHAPTER 18

Blue Wood Chocolates

STEPHEN MCPHIE, CA
Partner, RSD Solutions Inc.

RICK NASON, PHD, CFA
Partner, RSD Solutions Inc., and Associate Professor of Finance, Dalhousie University

This case highlights many issues around enterprise risk management (ERM). It concerns a company that has turned in a satisfactory performance in the past, although this has been a result, at least in part, of luck rather than design. There is a variety of risk and governance issues that can be discussed. They include prioritization of actions and implementation of an ERM framework when considering how to deal with a diversity of personalities and opinions.

BACKGROUND

Sally Holton, the newly appointed chief financial officer (CFO) of Blue Wood Chocolates, gazed from her office window at the sunny scene outside. Her mood was far from sunny, however, as she pondered what seemed like a mountain of urgent issues facing her. It seemed that there were no easy solutions to any of them.

Blue Wood Chocolates makes chocolate products at its plants in the Midwestern United States for sale domestically and internationally. The company has delivered a mixed financial performance over the past couple of years with volatility that management has not been able to explain, and that the board of directors and owners consider unsatisfactory. There has been an ongoing debate among board members as to whether the lackluster results are due to operations or the vagaries of the commodities markets.

When the long-serving CFO recently retired, Sally Holton was brought in as an outsider to replace him. Her appointment was controversial among some finance and treasury people in the company who expected an internal appointment. Several senior, long-serving, and experienced employees were thought to be well qualified for the role. However, the CEO, John Ferguson Junior, determined that it was an appropriate time to bring in an outsider with new ideas to shake up the finance and treasury functions. Quarterly results had been variable and unpredictable. Ferguson felt that the company needed a better planning process and had to improve its ability to explain its performance to shareholders, the board, and the banks.

He considered the main problems the company faced to be due to poor reporting and presentation. Sally wondered whether the problems were more significant and fundamental. In any case, she knew that she needed to make an impression and make an impression fast.

Originally trained as an accountant and auditor working for one of the major accounting firms, Sally left accounting to work for a small mining company. That led to a job with an international mining conglomerate where she was promoted through various treasury and finance roles. Most recently, she had been responsible for managing commodity price and foreign currency risks. This was thought to position her well for dealing with Blue Wood’s exposures to cocoa and sugar prices and foreign currencies. However, her new role was much broader than anything she had experienced before, and she soon realized that she had walked into a job that was going to be far more challenging than she had anticipated.

One of the first major projects Sally was tasked with was to present the latest quarterly results to the board at the end of her first month in the job. From brief conversations with some board members, she knew that they were concerned about the company’s situation, and she had learned enough to know that she would have difficulty explaining the underlying reasons for the company’s unsatisfactory financial position and recent performance shortfalls.

In the middle of her first week at the office, Sally received a call from Robert Klein, who was relationship manager at Blue Wood’s lead bank. He introduced himself and they exchanged a few pleasantries, discovering that their kids attended the same high school, although in different grades. The conversation quickly turned to business. Robert said he was looking forward to working with Sally and seemed sympathetic about the wide-ranging tasks that he knew Sally faced. Unexpectedly, though, he jolted her by expressing his concern about Blue Wood’s risk management practices and how this might be contributing to the company’s unpredictable financial results. It wasn’t just the weak financial results that were troubling; it was the volatility. He mentioned Blue Wood’s inability to explain fluctuations adequately to the banks, and noted that the company had been very close to breaching its interest coverage covenant twice in the prior two years and looked like it would actually breach it in the current quarter. Robert was under pressure at his bank to take some form of action, including limiting or reducing exposure to Blue Wood and increasing margins and fees. He told Sally that he needed a report and plan addressing how Blue Wood was going to control and improve the volatility and unpredictability of its financial performance to present internally at his own bank, as well as to the other banks in the lending syndicate. He needed this very soon to determine what mitigating factors could be taken into account in this process.

Sally realized that her brief honeymoon in the new job was over and she needed to get to grips with the company’s problems that appeared much more complex than she had been led to believe at the interview stage. She needed to formulate a comprehensive and detailed plan of action before being forced by the banks into taking certain measures that might not be in Blue Wood’s best interests. She could certainly blame her predecessor for increased margins and fees on the bank financing, but she was determined to limit the extent of this by demonstrating how the company planned to improve controls, reporting, and, she hoped, financial performance.

Over the next few days, Sally spoke to as many executives in different areas of the company as possible. It became clear that there was little ongoing communication between major functions within the company. Areas like purchasing, operations, and sales did not coordinate or discuss current difficulties, future trends, and plans. They each made quarterly contributions to the business plan and got on with their business as they saw it. These contributions appeared manipulated to allow for adjustment when they were told to improve their targets. When plans were not met, which was most of the time, each area blamed the others and reporting was not adequate to identify reasons for shortcomings.

Worse still, the two cocoa purchasers did not get along and bad-mouthed each other to Sally. They were each pursuing their own purchasing strategies in isolation. The cocoa and sugar purchasing managers had discretion to use futures and options contracts as well as supply agreements to hedge quantities and prices of commodities, and they were doing this according to their views of the market and information about requirements from the production managers. The only restriction was that all contracts had to have a maximum maturity of one year.

Sally also spoke to two of the board members. Irene Dawson had been nominated to the board by one of the private equity funds that had a significant ownership stake in Blue Wood. She was not one for small talk, and appeared comfortable only when she had an Excel spreadsheet in front of her and a ruler in hand. She laid out a long list of detailed analysis and information she wanted Sally to provide to the board. Her fund wanted out of Blue Wood, but not at current values. Irene’s mandate was to push Blue Wood to maximize value in the short term.

David Rennie represented a pension fund that had invested in Blue Wood. The fund saw its position as a long-term investment in a sector that promised steady growth, with Blue Wood well positioned to participate in this growth over time. The fund did see some current issues, but David considered these to be little more than a blip. In his view, management had a good grasp of the business and would soon be on top of things again. Each time Sally tried to discuss the business and the company’s strategy, David was quick to steer the conversation in a different direction. He liked to be photographed with the board and attend publicity functions. He also appeared to have a weakness for chocolate, constantly feeding his not inconsiderable frame with the stuff. He bemoaned the fact that being a board member did not entitle him to a constant free supply of the company’s product, although he offered the opinion that it was not nearly as good as some of the competitors’ products.

Sally learned that discussions about the business plan and results at recent board meetings had degenerated into long and often heated discussions and disagreements about Blue Wood’s business strategy and objectives. It seemed the arguments always circled back to the latest financial results.

In her two weeks between jobs, Sally had been reading a book about ERM frameworks and implementation guidance. The sections about the ISO 31000 framework seemed particularly interesting, but there was a variety of other risk management and financial approaches with differing levels of detail. As Sally pondered the results of her inquiries, it seemed to her that Blue Wood was sorely and urgently in need of such a framework. But which type of framework would be best for Blue Wood? And how should she go about applying this in practice? She even wondered if this would be a good time to try to implement such a system, with her being so new in her role. It would be a lot to explain to many people in a very short period of time in which she had to demonstrate competence.

She worried that if not done properly, implementing ERM would be seen as a bureaucratic exercise and resisted, or at least not applied usefully. How could it be more than a compilation of a list of risks, most of which were already known? Such a list would certainly be useful, as major risks were currently dealt with in different ways by different people and nobody had a big picture view of the company’s risk profile. However, such a list would also be a static snapshot that would soon be out of date.

Upon further reflection, Sally wondered if she should set her sights lower and start by considering implementing a narrower form of financial risk management for the areas directly within her purview. She was certainly more confident of her abilities to understand what would be needed and how to do it. Perhaps a comprehensive ERM framework encompassing financial risk management would be too much to achieve and could even conflict with the financial risk management part.

THE COMPANY

Blue Wood is a midsize producer of bulk chocolate for use in other final products (e.g., candy bars, cereals, cookies, cakes, and desserts) and also has a small business supplying specialty private-label products to a variety of companies. The company has grown steadily from being a small local producer serving local retailers in its home state when it was founded 50 years ago to a midsized international company. However, growth has been unsteady, with many peaks and troughs along the way.

The company was founded by John Ferguson Senior, now in his mid-eighties. He named the company after a distinctive blue-painted barn that was on his family property and where he used to play as a child. Ferguson retains the role of chairman, but after a heart attack scare five years ago, he reluctantly passed the day-to-day running of the business to his son, John Ferguson Junior. Ferguson Senior is still a dominant and feared figure around the company. Much to the irritation of his son, he is frequently seen around the office questioning people about what they are doing and often berating them for one thing or another. At board meetings his approach is to steamroller any opposition. Woe betide the board member who has not got all his or her facts straight. He believes that the company should stick to its knitting, which brought success when he ran things, and is suspicious of what he considers “newfangled theories like ERM coming from schoolkids just out of diapers.”

Customers are retail businesses, distributors, and food processors that include chocolate in their final products. Around 75 percent of sales are to the domestic U.S. market. The main international customers are located in Canada (8 percent of sales), Mexico (3 percent), the United Kingdom (4 percent), and Eurozone countries (10 percent). Almost all of these sales are denominated in local currencies.

All production is carried out at the company’s two plants in Illinois and Indiana. There are local subsidiaries with sales and accounting offices in Canada, Mexico, the United Kingdom, and Ireland that each have a small sales force, deal with distribution, and collect sales revenues. These offices retain amounts sufficient to cover local expenses, and the remainder is converted to U.S. dollars with local banks and remitted to the head office monthly. Any shortfall for local expenses, including expansion of distribution networks and promotional costs, is financed by short-term borrowings from local banks. These borrowings are guaranteed by the parent company.

Blue Wood sources cocoa beans from large producers in Brazil, Ecuador, Costa Rica, and the Dominican Republic, as well as U.S.-based importers. Other main ingredients used in manufacturing the company’s products are sugar and milk, which are sourced from U.S. producers. More minor ingredients include nuts, raisins, lecithin (an emulsifier processed from cellular organisms, including soybean and sunflower oils), vanilla, and other flavorings. These are all sourced domestically. Purchases are denominated in U.S. dollars.

The company’s facilities are considered to be in a good state of repair, although they are not up to the standards of the best state-of-the-art facilities used by some of the largest producers. In recent years, there has been no agreement at the board level about investing in new equipment, so excess cash has been paid out in dividends, which was in keeping with the short-term focus of most of the company’s investors.

The workforce is unionized and had a history of good industrial relations until two years ago when there was a strike over a change in shift patterns imposed without consultation. The strike was settled after three days by awarding increased shift allowances to affected workers. By chance, inventories were at a high level due to overproduction, resulting from errors in the budgeting and planning processes. This resulted in the strike having no significant effect on customers. However, the unions have since been adopting a noticeably tougher stance in negotiations with management.

Blue Wood is privately owned by the founder, John Ferguson Senior, and family (20 percent), other senior employees (5 percent), a pension fund (20 percent), three private equity funds (15 percent each), and certain private investors (10 percent). The outside investors were brought in as the company needed cash to expand. The pension fund made its investment around 15 years ago. The private equity funds came in seven years ago as a group with the expectation that they would be able to exit through either sale of the company or an initial public offering (IPO) and bond issue within a maximum of five years. Projections were favorable and there was a plan to prepare the company for this outcome, including a focus on improving corporate governance and risk management as well as reinvesting funds in improved sales and production. However, implementation of the plan was halfhearted at best. Funds continued to be paid out in dividends rather than reinvested internally. Little was done on the governance and risk management side, and fairly weak financial performance precluded marketability of an IPO/bond issue as well as making any possible sale price highly unattractive for the fund managers. Additionally, the rating agencies had indicated that they would not be able to give Blue Wood a favorable rating under the current circumstances.

The private equity funds would like to exit their investment but consider that they would not receive full value. They are of the view that value could be substantially improved and are pushing for a strategy to maximize profitability in the short term. This could make the company a takeover target for a larger producer. However, the private equity funds are concerned about succession. They consider Ferguson Junior to be a weak CEO who is dominated by his father and unable to make major decisions without his father’s approval.

The pension fund sees its investment as a long-term growth prospect and would like to see a stabilization and steady improvement in performance. It considers the steady and significant dividends paid by Blue Wood as a stable and important flow of cash, reflective of a good investment. The pension fund favors a conservative strategy with possible retrenchment in the domestic market and withdrawal from European markets that have not been profitable in the recent past.

Ferguson Junior is in his early sixties and would like to monetize the family holdings and retire. However, given Blue Wood’s recent results, he does not believe the family would obtain full value for its holdings. He would face the additional difficulty of having to dispose of the family holdings “over his father’s dead body.” Proud of his role in developing the company, he is frustrated that profitability has not been better and blames operating and financial staff for forays into new foreign markets and what he sees as fads like fair trade1 and organic products.

MARKET OVERVIEW

The chocolate market has experienced steady growth in recent years. North America and Western Europe still dominate, but growth has been very strong in the BRIC countries (Brazil, Russia, India, and China). Significant growth in the latter markets has the potential to cause supply shortages of cocoa and hence increasing prices. Brand loyalty, reinforced by advertising by major producers, is strong. Consumers often stick to their favorite brands, and chocolate has proven to be relatively recession proof.

In the traditional areas, where markets are saturated, emphasis has switched to differentiating products, with new flavor combinations and bolder health claims, as well as vegetarian, organic, and premium offerings. In the developing world, market growth is expected to mirror growth in personal disposable incomes.

There is a big seasonal boost in demand at Easter, in particular, and also at Christmas. Chocolate’s popularity as a gift has increased. With more premium products available, it is a relatively cheap luxury item. This helps keep demand up in times of recession when people tend to forgo more expensive luxuries. As chocolate has a relatively long shelf life, online sales have been an avenue of growth. Unlike perishable food products, delivery times for online sales of chocolate are not a problem.

Major Competitive Factors

The market is dominated by a few large producers (e.g., Kraft, Hershey, Mars, and Nestlé) with advertising being a major driver. Barriers to entry are quite high, as new operations require major capital investment. Competition is strong in the premium segment, with less domination by large producers and better opportunities to set premium prices with brand recognition. However, the large producers are increasingly entering the premium segment and are also expected to acquire many of the small producers.

Brand recognition and reputation are important at the premium end of the market where chocolate is increasingly seen as having health benefits, and many craft producers have sprung up in recent years. This portion of the market is relatively small but growing.


Conversely, nonpremium products and desserts with higher sugar content are under attack from health professionals and governments concerned about health and obesity. Quality control is important—a brand can be ruined if an inferior batch enters the supply chain and causes mass sickness. As a food producer, Blue Wood is regulated by the U.S. Food and Drug Administration (FDA).

A further factor that is increasing in importance is a greater focus on the plight of cocoa farmers who receive only a tiny fraction of the retail price, as well as on the use of child labor in developing countries. In fact, few cocoa farmers are thought to have ever actually tasted the end product of their labors. Fair trade products have sprung up in recent years to salve consumers’ consciences in this regard.

Selling prices are a factor for mainstream products. Not only can people switch to other chocolate brands, but there are many other candy, dessert, and snack food products around that they can select. At the premium end of the market, price competition is less of a factor than perception of quality and luxury based on product branding.

Cocoa prices depend on demand and supply and can be heavily affected by factors such as weather and politics. U.S. sugar prices are inflated compared to world prices due to market manipulation through price support for U.S. producers, domestic market controls that limit production by individual producers, and tariff rate quotas applied to sugar imports.2 This puts domestic chocolate manufacturers at a competitive disadvantage to foreign competitors. Prices have also been affected on occasion by speculators buying large positions of physical product or futures. Much of the world’s supply comes from countries with a history of political instability, and this can cause (and has caused) supply disruptions.

Cocoa Markets Overview

Cocoa (or cacao) trees grow in a limited region approximately 20 degrees north and south of the equator. Around 70 percent of world production is grown in West Africa, with Ivory Coast and Ghana accounting for around 40 percent and 20 percent, respectively. Next is Indonesia with around 14 percent of world production. Cameroon, Nigeria, Brazil, and Ecuador are the next largest producers but with much smaller volumes.

Most cocoa is grown on small family farms. The farmers receive only a very small proportion of the international price of cocoa, and this has been falling in both absolute and real terms. Chocolate demand has been increasing steadily, helped by belief in its added health benefits. However, increasing attention is being paid in consuming countries to the poor conditions of the farmers and the use of child labor in cocoa farming. This has led to increasing sales of fair trade products.

Cocoa pods, which each contain 20 to 50 cocoa beans on average, are harvested from cocoa trees throughout the year and split open by hand (usually using a machete), and the beans are extracted along with the pulp. They are laid out for several days undergoing “sweating” when the pulp flows away. The beans are then taken to a facility where they are fermented and dried for four to seven days on trays or grates under the sun or artificial heat, after which the beans are trodden on and shuffled about (often with bare feet). Once dry, the beans can be shipped.

Beans are roasted and processed in factories to make final chocolate products. Once roasted, the beans are winnowed to remove their shells, leaving cocoa nibs.


These are alkalized before, during, or after roasting to determine the color and taste of the cocoa. The nibs are then milled to create cocoa liquor consisting of cocoa particles suspended in cocoa butter in about equal quantities. The liquor is pressed to extract the cocoa butter, leaving cocoa press cake, which is processed into cocoa powder. Cocoa butter is used to make chocolate. Cocoa powder is used in making numerous dessert and confection products.

Although cocoa beans are perishable, they can be held in storage for several years. Consequently, cocoa can be traded as a commodity for profit and change ownership many times over its life.

Cocoa production is currently around 3.5 million metric tons annually and has been steadily increasing. Demand is expected to continue to grow and reach 4.5 million metric tons by 2020. Cocoa prices have been volatile. They reached a 27-year low of $714 per ton in November 2001 mainly due to favorable weather conditions in the Ivory Coast, and a 32-year high of $3,775 per ton in March 2011. High prices from 2006 to 2011 resulted from production deficits and disruption caused by the disputed presidential election in the Ivory Coast in November 2010.

Cocoa beans, cocoa butter, and cocoa powder spot and futures contracts are traded on the NYSE Euronext Exchange in London and the Intercontinental Exchange (ICE) in New York. Cocoa futures and options on futures are traded on the NYSE Euronext Exchange (pounds sterling) and New York ICE (U.S. dollars). Cocoa futures trading volume on the ICE was 4.95 million metric tons in 2011, 750,000 metric tons more than production. Trading volumes on the NYSE Euronext market have traditionally been higher than on ICE, but the gap has been closing. ICE has been known as the market for speculative trading. It is unusual for a commodity to be traded in two major currencies.

NYSE Euronext3 and ICE4 contracts are standardized in 10-ton sizes. Standard contracts specify that future delivery can be made in any of the months of March, May, July, September, and December with 10 future delivery months (i.e., two years) available for trading. However, liquidity falls off sharply beyond delivery months within the first year. Contracts representing product from all country origins can be traded, some at a discount or a premium. Delivery for ICE contracts is at certain U.S. East Coast ports. Delivery for London International Financial Futures and Options Exchange (LIFFE) contracts is at certain specified northern European ports in the Netherlands, the United Kingdom, Germany, Belgium, and northern France. Options on futures are also available for months between the futures delivery months.

Prices are affected by various factors, including weather, crop disease, political instability, availability and cost of fertilizers and pesticides, or withholding of stocks by producers and speculation.

An illustration of the latter point came in August 2002 when London-based Armajaro Holdings, a hedge fund run and cofounded by Anthony Ward, bought three quarters of the 204,380 metric tons of cocoa delivered through the Euronext.liffe exchange under futures contracts. Cocoa prices soared to a 15-year high. In mid-2010, Armajaro purchased 241,000 tons of cocoa beans representing 7 percent of annual global cocoa production (enough to manufacture 5.3 billion quarter-pound chocolate bars). This was the largest single cocoa trade in 14 years and caused prices to rise to a 33-year high. Armajaro had closed its position by the end of the year. Anthony Ward is based in London and started out as a motorcycle dispatch rider before becoming a commodities trader at a series of well-known trading companies specializing in cocoa and coffee. City of London traders are rumored to have nicknamed him “Chocfinger.” He has amassed a considerable personal fortune and lives in a highly expensive area of London.

[Figure] Exhibit 18.1 Cocoa Prices, 1990–2013 (Daily Average). Line chart; y-axis: cents per kilogram (0 to 400); x-axis: 1990 to 2011. Source: International Cocoa Organization Secretariat; World Bank.

Exhibit 18.1 shows world cocoa prices from January 1990 to July 2013.

Sugar Markets Overview

Global sugar production for 2013/2014 is forecast at 175 million metric tons,5 very slightly up from the previous year, of which the United States accounts for around eight million metric tons, about 5 percent down from the previous year. Supply has grown steadily from 144 million metric tons produced in 2008/2009. The United States is both the fifth-largest producer and the fifth-largest consumer of sugar. Over the same period, demand grew from 153 million metric tons in 2008/2009 to 167 million metric tons forecast in 2013/2014 (i.e., from a supply shortfall to a surplus).

Exhibit 18.2 shows world and U.S. monthly sugar prices from January 1990 to July 2013. U.S. consumers pay substantially more than world prices for sugar, as the U.S. market is manipulated through price support, domestic market controls, and tariff rate quotas. Better growing conditions and hence cheaper costs of sugar in other producing countries would make U.S. producers struggle to survive without such support. Opposition to support, especially among beverage makers, has been increasing in recent years, and both producers and consumers have substantially increased their political contributions and lobbying efforts.

[Figure] Exhibit 18.2 Sugar Prices, 1990–2013 (World and U.S. Monthly). Line chart with two series, World and U.S.; y-axis: cents per pound (5 to 75); x-axis: 1990 to 2011. World source: London International Financial Futures and Options Exchange (LIFFE); U.S. source: Bureau of Labor Statistics.

Price Support

The U.S. Department of Agriculture (USDA) makes loans to producers who can either sell their product to the USDA at the minimum price to repay their loans or to the market if prices are higher. In attempting to avoid anticipated minimum price purchases, the USDA is often an active participant in sugar markets. It recently purchased 15.5 million metric tons of sugar from U.S. producers to bolster low market prices. In 2013, around $1.1 billion of loans were made to 17 producers representing about half of the country’s producers.

Domestic Market Controls

Producers are each allotted maximum sales volumes each year. Excess production must be stored until permission is given to sell it in the future. Aggregate allotments must amount to at least 85 percent of anticipated demand.

Tariff Rate Quotas

Tariff rate quotas are used as a strict control on sugar imports. The USDA establishes quota volumes annually for sugar that can enter at low or zero duty. There is a minimum quota of around 1.1 million tons to satisfy U.S. obligations to the World Trade Organization. This can be increased if shortfalls of domestic production versus demand are expected.

Milk Markets Overview

Milk has suffered a long-term decline in consumption since its peak in World War II and has fallen by over 30 percent since 1975. Much of the decline has been offset by increased sales of yogurt, cheese, and other dairy products. The industry has endeavored to combat the decline in milk consumption with measures such as convenient packaging and healthy brands with protein additives. The decline can be attributed, partly at least, to factors such as a lower proportion of children in the population, price increases due to increasing costs of grains fed to cows, and milk no longer being seen as healthy as it once was.

The milk industry is around the size of corn production and second only to beef in the livestock industry. Milk is produced in all 50 states, mostly on family farms that are generally members of cooperatives. The cooperatives collect the milk and deliver it to processors and manufacturers. Dairy farms have been reducing in number and increasing in size, with higher output per cow more than offsetting fewer cows.

As with sugar, the U.S. milk market is heavily regulated and manipulated. There have been federal and state dairy programs since the 1930s, with subsequent programs added and discontinued over the years with changing market conditions. There are a number of reasons for the existence of such programs. These include the fact that milk is a highly perishable product that must be harvested daily, while quantities produced can vary daily according to the weather and feeding conditions. At the same time, consumption can also vary daily due to consumer shopping patterns.

The two main federal programs are the price support program and the system of milk marketing orders. Under the former, the Commodity Credit Corporation purchases manufactured products like butter and cheese, but not milk, at specified support prices and can sell at prices at least 10 percent above the purchase prices. The marketing orders are intended to establish orderly market conditions by setting the relationship between fluid and manufactured dairy products and a geographic price structure. There is also a program to provide income stabilization payments to producers.

Exhibit 18.3 shows U.S. milk prices from January 1995 to August 2013.

BLUE WOOD FINANCIAL PERFORMANCE

Sally Holton examined Blue Wood’s recent results and these are summarized in Appendix I. She could not find many comparable U.S. companies with published financial results. The only ones she could find that were vaguely comparable were The Hershey Company and Rocky Mountain Chocolate Factory, Inc., although these companies were of significantly different scale and scope of operations. Their results are summarized in Appendixes II and III, respectively.

The first things Sally noted were that almost all of Blue Wood’s profitability measures were significantly worse than those of Hershey and Rocky Mountain. Sales growth had been sluggish compared with the others, and Blue Wood’s gross margin was substantially lower. Moreover, Blue Wood’s gross margin was quite volatile. Sally determined that the largest factor causing this volatility was gains, losses, and changes in the fair value of commodity derivatives. The one favorable comparison was selling, general, and administrative (SG&A) expenses.

Discussions with the sales department convinced Sally that the main problem was on the production side, although a drop in sales in the first half of 2013 was worrying. She had been shown correspondence from customers complaining about unreliability of delivery schedules and returns of substandard product due to poor quality control. The sales and marketing department had also provided market research showing that Blue Wood’s published selling prices were broadly in line with those of competitors, although she suspected that discounts might shine a slightly less favorable light on the situation.

[Figure] Exhibit 18.3 U.S. Milk Prices, 1995–2013. Line chart of U.S. Milk Prices—All Milk; y-axis: $ per hundredweight (= 112 lbs.), 0 to 25; x-axis: Jan-95 to Jan-13. Source: U.S. Department of Agriculture.

Blue Wood’s cash position had been deteriorating over the periods Sally examined. A healthy cash balance had disappeared and the company was now borrowing under the bank revolver line. Retained earnings had also been falling. Part of this was due to the high dividend payments, particularly in 2012.

Sally noted that Blue Wood’s long-term debt, both the senior notes and the bank term loan, were to mature in two years’ time. Scheduled reductions of the bank loan had started in 2012. No consideration had been given as to how these may be repaid or refinanced, nor did anyone seem particularly concerned. The CEO, John Ferguson Junior, was confident that the bank would support the company. It had always done so in the past, and he and the bank’s chairman were members of the same golf club. He did refer to the bank’s chairman in rather colorful language that was not particularly respectful of the latter’s intelligence.

On the plus side, Blue Wood had built up a significant balance of investments amounting to around $56 million at the end of June 2013. Sally was informed that this was to enable future payments of dividends in case cash flow was insufficient. These investments were not available to be used in the business. The investments consisted of stocks, bonds, exchange-traded funds, and some investments in private companies. Sally could find little information on the last of these. There was no company policy regarding management monitoring of investments. Funds were managed and invested upon the recommendation of the chairman’s personal broker. His recommendations had always been followed without exception.

Sally had also learned from speaking to internal counsel that Blue Wood faced a possible $10 million lawsuit from parents of a child who had suffered from severe poisoning after eating one of the company’s products. The parents claimed that the child has had difficulty concentrating and learning and has also become incontinent since eating the chocolate. Counsel considered the lawsuit frivolous and recommended resisting it or, at most, offering a small settlement to make it go away without accepting liability and while insisting upon confidentiality. He did agree with Sally that, regardless of the merits of the case, there could be significant adverse publicity if it went to a jury trial, and the result could be a bit of a lottery. When Sally mentioned the potential lawsuit to the CEO, he said he had not heard of it, but was happy to concentrate on running the business while counsel took care of such legal things.

Sally also found that certain foreign exchange futures had been transacted by the previous CFO to hedge his estimate of 50 percent of exposure to Canadian dollars (CAD), euros (EUR), and pounds sterling (GBP) over a one-year horizon. His estimates were essentially back-of-the-envelope approximations and appeared to have little relation to reality. Moreover, some of the local offices had also entered forward contracts with local banks that duplicated what the previous CFO had done. Exhibit 18.4 shows historical exchange rates for CAD, EUR, GBP, and MXN (Mexican peso) against the U.S. dollar. Note: MXN is divided by 10 for scaling to fit the graph.

[Figure] Exhibit 18.4 Exchange Rates. Line chart with four series, CAD, EUR, GBP, and MXN/10; y-axis: foreign currency units per US dollar (0.4 to 1.6); x-axis: 2000 to 2013. Source: www.oanda.com.

CONCLUSION

Sally Holton felt she had walked into a hornet’s nest in her new position as CFO of Blue Wood Chocolates. The business was underperforming, and urgent action was required to respond to pressure from the banks and provide an action plan to the board of directors. There was disagreement among senior executives and board members about the strategy and overall objectives the company should pursue, and nobody had a grasp of all major risk factors. There was no oversight of the hedging practices and little effective internal communication among various functions, or even within some of the functions.

Sally needed to have an overall view of the corporate objectives before developing and implementing specific operating procedures. She needed to get a grasp on the major risks facing the company so that she could develop appropriate responses to these risks. An ERM framework seemed appropriate. However, this would need buy-in from the top, specifically the CEO, chairman, and the board. She needed to develop an overarching proposal incorporating objectives, strategy, and an ERM outline framework for presentation to the board. She would first need to get the CEO on board, not an easy task given his disinterest in what he considers bureaucratic matters that he hires people like Sally to deal with. The CEO’s domination by his father, the chairman, would also likely be an obstacle.

Operational procedures, including commodity and currency hedging, would be important but would need to be developed within an overall ERM framework. It was time for Sally to get to work. She also needed to determine how financial performance could be improved. Profitability seemed lackluster, with a high expense base and no real control on major purchasing inputs. Revenues had held up fairly well but could be under competitive threat if margins continued to fall below the industry average.

Overhanging all other issues was the debt maturity profile. Both the senior notes and the bank term loan had maturity dates falling in mid-2014. No planning or discussion had taken place about how to repay and/or refinance these facilities, and the banks were already indicating dissatisfaction with Blue Wood.

APPENDIX I: BLUE WOOD CHOCOLATES

STATEMENTS OF INCOME AND RETAINED EARNINGS

Columns: six months to June 30 (2013, 2012) and years to December 31 (2012, 2011, 2010, 2009). All figures in $000’s.

($000’s) | 6 mos 2013 | 6 mos 2012 | FY 2012 | FY 2011 | FY 2010 | FY 2009
Sales | 95,188 | 97,760 | 244,387 | 236,669 | 231,755 | 221,925
Cost of sales | 62,421 | 66,109 | 163,169 | 166,307 | 153,671 | 142,294
Gross profit | 32,767 | 31,651 | 81,218 | 70,362 | 78,084 | 79,631
Selling, general, and administrative expenses | 29,202 | 28,227 | 60,596 | 58,123 | 57,252 | 56,113
Income before interest and income taxes | 3,565 | 3,424 | 20,622 | 12,239 | 20,832 | 23,518
Impairment charge | 0 | 0 | 0 | 0 | 0 | (6,222)
Interest & other income | 1,409 | 1,035 | 1,582 | 1,059 | 3,715 | 933
Interest expense | (6,000) | (6,000) | (12,000) | (12,000) | (12,000) | (12,000)
Income before income taxes | (1,026) | (1,541) | 10,204 | 1,298 | 12,547 | 6,229
Provision for income taxes | (308) | (462) | 3,061 | 390 | 3,764 | 1,869
Net income | (718) | (1,079) | 7,143 | 908 | 8,783 | 4,360
Retained earnings start of period | 40,401 | 54,471 | 54,471 | 61,723 | 60,975 | 64,522
Dividends | (4,187) | (4,128) | (21,213) | (8,160) | (8,035) | (7,907)
Retained earnings end of period | 35,496 | 49,264 | 40,401 | 54,471 | 61,723 | 60,975
Gains/(losses) on derivatives included in income statement | (370) | (211) | (259) | (3,523) | 2,072 | 207

FINANCIAL RATIOS

Columns as above. Growth ratios are shown only where a prior period is available.

Ratio | 6 mos 2013 | 6 mos 2012 | FY 2012 | FY 2011 | FY 2010 | FY 2009
Sales growth | −2.6% | — | 3.3% | 2.1% | 4.4% | —
Gross margin | 34.4% | 32.4% | 33.2% | 29.7% | 33.7% | 35.9%
SG&A expense growth | 3.5% | — | 4.3% | 1.5% | 2.0% | —
SG&A/Sales | 30.7% | 28.9% | 24.8% | 24.6% | 24.7% | 25.3%
Operating margin | 3.7% | 3.5% | 8.4% | 5.2% | 9.0% | 10.6%
EBITDA/Interest coverage | 1.3 | 1.3 | 2.5 | 1.7 | 2.4 | 2.8
Debt/Equity | 2.0 | 1.7 | 1.9 | 1.7 | 1.5 | 1.5
Current ratio | 1.8 | 2.0 | 1.8 | 2.4 | 3.3 | 3.3

STATEMENTS OF CASH FLOWS

($000’s) | 6 mos 2013 | 6 mos 2012 | FY 2012 | FY 2011 | FY 2010 | FY 2009

Operating Activities
Net income | (718) | (1,079) | 7,143 | 908 | 8,783 | 4,360
Adjustments for noncash items | 5,212 | 4,977 | 10,474 | 9,195 | 8,508 | 10,141
Changes in operating assets and liabilities | (1,276) | 736 | 9,547 | (4,469) | 2,705 | 1,049
Cash from operations | 3,218 | 4,634 | 27,164 | 5,634 | 19,996 | 15,550

Investing Activities
Additions to property, plant, and equipment | (2,649) | (2,388) | (3,949) | (7,267) | (5,695) | (9,258)
Net purchases of trading securities | (1,008) | (963) | (1,331) | (1,437) | (1,290) | (761)
Purchase of available for sale securities | (8,441) | (8,920) | (17,340) | (7,445) | (4,134) | (5,036)
Sale and maturity of available for sale securities | 8,236 | 1,375 | 4,649 | 3,413 | 3,648 | 7,783
Net cash used in investing activities | (3,862) | (10,896) | (17,971) | (12,736) | (7,471) | (7,272)

Financing Activities
Bank term loan repayments | (5,000) | (5,000) | (5,000) | 0 | 0 | 0
Dividends paid | (2,111) | (4,123) | (23,303) | (8,181) | (8,058) | (7,922)
Net cash used in financing activities | (7,111) | (9,123) | (28,303) | (8,181) | (8,058) | (7,922)

Net increase/(decrease) in cash | (7,755) | (15,385) | (19,110) | (15,283) | 4,467 | 356
Opening (bank revolver)/cash | (2,278) | 16,832 | 16,832 | 32,115 | 27,648 | 27,292
Closing (bank revolver)/cash | (10,033) | 1,447 | (2,278) | 16,832 | 32,115 | 27,648

BALANCE SHEETS

($000’s) | 6 mos 2013 | 6 mos 2012 | FY 2012 | FY 2011 | FY 2010 | FY 2009

ASSETS
Current Assets
Cash and cash equivalents | 0 | 1,447 | 0 | 16,832 | 32,115 | 27,648
Investments | 11,052 | 5,698 | 8,332 | 4,842 | 3,554 | 3,850
Receivables | 17,905 | 10,358 | 20,513 | 17,375 | 15,320 | 15,318
Prepaid expenses and other receivables | 2,352 | 2,319 | 2,457 | 2,935 | 7,396 | 3,732
Inventory: finished goods and WIP | 30,984 | 27,941 | 16,465 | 18,967 | 15,740 | 15,809
Inventory: raw materials | 13,263 | 14,716 | 11,261 | 12,926 | 9,438 | 8,854
Deferred income tax | 2,193 | 257 | 207 | 257 | 306 | 608
Prepayments and other | 987 | 2,568 | 1,844 | 2,253 | 2,888 | 7,391
Total Current Assets | 78,736 | 65,304 | 61,079 | 76,387 | 86,757 | 83,210

Property, plant, and equipment at cost | 208,144 | 204,680 | 206,101 | 202,265 | 195,988 | 190,043
Less accumulated depreciation | (120,368) | (112,348) | (116,639) | (107,971) | (100,214) | (91,945)
Net property, plant, and equipment | 87,776 | 92,332 | 89,462 | 94,294 | 95,774 | 98,098
Goodwill and trademarks | 80,338 | 80,338 | 80,338 | 80,338 | 80,338 | 80,338
Investments | 45,000 | 41,062 | 45,416 | 32,739 | 28,650 | 25,838
Split dollar life insurance | 18,400 | 31,357 | 29,737 | 32,982 | 33,085 | 33,174
Equity method investments | 721 | 1,453 | 945 | 1,749 | 1,891 | 2,205
Deferred income tax | 2,634 | 3,432 | 2,765 | 3,429 | 4,090 | 5,147
Total Assets | 313,605 | 315,278 | 309,742 | 321,918 | 330,585 | 328,010

LIABILITIES AND STOCKHOLDERS’ EQUITY
Current Liabilities
Bank revolver | 10,033 | 0 | 2,278 | 0 | 0 | 0
Payables and accruals | 25,512 | 25,450 | 24,041 | 23,890 | 23,989 | 22,937
Dividend payable | 2,121 | 2,095 | 0 | 2,046 | 2,013 | 1,981
Current portion of bank term loan | 5,000 | 5,000 | 5,000 | 5,000 | 0 | 0
Postretirement health care and life insurance | 247 | 255 | 247 | 255 | 0 | 0
Accrued income taxes | 111 | 0 | 2,719 | 0 | 0 | 0
Total Current Liabilities | 43,024 | 32,800 | 34,285 | 31,191 | 26,002 | 24,918

Long-term debt—senior note 8% due 2014 | 100,000 | 100,000 | 100,000 | 100,000 | 100,000 | 100,000
Bank term loan due 2014 | 35,000 | 40,000 | 40,000 | 45,000 | 50,000 | 50,000
Postretirement health care and life insurance | 12,528 | 12,023 | 11,923 | 11,348 | 9,195 | 7,411
Liability for uncertain tax positions | 3,672 | 3,369 | 3,496 | 3,709 | 4,371 | 8,199
Deferred income taxes | 19,050 | 19,249 | 17,221 | 19,343 | 21,273 | 19,814
Deferred compensation and other liabilities | 27,085 | 22,953 | 24,541 | 21,374 | 20,514 | 17,706
Total Liabilities | 240,359 | 230,394 | 231,466 | 231,965 | 231,355 | 228,048

Stockholders’ Equity
Common stock and additional paid in capital | 44,000 | 44,000 | 44,000 | 44,000 | 44,000 | 44,000
Retained earnings | 35,496 | 49,264 | 40,401 | 54,471 | 61,723 | 60,975
Other comprehensive income/(loss) | (6,250) | (8,380) | (6,125) | (8,518) | (6,493) | (5,013)
Total Stockholders’ Equity | 73,246 | 84,884 | 78,276 | 89,953 | 99,230 | 99,962

Total Liabilities and Stockholders’ Equity | 313,605 | 315,278 | 309,742 | 321,918 | 330,585 | 328,010

STATEMENTS OF OTHER COMPREHENSIVE INCOME

($000’s) | 6 mos 2013 | 6 mos 2012 | FY 2012 | FY 2011 | FY 2010 | FY 2009

Other Comprehensive Income/(Loss) Net of Tax
Foreign currency translation | (45) | 152 | 579 | (1,109) | 380 | (487)
Pension and postretirement plans: gains/(losses) | 0 | 0 | 474 | (1,597) | (1,393) | 811
Pension and postretirement plans: reclassification to earnings | 0 | 0 | 460 | 223 | 57 | 328
Unrealized gains/(losses) on investments | (80) | (14) | 880 | 458 | (524) | 1,207
Total other comprehensive income net of tax | (125) | 138 | 2,393 | (2,025) | (1,480) | 1,859
Opening other comprehensive income | (6,125) | (8,518) | (8,518) | (6,493) | (5,013) | (6,872)
Closing other comprehensive income | (6,250) | (8,380) | (6,125) | (8,518) | (6,493) | (5,013)

Derivatives included in OCI
Opening balance | (49) | 115 | 115 | 2,334 | 1,028 | 98
Unrealized gain/(loss) | (770) | (86) | (151) | (176) | 3,250 | 1,929
Reclassified to earnings | 400 | (125) | (108) | (3,347) | (1,178) | (451)
Net | (370) | (211) | (259) | (3,523) | 2,072 | 1,478
Tax effect | 134 | 78 | 95 | 1,304 | (766) | (548)
Closing balance | (285) | (18) | (49) | 115 | 2,334 | 1,028

APPENDIX II: THE HERSHEY COMPANY

CONSOLIDATED STATEMENTS OF INCOME AND RETAINED EARNINGS

Columns: six months to June 30, 2013 and to July 1, 2012, and years to December 31 (2012, 2011, 2010, 2009). All figures in $000’s.

($000’s) | 6 mos 2013 | 6 mos 2012 | FY 2012 | FY 2011 | FY 2010 | FY 2009
Sales | 3,335,940 | 3,146,508 | 6,644,252 | 6,080,788 | 5,671,009 | 5,298,668
Cost of sales | 1,768,029 | 1,784,591 | 3,784,370 | 3,548,896 | 3,255,801 | 3,245,531
Selling, general, and administrative expenses | 896,739 | 796,967 | 1,703,796 | 1,477,750 | 1,426,477 | 1,208,672
Business realignment and impairment charges | 10,438 | 8,149 | 44,938 | (886) | 83,433 | 82,875
Total costs and expenses | 2,675,206 | 2,589,707 | 5,533,104 | 5,025,760 | 4,765,711 | 4,537,078
Income before interest and income taxes | 660,734 | 556,801 | 1,111,148 | 1,055,028 | 905,298 | 761,590
Interest and other income | 1,413 | 1,350 | 2,940 | 2,597 | 1,270 | 877
Interest expense | (46,140) | (49,718) | (98,509) | (94,780) | (97,704) | (91,336)
Income before income taxes | 616,007 | 508,433 | 1,015,579 | 962,845 | 808,864 | 671,131
Provision for income taxes | 214,597 | 174,097 | 354,648 | 333,883 | 299,065 | 235,137
Net income | 401,410 | 334,336 | 660,931 | 628,962 | 509,799 | 435,994
Retained earnings start of period | 5,027,617 | 4,699,597 | 4,707,892 | 4,383,013 | 4,156,648 | 3,984,057
Dividends | (182,895) | (167,094) | (341,206) | (304,083) | (283,434) | (263,403)
Retained earnings end of period | 5,246,132 | 4,866,839 | 5,027,617 | 4,707,892 | 4,383,013 | 4,156,648

FINANCIAL RATIOS

Columns as above. Growth ratios are shown only where a prior period is available.

Ratio | 6 mos 2013 | 6 mos 2012 | FY 2012 | FY 2011 | FY 2010 | FY 2009
Sales growth | 6% | — | 9% | 7% | 7% | —
Gross margin | 47% | 43% | 43% | 42% | 43% | 39%
SG&A expense growth | 13% | — | 15% | 4% | 18% | —
SG&A/Sales | 27% | 25% | 26% | 24% | 25% | 23%
Operating margin (excluding realign. & impair.) | 20% | 18% | 17% | 17% | 17% | 16%
EBITDA/Interest (excluding realign. & impair./including capitalized interest) | 16.9 | 13.7 | 14.7 | 14.6 | 12.4 | 11.6
Debt/Equity | 1.7 | 1.8 | 1.8 | 2.1 | 1.9 | 2.0
Current ratio | 1.8 | 1.4 | 1.4 | 1.7 | 1.5 | 1.5

Source: www.thehersheycompany.com/investors/financial-reports.aspx.

CONSOLIDATED STATEMENTS OF CASH FLOWS

Columns ($000’s): 6 months to June 30, 2013; 6 months to July 1, 2012; years to December 31, 2012, 2011, 2010, and 2009.

Operating Activities
Net income 401,410 334,336 660,931 628,962 509,799 435,994
Adjustments for noncash items 60,127 114,940 234,364 270,762 260,926 178,671
Changes in operating assets and liabilities (112,091) (135,118) 199,532 (311,857) 130,698 451,084
Net cash provided from operating activities 349,446 314,158 1,094,827 587,867 901,423 1,065,749

Investing Activities
Capital additions (151,735) (139,488) (258,727) (323,961) (179,538) (126,324)
Capitalized software additions (6,854) (8,319) (19,239) (23,606) (21,949) (19,146)
Proceeds from sale of property, plant and equipment 15,107 76 453 312 2,201 10,364
Proceeds from sale of trademark licensing rights 0 0 0 20,000 0 0
Loan to affiliate (16,000) (16,000) (23,000) (7,000) 0 0
Business acquisitions 0 (172,856) (172,856) (5,750) 0 (15,220)
Net cash used by investing activities (159,482) (336,587) (473,369) (340,005) (199,286) (150,326)

Financing Activities
Net (decrease)/increase in short-term debt (13,624) 95,130 77,698 10,834 1,156 (458,047)
Long-term borrowings 249,785 49 4,025 249,126 348,208 0
Repayment of long-term debt (250,143) (2,134) (99,381) (256,189) (71,548) (8,252)
Proceeds from lease financing agreement 0 0 0 47,601 0 0
Cash dividends paid (182,895) (167,094) (341,206) (304,083) (283,434) (263,403)
Exercise of stock options 114,157 185,600 261,597 184,411 92,033 28,318
Excess tax benefits from stock-based compensation 36,938 23,849 33,876 13,997 1,385 4,455
Payments from/(to) noncontrolling interests 1,470 1,470 (12,851) 0 10,199 7,322
Repurchase of common stock (305,564) (218,345) (510,630) (384,515) (169,099) (9,314)
Net cash used by financing activities (349,876) (81,475) (586,872) (438,818) (71,100) (698,921)


CONSOLIDATED STATEMENTS OF CASH FLOWS (Continued)

Columns ($000’s): 6 months to June 30, 2013; 6 months to July 1, 2012; years to December 31, 2012, 2011, 2010, and 2009.

Increase/(Decrease) in cash and equivalents (159,912) (103,904) 34,586 (190,956) 631,037 216,502
Opening cash and equivalents 728,272 693,686 693,686 884,642 253,605 37,103
Closing cash and equivalents 568,360 589,782 728,272 693,686 884,642 253,605

CONSOLIDATED BALANCE SHEETS

Columns ($000’s): 6 months to June 30, 2013; 6 months to July 1, 2012; years to December 31, 2012, 2011, 2010, and 2009.

ASSETS

Current Assets
Cash and cash equivalents 568,360 589,782 728,272 693,686 884,642 253,605
Receivables—trade 366,288 353,337 461,383 399,499 390,061 410,390
Inventories 778,988 791,805 633,262 648,953 533,622 519,712
Deferred income taxes 102,762 121,192 122,224 136,861 50,655 34,763
Prepaid expenses 182,489 237,457 168,344 167,559 141,132 161,859
Total Current Assets 1,998,887 2,093,573 2,113,485 2,046,558 2,000,112 1,380,329

Property, plant, and equipment at cost 3,650,777 3,564,028 3,560,626 3,588,558 3,324,763 3,242,868
Less accumulated depreciation (1,941,431) (1,980,724) (1,886,555) (2,028,841) (1,887,061) (1,838,101)
Net property, plant, and equipment 1,709,346 1,583,304 1,674,071 1,559,717 1,437,702 1,404,767
Goodwill 578,906 589,464 588,003 516,745 524,134 571,580
Other intangibles 202,495 219,028 214,713 111,913 123,080 125,520
Deferred income taxes 30,925 28,072 12,448 33,439 21,387 4,353
Other assets 176,309 154,531 152,119 138,722 161,212 183,377
Total Assets 4,696,868 4,667,972 4,754,839 4,407,094 4,267,627 3,669,926

LIABILITIES AND STOCKHOLDERS’ EQUITY

Current Liabilities
Accounts payable 413,144 388,472 441,977 420,017 410,655 287,935
Accrued liabilities 564,080 569,902 650,906 612,186 593,308 546,462
Accrued income taxes 4,585 1,930 2,329 1,899 9,402 36,918
Short-term debt 99,081 139,356 118,164 42,080 24,088 24,066
Current portion of long-term debt 3,316 347,312 257,734 97,593 261,392 15,247
Total Current Liabilities 1,084,206 1,446,972 1,471,110 1,173,775 1,298,845 910,628


LIABILITIES AND STOCKHOLDERS’ EQUITY (Continued)

Columns ($000’s): 6 months to June 30, 2013; 6 months to July 1, 2012; years to December 31, 2012, 2011, 2010, and 2009.

Long-term debt 1,794,493 1,498,669 1,530,967 1,748,500 1,541,825 1,502,730
Other long-term liabilities 663,519 608,664 668,732 603,876 481,061 487,934
Deferred income taxes 32,923 27,696 35,657 0 0 0
Total Liabilities 3,575,141 3,582,001 3,706,466 3,526,151 3,321,731 2,901,292

Stockholders’ Equity
Common stock and additional paid-in capital 987,292 917,293 952,876 850,718 794,766 754,579
Retained earnings 5,246,132 4,866,839 5,027,617 4,707,892 4,383,013 4,156,648
Treasury common stock at cost (4,740,944) (4,324,278) (4,558,668) (4,258,962) (4,052,101) (3,979,629)
Accumulated other comprehensive loss (380,658) (395,527) (385,076) (442,331) (215,067) (202,844)
Noncontrolling interests in subsidiaries 9,905 21,644 11,624 23,626 35,285 39,880
Total Stockholders’ Equity 1,121,727 1,085,971 1,048,373 880,943 945,896 768,634
Total Liabilities and Stockholders’ Equity 4,696,868 4,667,972 4,754,839 4,407,094 4,267,627 3,669,926

Note: 2009 and 2010 as restated.

CONSOLIDATED STATEMENTS OF OTHER COMPREHENSIVE INCOME

Columns ($000’s): 6 months to June 30, 2013; 6 months to July 1, 2012; years to December 31, 2012, 2011, 2010, and 2009.

Other Comprehensive Income/(Loss) Net of Tax
Foreign currency translation (18,981) 1,662 7,714 (21,213) 14,123 38,302
Pension and postretirement plans 13,621 12,608 (9,634) (85,823) 5,130 38,643
Cash flow hedges: gains/(losses) on derivatives 4,010 (769) (868) (107,713) 1,001 78,257
Cash flow hedges: reclassification adjustments 5,768 33,303 60,043 (12,515) (32,477) 1,862
Total other comprehensive income net of tax 4,418 46,804 57,255 (227,264) (12,223) 157,064
Opening other comprehensive income (385,076) (442,331) (442,331) (215,067) (202,844) (359,908)
Closing other comprehensive income (380,658) (395,527) (385,076) (442,331) (215,067) (202,844)


APPENDIX III: ROCKY MOUNTAIN CHOCOLATE FACTORY, INC.

CONSOLIDATED STATEMENTS OF INCOME AND RETAINED EARNINGS

Columns ($000’s): 3 months to May 31, 2013 and 2012; years to February 28, 2013, 2012, 2011, and 2010.

Revenues 10,178 9,658 36,315 34,627 31,128 28,437
Cost of sales 5,027 5,022 18,955 18,309 16,228 14,911
Other costs and expenses 3,333 3,013 12,174 10,465 8,950 7,883
Loss on asset sales and restructuring charges 0 0 2,647 0 0 0
Total costs and expenses 8,360 8,035 33,776 28,774 25,178 22,794
Income before interest and income taxes 1,818 1,623 2,539 5,853 5,950 5,643
Interest and other income 12 11 44 59 59 27
Income before income taxes 1,830 1,634 2,583 5,912 6,009 5,670
Income tax expense 584 571 1,233 2,036 2,098 2,090
Net income after income taxes 1,246 1,063 1,350 3,876 3,911 3,580
Attributable to noncontrolling interest (67) 0 128 0 0 0
Net income attributable to RMCF 1,179 1,063 1,478 3,876 3,911 3,580
Retained earnings start of period 8,642 9,838 9,838 8,412 6,924 5,751
Dividends (668) (676) (2,674) (2,450) (2,423) (2,407)
Retained earnings end of period 9,153 10,225 8,642 9,838 8,412 6,924

Source: www.irdirect.net/RMCF/sec_filings/view.

FINANCIAL RATIOS

Columns: 3 months to May 31, 2013 and 2012; years to February 28, 2013, 2012, 2011, and 2010.

Sales growth 5% 5% 11% 9%
Gross margin 51% 48% 48% 47% 48% 48%
Other costs and expense growth 11% 16% 17% 14%
Other costs and expenses/sales 33% 31% 34% 30% 29% 28%
Operating margin (excluding loss on asset sales and restructuring charges) 18% 17% 14% 17% 19% 20%


FINANCIAL RATIOS (Continued)

Columns: 3 months to May 31, 2013 and 2012; years to February 28, 2013, 2012, 2011, and 2010.

EBITDA/Interest n/a n/a n/a n/a n/a n/a
Debt/Equity n/a n/a n/a n/a n/a n/a
Current ratio 3.2 4.7 2.6 4.0 3.7 3.7

CONSOLIDATED CASH FLOW STATEMENTS

Columns ($000’s): 3 months to May 31, 2013 and 2012; years to February 28, 2013, 2012, 2011, and 2010.

Operating Activities
Net income 1,179 1,062 1,478 3,876 3,911 3,580
Adjustments for noncash items 409 406 2,767 2,409 1,569 1,187
Changes in operating assets and liabilities (776) 663 2,126 (138) (1,685) 767
Net cash provided by operating activities 812 2,131 6,371 6,147 3,795 5,534

Investing Activities
Additions to property, plant, and equipment (58) (253) (743) (3,261) (1,298) (499)
Proceeds from sale or distribution of assets 3 0 889 53 19 117
Franchising rights 0 0 (802) 0 0 0
Other (59) 21 (320) 85 (518) (260)
Net cash used in investing activities (114) (232) (976) (3,123) (1,797) (642)

Financing Activities
Dividends paid (668) (616) (2,623) (2,441) (2,418) (2,403)
Tax benefit of stock option exercise 20 6 58 25 11 0
(Repurchase)/Issue of common stock 0 (363) (1,633) 173 10 0
Net cash used in financing activities (648) (973) (4,198) (2,243) (2,397) (2,403)

Net increase/(decrease) in cash and equivalents 50 926 1,197 781 (399) 2,489
Opening cash and equivalents 5,322 4,125 4,125 3,344 3,743 1,254
Closing cash and equivalents 5,372 5,051 5,322 4,125 3,344 3,743


CONSOLIDATED BALANCE SHEETS

Columns ($000’s): May 31, 2013 and 2012; February 28, 2013, 2012, 2011, and 2010.

ASSETS

Current Assets
Cash and cash equivalents 5,372 5,051 5,322 4,125 3,344 3,743
Receivables 3,413 3,488 4,113 4,362 5,194 4,519
Inventory 4,175 3,744 4,221 4,119 4,125 3,281
Deferred tax 644 677 629 1,212 565 461
Prepayments and other 658 741 259 281 279 220
Total current assets 14,262 13,701 14,544 14,099 13,507 12,224

Property, plant and equipment at cost 17,571 18,004 17,490 17,835 15,254 13,797
Less accumulated depreciation (10,942) (9,552) (10,713) (9,319) (8,978) (8,610)
Net property, plant, and equipment 6,629 8,452 6,777 8,516 6,276 5,187
Goodwill 1,047 1,047 1,047 1,047 1,047 1,047
Other intangibles 800 20 801 22 59 110
Other assets 733 457 665 479 550 352
Total Assets 23,471 23,677 23,834 24,163 21,439 18,920

LIABILITIES AND STOCKHOLDERS’ EQUITY

Current Liabilities
Payables 1,246 924 1,999 1,356 1,541 878
Accruals and deferred income 2,538 1,314 2,897 1,570 1,528 1,814
Dividend payable 669 676 668 616 607 603
Total Current Liabilities 4,453 2,914 5,564 3,542 3,676 3,295
Deferred income taxes 859 1,862 882 1,885 1,109 894
Total Liabilities 5,312 4,776 6,446 5,427 4,785 4,189

Stockholders’ Equity
Common stock and additional paid in capital 7,905 8,676 7,741 8,898 8,242 7,807
Retained earnings 9,153 10,225 8,642 9,838 8,412 6,924
Noncontrolling interest 1,101 0 1,005 0 0 0
Total Stockholders’ Equity 18,159 18,901 17,388 18,736 16,654 14,731
Total Liabilities and Stockholders’ Equity 23,471 23,677 23,834 24,163 21,439 18,920


QUESTIONS

The following questions are intended to guide discussion about Blue Wood and how such a company can face up to and deal with issues of risk management throughout the enterprise. The questions are not necessarily exhaustive for the case and it is intended that examination and discussion can be developed further if desired.

Discussion can center on the importance of culture within an organization, how to change it, how to set priorities, how much is possible and how fast, as well as the related costs and benefits.

1. What are the prospects and consequences for Blue Wood if it carries on the way it has been?

2. Are corporate objectives and strategy important and if so, why?

3. Discuss why and how either an FRM (financial risk management) or an ERM framework might benefit a company like Blue Wood.

4. What are the main challenges in developing and implementing a risk management framework for Blue Wood? How does the ownership structure affect these challenges?

5. If the company is to develop a risk management framework, who should lead the process? Should a Chief Risk Officer (CRO) be appointed? If so, to whom should he/she report and have access to? How could smaller companies without the resources for a dedicated CRO deal with ERM? What is the role for the board in such a process?

6. Should Blue Wood hedge its exposures to commodities and foreign currencies? If so, how should it go about hedging; for example, in terms of:
   • managing, monitoring, and evaluating the hedging program
   • amounts hedged
   • time horizon of the hedges
   • instruments used
   • budget for option premiums
   • accounting and reporting the hedging program

7. Are there other areas where Blue Wood should consider a risk management program?

NOTES

1. “Fair trade” products are food products that are marketed under the auspices of a Fair Trade organization. A core objective of the organization is to promote better prices and working conditions, and secure the rights of food producers and workers in developing countries. The food is packaged with the distinctive Fair Trade logo. This branding has become popular among consumers having a social conscience.

2. See: http://sugarcane.org/global-policies/policies-in-the-united-states/sugar-in-the-united-states. See also, for example, www.nytimes.com/2013/10/31/us/american-candy-makers-pinched-by-inflated-sugar-prices-look-abroad.html?_r=0 and http://commodities.about.com/od/researchcommodities/a/The-Two-Sugar-Markets-Us-Sugar-And-World-Sugar.htm.

3. NYSE Euronext contract summary: https://globalderivatives.nyx.com/products/commodities-futures/C-DLON/contract-specification.

4. ICE contract summary: https://www.theice.com/productguide/ProductSpec.shtml?specId=7.

5. http://usda01.library.cornell.edu/usda/current/sugar/sugar-05-23-2013.pdf.

ABOUT THE CONTRIBUTORS

Stephen McPhie, CA, in his current position as partner of RSD Solutions Inc., advises businesses internationally on various aspects of financial strategy and risk mitigation. From 2000 to 2004, Stephen worked in London for Italy’s largest bank. In the financial engineering group, he successfully created innovative cross-border financing structures that included private equity instruments with embedded derivatives. Previously he structured and distributed primary market debt and traded distressed and near-par debt in secondary markets. Prior to 2000, Stephen held various positions in the United States, Canada, and the United Kingdom with a “big five” Canadian bank. His experience stretches from structuring and distributing leveraged and investment grade corporate transactions to relationship management, par and distressed secondary market trading, structured credit derivative products, workouts and credit and financial mandates, structuring and negotiating transactions (including leveraged, project finance, and recapitalization of distressed situations), as well as negotiating complex legal documentation.

Stephen holds a BA in economics from Heriot-Watt University in Edinburgh, Scotland, and has qualified as a Chartered Accountant in both the United Kingdom and Canada. In this respect he worked for one of the large accounting firms carrying out assignments in the fields of audit, consultancy (including business valuations), and taxation.

Rick Nason, PhD, CFA, has an extensive background in the capital markets and derivatives industry, having worked in equity derivatives and exotics, credit derivatives, and capital markets training in a senior capacity at several different global financial institutions. Rick is a founding partner of RSD Solutions, a risk management consultancy that specializes in financial risk management consulting and training for corporations, investment funds, and banks. Dr. Nason is also an Associate Professor of Finance at Dalhousie University in Halifax, Nova Scotia, where he teaches graduate classes in corporate finance, investments, enterprise risk management, and derivatives. He has been awarded several teaching awards as well as being selected MBA Professor of the Year several times. His research interests are in financial risk management, enterprise risk management, and complexity.

Rick has an MSc in physics from the University of Pittsburgh and an MBA and a PhD in finance from the Richard Ivey Business School at the University of Western Ontario. Additionally, he is a Chartered Financial Analyst charterholder. In his spare time he enjoys practicing risk management principles as he plays with his collection of pinball machines.


CHAPTER 19

Kilgore Custom Milling

RICK NASON, PHD, CFA
Partner, RSD Solutions Inc., and Associate Professor of Finance, Dalhousie University

STEPHEN MCPHIE, CA
Partner, RSD Solutions Inc.

This case study provides a broad spectrum of issues—both opportunities and potential threats—that arise from creating growth opportunities. Many risks can be explored and debated as part of various approaches to enterprise risk management (ERM), including using strengths, weaknesses, opportunities, and threats (SWOT) analysis and risk profiles. In particular, this case focuses on financial risk management as taught in Chapter 14, “Market Risk Management and Common Elements with Credit Risk Management,” in Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives, edited by John Fraser and Betty J. Simkins (John Wiley & Sons, 2010). Thus, teachers of ERM can focus at the corporate level and include all risks, or delve more specifically into financial risks, or go even more specifically into liquidity or foreign exchange risks.

BACKGROUND

“Hope is not a risk strategy! Wishful thinking is not the best we can do, and furthermore we can’t repeat the mistakes of the past if we want to move to the next level. We need to think this through more carefully!” Cathy Williams was growing ever more tired and frustrated. She and her four-person treasury team had been struggling with various aspects of the new supply contract for weeks, and all that remained was how the company would hedge the resulting currency risk. This issue had been highlighted as part of the management team’s discussions about risk management generally, and it was still an issue as to how this aspect of currency hedging would fit into the firm’s attempt at creating an enterprise risk management framework. As she sat with her boss, Steve MacLinden, and the rest of the company’s senior management team, it was clear that they were not any further ahead than they had been when the financial hedging strategy meeting began over two hours ago.

Kilgore Custom Milling was a small private manufacturer of power window assemblies for automobile manufacturers’ plants based in southern Ontario, Canada. Just over a year ago, as part of a strategic planning session, the company made a decision to seek out contracts to supply plants in the United States. Due to the successful efforts of the entire management team, they were in the final stages of finalizing a contract to supply a Japanese car company that was expanding its operations in Michigan. The deal included a possible extension to supply a plant in Tennessee and one in Mexico that would be coming on line in nine months. Supplying plants in the United States was a major move for the company, a move it had tried before but which had produced results that almost bankrupted the company.

The process of securing the contract had been an exhausting exercise. The Japanese manufacturer involved was very thorough in its due diligence of its supplier agreements. Additionally, in the current economic manufacturing environment, the competition was tough. The five-year contract, with an option to extend to eight years, could potentially mean the difference between a supplier such as Kilgore staying in business and it failing. The operational and technical demands of the Japanese manufacturer were high, but the main point of competition was price, as several different suppliers had the necessary track records and operational platforms to satisfy the conditions and standards necessary to win. In the 1990s, Canadian manufacturers such as Kilgore could rely on the relatively weak Canadian dollar to help them win price-based contracts. That advantage was now gone with the Canadian dollar near parity to the U.S. dollar, and thus it was manufacturing ability and geographical placement that were key determining factors—along with the bottom-line pricing, of course.

The prospect of selling to a U.S.-based manufacturer for the first time in almost 25 years was very exciting, but also scary. Kilgore had supplied a U.S.-based plant in the late 1980s for a while, but exchange rate volatility had caused Kilgore trouble and had led to significant losses. As a result, Kilgore made a decision to stick with supplying Canadian-based manufacturers. Many of its competitors in the automotive supply industry continued to focus on supplying the large U.S. manufacturing plants. Over this period of time, the focus on Canadian sales had provided Kilgore with a stable and profitable stream of business. However, with the changing manufacturing strategies of global manufacturers after the 2008 financial crisis, Kilgore needed to rethink its own strategy.

The contract was to be finalized in less than a week, with shipments to begin in six months, but exactly how Kilgore Custom Milling was going to be able to deliver profitably on the contract was still in doubt. To be sure, the operational and manufacturing details were set, but the contract was finely priced based on the competition. Any hiccups in production or in managing the exchange rate risk could turn the five-year, and possibly eight-year, contract into a guaranteed loss for Kilgore.

“Okay, I think we should all take a break for the weekend and tackle this with fresh minds on Monday,” said Steve MacLinden, the CEO and cofounder of the company. “That’s just great,” thought Cathy. “What he really means is that I have to spend the weekend coming up with a solution for first thing Monday!” With that the meeting broke up with pleasantries exchanged for everyone to have a nice weekend—a weekend that Cathy knew she would be spending coming up with a workable plan for managing the currency risk that Kilgore would be taking on with this new phase of the company’s evolution.


KILGORE CUSTOM MILLING

Kilgore Custom Milling began in late 1980. Steve MacLinden and a fellow business school graduate were wondering what sort of a career they should embark on when they came up with the idea of getting into manufacturing. Before earning his MBA, Steve had worked for five years with a major accounting firm. He went back to business school looking for a way to expand his horizons and thinking he wanted to work in marketing for a multinational company. Upon graduation, however, he thought it might be more of an adventure to be his own boss as an entrepreneur. Along with a classmate, Steve began to explore opportunities. With a government grant for young entrepreneurs, monies from an inheritance, and loans from family and friends, the two young men were able to buy a working tool and die company that had 11 employees; it made custom parts for various repair shops and had a few small contracts with various manufacturing companies. Steve was a big fan of the novelist Kurt Vonnegut, so they renamed the company Kilgore Custom Milling after a recurring character who appeared in several Kurt Vonnegut novels.

For the first few years the company struggled and relied on heavy levels of bank debt and personal loans to stay in business. Steve’s business school buddy wanted out as a partner and sold his interest to Steve for a single dollar and a release from the debt obligations of the company. By then the workforce was down to four employees on a full-time basis who were supported by the occasional hiring of short-term contract workers when the work orders required them. While the company started to eke out a very modest profit, its long-term viability was far from guaranteed. It was at this point that the company caught a lucky break when a fire at a competing small auto parts manufacturer caused the latter to cease production for two months. Kilgore stepped in and secured a contract to become a short-term supplier of parts required for power windows in automobiles. That contract provided a springboard for further contracts, and soon the operations and business of the company were streamlined to focus solely on power window assemblies for direct supply to several auto manufacturers based in southern Ontario. The company grew to employ 128 workers at the company’s two manufacturing facilities and a separate warehouse facility. Recent financial statements for Kilgore are provided in Exhibit 19.1.

The production of power window assemblies was a relatively simple task, and the technology was widely available and considered a commodity. The production of a power window consisted of a small electric motor (which Kilgore purchased from a variety of Canadian suppliers), a support bar on which the glass rode, a series of gears, and a variety of metal and plastic components to ensure smooth operation. See Exhibit 19.2 for an illustration of a power window assembly.

Kilgore became a relatively successful manufacturer in the original equipment manufacturer (OEM) field mainly because of its focus on low-cost manufacturing, which in large part was due to the relatively large pool of skilled manufacturing workers available in the Windsor area of southwest Ontario.

Based in southern Ontario, which was also home to the majority of Canada’s OEM industry, Kilgore had ready access to labor and, based on operational efficiencies and a focus on a single product, also had a low cost of manufacturing. Indeed, since power window assemblies were low-tech and considered a

Exhibit 19.1 Kilgore Custom Milling Financial Statements

INCOME STATEMENT (CAD MM)

Columns: 12/31/12, 12/31/11, 12/31/10, 12/31/09.

Net sales 204.8 184.8 154.6 158.4
Costs of goods sold 190.1 169.4 141.0 141.3
Selling, general, and administrative expenses 8.6 8.9 7.8 8.9
Operating income 6.0 6.5 5.8 8.2
Interest expense 2.9 2.5 2.4 2.4
Net nonoperating loss (gain) 2.3 0.0 0.0 0.0
Income tax expense 0.1 1.0 1.0 1.7
Net income 0.6 3.0 2.3 4.1
Common dividend (total cash) (0.6) (2.3) (2.3) (2.9)
Opening retained earnings 19.1 18.4 18.4 17.2
Closing retained earnings 19.2 19.1 18.4 18.4

CASH FLOW STATEMENT (CAD MM)

Columns: 12/31/12, 12/31/11, 12/31/10, 12/31/09.

Operating activities
Net income 0.6 3.0 2.3 4.1
Depreciation 5.1 4.8 4.7 4.6
(Gain)/loss on fixed asset disposals 0.5 0.1 0.0 (1.9)
Cash from/used for working capital 3.7 (1.5) 0.1 (4.6)
Cash from operating activities 9.9 6.5 7.2 2.2

Investing activities
Additions to fixed assets (6.5) (3.4) (1.9) (1.9)
Fixed asset disposal proceeds 1.4 0.0 0.6 1.9
Other LT assets (13.7) (3.0) (10.8) (4.2)
Cash used for investing activities (18.8) (6.4) (12.1) (4.1)

Financing activities
Short-term borrowings 3.0 0.0 0.0 0.0
LT borrowings (0.8) (0.8) (0.8) (0.5)
Other LT liabilities 8.6 0.1 1.6 0.7
Dividend paid (0.6) (2.3) (2.3) (2.9)
Cash from/(used for) financing activities 10.2 (3.0) (1.5) (2.7)

Net cash change in year 1.3 (2.9) (6.5) (4.6)
Opening cash balance 3.0 6.0 12.5 17.1
Closing cash balance 4.3 3.0 6.0 12.5


Exhibit 19.2 Power Window Assembly Source: www.monsterauto.com.

commodity, cost factors largely dictated the degree of success of a firm in winning orders from the major auto manufacturers.

A second competitive factor was quality. Power window assemblies were not seen by the car purchaser, and thus cosmetics, fit, and finish were not an issue. However, a faulty assembly was expensive to repair and considered a serious and annoying quality flaw by car buyers. Although not a drive-train part, the power window was still a moving part and could experience relatively heavy or abusive use. Thus a reputation for building sturdy and reliable quality parts was a key aspect of winning supply bids. With an experienced and dedicated workforce, Kilgore had built an enviable reputation as a reliable supplier of quality assemblies. However, given the simplicity of the technology, this was a difficult competitive advantage on which to differentiate the company from its competitors. The technology of window assemblies had changed little in the past 10 years and was not expected to change much going forward.

A third competitive factor for Kilgore was its philosophy of “sticking to its knitting,” a favorite phrase of Steve MacLinden. Before settling on the manufacture of power windows, Kilgore had tried custom manufacturing as well as an expansion of the types of components manufactured for the OEM industry. The operational and financial results were mediocre at best. With a small management team and no special expertise in operations management, the operational and innovation demands of nonspecialization proved too challenging for Kilgore to manage successfully.

An additional argument for “sticking to its knitting” was Steve’s lack of a background in engineering or operations. By staying with the production of a commodity product that was sold on the basis of cost and reliability and not innovation or changing functionality, Kilgore did not have to concern itself as much with the ongoing maintenance of a joint venture type of relationship with its customers. Participating in the major industry trade shows and Steve’s natural inclination toward sales were generally enough contact with customers to keep Kilgore in the loop and competitive. In this way Kilgore was able to fly below the radar of the large consolidated OEM manufacturers and survive within its niche.

In terms of its own suppliers, Kilgore utilized Canadian specialty manufacturers and raw metal suppliers. This kept the company’s own supply issues simple, and allowed it to work with lower levels of inventory, which in turn helped alleviate at least some of its cash flow problems. For heavy demand periods, many potential U.S.-based suppliers existed, but had been used only sparingly. Buying in bulk from Asian suppliers was attractive in terms of pricing, but financing such transactions was difficult and Steve preferred having strong local connections in case any issues arose. Steve was well aware of the horror stories that were common in the industry of trying to fix a problem with a foreign supplier who spoke a different language, was in a time zone that was different by 12 hours, and was at least an 18-hour plane flight away from a potential meeting. Additionally, the use of foreign suppliers complicated exchange rate transactions, which was another management hassle that historically the management team did not feel was justified or necessary. Going forward, Steve believed that Kilgore’s existing suppliers would be able to fulfill the company’s increased needs with the new contract.

THE MANAGEMENT TEAM

The management team at Kilgore was led by Steve MacLinden, who was now in his late fifties; his role was that of owner and chief executive officer. Although he participated in all major decisions of the company, he basically left the day-to-day operations of the company to the rest of the management team and focused on customer relationships and making sure the company kept a good profile in the industry.

Another member of the senior management team was Rory Sullivan, who was in his late sixties and was a long-term veteran of auto manufacturing. Rory had an engineering background and had worked his way up to plant manager for one of the big three auto manufacturers before joining Kilgore upon his retirement. Rory was responsible for all manufacturing and plant operations.

Casey Dobbelstyn was the youngest and also the newest member of the management team. Casey, who had a background in international heavy equipment sales, was in charge of sales and client relationships. He also managed supplier relationships.

Completing the management team was Cathy Williams, who was the treasurer and de facto chief financial officer. After graduation from university, Cathy started her career with one of the large accounting firms and quickly obtained her Chartered Accountant qualifications. However, rather than continue within the confines of a large firm, Cathy set up a small independent accounting firm with a few like-minded colleagues so she could focus on her family and maintain what she believed was a better work/life balance. When her children started in university, Cathy returned to a large accounting firm where she was involved in a number of different accounting and auditing roles. She was being considered for partnership in the accounting firm when she was approached three years ago by her B-school acquaintance Steve MacLinden to fill the vacancy of treasurer at Kilgore. Cathy was easily persuaded that life in a large firm was not for her and jumped at the chance to embark on what she considered a more challenging future and one where she could help shape strategy. Cathy had built up the treasury team from two to five persons, including herself, and had gained the respect of all team members as smart and capable. One of her major decisions as treasurer was to implement a cash management system that significantly helped to reduce, but not eliminate, the chronic cash flow problems that plagued Kilgore. She also played a major role in Kilgore’s decision to implement enterprise risk management that was a slightly modified version of ISO 31000.

THE COMPANY

Kilgore is a private company 100 percent owned by Steve MacLinden. Steve’s long-term plan is to exit the business when he is ready to retire in probably five to 10 years. Steve’s only child is a daughter who has gone into acting and has no desire to join the company. Therefore, Steve’s view is that the company must either be sold to one of the large publicly traded OEM manufacturers or be floated as a public company as a way for him to exit the company profitably. Either way, the next few years would be pivotal in ensuring that the business is on a sound footing and increasingly profitable, and hence has an enhanced exit value. It is also in his plans, if possible, to leave a portion of the company through a share distribution to the employees who stayed with him throughout the years and who helped him keep the company a going concern.

The main focus of the company had always seemed to be cash flow management. While the business had managed to be profitable on an accounting basis over the past five years, it seemed that Kilgore was always short of cash at critical times of the year. In part this was due to thin margins and generous payment terms demanded by the auto manufacturers that were Kilgore’s key clients. With tight market conditions, the major auto manufacturers were able to demand and get extended payment terms. Thus management of cash flow was a key function for Cathy Williams and her treasury team to focus on. While economic conditions in the automobile industry had improved dramatically since the depths of the 2008 financial crisis, banks were still wary of extending operational lines of credit. Many industry observers felt that the overall market conditions were still shaky and the recent increase in automobile sales and profits might be a consequence of necessary replacement of aging vehicles, rather than a sustained improvement in the mind-set of consumers, as many consumers delayed new car purchases as a result of the 2008 crisis. A chart of U.S.-based auto sales is shown in Exhibit 19.3.

The new U.S. auto supply contract held the risk of dramatically increasing the concerns about cash flow management. While the addition of accounting and control systems that Cathy and her team had implemented had improved the cash flow situation significantly, the net profit margins were still quite tight. The added uncertainty of exchange rate fluctuations might throw things out of balance, and the company would be forced to scramble on a monthly basis to make payroll as it had done previously.

THE NEW CONTRACT

The new contract would dramatically increase the existing sales of Kilgore, and if all of the embedded options were exercised, the effect on Kilgore could be an additional increase in sales over the next five years of more than 100 percent. In terms of the potential for enhancing the valuation of Kilgore, and Steve’s considering liquidating at least some of his sole ownership in the company in 5 to 10 years, the timing of the deal could not be better.

Exhibit 19.3 U.S. Monthly Auto Sales, Millions of Units (chart not reproduced; monthly series from 12/2000 to 1/2013, vertical axis 0 to 25 million units). Source: Bloomberg LLC.

While the technical specifications of the contract seemed highly complex and exacting, they basically laid out the design specifications for power window assemblies that Kilgore had extensive experience in producing. Some of the more complex parts of the contract dealt with unexpected, but potential, implications of significant design and production changes. In essence the contract had provisions that compensated Kilgore for any necessary modifications in the technical details of what would be produced. Thus, in terms of operational risk, it was felt that the contract was of low risk to Kilgore. While changes would have to be made to manufacturing processes and capacity, it was expected that these would proceed relatively smoothly given Rory’s experience.

The more troubling aspects of the contract were financial, and more specifically the need to manage the financial risk. Under the terms of the contract, all proceeds to Kilgore were to be in U.S. dollars, even though virtually all of Kilgore’s expenses were in Canadian dollars. The Japanese car manufacturer was setting up a plant to supply the U.S. market and in turn demanded that all supply contracts also be denominated in U.S. dollars. Part of the reason for doing so was to mitigate its own potential cyclical profitability due to exchange rate cycles. A second reason was the need for geographic diversity. The 2011 earthquake and tsunami in Japan had exposed a weakness of basing too much of a company’s supply chain within a single region. While it wanted to diversify its supply chain across North America and utilize not only U.S. but also Mexican and Canadian suppliers, it did not want to incur currency risk.

Exhibit 19.4 USD/CAD Exchange Rate (chart not reproduced; monthly series from 11/2000 to 11/2012, vertical axis 0.00 to 1.20). Source: Bloomberg LLC.

Additionally, the contract had several built-in options whose exercise would benefit the Japanese manufacturer. For example, the contract could be extended by an additional three years. While there were provisions for payment of development expenses of retooling for any unforeseen model changes, the base profit margin in U.S. dollars was fixed. A second option embedded in the contract would allow the Japanese manufacturer to increase the number of units bought per year by up to 50 percent at the same fixed price. If the full range of options were exercised, this one supply contract would comprise almost 60 percent of Kilgore’s total sales.

A major concern of Cathy Williams was the potential profitability of the contract, particularly when the embedded options were considered. With current U.S./Canadian dollar exchange rates, the contract was relatively profitable for Kilgore. Cathy calculated that there was approximately an 8 percent net profit margin built into the contract, which was only slightly below industry standards. The lower profit margin was considered to be a trade-off for the longer-term stability of the contract. However, a shift to a stronger Canadian dollar could quickly eliminate any profitability and potentially even lock Kilgore into a long-term loss. A chart of the history of the USD/CAD exchange rate is shown in Exhibit 19.4. Of particular concern was the potential for the Canadian dollar to creep above par as it had done periodically over the past five years.

A second concern was the potential for any inflation differentials between Canada and the United States. The contract had a built-in quarterly pricing adjustment based on the U.S. Producer Price Index (PPI). Kilgore’s manufacturing costs, however, were more closely linked to the Canadian PPI, particularly as Kilgore’s union contract was linked to Canadian PPI, as were the union contracts of most of its own suppliers. While the U.S. PPI and the Canadian PPI were closely linked, the relationship was not perfect. Political events on either side of the border could potentially change the economics of the deal for Kilgore. The respective PPIs for the United States and for Canada are shown in Exhibit 19.5.

Exhibit 19.5 U.S. and Canadian Producer Price Indexes (chart not reproduced; two series, CDN PPI and US PPI, from 12/2000 to 1/2013, vertical axis -10 to 12). Source: Bloomberg LLC.

If the full range of embedded options were exercised, and if exchange rates or inflation differentials moved adversely, the contract could potentially lock Kilgore into a long-term loss and essentially scuttle any plans to take the company public or to sell it as a going concern. Conversely, if the profitability of the contract could be maintained, it had the potential to significantly alter the profitability of Kilgore and give it the scope and economy of scale necessary to seek out other opportunities and to provide Steve MacLinden with a very attractive valuation for his company.

THE FINANCIAL RISK MANAGEMENT MEETING

To deal with the financial risk arising from the new contract, Cathy and her team had been discussing the issues and ideas for managing them with Steve since the start of negotiations with the Japanese manufacturer. Everyone recognized the central importance of getting the risk management strategy right, even if the nuanced details of how to hedge created a series of quandaries. That led to Steve bringing in Rory and Casey to apply a fresh perspective to the problem. However, they proved to be of limited help, and Cathy thought they made the discussion regress with their questions about how the various hedging products worked.

Up until now, Kilgore did not have to concern itself much with currency hedging. With sales and expenses almost exclusively in Canadian dollars, there was little need for it. Likewise, the low Canadian dollar from the mid-1990s through 2004 had meant that the threat of U.S.-based suppliers entering the Canadian OEM market was minimal. That all changed of course with the new contract and with the Canadian dollar close to par with the U.S. dollar.

Cathy and her team had been discussing the various issues and how best to handle them for a couple of weeks, but in the process they were generating more questions than answers. That had precipitated the meeting with the management team that had begun two hours before. Steve was a little lost, and frankly intimidated by the choices that Cathy and her team had put forward. While conceptually Steve understood options, forwards, and swaps, the details and the implications of using the different contracts were confusing to him. Deep down he liked making things and selling things, and preferred to leave the finer financial details to others.

Casey, the sales manager, for the most part stayed out of the discussion. He felt that currency risk was something that was beyond both his control and his area of expertise. However, he did appreciate how a sound hedging strategy could give him an edge in negotiating new sales contracts with other foreign customers.

Rory, however, pounced on the opportunity to give his opinion about a hedging strategy. He liked the certainty of cost projections and believed that entering into long-term swap contracts would be best. He particularly favored doing a currency swap, which would allow Kilgore to fix the exchange rate at which it would exchange a set amount of U.S. dollars for Canadian dollars throughout the period of the contract. Cathy, however, was concerned that it could lock them in too much and potentially eliminate the opportunity for bigger upside profits. Casey at this point wondered aloud if it was possible to just hedge 50 percent of the size of the contract: “That way we will be right on at least half of the hedge.” Cathy just glared at him for that comment, and thus Casey remained quiet thereafter.

There was also the issue of how to structure a swap to account for the embedded options in the manufacturing contract. If the options in the manufacturing contract were exercised by the customer, a standard swap could leave Kilgore exposed at unfavorable rates. Conversely, if Kilgore entered into swaps expecting the contract options to be exercised and they weren’t, then it exposed Kilgore to being overhedged.

While he didn’t fully appreciate all the nuances, Steve did recognize that they could be at a significant disadvantage on new contracts to U.S. competitors (and even Asian competitors) if the Canadian dollar appreciated in the long term and they were locked into a long-term currency swap agreement. This could dramatically affect the value of any exit strategy he might choose.

Cathy explained that an alternative to a swap would be to use short-term forward contracts. These would have to be rolled over on a frequent basis due to their shorter term; however, they would provide more flexibility and would not lock in Kilgore for more than a year, or even less if shorter-term contracts were utilized. However, this created a new form of uncertainty as rates on forwards several years into the contract would be unknown, and thus Kilgore could be locking in at either more advantageous or more disadvantageous rates in future hedges. There was also the concern that doing forwards or swaps would use up Kilgore’s borrowing capacity at the bank. Having financial flexibility and borrowing capacity would be crucial until Kilgore got a handle on the cash flow implications. For this reason Cathy and her team explored the use of currency futures contracts. While these contracts had the advantage of being exchange traded, the maintenance of margin requirements would be another issue for Cathy’s team to manage, to say nothing of the potential short-term implications of margin calls on cash flow concerns.

A third alternative was to use currency options. The advantage of options is that they would provide the most flexibility and would permit Kilgore to have windfall gains from advantageous movements in the Canadian dollar. This advantage, however, was offset by the fact that options incur an up-front cost—a cost that Rory argued would eat into the profitability of the contract. Belinda, a member of Cathy’s team, had made some initial inquiries with Kilgore’s bankers and calculated that the cost of three-month currency put options on the U.S. dollar would be approximately 1.3 percent of the notional amount of the contract.
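The trade-offs the team is debating (a fixed-rate swap or forward, Casey's half hedge, the put option at 1.3 percent of notional, and the customer's embedded option to lift volume by 50 percent) can be put into numbers. The following Python model is an added illustration, not part of the case; the 8 percent margin, the 1.3 percent premium and the 50 percent volume option come from the text, while the contract notional, a signing rate at par, the spot-rate scenarios and the hedge sizes are assumptions.

```python
"""Scenario model for the Kilgore hedging discussion.

Added illustration, not part of the case. Figures taken from the case: an
8 percent net margin at the rate the contract was priced, a three-month USD
put costing 1.3 percent of notional, and an embedded option to lift volume by
50 percent. Everything else (notional, signing rate at par, spot scenarios,
hedge sizes) is a constructed assumption.
"""
from dataclasses import dataclass

BASE_MARGIN = 0.08     # net margin at the signing rate (case figure)
PUT_PREMIUM = 0.013    # USD put premium as a fraction of hedged notional (case figure)
SIGNING_RATE = 1.00    # CAD per USD when the contract was priced (assumed: near par)


@dataclass(frozen=True)
class Outcome:
    """Cash result of one contract period, in Canadian dollars."""
    revenue_cad: float
    cost_cad: float

    @property
    def profit_cad(self) -> float:
        return self.revenue_cad - self.cost_cad

    @property
    def margin(self) -> float:
        return self.profit_cad / self.revenue_cad


def cad_cost(actual_usd: float) -> float:
    """Kilgore's CAD costs, priced to leave BASE_MARGIN at the signing rate."""
    return actual_usd * SIGNING_RATE * (1.0 - BASE_MARGIN)


def breakeven_spot() -> float:
    """CAD-per-USD rate at which an unhedged contract earns nothing."""
    return SIGNING_RATE * (1.0 - BASE_MARGIN)


def unhedged(actual_usd: float, spot: float) -> Outcome:
    """Steve's 'hope for the best': every USD receipt is sold at spot."""
    return Outcome(actual_usd * spot, cad_cost(actual_usd))


def forward_hedge(actual_usd: float, hedged_usd: float, spot: float,
                  fixed_rate: float) -> Outcome:
    """Swap or rolled forwards: hedged_usd is exchanged at fixed_rate.

    If the customer exercises its volume option, receipts above hedged_usd are
    sold at spot (underhedged). If it does not and Kilgore hedged the larger
    amount, the shortfall must be bought at spot to deliver (overhedged). One
    expression covers both, since (actual - hedged) is negative when overhedged.
    """
    revenue = hedged_usd * fixed_rate + (actual_usd - hedged_usd) * spot
    return Outcome(revenue, cad_cost(actual_usd))


def put_hedge(actual_usd: float, hedged_usd: float, spot: float,
              strike: float) -> Outcome:
    """USD put (right to sell USD at strike): a floor on the rate, premium paid up front."""
    premium_cad = hedged_usd * PUT_PREMIUM * SIGNING_RATE  # paid at signing, in CAD
    payoff_cad = hedged_usd * max(strike - spot, 0.0)      # worth something only if CAD strengthens
    return Outcome(actual_usd * spot + payoff_cad, cad_cost(actual_usd) + premium_cad)


def scenario_table(base_usd: float, spots) -> dict:
    """Margin per strategy for each spot rate, with and without the +50% option exercised."""
    rows = {}
    for exercised in (False, True):
        actual = base_usd * (1.5 if exercised else 1.0)
        for spot in spots:
            rows[(exercised, spot)] = {
                "unhedged": unhedged(actual, spot).margin,
                # Rory's swap, sized on base volume only
                "swap_base": forward_hedge(actual, base_usd, spot, SIGNING_RATE).margin,
                # swap sized as if the volume option will be exercised
                "swap_full": forward_hedge(actual, base_usd * 1.5, spot, SIGNING_RATE).margin,
                # Casey's half hedge
                "swap_half": forward_hedge(actual, base_usd * 0.5, spot, SIGNING_RATE).margin,
                # put on base volume, strike at the signing rate
                "put_base": put_hedge(actual, base_usd, spot, SIGNING_RATE).margin,
            }
    return rows


if __name__ == "__main__":
    print(f"unhedged break-even: {breakeven_spot():.2f} CAD per USD")
    table = scenario_table(10_000_000, (0.90, 1.00, 1.10))  # constructed notional and spots
    for (exercised, spot), margins in table.items():
        label = "option exercised" if exercised else "base volume     "
        cells = "  ".join(f"{k}={v:+.1%}" for k, v in margins.items())
        print(f"{label}  spot={spot:.2f}  {cells}")
```

With the assumed inputs the unhedged contract breaks even at 0.92 CAD per USD, so an 8 percent rise in the Canadian dollar wipes out the margin, and a swap sized for the full option volume gives up most of the gain if the option is not exercised and the U.S. dollar strengthens.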

A host of other issues remained to be examined as well. There were several operational issues such as who would be responsible for managing the hedges and choosing counterparties. There was also an issue of how any financial risk would be accounted for in the company’s slowly developing commitment to an enterprise risk management framework.

It was near the end of the meeting when Steve asked if it was reasonable to not hedge at all and just “hope for the best.” “After all,” he added, “if things work out as they have been going, the contract should be quite profitable as it is. Why mess with something until it is broken?” That comment led to Cathy emphatically stating that “Hope is not a risk strategy!”

Therefore, there was a multitude of issues. The main concerns from Cathy’s point of view were: (1) what products should be used to hedge the exchange rate risk, (2) whether the company should hedge the full exposure, (3) who should make the hedging decisions and take ultimate responsibility for them, (4) whether the company should use exchange-traded products or over-the-counter bank products, (5) how they should take into account the embedded options in the contract, and (6) how they should assess the effectiveness of the hedging that they were doing—what reports would they need to produce, and how would the analysis fit into an ERM framework? Cathy suspected that there were other issues, but these seemed to be the main issues that the discussions seemed to be coming back to.

Leaving the meeting, Cathy knew there were more loose ends than solutions. She needed to build a financial risk management process that was effective, easy to operate, and easy for everyone to understand. It also had to see the company through to the conclusion of the contract and any other long-term plans that Steve had for the company, and for himself. There was a lot riding on this, both for the company and for her career.

QUESTIONS

1. Assume that the management team has hired you to advise them on their overall risk profile and has asked you to prepare a SWOT analysis for their review and as input to the upcoming strategic planning session. What would you put into your analysis? Additionally, how does your analysis affect the risk management strategies that Kilgore might choose to utilize?

2. What are the main financial risk management issues that Cathy and the rest of the management team at Kilgore need to focus on?

3. What kind of a financial risk management strategy would you create to solve those issues?


4. What are the major opportunities and downside risks with the hedging framework that you suggest?

5. Besides hedging the Japanese manufacturer contract, how else might Kilgore effectively use financial risk management?

6. What factors need to be considered when integrating financial risk management into an enterprise risk management framework?

ABOUT THE CONTRIBUTORS

Rick Nason, PhD, CFA, has an extensive background in the capital markets and derivatives industry, having worked in equity derivatives and exotics, credit derivatives, and capital markets training in a senior capacity at several different global financial institutions. Rick is a founding partner of RSD Solutions, a risk management consultancy that specializes in financial risk management consulting and training for corporations, investment funds, and banks. Dr. Nason is also an Associate Professor of Finance at Dalhousie University in Halifax, Nova Scotia, where he teaches graduate classes in corporate finance, investments, enterprise risk management, and derivatives. He has been awarded several teaching awards as well as being selected MBA Professor of the Year several times. His research interests are in financial risk management, enterprise risk management, and complexity.

Rick has an MSc in physics from the University of Pittsburgh and an MBA and a PhD in finance from the Richard Ivey Business School at the University of Western Ontario. Additionally, he is a Chartered Financial Analyst charterholder. In his spare time he enjoys practicing risk management principles as he plays with his collection of pinball machines.

Stephen McPhie, CA, in his current position as partner of RSD Solutions Inc., advises businesses internationally on various aspects of financial strategy and risk mitigation. From 2000 to 2004, Stephen worked in London for Italy’s largest bank. In the financial engineering group, he successfully created innovative cross-border financing structures that included private equity instruments with embedded derivatives. Previously he structured and distributed primary market debt and traded distressed and near-par debt in secondary markets.

Prior to 2000, Stephen held various positions in the United States, Canada, and the United Kingdom with a “big five” Canadian bank. His experience stretches from structuring and distributing leveraged and investment grade corporate transactions to relationship management, par and distressed secondary market trading, structured credit derivative products, workouts and credit and financial mandates, structuring and negotiating transactions (including leveraged, project finance, recapitalization of distressed situations, etc.), as well as negotiating complex legal documentation.

Stephen holds a BA in economics from Heriot-Watt University in Edinburgh, Scotland, and has qualified as a Chartered Accountant in both the United Kingdom and Canada. In this respect he worked for one of the large accounting firms carrying out assignments in the fields of audit, consultancy (including business valuations), and taxation.


CHAPTER 20

Implementing Risk Management within Middle Eastern Oil and Gas Companies

ALEXANDER LARSEN
Fellow, Institute of Risk Management (FIRM) and Honors Degree in Risk Management, Caledonian University, Glasgow, Scotland

This case study is based on real-life examples of Middle Eastern oil and gas companies where risk management has been put into place. The case study is a consolidation of the various approaches and captures the challenges of implementing risk management in the Middle East. For the purposes of this case study, the name MECO has been chosen to represent the numerous companies used to gather this data. Risk management has not yet been fully implemented in any of these companies, and they have had varying degrees of success. This case study is by no means intended to present a successful risk management implementation or best practices. Instead, it is meant to show the challenges in implementing and sustaining a successful program and the types of things that can lead to a breakdown of risk management.

COMPANY BACKGROUND

MECO is a national oil company established in 1940 when a Middle Eastern government granted a concession to a Western company in preference to a rival bid from a variety of Middle Eastern oil companies. It is among the world’s most valuable companies, with an estimated value of $5 trillion to $10 trillion (U.S. dollars). MECO has some of the largest proven crude oil reserves, and is one of the largest daily oil producers across more than 100 oil and gas fields in the Middle East.

Currently, MECO has an exclusive right to explore in key countries across the Middle East, although there has recently been a huge interest in entry to the countries by large international oil companies (IOCs). This interest comes despite the political unrest across the region and the constant threat of wars. Additionally, while in the past there has been little threat of IOCs receiving rights to explore, recently there has been pressure on MECO to improve efficiency, as it lags significantly behind the IOCs.

Despite having exclusive rights, there is also the concern about diminishing reserves, and therefore a key focus for the organization is exploration and finding new oil fields. This, alongside its strategic decision to expand through new ventures, from partnering with international oil companies to acquiring foreign companies, means that the organization is in a major state of change.

Being a government-run organization, one of its key objectives is to provide energy to the populations of the countries in which it operates. This is provided at no profit. Recently, there has been a boom in population alongside an increase in car ownership and country expansion plans, which have pushed MECO’s profits down. The more oil required to be delivered to the countries it operates in, the less oil there is to sell. This is another reason for the decision to expand and explore.

ORGANIZATION CULTURE

The culture of MECO is very much driven by its geography, history, and employees. Like many organizations in the region, being essentially a public-sector company, it is a large employer of Middle Eastern nationals while also relying heavily on a large expat population of which the majority are Westerners.1 This goes back to the organization’s origins of being a Western company in the 1940s.

The company provides highly secure and lucrative employment in which benefits are vast, and most expats stay until retirement. It is not unusual to meet expats who have been with the company for decades. The same goes for the local Middle Eastern employees, who have often been educated by MECO and have continued their careers within the organization, never having experienced working anywhere other than at MECO.

In terms of career progression, it is very much judged on age and years at the company as opposed to merit, while the majority of very senior positions go to local Middle Eastern employees.

There is an aging workforce, with most employees having been with the company for over 20 years and being reluctant to change. Their view tends to be: “We have made a profit for 70 years, so why do we need risk management?” Due to a number of reasons during the late 1990s and early 2000s, including an oil price crash and regional instability due to the war in Iraq, MECO went through a period of being unable to recruit, and as a result, the organization now has an employee demographic of many young local workers and aging expat workers, with little in between. Due to the highly secure employment environment, there is often a lack of drive, innovation, and progress in terms of career development, and this can lead to serious change management issues.

LOCAL CULTURE

From a local culture perspective, not wanting to lose face is often an issue that comes up, and very often admitting to having risks in your workplace is considered a failure to do your job successfully. This being the case, it is not unusual to find that certain parts of the organization like to portray themselves as having no risks.

Another key factor tends to be the fact that nobody wants to be the bearer of bad news, which goes back to losing face. There have been instances where people turned up for a meeting but key individuals ended up not attending. No advance warning was given by these key individuals, as it would have required them to “reject” the invitation, which is seen as negative.

Local culture is also very tribal, with a director having varying degrees of respect from employees or other directors based on their family ties. This can be a key area of opportunity for a risk management team trying to get buy-in for risk management if the team can capture the attention of the right directors. Tribalism also translates very often into the supply chain, where much of the supply chain is made up of regional players. While this can be advantageous in terms of having a good relationship with suppliers and allowing organizations to know who they are dealing with, it also opens up a huge risk of potential fraud.

There have been a few cases of fraud in Iraq and Kuwait that involved theft of oil through supply chains/relationships, or sabotage of foreign diesel shipments being delivered to project sites in order to ensure that organizations could get diesel only from local tribes.

It is important also to note that culturally, things move slowly and there is rarely a sense of urgency in getting work done; the locals prefer to put family, customs, and traditions first. What might seem like straightforward contract negotiations to more Western cultures will end up in long discussions and negotiations on various minor points of a deal over several long meetings. While this may seem counterproductive and unacceptable in Western organizations, it plays a key part in building up trust among business partners and allows for more flexibility and easier negotiations during later stages of a deal.

MECO STRUCTURE

The structure of MECO includes five business lines with about five administrative areas in each. Each administrative area then has divisions, and within these are departments.

For example, there may be an Operational Services business line that has Industrial Services as an administrative area. Within Industrial Services there may be a Marine division and an Aviation division, which both have fleets of either ships or airplanes being managed by various departments within their respective divisions. This provides an indication of the potential size in these divisions. For example, the Marine division and Aviation division are the size of some small to medium-sized companies that are in existence today.

MECO RISK MANAGEMENT BACKGROUND

Early in 2006, after concluding a study on enterprise risk management (ERM), the Management Committee requested that the ERM team pursue formal project risk management (PRM) as a pilot under the ERM effort within the project management department. Scoping of the pilot began in late 2006 with pilot completion in March 2008. Since 2006, the ERM team has also been following up with other parts of the organization, such as information technology (IT) on its development and implementation of risk management within its organization.

Both project management and IT put together policy and procedure documentation, which was signed off by their division heads, as well as setting up project teams within their departments. These teams included a full-time member and a few part-time members. Within both departments, a Risk Committee was set up that consisted of members from the division as well as department heads whose responsibility would be to escalate those risks that were deemed to be outside their control and to ensure that existing risks were being managed.

In both instances, the project teams eventually transitioned into risk management functions within each department and have now started looking at other aspects of risk such as business continuity and quantitative risk analysis.

The successful implementation of risk management within the project management and IT departments, which was reported in 2009, went a long way to convince the Management Committee to implement a companywide approach to ERM. This companywide approach would mirror the approaches taken in the two departments. In 2009, the CEO, after announcing himself as chief risk officer, instructed Internal Audit to champion ERM with the specific remit of identifying the company’s top risks from a bottom-up approach but without the use of consultants.2

Once work had been completed, it was expected that the risk management project team would come back to the Management Committee to report what the top 10 risks were.

In early 2010, Internal Audit put together an ERM project team made up of one full-time member and four part-time members (all with the title “auditor”). By the end of 2011, they had recruited a second full-time member, also under the title “auditor,” while the part-time members ceased to work with the team.3

The team was tasked with identifying the top risks facing the company from a bottom-up approach. The project leader did acknowledge that there should be some sort of framework in place and, despite not being part of the remit, he asked the team to consider a Risk Framework that could be suggested briefly to the Management Committee at the same time as the presentation of the top 10 risks. Assuming Management Committee agreement, this Risk Framework could then be implemented at a later date as part of a second phase.

It is important to note that in the Middle East it is commonplace to see risk management sitting within Internal Audit. This is mainly due to Internal Audit being among the first to be exposed to the concept of risk management as well as the fact that the major auditing firms see risk as a way to secure more business with their clients and will sell risk management as an auditing function. Approaches that would be frowned upon by these firms in Europe, Asia, or North America are widely accepted in the Middle East. This is also a major topic of argument between risk managers and auditing firms at ERM conferences across the region.

RISK MANAGEMENT PRACTICES WITHIN MECO

Information Technology

The risk management program has been in place for the past four years and has been driven by the vice president, who heads up Administrative Area 3 (see Exhibit 20.1) and sees the value in risk management. Each IT department identifies risk, and this forms part of the IT division’s risk register. This is then reported up to the administrative area through the IT Risk Committee and eventually to the vice president. This is the most advanced administrative area in MECO with regard to risk management; it has been improving its risk management capabilities consistently over the years, and continues to make improvements to the program.

Exhibit 20.1 MECO Corporate Organization Chart (chart not reproduced; boxes shown: MECO Corporate at the top, Admin Area 1, Admin Area 2 and Admin Area 3 beneath it, and the divisions Procurement, Finance, Project Management, Risk Management, Database, Security, Environmental, Contracts, Law and IT below the administrative areas).

Other divisions within Administrative Area 3, such as Law, have not yet started a risk management program. However, due to the success of IT’s risk management, the vice president has requested that other divisions take a lead from IT. IT will then work as consultants alongside the risk management project team and will be involved in setting it up throughout the administrative area.

IT has a Steering Committee, which oversees the risk to the division and escalates risks where appropriate (e.g., where they have no control of the risk or a decision needs to be made at a higher level). They ensure there is documentation in place as well as appropriate reporting lines.

The biggest risk that IT has is that of a severe cyber attack. Operations are linked to the main servers, which means that if the main IT system is down, that could affect operations, leading to a shutdown of facilities. This risk was identified and IT security was put in force in order to manage this risk. However, despite best efforts, there are about 150 hacking incidents a day, and not all of them are successfully stopped.

IT has 10 dedicated staff members, including their business continuity planning team, which is very strong for a division’s risk function and shows the support that the program has within Administrative Area 3. The risk management project team is hopeful that once all divisions within the administrative area have risk management in place, other administrative areas will follow suit and replicate their success.

Project Management

Project management was one of the pilot exercises for ERM within MECO. Risk management was introduced as a requirement for projects within the team, and Activity Risk Holder (ARH) was purchased as a result. ARH is a risk management software tool that allows risks and actions to be captured across an organization and projects.

Risks have been identified and assessed across a large number of projects over the past couple of years, and extensive documentation has been developed to support the process. This has mainly been built, developed, and managed by one project risk manager. This manager has worked hard to build a substantial database of risks that the organization can use as lessons learned for future projects, as well as a decision-making support function for project and investment decisions. Unfortunately, due to key elements not being in place, the risk management drive has been lost and the process has essentially been reduced to nothing.

The failures have come as a result of:

• Lack of active management support
• Lack of resourcing
• Lack of corporate Risk Framework that allows key project risks to be escalated
• Lack of key performance indicators (KPIs), risk appetite, or tolerances set at corporate levels

Finance

Finance risk management involves risk financing. Currently, the department identifies risks and assets of an insurable nature and makes sure that all insurances are in place. They have a captive insurance company and manage limits and exposures. There is a desire to be more aligned to an overarching ERM process in which to identify further insurable risks as well as provide support for risk financing needs of the company. The key challenge to making the risk management function more effective is that there is no risk appetite or tolerance set at a corporate level.

Environmental Protection Department

Environmental protection plays a key part in managing risk within the organization. It is divided into three main functions:

1. Environmental
2. Occupational health
3. Community health

Environmental protection deals with ensuring compliance to regulations, improving performance, and exceeding standards. Using a cradle-to-grave approach, it is involved at the start of projects or any potential use of new land. It has already been involved in moving the physical sites of major projects due to environmental issues. Environmental protection looks at site selection and considers wastewater, offshore versus onshore, emissions, and so on. It focuses on audit and monitoring.

If there is a need or a focus on, for example, old infrastructure, then it will identify project management as a key stakeholder and involve that department for certain improvements. This is reported into the environmental master plan, which covers these specific issues and has assigned budgets. Any gaps that need to be filled will be undertaken within this instrument.

Environmental protection monitors oil spills, and any oil spill is considered unacceptable. An oil spill is any spill of oil that is not part of normal operations (e.g., sweeping oil off a rig into the ocean is an oil spill).


The department has already identified aging pipelines as the major cause of spills, and all aging pipelines will be replaced. It has independent reporting lines and authority. During a crisis it acts as a resource in an advisory capacity.

Change in regulation is managed through formal channels. MECO acts as an adviser to the ministries nationally for potential regulation, balancing the public’s needs with MECO’s needs. Environmental protection provides input into all national environmental council suggestions.

Internationally, MECO has full-time employees working with ministries to support them when in meetings at the United Nations and so on. The Ministry of Petroleum usually attends.

Environmental protection uses a 3 × 3 matrix for effort and impact but does not capture risks in a traditional risk register.

Law

The law department currently has 25 or 26 members of staff within MECO. In most other major organizations, however, there can be hundreds of legal staff. There is an employee expansion initiative that will see an increase in legal staff of 50 percent over the next year.

Law gets involved with joint ventures, subsidiaries, government projects, and supporting due diligence. It plays a key part in contracts, as all contracts must be signed off by the law department.

The key functions are:

• Reviewing of contracts
• Setting up of contracts for joint ventures and so on
• In-country litigation and claims
• Out-of-country litigation and claims
• Antitrust (price fixing, etc.)
• Contract disputes
• Medical malpractice
• Tax and regulation
• Captives management
• Conflicts of interest/business ethics
• Patent filing and prosecution, mainly in the United States
• Boundary issues
• Mergers and acquisitions
• Aviation
• Corporate secretarial support for board, joint ventures, and so on

CORPORATE RISK EXERCISE

Risk Management Information Gathering Exercise (January 2010 to June 2011)

MECO undertook an extensive risk management information gathering exercise in order to provide the Management Committee with the key corporate risks. The risk management team had requested a workshop approach to the meeting in order to share the risks and get involvement from the Management Committee. However, this was rejected and a one-hour presentation was scheduled instead.

The ERM team met with the administrative areas’ representatives. The team:

• Went over the history of ERM and outlined the purpose and key definitions
• Clarified the data collection form
• Consolidated this input to business line level, as appropriate, once input was received from all administrative areas and their divisions

The team had further discussion with compliance functions and key organizations. This step was necessary to help consolidate and prioritize business line risks to arrive at corporate-level risks. The team also integrated corporate planning input, which included particulars of internal and external risks as well as risks gathered from various publications. All this information made up the content of the Corporate Risk Register, which was used to derive MECO’s risk profile.

The template used can be seen in Exhibit 20.2. This is the template that was designed to collect the administrative area’s and its divisions’ risks. To ensure consistency of understanding, the team clarified each data entry column in a two-page document.

The key was to have the administrative area provide a risk number and a risk description; probability (in percentage terms); a source of the risk (internal, external, or shared); whether or not controls exist, and how effective these are (highly, partially, barely); and the risk priority (listing from 1 being the top risk, followed by 2, 3, and 4 for subsequent risks).

Exhibit 20.3 provides an example of the information received by the ERM team from the business.

In this example, the risk, its cause, and its impact are all clear. Using the risk description and data in the remaining columns, the team analyzed the data in such a way that it helped them consolidate and prioritize the risks, to arrive at the relevant business line level and later at corporate level.
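The template's columns, allowed values and probability bands as a checkable data structure, given here as an added example that is not code from the book or from MECO; the `RiskEntry` class, the `validate` and `rank` helpers and the sample rows are constructed for this example, and the Exhibit 20.3 source "Internal + Between Orgs." is mapped to the template's "shared" category as an assumption.

```python
"""Risk register rows in the layout of the MECO corporate template (Exhibit 20.2).

Added example, not code from the book or from MECO. Column names, allowed values
and the probability bands are those printed in the template; the sample rows and
the helper names are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional

SOURCES = {"internal", "external", "shared"}
EFFECTIVENESS = {"highly", "partially", "barely"}
PRIORITIES = {1, 2, 3, 4}


def probability_band(pct: float) -> Optional[str]:
    """Map a probability in percent to the label in the template legend.

    The legend's bands are 100%, >80%, 60-80%, 30-50%, 10-30% and <10%, so a value
    strictly between 50% and 60% has no band; None is returned rather than a guess.
    A value of exactly 30% matches two bands; it is assigned to the higher one.
    """
    if not 0 <= pct <= 100:
        raise ValueError(f"probability out of range: {pct}")
    if pct == 100:
        return "Issue (already existing)"
    if pct > 80:
        return "Probable"
    if pct >= 60:
        return "Quite Possible"
    if pct > 50:
        return None
    if pct >= 30:
        return "Might Happen"
    if pct >= 10:
        return "Unlikely"
    return "Almost Impossible"


@dataclass
class RiskEntry:
    number: int                   # "#" column
    description: str              # the risk, its cause and its impact
    source: str                   # internal, external or shared
    probability_pct: float        # "Probability (%)" column
    controls_exist: bool          # "Controls Exist?" column
    effectiveness: Optional[str]  # highly/partially/barely; None when no controls
    priority: int                 # 1 = top risk of the administrative area


def validate(entry: RiskEntry) -> List[str]:
    """Return the consistency problems found in one row; an empty list means clean."""
    problems = []
    if not entry.description.strip():
        problems.append("missing risk description")
    if entry.source not in SOURCES:
        problems.append(f"unknown source {entry.source!r}")
    if not 0 <= entry.probability_pct <= 100:
        problems.append(f"probability {entry.probability_pct}% out of range")
    elif probability_band(entry.probability_pct) is None:
        problems.append(f"probability {entry.probability_pct}% is outside every legend band")
    if entry.controls_exist and entry.effectiveness not in EFFECTIVENESS:
        problems.append("controls exist but effectiveness is not highly/partially/barely")
    if not entry.controls_exist and entry.effectiveness is not None:
        problems.append("effectiveness rated although no controls exist")
    if entry.priority not in PRIORITIES:
        problems.append(f"priority {entry.priority} is not 1-4")
    return problems


def rank(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Order rows for the consolidation pass: by priority, then by probability, descending."""
    return sorted(entries, key=lambda e: (e.priority, -e.probability_pct))


# Constructed sample rows. The first reuses the wording of the book's Exhibit 20.3 row,
# with its "Internal + Between Orgs." source mapped to the template's "shared" category
# (an assumption); the third row is deliberately malformed to exercise validate().
SAMPLE = [
    RiskEntry(1, "Sudden or compounded failure of aging offshore trunk lines can impact "
                 "meeting field production requirements.", "shared", 85, True, "barely", 1),
    RiskEntry(2, "Severe cyber attack takes down the main servers, halting operations.",
              "external", 40, True, "partially", 2),
    RiskEntry(3, "", "internal", 55, False, "highly", 9),
]
```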

Consolidation

Receiving more than 400 risks from the administrative areas, consolidation was undertaken at a business line level to arrive at about 100 risks. This list was shared with compliance functions and corporate planning, and various published resources and surveys were considered, to come to a final 10 risks. These risks were to be presented to the Management Committee in an hour-long presentation for consideration and confirmation as being the company’s top risks. The approach can be seen in Exhibit 20.4.

Exhibit 20.2 MECO Corporate Risk Register Template

Columns: # | Risk Description | Source | Probability (%) | Controls Exist? | How effective are the Existing Controls? | Risk Priority

Probability legend:
100%: Issue (already existing)
>80%: Probable
60–80%: Quite Possible
30–50%: Might Happen
10–30%: Unlikely
<10%: Almost Impossible

Exhibit 20.3 Example of Risk Information Reviewed by the ERM Team

Risk Description: Sudden or compounded failure of aging offshore trunk lines can impact meeting field production requirements. Some of the older offshore lines are telescoped and therefore cannot be intelligently scraped to detect actual condition and justify replacement.
Source: Internal + Between Orgs.
Probability (%): >80
Controls Exist?: Y
Effectiveness of Controls: Barely effective
Risk Priority / #: 1 (the single numeric value shown; the extraction does not separate the # and Risk Priority columns)

Risk Framework

While the top risks had been collected, consolidated, and reviewed by 2011, work also began in early 2011 to put together a proposed Risk Framework. This had not been part of the team’s initial remit; however, it was felt that having a one-hour presentation with the Management Committee was too good an opportunity to pass up. By presenting this element to the Management Committee alongside the top risks as a way to ensure that an ongoing process of identifying risks was in place, this would add value to the presentation.

Exhibit 20.4 Risk Analysis and Consolidation Approach (flow diagram)

ADMIN AREA: 400 Risks
→ Consolidation →
BUSINESS LINE: 100 Risks
→ Consolidation, with input from 1. Corporate Planning, 2. Compliance Functions, 3. Published Resources →
CORPORATE: Suggested list of 10 risks to support Top Management (1. Management Committee, 2. Risk Committee)

Risk Management Approach

The risk management approach that the risk management project team put together considered such things as which standards to adopt and how risk management would flow through the organization (ISO 31000 was the eventual decision due to the high regard for ISO in the Gulf region, which would support implementation of risk management in the long run).

The key documents that were drafted were risk policy, Risk Committee, risk maturity model, risk procedure, risk training material, and risk maturity matrix.

Risk Policy

The risk policy included key sections such as:

• Background and purpose
• Objectives
• Scope
• Definitions
• Policy statement
• Risk philosophy

A traffic light system had essentially been suggested within the framework in the form of a 5 × 5 risk matrix that would help identify the organization’s key risks. The matrix is shaded to indicate high, medium, and low importance. See Exhibit 20.5 for the risk matrix. Although this is a good system to use, the organization’s risk tolerance and appetite had not been reviewed or set.

In order to set a risk tolerance, there needs to be a top-level decision as to what should be managed and what should not. Some interviews and a short workshop to assess and set the risk appetite and various tolerance levels were therefore discussed among the risk project team, which led into further discussions relating to having a Risk Committee.

Exhibit 20.5 Risk Matrix (5 × 5 grid of Likelihood against Impact; the shading for high, medium and low importance is not reproduced here)

Likelihood (in the next 12 months): A Almost Impossible, B Low, C Medium, D High, E Almost Certain
Impact: I Negligible, II Marginal, III Moderate, IV Major, V Catastrophic

Internal Audit had already noted to the Management Committee in previous meetings that it was difficult to meet with the Management Committee and that in order to implement risk management the team would need access to an overarching body that could make decisions on behalf of the Management Committee. The risk management team could then, along with a Risk Committee, set the tolerance level for the organization as well as approve and make changes to any risk documentation that was being developed.

While other more scientific methods of setting a risk tolerance and appetite were available, they would have required more time and the use of consultants, which had already been ruled out by the Management Committee.

Risk Committee

The risk management team was keen to establish a Risk Committee. The team understood the importance of the Risk Committee in supporting the implementation of the Risk Framework should the Management Committee agree to implement it.

The Risk Committee would be the link between the corporate risk register and the business lines and would act as a filter for the Management Committee. Risks from the business line risk registers could feed into the Risk Committee for consideration toward the corporate risk register. Equally, any major project risks or joint venture (JV)/partner risks could feed through the Risk Committee, too.

Risk Maturity

The team agreed that in order to progress with risk management, consideration needed to be given as to where they were now and where they wanted to be in terms of risk maturity. Additional work was therefore undertaken to create a risk maturity model specific to MECO, which can be seen in Exhibit 20.6.

Risk Procedure

The risk procedure essentially expanded on the risk policy and gave a much more detailed account of the process of risk management, such as the traffic light system mentioned earlier in Exhibit 20.5, which was called a risk matrix.

The procedure also came with attachments such as: reporting structure, Risk Committee charter, assessment criteria (which expanded upon the 5 × 5 matrix and quantified it to an extent), example risk register, and example action plan.

Risk Training Material

The risk management team had been providing various training to the organization for some time, and it was agreed that something more formal should be put in place. First, training presentations were gathered from around MECO and consolidated into one agreed training presentation. Second, the team started the process of making it align with the Institute of Risk Management (IRM), which has a strong presence in the region as well as in Europe. The idea was to create training that would provide delegates with a certificate of attendance from the IRM to make it more attractive and beneficial. There were also tiers of training to be provided depending on the audience (managers, general staff, project managers, and risk coordinators).


Requirements to Meet Various Levels of Maturity

Maturity Level Definitions
Level 1: Undeveloped. No structured approach for identifying and managing risks.
Level 2: Formalized. Policies and processes being established.
Level 3: Established. RM is implemented into routine business processes.
Level 4: Embedded. A proactive approach to the management of risks exists at all levels of the operating company.
Level 5: Optimized. Continuous improvement and full range and cycle of program activities being accomplished.

Risk Management Element: Governance and Infrastructure

Level 1: Undeveloped
• 1.1.1 A Risk Management Plan does not exist for the organization/project.
• 1.1.2 Responsibility for risk management (RM) has not been established.
• 1.1.3 No provision for RM activity in the budget.
• 1.1.4 No review of the effectiveness of any RM activity.
• 1.1.5 No improvement process for RM.
• 1.1.6 No Risk Policy in place which is signed and approved by Management Committee (MC).

To become "Formalized," the following must be achieved:
• 2.1.1 Risk reviews are scheduled for each business line.
• 2.1.2 Accountability and authority for RM is formalized.
• 2.1.3 Benefits of RM have been communicated by EBOD.
• 2.1.4 An ERM department has been established. Roles and responsibilities are clear with specific areas of responsibilities assigned (i.e., Business Continuity, Joint Ventures, Operations). Some overlapping and shared responsibilities are made clear (i.e., Corporate Risk Register information gathering and consolidation, etc.).

To become "Established," the following must be achieved:
• 3.1.1 Documented methodology for RM within Admin Area plans and activity in place.
• 3.1.2 The benefits of RM have been communicated.
• 3.1.3 A risk committee has been established with a cross organizational remit.
• 3.1.4 Risk coordinators have the skills, training, and resources to deliver on RM expectations.
• 3.1.5 MC formally receives updates on RM effectiveness.
• 3.1.6 RM aligned and coordinated with related areas of activity (e.g., HSSE, insurance, crisis management, key projects, etc.).
• 3.1.7 Risk Management Information System (RMIS) that allows consolidation and interrogation of risks across the organization in place.

To become "Embedded," the following must be achieved:
• 4.1.1 The RM and Policies and Procedures conform with and are referenced by other local management processes, for example, a Project Management Plan.
• 4.1.2 A formal RM analysis is required on all projects/organizations as part of the initial estimation/approval process.
• 4.1.3 The RM process is fully integrated with all business processes, for example, Strategic Planning (business plan) and Budgeting.
• 4.1.4 MC & RM committee receive formal annual reports on the effectiveness of the RM framework, usually delivered by Internal Audit or a third party. This is based on set review criteria aligned to the RM policy and RM plan.
• 4.1.5 Risk Department has independent reporting lines.
• 4.1.6 Formal RM information system in place, which stores RM data centrally; used to develop shared risk and control.

To become "Optimized," the following must be achieved:
• 5.1.1 Risk information forms a key input to decision-making processes and capital allocation across the Operating Company.
• 5.1.2 Improvements are formally monitored over time. Where requirements for improvement are identified, these are reported to the Operating Company Executive Management Committee as part of independent assurance activity and monitored.
• 5.1.3 The risk framework is formally examined in the event of significant change or when a loss occurs.

Risk Management Element: Identification and Prioritization

Level 1: Undeveloped
• 1.2.1 Risks are not formally captured across the organization.
• 1.2.2 Assessment (if performed) may not use a scoring scheme or may use inconsistent variables.
• 1.2.3 No defined measure of risk appetite.

To become "Formalized," the following must be achieved:
• 2.2.1 Alternative methods for risk identification are considered when planning Risk Identification sessions.
• 2.2.2 The sources of knowledge to be used during risk identification are clearly identified (i.e., lessons learned logs, keywords, hazard identification prompt lists, and external functions/experts).
• 2.2.3 All business lines have a Risk Register which informs the Corporate Risk Register.
• 2.2.4 Corporate Risk Register in place.

To become "Established," the following must be achieved:
• 3.2.1 Risks are categorized.
• 3.2.2 Risk owners are allocated for each risk.
• 3.2.4 Risk maps are used to illustrate assessment results.
• 3.2.5 Risks are centrally consolidated and challenge provided where appropriate.
• 3.2.6 Emerging risks are formally considered and evaluated.
• 3.2.7 All Admin Areas have a risk register which informs the Business Line Risk Register.
• 3.2.8 Risk Appetite is defined.

To become "Embedded," the following must be achieved:
• 4.2.1 A team based approach is used to identify risks.
• 4.2.2 Risk identification exercises conducted outside regular schedule (in event of major changes).
• 4.2.3 All employees know who to report an emerging risk to, should one become apparent.
• 4.2.4 Risks are assessed in a quantified approach.
• 4.2.5 Opportunities are identified as part of the Risk Identification process and the risks of not pursuing opportunities are captured.

To become "Optimized," the following must be achieved:
• 5.2.1 A risk assessment process is in place (developed and documented) that considers the relative riskiness of different options when making management decisions.
• 5.2.2 Risk quantification takes into account the impact on other parts of the organization.
• 5.2.3 Key risk indicators (KRI) are developed for each risk.

Risk Management Element: Risk Treatment

Level 1: Undeveloped
• 1.3.1 Any risk identified is unlikely to have treatment specified, funded or tracked to completion.

To become "Formalized," the following must be achieved:
• 2.3.1 All key risks have associated action plans.
• 2.3.2 Control effectiveness is formally assessed.

To become "Established," the following must be achieved:
• 3.3.1 Risk Treatment is planned and monitored.
• 3.3.2 Assessment of effectiveness of proposed treatment is performed for all key risks (e.g., cost-benefit analysis, Delphi style workshop, etc.).
• 3.3.3 Business Continuity Management implementation in place and working with ERM department.

To become "Embedded," the following must be achieved:
• 4.3.1 The project/organization has specific financial provision to cover contingency (fallback) plans and risk treatment strategies.
• 4.3.2 MC understand contingency (fallback) actions for Key Risks.
• 4.3.3 The allocation of funds for risk treatment is aligned with management priorities and decisions.
• 4.3.5 Cross business treatment plans are developed and coordinated where applicable.

To become "Optimized," the following must be achieved:
• 5.3.1 An effective "three lines of defense" model is in place and fully integrated with all business processes ensuring that those responsible for taking risk are supported/enabled to manage.
• 5.3.2 The risk treatment process is fully integrated with the Operating Company’s management processes.
• 5.3.3 The allocation of funds for risk-treatment actions is in alignment with management priorities and decisions.

Risk Management Element: Reporting and Monitoring

Level 1: Undeveloped
• 1.4.1 There is no formal process for key risk reviews.
• 1.4.2 There are no formal risk escalation procedures/processes in place.
• 1.4.3 There is no organizational-wide communication on RM.

To become "Formalized," the following must be achieved:
• 2.4.1 Business Line Risk Reporting has been established.
• 2.4.2 The risk register is reviewed and updated in accordance with the RM Policy and Procedure.
• 2.4.3 There is a formal mechanism for escalating risk.
• 2.4.4 Each risk treatment action has a target completion date which is actively and routinely tracked.
• 2.4.5 Those individuals with RM responsibilities are regularly provided with RM communications.

To become "Established," the following must be achieved:
• 3.4.1 There is a defined process to review and report risk status and KRIs, using standard reports, to key stakeholders up and down the organization.
• 3.4.2 Risk Dashboards in place.
• 3.4.3 Regular communication on "risk status" is distributed to key stakeholders and interested parties as defined in the RM Policy and Procedures.
• 3.4.3 Alignment between RM and internal audit process.
• 3.4.5 RM process and output informs annual internal audit plan (risk based audit).

To become "Embedded," the following must be achieved:
• 4.4.1 RM is a standing agenda item in MC meetings and discussion is documented.
• 4.4.2 Risks and risk treatment actions are actively and routinely tracked and financial provisioning is adjusted as risks expire.
• 4.4.3 There is a formal RM communication plan that addresses both internal and external communication requirements.
• 4.4.4 Regular testing and documentation of crisis management plans aligned to key risks.
• 4.4.5 Management and the RM committee receive formal annual reports on the effectiveness of the RM framework, usually delivered by Internal Audit or a third party.

To become "Optimized," the following must be achieved:
• 5.1.5 The risk monitoring and control system is fully integrated with the Operating Company’s control systems, monitoring programs, cost management and time management processes.
• 5.1.2 Responsibilities for each element of the risk management process have been allocated and integrated into the performance evaluation processes.

Risk Management Element: Risk Culture

Level 1: Undeveloped
• 1.5.1 RM training has not been provided to any employee.

To become "Formalized," the following must be achieved:
• 2.5.1 RM training is provided to those with responsibility for RM.
• 2.5.2 RM policies and procedures are formally documented.
• 2.5.3 RM is owned at entity level.

To become "Established," the following must be achieved:
• 3.5.1 Tailored RM training is proactively provided to all individuals.
• 3.5.2 RM guidance (manuals, policies/procedures) readily available to all employees (e.g., intranet).

To become "Embedded," the following must be achieved:
• 4.5.1 RM training, relevant to their role, is embedded in the personal development plans of relevant individuals.
• 4.5.2 RM performance indicators are included in personal goals.
• 4.5.3 Development of open, challenging, and learning-based risk culture.

To become "Optimized," the following must be achieved:
• 5.5.1 The development and setting of business objectives is completely aligned with the application of the RM process.
• 5.5.2 RM communication is completely integrated with the organization’s overall communication plan.
• 5.5.3 RM communication to external stakeholders is used to instill confidence in the robustness of the organization.

Exhibit 20.6 MECO Risk Maturity Model

389

www.it-ebooks.info

Exhibit 20.7 Simplified Risk Matrix (figure): Risk Maturity within MECO, plotted for each dimension of the maturity model (Governance & Infrastructure; Identification, Assessment, & Prioritization; Risk Treatment & Controls; Reporting, Monitoring, & Communications; Culture; Partnerships and Projects) against the five maturity levels: 1 Under-Developed, 2 Formalized, 3 Established, 4 Embedded, 5 Optimized.

Risk Maturity Matrix

The risk maturity matrix was to be the key to the future success of risk management implementation. It would provide requirements and a road map to implementing risk management successfully throughout the organization based on the ISO 31000 model. It provided for a five-phase approach with clear and practical requirements to progression that any part of the organization could follow.

Based on the points within the matrix, a self-assessment was carried out in order to map out MECO's current maturity levels. These were presented in a simplified risk matrix in order to present the findings to the Management Committee, which can be found in Exhibit 20.7. The same methodology was used to measure and benchmark what maturity levels other oil and gas organizations had reached. This was mapped in a graphic that would be used to encourage top management to support ERM in order to reach similar maturity levels as competitors. The benchmark can be found in Exhibit 20.8.

Exhibits 20.9, 20.10, 20.11, and 20.12 provide lists of potential corporate risks that have been identified by other companies (Shell and BP) and organizations (E&Y and AON), which apply to the energy and chemical industries.

Management Committee Meeting, December 2011

The risk management team finally presented the top risks to the Management Committee, as well as their suggested way forward, in a one-hour meeting in December 2011. This was almost two years after the request by the Management Committee. As mentioned earlier, the risk management team had requested a workshop approach to the meeting in order to share the risks and get involvement from the Management Committee. However, this was rejected and a one-hour presentation was scheduled instead.

Exhibit 20.8 Maturity Level Benchmark (ERM Benchmark chart)

Undeveloped: Some pockets of risk; no overarching policies or procedures.

Formalized: Policies, processes, and practices defined and formalized across the organization. Risk Department in place, risks reported to a degree.

Established: All Business Lines and Admin areas have a Risk Program which identifies, assesses, and manages risk. Risks are reported to an established Risk Committee.

Embedded: Risks measured, monitored, and managed with ownership across the organization, with links to all aspects of operations and decision-making processes.

Optimized: Risks and appetite quantified, measured, monitored, managed, and aggregated on an enterprise-wide basis. Risk linked to control systems.

MECO (position marked on the chart).

The reactions were mixed, with many of the Management Committee members dismissing the risks as business issues and others questioning where they had come from (despite having signed off on them following the administrative areas' initial risks being sent to the risk management team).

The CEO remained positive and understood the need for a more corporate discussion around the identified risks. The group listened to the suggested approach of having a Risk Committee. However, a majority opposed the idea of another committee being set up, and it was suggested that the risk management team use the Advisory Committee as a Risk Committee in order to progress their Risk Framework documentation and to review and filter the top risks before another meeting with the Management Committee.

Exhibit 20.9 Benchmarks from AON Survey

1. Economic slowdown
2. Regulatory/Legislative changes
3. Business interruption
4. Commodity price risk
5. Supply chain failure
6. Exchange rate fluctuation
7. Increased competition
8. Failure to innovate
9. Environmental risk
10. Physical damage

Source: AON Global Chemical Business Survey 2011.

Exhibit 20.10 Benchmarks from E&Y Survey

1. Access to reserves (political constraints and competition)
2. Energy policies (regulation)
3. Cost containment
4. Worsening fiscal terms
5. HSE risks
6. Human capital deficit
7. New operational challenges (unfamiliar environments)
8. Climate change concerns
9. Price volatility
10. Competition from new technologies

Source: E&Y Global Oil & Gas Survey 2011.

The Advisory Committee is essentially a subcommittee of the Management Committee that vets upcoming agenda items and is made up of some Management Committee members.

Following the conclusion of the meeting, the risk management team was unable to get a time slot to see the Advisory Committee for over four months. Therefore, all documentation remained as drafts, and the risk information started to age with no formal process in place to identify and update risks.

Exhibit 20.11 Benchmarks from BP

1. Gulf of Mexico oil spill's continuing adverse impact on BP
2. The general macroeconomic outlook
3. Renew and reposition of BP portfolio (result of Gulf of Mexico impact on reputation)
4. Crude oil and gas prices' fluctuation
5. Climate change and carbon pricing
6. Sociopolitical risks where BP is operating
7. Competition and the need for continuous innovation
8. Poor investment decisions
9. Reserves replacement—inability to progress upstream in timely manner
10. Liquidity, financial capacity, and financial exposure
11. BP's insurance strategy
12. Ethical misconducts and noncompliance
13. Lack of BP full control over JVs and other contractual arrangements
14. Breach of digital infrastructure security causing serious damage to business operations
15. Ethical misconducts and noncompliance

Source: BP Corporate Risk Register.

Exhibit 20.12 Benchmarks from Shell

1. Change of China leadership
2. Change in the Middle East
3. Government protections in the countries we operate
4. Budget deficit in Europe and the United States
5. Cyber security
6. New product risk/reputation
7. Natural disasters
8. Democracy
9. Acquisitions
10. Divestment
11. Cost reduction/quality
12. Joint ventures
13. Entering in new countries

Source: Shell Corporate Risk Register.

Operational Excellence, June 2012 to December 2012

During the second part of 2012, a major initiative was put in place to implement Operational Excellence within the organization. The risk management team, still waiting for a meeting with the Advisory Committee, identified this as an opportunity to embed risk management without the need for authority or needing to convince each administrative area of the benefits.

Through relationship building and awareness of risk management, the risk management team managed to incorporate risk management into the Operational Excellence plan as a key enabler. In other words, upon completion of the initiative in late 2013, and in order to meet its aspiration of Operational Excellence, MECO (all business lines and their administrative areas) would be asked to implement all key enablers of Operational Excellence, one of which, as stated, would be risk management. This would be a major initiative and would require a large number of consultants coming in to work on Operational Excellence implementation.

Previously, the risk management team had been seen as a team with a self-serving purpose who were trying to force new processes on the organization. Operational Excellence was therefore a huge opportunity for the risk management team, who hoped they would now be looked upon as a useful resource that would support the organization when it came to having to implement Operational Excellence requirements.

Risk Management Move to Corporate Planning, December 2012 to Present

By December 2012, over a year after the Management Committee meeting where the risk management team was instructed to use the Advisory Committee in order to progress risk management, a meeting had still not been set up. The CEO realized that risk management needed more authority and as a result instructed the Corporate Planning division, which was a major influencer in the organization and had a well-regarded vice president, to set up risk management as a function within that division.

Risk management would now form a part of the corporate planning structure with a manager and the two team members from the project team. The management would look to recruit up to three new members to the team, and the team's remit would be to set up an ERM framework, identify the top risks to the company, work on identifying risks to future investments, and form an integral part of the future corporate planning process.

Corporate Planning has a direct line to the CEO and has a large influence within the organization. This helped to ensure that within weeks of creating the function, meetings were set up for February 2013 with the Advisory Committee in order to review and confirm the top risks. Plans were already in place to fast-track the production of the Risk Framework documentation from their draft forms, with the risk management team having the authority to decide much of the approach.

One of the key areas of consideration going forward was implementation of a risk management information system (RMIS), and therefore the risk team started undertaking an RMIS study in order to identify appropriate software for the organization.

Moving the risk management team to an actual department meant that the team members would finally feel part of a real team. They would also have a proper remit and authority to undertake and implement risk management properly, while having much better access to decision-making authorities such as the Advisory Committee. Additionally, the fact that the CEO had made this decision meant that the Advisory Committee would probably fall in line more and support risk management.

Despite these positives, the risk management team would face challenges in terms of meeting the requirements of their remit based on their staffing numbers. Despite aspirations to recruit more members to the team, risk professionals are not easy to come by, and the fact that it takes six months to actually complete the recruiting process means that six months can easily become a year.

By early 2014, MECO was finally able to start filling roles, and it now has a team of 15 risk members at varying levels from analyst and business continuity roles up to manager positions. Another key decision was to allow consultants to support ERM implementation, and invitations to tender have now been sent out for millions of dollars’ worth of consultancy business.

CONCLUSION

Risk management in MECO was a lengthy, drawn-out process for a number of reasons. The key reasons for the long process were a lack of a clearly defined scope, lack of authority, staffing limitations, slow corporate culture, and resistance to change. Risk management, had it been approached correctly, could have been successful much earlier. This is reflected in the IT and Project Management examples whereby success was dependent on staffing and buy-in from the top. Management needs to understand the benefits and be seen to support the process.

Within an organization such as MECO, support from the top is vital. Having a framework in place that was bought into by the CEO would have likely increased the chances of success. Additionally, the poor placement of the risk management team was another hindrance. This is all too often the case with risk management not being established as a department from the outset. Few risk professionals will be happy joining a newly formed risk management team or department that doesn't sit within a relevant and powerful division or have independent reporting lines.

Within MECO, the organization was asked to identify risk without having undertaken training, without a consistent framework or procedure to follow. Also the survey was not scientific in its approach.

Despite the positive move to the Corporate Planning division, the risk management team lost a staff member, who took a year to replace. This has meant that many of the objectives set out for the team were not met and the organization had started losing faith in the department, setting it back yet again. This makes it a challenge for the newly established team of 15 to regain buy-in from lower levels of the organization despite finally getting support from top levels.

QUESTIONS

1. Prior to the Risk Management Information Gathering Exercise discussed earlier in the case, consider the challenges of the newly formed project team in undertaking Risk Management in such a situation.

2. (a) Discuss the challenges and how each of the departments might interact with and support Risk Management across the organization.

(b) What are the major differences between IT and Project Management, considering they were both part of the initial Risk Management pilot? How might they have overcome this?

3. (a) What do you think were the major positives of the approach undertaken with regard to the risk management information gathering exercise?

(b) What do you think were the challenges and pitfalls of gathering data in the way that they did?

4. What are the key challenges to the risk framework and risk approach proposed in 2011 by the risk management team?

5. Despite Operational Excellence providing the perfect platform to push Risk Management, discuss what the potential pitfalls may be.

6. Using the supporting documentation along with the case study information (Exhibits 20.9, 20.10, 20.11, and 20.12), provide a list of potential corporate risks that might have been identified by the project team.

NOTES

1. The word expatriate comes from the Latin words ex (i.e., out of) and patria (i.e., country or fatherland). An expat (i.e., expatriate) is a person who temporarily or permanently is residing in a country other than that of his or her upbringing.

2. Remit means the mandate, task(s), or area of activity officially assigned to an individual or organization.

3. It takes, on average, three to six months to hire a candidate once all interviews and contract negotiations have been undertaken, due to long visa requirement periods.

ABOUT THE CONTRIBUTOR

Alexander Larsen, Fellow, Institute of Risk Management (FIRM), holds a degree in risk management from Glasgow Caledonian University and has more than 10 years of experience within risk management across a wide range of sectors, including oil and gas, construction, utilities, finance, and the public sector. He has considerable expertise in training and working with organizations to develop, enhance, and embed their enterprise risk management (ERM), business continuity management (BCM), and partnership management processes.

Alexander spent the first half of his career in the United Kingdom working in senior risk consultancy roles with Marsh and Zurich before leaving to join Det Norske Veritas (DNV) in Malaysia and the United Arab Emirates with responsibility for developing their risk management services for the energy sector in the Middle East and Asia.

Since leaving DNV he has worked in the Middle East in a variety of roles. Prior to joining Lukoil, where he is currently Risk Manager for the West Qurna 2 Asset in Iraq, Alexander worked with a number of oil and gas companies, developing and implementing ERM frameworks and business continuity management within the Qatar Foundation.


CHAPTER 21

The Role of Root Cause Analysis in Public Safety ERM Programs

ANDREW BENT
Risk Manager

This chapter provides an overview of how root cause analysis (RCA) techniques can be used by public safety and law enforcement agencies to support their enterprise risk management (ERM) programs. It provides an introduction to several of the more commonly used tools, and uses a series of case studies to illustrate how these can be applied in the public safety environment.

POLICING AND RISK Public safety agencies (such as local police departments) have a long tradition of operational risk management—after all, almost everything they do has an enhanced level of risk associated with it. Police officers respond to situations where emotions are often running high, and where the threat of physical violence is never far from the surface. It is perhaps not surprising that conversations around risk often gravitate toward issues of officer and public safety, and rarely toward more mundane issues of business process or budget risk.1

In many ways, ERM is a natural fit for public safety agencies due to their risk-aware culture. One of the largest challenges in adopting ERM within a law enforcement agency is the need to redirect police officers’ natural inclination to immediately solve the risk, rather than methodically analyzing it to understand its true nature. This is perhaps not surprising given the way most police officers are trained: observe a problem, evaluate the options, and then apply the best solution as rapidly as possible. Root cause analysis is one of the tools that can be used to overcome this hurdle, and it provides a means for law enforcement agencies to achieve even greater social returns on investment than would be otherwise possible.

Getting to the Root of the Problem

Root cause analysis has often been viewed as a tool best applied following significant or serious losses; it is typically applied to understand why risk events occurred, and to provide insight into future preventive actions. More recently, ERM practitioners have begun to recognize the value of using root cause analysis (RCA) tools and techniques as part of a proactive risk management approach. By understanding the root causes of their potential risks, organizations are better able to build strategies and plans that proactively address these risks and support the planned exploitation of opportunities.

Root cause analysis defines a loosely grouped collection of analytical tools, many of which have evolved from the fields of process safety and engineering. While the majority of these tools have traditionally been used to evaluate postevent losses, in many cases they are also capable of supporting proactive future risk planning. Both contexts will be discussed here in terms of how they can be used to support an enterprise risk management program, with the key being to remember that many of the approaches can be used in both reactive and proactive modes. The list of common RCA tools below gives 10 of the more common RCA tools in everyday use; the first six of these are discussed in the order they are listed.

Common RCA Tools

• Five whys analysis
• Cause and effect (Ishikawa) analysis
• Failure mode, effects, and criticality analysis (FMECA)
• Force field analysis
• Influence diagrams
• Concept fans
• Hazard and operability studies (HAZOP)
• Solution effects analysis
• Life cycle value analysis
• Hazard identification/environmental identification (HAZID/ENVID)

FIVE WHYS ANALYSIS If you have spent any period of time around small children (generally those between the ages of three and eight years old), it is almost impossible to avoid the “why” game. The game starts with the child asking why something happened (or why the child isn’t allowed to do something)—and is rapidly followed up by a barrage of further “why” questions until either the child’s curiosity is satisfied or the exasperated adult gives up and throws out the infamous “Because I said so” answer so well known to most parents.

What is really happening during this game is that the child is employing one of the most effective and straightforward techniques available to gain meaningful insights into compounded situations. The asking of successive “why” questions enables the child to go beyond a simple sequential understanding of the situation, and develop a cause-and-effect-based understanding of how the situation got to its end point in the manner that it did.

To understand the effectiveness of this approach, consider the not-so-uncommon policing situation related in the box Five Whys Analysis.

Five Whys Analysis

A police officer is dispatched to a disturbance outside a bar. On arrival, the officer discovers two males being restrained by security, and clear signs of a recent fight between the two men. The officer asks one of the men the following series of "why" questions:

Police Officer (PO): "Why were you guys fighting?"
Subject: "Because he called me [insert descriptive word]."
PO: "Why did he call you that?"
Subject: "Because I spilled a drink on him as I walked past."
PO: "Why did you spill the drink on him?"
Subject: "Because I tripped over his girlfriend's handbag that was sitting on the floor."
PO: "Why did you not see the bag?"
Subject: "Well, I . . . may have had a few drinks tonight . . . I guess."
PO: "Why were you out drinking tonight?"
Subject: "Well, um, I had a fight with my girlfriend at home so I decided to go drown my sorrows."

By asking a series of "why" questions, the officer is better able to understand what actually caused the fight to occur (the individual being emotionally distressed over the fight with his girlfriend), rather than the superficial reason (he got called a name because he spilled a drink—not an uncommon event in a busy bar). This would enable the officer to make better choices about how to deal with the situation, including deciding the level of intervention that is actually required. It could also provide insight into the individual's intent—a crucial element in successfully prosecuting many criminal code offenses.

While the technique is referred to as "five whys," there is no reason to deliberately extend (or restrict) the process to five questions. When there is no further viable answer to why an event occurred, it is likely that the root cause has been reached—irrespective of whether this takes three or 23 questions.

The Five Whys technique does have some limitations on its use. It is most useful in relatively simple situations that have a single, unbranched chain of events. If there are multiple possible "whys" identified at any level of the questioning process, it may be more useful to adopt one of the other techniques outlined next, to ensure that all the possible event chains are adequately captured and evaluated. It can also be highly subjective, and is typically restricted to the information known by (or available to) the questioner at the time. Consequently, the use of small groups that have a diversity of perspectives on the issue at hand can be helpful to overcome any inherent bias that individual participants may bring.


CAUSE AND EFFECT ANALYSIS2

The cause and effect analysis technique is applied by first identifying the issue or problem to be addressed, and writing it in a box on the right-hand side of the diagram. A series of branching lines are then drawn off a central line connected to this problem box. Each branching line is then headed by a single source type that represents a major source or cause of risk relevant to the problem. Commonly used source types include:

• Equipment—The role of equipment (general or specialized) on the problem, including the lack of equipment, as it impacts the problem

• Environment—The role of the physical or contextual environment as it impacts the problem

• Finance—The role of finance (or lack of finance) as it impacts the problem

• Materials—The role of nonequipment materials (including the lack of materials) on the problem, including the quality of the materials used

• Measurement—The role of data such as performance or quality metrics as they impact the problem, including the ability to identify impacts through the data

• People—The role of people as they impact the problem, including issues such as capacity, capability, and culture

• Process—The role of organizational or individual processes as they impact the problem, including the lack of, or overabundance of, effective processes

Not all problems will include all of these source types, and some problems may be better defined using other major cause headings. Irrespective of this, the pur- pose is to identify as wide a range of potential sources of risk as possible in order to develop a wide-ranging understanding of the problem. Once the major sources of risk have been identified, it is possible to use techniques such as brainstorming or five whys analysis to identify root causes that contribute to the problem that relate to each of the headings.

Example: Cause and Effect Analysis on Homelessness and the Criminal Justice System

In the North American law enforcement community, homelessness is often a major source of problems. Homeless people tend to be dramatically overrepresented both as victims and as perpetrators of crime. Issues of homelessness are often underscored by health, financial, and environmental conditions that make finding effective solutions a major challenge. Applying a simplistic five whys approach would likely lead to major risk factors being ignored or overlooked, which in turn could lead to the development of ineffective or inefficient solutions.

In applying the cause and effect analysis approach to this problem, some police agencies have been able to not only define their own role in addressing homelessness, but also better link in with the social and health agencies that have an important role to play in the solution.

Let’s consider how a police agency might deal with this problem using the cause and effect approach.

Step 1: Define the Problem

By brainstorming, we might settle on this problem definition, which is presented from the perspective of the police agency: "Homeless individuals are overrepresented as both victims and perpetrators within the criminal justice system."

Step 2: Identify the Major Causes

In considering these issues, we may choose to use the following major headings:

• People—What role do homeless people themselves, and the employees of social and justice agencies, have in the overrepresentation of homeless people in the criminal justice system?

� Process—What processes used by police and justice and social agencies impact (both positively and negatively) the overrepresentation of homeless people in the criminal justice system?

� Measurement—What data do we have available (or is missing) that could help tell us why homeless people are overrepresented in the criminal justice system?

� Materials—What physical resources are available (or are missing) to help address the overrepresentation of homeless people in the criminal justice system?

� Finance—What and how are financial resources used (or could be used) to address the issue of homelessness as it impacts the criminal justice system?

Step 3: Identify the Subcauses of Risk By brainstorming, followed by the use of a structured five whys approach, we could come up with a diagram that looked a little like Exhibit 21.1.

Exhibit 21.1 Cause and Effect Diagram (figure). Problem at the head of the diagram: "Homeless individuals are overrepresented as both victims and perpetrators within the criminal justice system." Branches: Materials, Measurement, Finance, People, Process. Subcauses written on the branches:

• Justice sector staff is not fully trained in dealing with mental health issues
• Some homeless people distrust external / government help
• Police statistics may not provide details of underlying health / social issues
• "Tough on Crime" measures may drive more money to enforcement than prevention
• Process-driven police practices may focus on enforcement of other … assistance if it takes longer
• There may be insufficient available housing to home all homeless people in need
• Insufficient mental and physical health facilities equipped to deal with issues of homelessness
• Police funding is often tied to reported crime levels—more crime = more money

While this diagram represents a very light touch on the very important issues that impact homelessness, it could be significantly expanded by considering each major source in turn. It is also important to note that some root causes may be driven by two or more factors. In Exhibit 21.1, for example, the way that crime is reported is seen to be intimately tied to how police agencies are funded. Therefore, by changing the method of data collection (perhaps to include prevention metrics), it may be possible to develop a funding model that better reflects the full range of police responsibilities. Understanding not only the risks but also these interconnections is necessary to come up with a truly effective solution.

FAILURE MODE, EFFECTS, AND CRITICALITY ANALYSIS3

While failure mode, effects, and criticality analysis (FMECA) was originally developed to consider engineering process risks, it can also be applied to any form of process—even if the process deals exclusively with intangible or people-based risks. Before we consider how to apply this technique to a so-called soft process, it is perhaps most useful to look at an example that comes from a traditional engineering context so that we can understand the analytical process.

FMECA Example 1: Engineering Process4

A large milk factory has a unit that is designed to pasteurize milk prior to bottling. Pasteurization is a process that heats milk to a specific temperature (typically 71.7°C/161°F) for a period of approximately 15 to 30 seconds. It is used to reduce the level of contamination from microorganisms that naturally occur in raw milk products. This process enables milk to be stored for a period of several weeks without spoiling if it is adequately refrigerated. The basic process sees raw milk forced between a series of heated plates, with the heat from the plates being transferred into the milk at a specific rate to achieve the desired pasteurization temperature. The plates themselves are heated either by forcing heated water or steam through the interior of the plates, or by running heated liquids through a parallel path that runs counter to the flow of the milk.

Step 1: Identify Failure Modes The first step is to identify the potential ways that the system could fail. These are typically described very simply by identifying the way that the failure could occur. While this can be done directly, it may also include inputs from other types of analysis, such as HAZOP or fault tree analysis (not discussed in this chapter). For our milk pasteurization example, some of the potential failure modes are identified in the second column of Exhibit 21.2.

Step 2: Identify the Potential Effects Once we have identified our potential modes of failure, we can identify the effects of those failures. These can be both local failures as well as systemwide impacts. As part of this analysis, we also need to consider the potential causes of the failure. For our milk pasteurization example, we might identify the effects for our failure modes from step 1, as shown in Exhibit 21.3.

Exhibit 21.2 Failure Modes—Example 1

Part: Heat transfer unit. Function: Transfer of heat to milk products in order to achieve pasteurization.

Columns: Item | Failure Mode | Local Effect | System Effect | Potential Cause | Current Control | O | S | D | RPN | Recommended Action

1 | Heating water too cold
2 | Heating water too hot
3 | No heating water flow
4 | Heating water in milk flow
5 | Structural rupture

(Only the Item and Failure Mode columns are filled in at this step; the remaining columns are blank.)

Exhibit 21.3 Failure Modes and Effects—Example 1
Part: Heat transfer unit
Function: Transfer of heat to milk products in order to achieve pasteurization

Item | Failure Mode | Local Effect | System Effect | Potential Cause
1 | Heating water too cold | Plates do not get hot enough | Pasteurization is not achieved | Heating unit temperature controls inoperable
2 | Heating water too hot | Plates get too hot | Milk is spoiled when protein is denatured | Heating unit temperature controls inoperable
3 | No heating water flow | Plates do not heat at all | Pasteurization is not achieved | Water pump is inoperable
4 | Heating water in milk flow | Milk flow is contaminated | Milk product has to be dumped | Leak in seals between plates
5 | Structural rupture | Loss of milk product and heating water | Milk product is lost/has to be dumped | Heating plates are not strong enough

(Current Control, O, S, D, RPN, and Recommended Action are not yet filled in at this step.)

THE ROLE OF ROOT CAUSE ANALYSIS IN PUBLIC SAFETY ERM PROGRAMS 405

Step 3: Identify the Criticality of the Failure Once we have identified our potential modes of failure and the effects these might have on our process, we need to consider how critical these effects might be to our objective (in this case, the pasteurization of milk). This step provides us with a good understanding not only of our risks, but also of those risks we may want to address first. To complete this step, we need to consider what existing controls we already have in place, as well as:

• The likelihood of occurrence (O) of the effect
• The severity (S) of the effect if it were to occur
• The probability of detection (D)—how likely we are to know that the effect has occurred

Each of these factors is usually given a score from 1 to 10 (or any other relevant scale), with the higher scores representing greater levels of risk. Once each element is scored, they are summed to produce an overall risk score, which is represented by the risk priority number (RPN). While the absolute number produced is less important than the difference between the numbers for each effect, it can also be a useful way of aligning your risk treatment plan with your organizational risk appetite or tolerance levels. Once the RPN analysis is completed, the final step is to identify what corrective actions you might need to take to address the risk.

For our milk pasteurization example, we might make an assessment based on our failure modes and effects from the first two steps, as shown in Exhibit 21.4.

We can see from our example that if the milk gets too hot the factory will have to dump it as unfit for consumption. We can probably address this risk relatively easily by installing a centrally monitored temperature gauge (rather than relying on periodic physical checks), which will also let us monitor the high temperature condition.
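The scoring step as an added example (not from the book): a Python worksheet holding the five rows of Exhibit 21.4. Note that the exhibit's RPN values are the product of the three scores (item 1: 6 × 6 × 5 = 180), and the code computes them the same way; the ranking, tolerance check and detection-improvement helper are this example's own names, not the book's.

```python
"""FMECA worksheet with risk priority numbers (RPN).

Added example, not from the book. It encodes the five rows of the milk
pasteurization analysis (Exhibit 21.4), reproduces the exhibit's RPN
values as O x S x D, ranks the failure modes for treatment, and models a
recommended action that only improves detection.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class FailureMode:
    item: int
    mode: str
    local_effect: str
    system_effect: str
    cause: str
    control: str
    occurrence: int  # O, 1..10
    severity: int    # S, 1..10
    detection: int   # D, 1..10 (higher = less likely to be detected)

    def rpn(self) -> int:
        """Risk priority number as tabulated in Exhibit 21.4: O x S x D."""
        for score in (self.occurrence, self.severity, self.detection):
            if not 1 <= score <= 10:
                raise ValueError(f"score {score} is outside the 1..10 scale")
        return self.occurrence * self.severity * self.detection


# The five rows of Exhibit 21.4 (heat transfer unit of the pasteurizer).
PASTEURIZER = [
    FailureMode(1, "Heating water too cold", "Plates do not get hot enough",
                "Pasteurization is not achieved",
                "Heating unit temperature controls inoperable",
                "Local temperature gauge, monitored hourly", 6, 6, 5),
    FailureMode(2, "Heating water too hot", "Plates get too hot",
                "Milk is spoiled when protein is denatured",
                "Heating unit temperature controls inoperable",
                "Local temperature gauge, monitored hourly", 6, 8, 5),
    FailureMode(3, "No heating water flow", "Plates do not heat at all",
                "Pasteurization is not achieved", "Water pump is inoperable",
                "Water pressure gauge mounted to pump", 4, 6, 5),
    FailureMode(4, "Heating water in milk flow", "Milk flow is contaminated",
                "Milk product has to be dumped", "Leak in seals between plates",
                "Physical observation of leakage", 3, 10, 3),
    FailureMode(5, "Structural rupture",
                "Loss of milk product and heating water",
                "Milk product is lost/has to be dumped",
                "Water and/or milk overpressurized; plates not strong enough",
                "Plates designed to withstand double normal pressures", 2, 10, 8),
]


def rank_by_rpn(modes):
    """Order failure modes for treatment: highest RPN first, with severity
    breaking ties so a high-consequence risk outranks an equal-RPN nuisance."""
    return sorted(modes, key=lambda m: (m.rpn(), m.severity), reverse=True)


def above_tolerance(modes, rpn_limit):
    """Failure modes whose RPN exceeds an organizational tolerance level; this
    is the alignment with risk appetite that the text describes."""
    return [m for m in modes if m.rpn() > rpn_limit]


def with_better_detection(mode, new_detection):
    """Model an action that only improves detection, such as replacing hourly
    manual gauge checks with a centrally monitored gauge and alarm. O and S are
    unchanged: the failure is as likely and as bad, but it is caught earlier."""
    return replace(mode, detection=new_detection)


if __name__ == "__main__":
    for m in rank_by_rpn(PASTEURIZER):
        print(f"{m.rpn():4d}  item {m.item}: {m.mode}")
    too_hot = PASTEURIZER[1]
    print("item 2 after high temperature alarm:",
          with_better_detection(too_hot, 2).rpn())
```

Running it lists item 2 (heating water too hot, RPN 240) first, which matches the text's observation that this is the risk to address first.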

The engineering example has shown how we would apply this technique to a hard or physical process. Now we will look at how we can apply the same technique to a soft process encountered in the law enforcement environment.

FMECA Example 2: Operational Tactics Review Process

Like most organizations, police agencies have a number of predetermined processes that they use regularly to achieve their objectives. Also like most organizations, police agencies need to review their processes periodically to make sure they are still effective. This might occur as part of a regular review cycle, or may be brought about due to the manifestation of a risk that the process was not able to effectively deal with. In this example, we consider the process that an agency uses to deploy its uniformed patrol officers in a geographic area. Many North American police agencies deploy their uniformed officers based on the number of calls for service located in a geographic space (either a neighborhood or a collection of neighborhoods), and use metrics such as the time taken to respond to a call to define how many officers they need to meet these predetermined standards.

Step 1: Identify Failure Modes For our patrol deployment example, some of the potential failure modes we might see are identified in the second column of Exhibit 21.5.

Exhibit 21.4 Failure Mode, Effects, and Criticality Analysis—Example 1
Part: Heat transfer unit
Function: Transfer of heat to milk products in order to achieve pasteurization

Item | Failure Mode | Local Effect | System Effect | Potential Cause | Current Control | O | S | D | RPN | Recommended Action
1 | Heating water too cold | Plates do not get hot enough | Pasteurization is not achieved | Heating unit temperature controls inoperable | Local temperature gauge, monitored hourly | 6 | 6 | 5 | 180 | Install centrally monitored temperature gauge with low temperature alarm
2 | Heating water too hot | Plates get too hot | Milk is spoiled when protein is denatured | Heating unit temperature controls inoperable | Local temperature gauge, monitored hourly | 6 | 8 | 5 | 240 | Install centrally monitored temperature gauge with high temperature alarm
3 | No heating water flow | Plates do not heat at all | Pasteurization is not achieved | Water pump is inoperable | Water pressure gauge mounted to pump | 4 | 6 | 5 | 120 | Install low flow alarm on inlet pipe from pump to heating unit
4 | Heating water in milk flow | Milk flow is contaminated | Milk product has to be dumped | Leak in seals between plates | Physical observation of leakage | 3 | 10 | 3 | 90 | Institute seal replacement schedule as part of maintenance program
5 | Structural rupture | Loss of milk product and heating water | Milk product is lost/has to be dumped | Water and/or milk overpressurized; heating plates are not strong enough | Plates designed to withstand double normal pressures | 2 | 10 | 8 | 160 | Install pressure sensors and alarms on milk and heating water inlet pipes

Exhibit 21.5 Failure Modes—Example 2
Process: Patrol deployment model
Function: To provide police response to community calls for service in line with community and agency expectations

Columns of the worksheet: Item, Failure Mode, Local Effect, System Effect, Potential Cause, Current Control, O, S, D, RPN, Recommended Action. At this step only Item and Failure Mode are filled in:

1 | Response too slow
2 | Response too fast
3 | No response provided
4 | Wrong response provided
5 | Too much response provided

408 Implementing Enterprise Risk Management

Step 2: Identify the Potential Effects Considering our potential failure modes, we can see that the crux of the issue is going to be matching the expected response (based on community and agency expectations) with the resources required to provide that response. Stepping through our effects analysis, we can identify what the impacts of getting it wrong might look like, as shown in Exhibit 21.6.

Step 3: Identify the Criticality of the Failure Using the same approach as was outlined in the first example, we need to consider what existing controls we already have in place, as well as:

• The likelihood of occurrence (O) of the effect
• The severity (S) of the effect if it were to occur
• The probability of detection (D)—how likely we are to know that the effect has occurred

To score these elements (and ultimately develop our RPN) we may be able to use existing data sources to determine how often each of the failure modes has occurred in the past. Police agencies tend to keep a range of detailed records on what calls they have dispatched their officers to attend, as well as the time it took for them to arrive and deal with the situation. Where more quantitative data of this type is available, it may be possible to determine very accurately what each level of our O, S, and D scales represents. By applying a consistent approach of this type, it is likely that more confidence would be placed on the results by key decision makers.

For our patrol response example, we might make an assessment based on our failure modes and effects from the first two steps, as shown in Exhibit 21.7.

In this case, we can see how a process can be examined using the FMECA technique, with this analysis used to identify not only how it might perform compared to expectations, but also how the errors behind each mode of failure could be reduced or corrected. Coupling this approach with a technique such as Six Sigma can be used to drive down the level of errors, as well as increase the overall performance of the process or system.

FORCE FIELD ANALYSIS

A common challenge when dealing with process issues is developing an understanding of how the interplay between factors impacts the overall risk situation. This can be particularly true when dealing with soft processes where human emotions, insecurities, judgments, and interests play a prominent role in determining the success or failure of an initiative.

Force field analysis is a technique used to identify those forces (or factors) that tend to support the status quo (which are known as restraining forces) as well as those forces that tend to support movement away from the status quo (which are known as driving forces). This approach can be used both to analyze those instances where you want to retain the status quo, as well as to provide insights into how you can deliberately move away from the status quo by manipulating either the restraining or the driving forces.

Exhibit 21.6 Failure Modes and Effects—Example 2
Process: Patrol deployment model
Function: To provide police response to community calls for service in line with community and agency expectations

Item | Failure Mode | Local Effect | System Effect | Potential Cause
1 | Response too slow | Increased level of victimization or injury to callers | Increased cost/loss to society to deal with more serious crimes | Insufficient number of officers available to respond
2 | Response too fast | Increased number of officers required to provide response | Increased cost to community to provide policing services | Too many officers available compared to call volume
3 | No response provided | Increased level of victimization or injury to callers | Reduced confidence and trust in police agency and justice system | Insufficient or no officers available to respond to calls for service
4 | Wrong response provided | Reduced ability to effectively respond to situation | Decreased efficiency of policing delivery with increased costs | Poor alignment between needs of call and resources dispatched
5 | Too much response provided | Specialist or other resources not available to respond to other calls for service | Reduced effectiveness of overall agency response to all crime in community | Poor alignment between needs of call and resources dispatched

(Current Control, O, S, D, RPN, and Recommended Action are not yet filled in at this step.)

Exhibit 21.7 Failure Mode, Effects, and Criticality Analysis—Example 2
Process: Patrol deployment model
Function: To provide police response to community calls for service in line with community and agency expectations

Item | Failure Mode | Local Effect | System Effect | Potential Cause | Current Control | O | S | D | RPN | Recommended Action
1 | Response too slow | Increased level of victimization or injury to callers | Increased cost/loss to society to deal with more serious crimes | Insufficient number of officers available to respond | Periodic review of response time data | 7 | 7 | 4 | 196 | Increase number of officers assigned to geographic area with too slow response time; move from areas with too fast response time
2 | Response too fast | Increased number of officers required to provide response | Increased cost to community to provide policing services | Too many officers available compared to call volume | Periodic review of response time data | 4 | 6 | 4 | 96 | Reduce number of officers assigned to geographic area with too fast response time, move to areas with too slow response time
3 | No response provided | Increased level of victimization or injury to callers | Reduced confidence and trust in police agency and justice system | Insufficient or no officers available to respond to calls for service | Call-in/rerouting dispatch protocol for when certain thresholds met | 2 | 9 | 4 | 72 | Implement more regular monitoring of calls by supervisors to trigger earlier call-in/reroute protocol
4 | Wrong response provided | Reduced ability to effectively respond to situation | Decreased efficiency of policing delivery with increased costs | Poor alignment between needs of call and resources dispatched | Dispatch protocol listing resources required for type of call | 6 | 4 | 7 | 168 | Require supervisors to observe resource deployment, note instances of wrong deployment, update dispatch protocol
5 | Too much response provided | Specialist or other resources are not available to respond to other calls for service | Reduced effectiveness of overall agency response to all crime in community | Poor alignment between needs of call and resources dispatched | Dispatch protocol listing resources required for type of call | 5 | 4 | 7 | 140 | Institute on-scene command structure to ensure unneeded resources are released for redeployment elsewhere as soon as possible, update dispatch protocol


Exhibit 21.8 Force Field Analysis

Driving Forces −−−−−−−−→ Status Quo ←−−−−−−− Restraining Forces

Driving forces:
• Known criminals subject to monitoring conditions as part of parole terms
• Strong community league group committed to maintaining standards
• Police resources available to redeploy into community from other areas
• Availability of citywide funding for local business owners to bridge through economic slowdown
• Liquor licensing laws include review provisions for new premises

Status quo: Increased crime levels within a community

Restraining forces:
• Known criminal elements move into community
• Reduced patrol presence in community
• Economic slowdown impacted businesses in area, leading to increased number of empty premises, homes
• New low-cost liquor store opened up in community

In a law enforcement context, we might want to consider why crime is rising in a particular neighborhood. The status quo in this case would be the increased crime level in the community, as this represents the problem or condition that we want to move away from. In considering this problem, we would want to consider what factors might be able to drive down the crime rate (the driving forces), as well as those factors that might restrain this decrease (the restraining forces).

Shown diagrammatically, this analysis could be presented as shown in Exhibit 21.8.

Using this example, it may be possible for the police along with the local community to address those factors responsible for increased crime levels by matching the restraining forces with the driving forces. This could be achieved through activities such as increasing visible police patrols, increasing the number of parole checks to ensure compliance, and reviewing the effect of the new liquor store by examining the geospatial distribution of crimes that occur around the store. This information could then be used to limit the effect of the restraining forces (for example, by tightening liquor sale conditions), and even help to convert them into driving forces for change through community-based partnerships.5

INFLUENCE DIAGRAMS

The purpose of influence diagrams is to identify graphically those forces that could help or hinder a particular initiative, or where there is a need to understand the ability of a community to influence a particular problem. There are two general approaches to this technique: issues based and personality based. The technique will work equally well for either approach; however, it is important when trying to identify key personality influencers that this is done with a degree of discretion and with a clear understanding of how effective an individual’s influence really is on the other people involved.


Exhibit 21.9 Influence Diagram for Rising Community Crime Levels

Problem Statement: Crime levels are rising in a specific neighbourhood

Forces (the boxes of the diagram) with the tallied lines in and out of each:
• Lack of Police Patrol Presence: IN 0, OUT 3 (KEY DRIVER)
• Economic slowdown meaning less local employment: IN 0, OUT 1
• Increase in Offender Population in Neighborhood: IN 2, OUT 1
• More empty businesses and homes in which crime can occur: IN 4, OUT 0
• Increase in availability of cheap liquor within neighborhood: IN 1, OUT 2

(The arrows drawn between the boxes are not reproduced here.)

To demonstrate the technique, it is perhaps most useful to take an issues-based approach. The first step is developing a coherent statement of the problem to be addressed, which should then be recorded where it can be readily referenced by the analytical team. Once this is done, the issues (or forces) that impact the problem should be brainstormed, and placed in boxes laid out in a circular pattern. Once these are arranged, the group should consider each force in turn, and determine what other forces the force influences or impacts. This is shown by simply drawing a pointed line from the force to those other forces it may impact. Once this is completed for each force, the total number of lines in and out of each box should be tallied. The force with the most “out” lines (i.e., it impacts the greatest number of other forces) is likely to be the key driver or influencer on the problem. The force with the most “in” lines (i.e., it is impacted by the greatest number of other forces) is likely to be the key outcome that needs to be changed.

Using the same example from the force field analysis description, we could develop the influence diagram shown in Exhibit 21.9.
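The tally described above as an added example (not from the book): the five forces of Exhibit 21.9 with a constructed set of arrows chosen to reproduce the exhibit's IN/OUT counts, since the book shows the counts but not the individual arrows; `tally`, `key_drivers` and `key_outcomes` are this example's own names.

```python
"""Influence diagram tally for the forces of Exhibit 21.9.

Added example, not from the book. The force names come from the exhibit;
the arrows in EDGES are constructed so that the in/out counts match the
exhibit (they are one of several arrow sets that would do so).
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Influence:
    in_lines: int   # arrows pointing at this force
    out_lines: int  # arrows leaving this force


FORCES = [
    "Lack of police patrol presence",
    "Economic slowdown meaning less local employment",
    "Increase in offender population in neighborhood",
    "More empty businesses and homes in which crime can occur",
    "Increase in availability of cheap liquor within neighborhood",
]
PATROL, ECONOMY, OFFENDERS, EMPTY, LIQUOR = FORCES

# Constructed arrows (from -> to), consistent with Exhibit 21.9's counts.
EDGES = [
    (PATROL, OFFENDERS), (PATROL, EMPTY), (PATROL, LIQUOR),
    (ECONOMY, EMPTY),
    (OFFENDERS, EMPTY),
    (LIQUOR, OFFENDERS), (LIQUOR, EMPTY),
]


def tally(forces, edges):
    """Count the lines in and out of each force box.

    Arrows to a force that was never brainstormed onto the diagram, and a
    force pointing at itself, are rejected: both would silently inflate a
    force's score and shift which force looks like the key driver."""
    known = set(forces)
    ins, outs = Counter(), Counter()
    for src, dst in edges:
        if src not in known or dst not in known:
            raise ValueError(f"arrow refers to an unlisted force: {src!r} -> {dst!r}")
        if src == dst:
            raise ValueError(f"a force cannot influence itself: {src!r}")
        outs[src] += 1
        ins[dst] += 1
    return {f: Influence(ins[f], outs[f]) for f in forces}


def key_drivers(counts):
    """Forces with the most 'out' lines (all of them if tied)."""
    best = max(i.out_lines for i in counts.values())
    return [f for f, i in counts.items() if i.out_lines == best]


def key_outcomes(counts):
    """Forces with the most 'in' lines (all of them if tied)."""
    best = max(i.in_lines for i in counts.values())
    return [f for f, i in counts.items() if i.in_lines == best]


if __name__ == "__main__":
    counts = tally(FORCES, EDGES)
    for force, inf in counts.items():
        print(f"IN: {inf.in_lines}  OUT: {inf.out_lines}  {force}")
    print("key driver(s):", key_drivers(counts))
    print("key outcome(s):", key_outcomes(counts))
```

The output reproduces the exhibit: patrol presence is the key driver (OUT 3) and empty premises the key outcome (IN 4), which is the conclusion the chapter draws from the diagram.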

However, police agencies, like all other members of the public service, are impacted by issues of budget, finance, stewardship, and governance. With the 30 largest municipal police agencies in Canada now collectively employing nearly 32,000 officers (and approximately a further 12,000 civilian staff), policing can easily become a big business for many communities to manage.

As scrutiny of public spending has increased, policing has not been immune from criticism; in fact, its large budgets are often seen as an easy target, especially as crime rates continue to fall.

Under these pressures, many police agencies have begun to adopt those business processes now common in the private sector, including enterprise risk management (ERM).


Comparing RCA Tools

One of the key drawbacks of the five whys approach is that most problems are not explained by a single causal factor. In applying the technique, it is common to discover that there are multiple answers to a single question. By focusing on only one answer, it is possible that a root cause will be discovered that only provides a partial understanding of the problem. Cause and effect analysis (sometimes called Ishikawa analysis or fish-bone analysis) provides a means of plotting these multiple root causes in a way that allows the analyst to truly understand all the sources of risk, as well as the interdependencies among the causal factors.

Once the causes and their effects are fully mapped out, it would be possible to identify the key drivers of risks that impact the problem. Using techniques such as Pareto analysis (where 20 percent of the effort should deliver 80 percent of the results),6 it would be possible to prioritize the issues and then make informed choices about which risks, and in which order, the agency would choose to address in dealing with the problem.

Failure mode, effects, and criticality analysis (FMECA) is a process that was developed by, and used extensively in, process-driven and engineering industries. It is an extension of the failure mode and effects analysis (FMEA) technique, which is designed to identify the inherent or root causes of risk associated with a process or system. By adding in an analysis of how critical these risks are, risk owners are able to identify those high-consequence and/or high-likelihood risks that they should address as a matter of priority.

Considering our influence diagram, we can see that the lack of police patrol presence impacts the greatest number of other forces. This conceptually makes sense given what criminology tells us about preventive policing. Where there is a lack of obvious police presence, individuals feel less inhibited about conducting activities that they would otherwise hide or not carry out, compared to how they would act in higher-scrutiny places. Equally, we can also see that the more empty homes and businesses there are in a neighborhood, the more safe places there are for crime to occur.

In this case, the most effective solution is likely to be an increase in visible policing in the neighborhood (something that the police can control), coupled with a community revitalization effort to fill the empty houses and businesses (most likely led by the community itself) in order to remove or reduce the number of places where criminals feel comfortable operating.

Combining the force field analysis and influence diagram techniques is often helpful, as it enables a fuller understanding of the factors in play to be developed. It also helps to develop an understanding of how and where existing pressures can be leveraged to achieve the desired outcome.

CONCEPT FANS

Concept fans are a pseudo-form of root cause analysis (RCA), and can perhaps be more appropriately viewed as a means of organizing the outputs of other RCA techniques. The concept fan technique can be used as a simple method of organizing the output of brainstorming activities, or in a more structured way to guide the development of thinking about a problem or a goal.


One way this technique can be used is as an effective means of examining the risks that surround a strategic objective or goal. Once the goal has been defined (using whatever strategic or RCA planning process makes sense for the organization), it is a straightforward matter of first identifying the potential sources of risk that could impact it, and then following these sources down to the specific risks that would arise from them.

In a law enforcement context, an agency may develop a strategic goal of reducing the level of reported property crime within its jurisdiction by 5 percent within one year. It would then need to consider what types of risks could impact its ability to achieve that goal. The agency may identify the following general sources of risks that might have an influence on its ability to be successful:

• Financial risk
• Human resources (HR) risk
• Information or data risk
• External influence (EI) (environmental) risk

At this point it is sufficient to simply identify these high-level sources of risk. The next step would then take each of these strategic sources of risk, and break them down even further into the specific risks and opportunities that would affect their objective for practical purposes. This might result in a list that looks like the one shown in Exhibit 21.10.

Exhibit 21.10 Concept Fan Example Table

Strategic Source | Specific Source of Risk or Opportunity

Financial risk:
• Insufficient funds to pay for extra enforcement and prevention activities
• Inability to move funds from other programs to support extra enforcement or prevention activities
• Processes in place to deal with fine-based revenue
• Freedom to reallocate funding within defined streams to support specific programs

Human resources risk:
• Insufficient flexibility in shift schedule to surge extra resources into higher-crime/higher-opportunity areas
• Not enough resources (total) to support specific crime reduction initiatives
• Contract with local Police Association allows for reallocation of resources at the request of the agency

Information or data risk:
• No or limited access to crime metadata to support effective targeting of neighborhoods or people
• Inaccurate data available to planning staff
• Specific crime data is able to be plotted geographically to identify localized crime hot spots

External influence risk:
• Limited public support for certain crime prevention techniques (such as stop and frisk)
• Greater public support for targeted, community-based crime reduction/prevention techniques


Exhibit 21.11 Concept Fan Example

(Figure: a fan diagram, reproduced here as its labels only.)
Strategic Objective
→ Risk Source (e.g., Financial Risk); Risk Source (e.g., Human Resources Risk); Risk Source (e.g., Information Risk); Risk Source (e.g., External Influence Risk)
→ Specific Financial Risk; Specific HR Risk; Specific Information Risk; Specific EI Risk (two of each in the figure)
→ Decision points: Is risk tolerable? Is risk consistent with risk appetite? Is opportunity being managed?
   If NO: Implement New / Amend Existing Risk Controls and Opportunity Plans
   If YES: Monitor Existing Risk Controls
Other labels on the figure: "Why do we do it?" and "How do we do it? (e.g., Strategic Business Plan, Balanced Scorecards, Annual Plan)"

By recognizing not only the risks but also the opportunities (which could be identified from the use of techniques such as force field analysis or influence diagrams), an agency would be able to better understand not only where its potential risks could come from, but also where there may be opportunities for leveraging existing strengths. Putting these elements together, the whole concept fan approach is shown in Exhibit 21.11.

CASE STUDY EXAMPLE: TACKLING VIOLENT CRIME

The following case study is based in a fictional North American city, but represents very real approaches used by various police agencies to tackle issues similar to those that are presented here.

Case Facts: General Background

Oil City is a sprawling North American city, with a population of nearly one million people. It is the main service town for a nearby oil and gas field, with many itinerant workers traveling between the city and the oil patch. As an energy-centric town, the local economy rides the waves of oil price fluctuations, with boom times drawing an influx of workers to the city who often spend money as quickly as they earn it. When the latest oil bubble bursts, these same workers often become stranded in the city and become dependent on local aid agencies to survive.


The population is increasingly multicultural, although the members of many immigrant groups feel increasingly isolated due to reasons of language, culture, and social status. First Nations people are drawn to the city from surrounding reserves in search of employment, but often struggle to find their place in a community that does not necessarily reflect their more traditional values. The city has brutally cold winters, and relatively short, dry summers that spawn regular tornados, making life difficult year-round for those forced to live rough.

Like most North American cities, Oil City has seen a gradual decline in its reported crime rates since peaking in the late 1970s and early 1980s. While crime has gone down across the board, the incidence of violent crime (crimes involving the use, or threatened use, of force against a person) has slowly been climbing over the past decade.

Specific Issue

In the first six months of the year the number of homicides committed in Oil City exceeded the total number of deaths for the whole previous year. At the current rate, the city is on track to more than double the previous year’s rate, and may even triple it. On average, one person was murdered approximately every six days, and in one particularly bad week, three people were killed in the space of less than 72 hours. Both local and national media have picked up on the trend, with the city being dubbed the “National Murder Capital.” The City Council and Police Board are both demanding action from the newly appointed Chief of Police, who has been in the job less than a month.

The specific facts available are:

• Of the 26 deaths in the first half of the year, 18 victims were homeless at the time or had been homeless within the previous three months.

• Of these 26 deaths, 22 had identified suspects, 12 of whom were homeless at the time of their alleged offending or had been homeless within the previous three months.

• Of the 26 victims and 22 identified suspects, 39 (81 percent) had consumed alcohol and/or narcotic drugs within six hours immediately before the fatal incident.

• Of the 39 victims and suspects who had consumed alcohol or narcotics within six hours of the fatal incident, 30 were impaired to a level that would have put them over the legal limit to drive.

• Seventeen deaths were the result of stab injuries caused by knives or other bladed weapons. Six deaths were the result of beatings, including those that involved the use of objects located at or near the scene. Two of the deaths were the result of gunshot wounds. In the final case the victim was deliberately run down by a vehicle.

• Each of the 30 homeless (or recently homeless) victims and suspects had been referred to or sought services from an average of 4.7 different health and social agencies in the previous six months.

• The victims of these crimes had an average of 13.2 previous convictions for petty offenses such as vagrancy, being drunk in a public place, or aggressive panhandling.


THE ROLE OF ROOT CAUSE ANALYSIS IN PUBLIC SAFETY ERM PROGRAMS 417

• The identified suspects in these crimes had an average of 9.6 previous convictions for violent offenses, and had spent an average of 3.75 years incarcerated for those offenses.

Developing the Approach

The Chief of Police was under huge pressure to act, and act quickly. However, knowing that a knee-jerk crackdown would not achieve sustainable long-term results, the Chief instead decided that a rapid risk assessment should be used to identify the root causes of the problem. Luckily, the Police Department had an enterprise risk manager who was able to help out.

The ERM manager was called in to a meeting with the Chief of Police, the criminal operations officer, and the head of strategic planning, and was set the following two tasks:

1. Identify the techniques that will be the most effective in identifying the root cause of the current surge in homicides in Oil City.

2. Choose the best approach, and justify selection of that approach.

Solution 1

The ERM manager went away and thought about the problem. It seemed that the issue wasn’t just about the number of homicides; it was also about the amount of violence being committed in the lead-ups to those homicides. In reviewing the crime statistics (outlined previously), it was also apparent that there were close links to issues of drug and alcohol dependency and homelessness in play that were likely affecting the number of homicides occurring in the city.

Given the multidimensional nature of the problem, the five options the ERM manager seriously considered for root cause analysis were:

1. Cause and effect (Ishikawa) diagrams
2. Failure mode, effects, and criticality analysis (FMECA)
3. Force field analysis
4. Influence diagrams
5. Concept fans

The ERM manager did not consider five whys as an appropriate analytical tool for this problem, as it would be likely to oversimplify the issues and miss critical details that would probably be necessary to support the development of an effective response strategy. Similarly, techniques such as HAZOP (an inductive RCA technique) and HAZID (hazard identification) were unlikely by themselves to present useful insights into the range of soft issues being assessed.

The ERM manager settled on a multistage approach to the analysis. This approach acknowledged that there was a need to better understand the underlying causes of the risks. This knowledge was then used to break out each piece to better understand the “why” of the root cause. To achieve this, the ERM manager recommended that the Police Service:

• Start by developing a cause and effect diagram to identify and group the broad issues of risk.

• Use an FMECA model to evaluate the components of the cause and effect diagram to gain a deeper understanding of the root causes of risk and to identify potential risk treatments.

Understanding the Issues

After presenting the recommendations and rationale to the Chief of Police, the ERM manager was given approval to start developing the cause and effect diagram. In order to make this as robust as possible, the ERM manager called together a brainstorming group from across the operations, intelligence, community support, and leadership streams of the department. The first challenge they faced was to develop the problem definition.

Solution 2

The overall problem definition used to frame the cause and effect analysis was relatively straightforward to develop using a standard brainstorming approach:

What are the factors driving an increase in violent crime in Oil City?

The group quickly saw the advantage of using the following categories to find the major causes and effects: equipment, environment, finance, materials, measurement, people, and processes. All of these sources were seen to be relevant (at least initially).

While these first challenges were overcome relatively easily, once the group started to identify the subsources of risk, they quickly came up against their next hurdle: How could they accurately (and defensibly) populate the subsources of risk?

Solution 3

The main issue the group faced was one of not only having to identify the subsources of risk, but also being able to defend them from internal and external review (and potential criticism). To overcome this issue, the ERM manager suggested that the following two RCA tools be used in series:

1. Force field analysis—used to identify key restraining and driving forces for change

2. Five whys analysis—used to follow each key restraining or driving force through to its root cause

As a result of the ERM manager’s suggestion, the group developed the (partial) force field analysis diagram shown in Exhibit 21.12.

Once the team had completed the force field analysis, they considered each of the restraining forces in turn using the five whys approach. Exhibit 21.13 outlines the results for two of these restraining factors.

It is important to note that there were a number of equally important answers to the third “why” question. In order to capture each of these separate answers, the analysis team would have followed each of the pathways to its logical conclusion by repeating the five whys process for each strand.

Exhibit 21.12 Force Field Analysis

Driving Forces −−−−−−−−→ Status Quo ←−−−−−−− Restraining Forces

Driving forces:

• Significant number of skilled social assistance agencies available to assist police

• Ability to implement new liquor licensing regimes, placing limits on single bottle “big beer” sales

• Police resources able to be redeployed into problem communities from other areas

• Existing legislation provides police powers to search, arrest for concealed weapons

• Well-structured strategic management and initiative management capability within the Police Department

Restraining forces:

• Levels of reported violent crime double the 10-year moving average

• Social assistance agencies compete with each other for funding and donations, which are often based on occupancy/throughput

• Ready community access to high-strength, low-cost alcohol (including single bottle “big beers”)

• Cultural acceptance of individuals carrying edged weapons among homeless, disadvantaged communities

• Reluctance of prosecutors to pursue charges for carrying concealed weapon

• Reluctance of some police leaders to commit resources to crime prevention if there are no arrests to be made

• No coherent organizational coordination of crime prevention or violence reduction initiatives


Exhibit 21.13 Five Whys Analysis

Restraining Factor: Cultural acceptance of individuals carrying edged weapons among homeless, disadvantaged communities

Why #1: Homeless, disadvantaged community members feel that they need to protect themselves from harm

Why #2: Members of the homeless and disadvantaged communities feel that police don’t protect them to the same level as other communities

Why #3: Previous police interaction with victims from the homeless, disadvantaged communities has often been adversarial and not resulting in positive outcomes for the reporters/victims

Why #4: Police members are not trained to recognize or relate to the specific physical, mental, and addiction issues more common among members of these communities that may impact how they are able to report crimes to the police

Why #5: Police officers are trained to respond to a call, deal with the issue as quickly as possible, and then move on to the next call

Restraining Factor: Reluctance of prosecutors to pursue charges for carrying concealed weapon

Why #1: Prosecutors view the charges to be a lot of work for minimal punishment to the offender

Why #2: Prosecutors often have to return to the arresting police officer repeatedly for additional information that has not been provided in the original charge report

Why #3: Police officers use a generic charge report to file the arrest report, and it does not specify all the information necessary to sustain a concealed weapons charge

Why #4: The Police Department records management system has not been configured with a specific concealed weapons charge report format

Why #5: The Police Department IT group has never been asked to create a specific concealed weapons charge report with mandatory data fields

Once the analysis team had completed their force field and five whys analysis, they were able to develop a comprehensive cause and effect diagram. Exhibit 21.14 includes two or three examples for each subsource of risk; however, in practice the total diagram would have been far larger.

The completed cause and effect diagram provided a touch point for the remainder of the risk management and strategy development processes. It provided the analysis team with detailed information on the root causes of the risks, including the many behaviorally based risks they saw in their environment, as well as providing several logical starting points for developing risk treatments.

Exhibit 21.14 Case Study Cause and Effect Diagram

Problem statement (head of the diagram): What are the factors driving an increase in violent crime in Oil City?

Category branches: Materials, Equipment, People, Finance, Process, Measurement, Environment

Causes plotted on the branches (listed here without their branch assignments):

• Social Agency Staff reluctant to work with police due to client trust perceptions

• Police Officers did not have skills to address mental illness, addiction issues

• Justice funding is often tied to crime resolution stats, making arrests more valuable

• No centrally run, health-focused drunk tank/acute addiction crisis center

• Limited CCTV / Security coverage in many public spaces, high-traffic areas

• Process-driven police practices may focus on enforcement other than prevention if it takes longer

• Insufficient available housing for homeless people in need

• No consistent referral or case management process for social agencies working with the same client

• Social Agencies receive public funding on the basis of number of clients served

• Citywide expectations around police response time were inconsistent with prevention focus

• Lack of support material on crime prevention in multiple languages

• No consistent, long-term funding model for social agencies that supported collaboration

Reprinted with permission from RIMS Strategic Risk Management Implementation Guide. Copyright 2012 Risk and Insurance Management Society, Inc. All rights reserved.

THE FMECA PROCESS

Once the analytical team started to look through the cause and effect diagram, they realized that one of the common themes related to the relationships among the different social assistance agencies that worked with the homeless and disadvantaged communities. It appeared that these agencies competed with each other to gain clients, as this enabled them to secure more public funding. In practice this meant that the faster they could turn a client around as “treated” or “helped,” the faster they could obtain another new client—and thereby obtain more funding. How could the analysis team look at this issue using an FMECA approach?

Solution 4

The team produced the following FMECA table after looking at this issue. They defined the scope of the problem process as being the Social Assistance Agency Funding Model.

Process: Social Assistance Agency Funding Model

Function: To provide public funding support to social assistance agencies that provide service to the homeless and disadvantaged of Oil City

Columns: Item; Failure Mode; Local Effect; System Effect; Potential Cause; Current Control; O (occurrence), S (severity), D (detection), RPN (risk priority number, O × S × D); Recommended Action

Item 1
Failure Mode: Funding based on output, not outcome
Local Effect: Increased pressure to cut time per client to move on to next client
System Effect: Reduced effectiveness of response, increased cost to repeat assistance
Potential Cause: Funding model focused on volume
Current Control: Periodic funding body audits of client numbers (no quality check)
O 9, S 7, D 7, RPN 441
Recommended Action: Rework funding model to focus on long-term outcomes rather than short-term volumes; provide a level of base funding independent of client numbers

Item 2
Failure Mode: No funding for collaborative programming
Local Effect: No incentive for agencies to work together
System Effect: Increased cost to system to fund multiple similar/same programs
Potential Cause: Funding model based on agency outputs rather than shared outcomes
Current Control: Nil
O 10, S 5, D 10, RPN 500
Recommended Action: Rework funding model to focus on shared outcomes, joint funding models for shared programming

Item 3
Failure Mode: No funding for specialist support services
Local Effect: Agencies providing single, highly specialized services are not publicly funded
System Effect: Access to these services is severely limited, or on user-pays basis
Potential Cause: Lack of recognition of need for particular services
Current Control: Periodic reviews of programs that are eligible for funding
O 6, S 4, D 7, RPN 168
Recommended Action: Identify current specialist skill gaps; push funding body to review funding model for these skills

It is important to remember that almost all of these actions would have fallen to other agencies to carry out—but by identifying the issue, the Police Department was better able to manage its own exposure to the effects of these nonowned risks.


Bringing It All Together

By the time the analysis team had completed the FMECA process for all of its risk sources and subsources, it was able to provide the organization with an exceptionally detailed and very comprehensive understanding of how these risks could affect (or already were affecting) the achievement of the department’s goal to reduce the level of violent crime in Oil City.

The final step in the process was developing a single comprehensive risk treatment plan, which allocated both accountabilities and resources to those organizational leaders best suited to dealing with the risk. This risk treatment plan took the recommended actions from the various FMECA analyses, and combined them into one single source of truth for the department’s violence reduction strategy. The RPN score from the FMECA was also used to help prioritize the initiatives, with the highest levels of risk generally being accorded a higher level of priority for treatment.

In order to align with the Police Department’s existing strategy and business planning model (including its quarterly reporting cycle), the ERM manager also worked with the head of strategy planning to group risk treatments together to form overarching strategic initiatives.

Solution 5

The risk treatments identified in the FMECA analysis were:

• Rework funding model to focus on long-term outcomes rather than short-term volumes.

• Provide a level of base funding independent of client numbers.

• Rework funding model to focus on shared outcomes.

• Develop joint funding models for shared programming.

• Identify current specialist skill gaps and then push funding body to review funding model for these skills.

An overarching initiative that covered all of these risk treatments might look like this:

Initiative Name: Social Assistance Agency Funding Model Advocacy

Initiative Owner: Deputy Chief of Police, Community Support Services

Initiative Description: In order to encourage more effective collaboration between agencies, increase access to services, and reduce duplication of services among social assistance agencies, the Oil City Police Department will adopt an advocacy position on these issues, and use this position to intervene with the public health funding bodies with respect to the current social agency funding model.

Initiative Deliverables:

• Formation of joint funding model working group with Oil City Police Department and social assistance agency representatives

• Development of outcome-based funding model document that provides for joint funding, critical specialist skills funding, and dependable base funding independent of client numbers

• Consultation of proposed funding model among social assistance agencies

• Development of social assistance agency funding model position paper, supported by social assistance agency representatives

• Establishment of negotiations with public health funding body on proposed model

Available Resources:

• Deputy Chief of Police, Community Support Services (5 percent)

• Officer in Charge, Strategic Planning (10 percent)

• Officer in Charge, Community Outreach Programs (75 percent)

• Communications Adviser (10 percent)
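The FMECA worksheet and treatment plan from Solutions 4 and 5, rebuilt as an added example in Python. This is not code from the chapter, the RIMS guide, or the Oil City Police Department: the three rows are transcribed from the chapter's table, while the class and function names (FailureMode, rank_by_rpn, treatment_plan, rpn_share) and the min_rpn cut-off are this example's own choices. It computes RPN = O × S × D with a range check on each rating, ranks the failure modes, merges their recommended actions into one prioritized treatment plan, and reports what share of the total RPN the top-ranked modes carry, which is the Pareto view mentioned in note 6.

```python
"""FMECA worksheet for the Social Assistance Agency Funding Model.

Added example, not code from the chapter or from Oil City Police. Table
contents are transcribed from Solution 4; names are this example's own.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class FailureMode:
    """One row of the FMECA worksheet; ratings use the table's 1-10 scales."""
    item: int
    failure_mode: str
    local_effect: str
    system_effect: str
    potential_cause: str
    current_control: str
    occurrence: int   # O: how often the failure mode occurs
    severity: int     # S: how bad its effect is
    detection: int    # D: how unlikely current controls are to catch it (10 = undetected)
    actions: List[str] = field(default_factory=list)

    def rpn(self) -> int:
        """Risk priority number, RPN = O x S x D, after checking each rating is in 1..10."""
        for name, value in (("O", self.occurrence), ("S", self.severity), ("D", self.detection)):
            if not 1 <= value <= 10:
                raise ValueError(f"item {self.item}: {name} rating {value} is outside 1-10")
        return self.occurrence * self.severity * self.detection


# Transcribed from the chapter's table (Process: Social Assistance Agency Funding Model).
FUNDING_MODEL_FMECA = [
    FailureMode(
        1, "Funding based on output, not outcome",
        "Increased pressure to cut time per client to move on to next client",
        "Reduced effectiveness of response, increased cost to repeat assistance",
        "Funding model focused on volume",
        "Periodic funding body audits of client numbers (no quality check)",
        occurrence=9, severity=7, detection=7,
        actions=[
            "Rework funding model to focus on long-term outcomes rather than short-term volumes",
            "Provide a level of base funding independent of client numbers",
        ],
    ),
    FailureMode(
        2, "No funding for collaborative programming",
        "No incentive for agencies to work together",
        "Increased cost to system to fund multiple similar/same programs",
        "Funding model based on agency outputs rather than shared outcomes",
        "Nil",
        occurrence=10, severity=5, detection=10,
        actions=[
            "Rework funding model to focus on shared outcomes",
            "Develop joint funding models for shared programming",
        ],
    ),
    FailureMode(
        3, "No funding for specialist support services",
        "Agencies providing single, highly specialized services are not publicly funded",
        "Access to these services is severely limited, or on user-pays basis",
        "Lack of recognition of need for particular services",
        "Periodic reviews of programs that are eligible for funding",
        occurrence=6, severity=4, detection=7,
        actions=[
            "Identify current specialist skill gaps and then push funding body to "
            "review funding model for these skills",
        ],
    ),
]


def rank_by_rpn(modes: List[FailureMode]) -> List[FailureMode]:
    """Highest RPN first; ties broken by severity, since a severe but rare mode still matters."""
    return sorted(modes, key=lambda m: (m.rpn(), m.severity), reverse=True)


def treatment_plan(modes: List[FailureMode], min_rpn: int = 0) -> List[str]:
    """De-duplicated list of recommended actions in RPN priority order.

    Modes with RPN below min_rpn are deferred, the way a team would push the
    lowest-priority items into a later planning cycle.
    """
    plan: List[str] = []
    for mode in rank_by_rpn(modes):
        if mode.rpn() < min_rpn:
            continue
        for action in mode.actions:
            if action not in plan:
                plan.append(action)
    return plan


def rpn_share(modes: List[FailureMode], top_n: int) -> float:
    """Fraction of the worksheet's total RPN carried by the top_n ranked modes (Pareto view)."""
    ranked = rank_by_rpn(modes)
    total = sum(m.rpn() for m in ranked)
    return sum(m.rpn() for m in ranked[:top_n]) / total


if __name__ == "__main__":
    for mode in rank_by_rpn(FUNDING_MODEL_FMECA):
        print(f"item {mode.item}: RPN {mode.rpn():>4}  {mode.failure_mode}")
    for step, action in enumerate(treatment_plan(FUNDING_MODEL_FMECA), 1):
        print(f"{step}. {action}")
```

Running the block reproduces the table's RPNs (441, 500, 168), ranks item 2 ahead of item 1 and item 3, and yields the same five treatments Solution 5 lists, in priority order. The two highest-ranked modes carry roughly 85 percent of the total RPN, which is why the funding-model rework dominates the resulting initiative.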

CONCLUSION

Progressive public safety agencies are well placed to leverage their existing risk-aware culture to support an ERM approach. By adopting a range of root cause analysis techniques, these agencies are able to identify the underlying causes of community safety issues, and then develop strategies and partnerships that allow them to address these situations more effectively. In doing so, they are able to apply their resources more effectively, and also ensure that other parties to the problem are doing their part to manage the risk. Because public safety is a shared responsibility between the police and the public, the use of root cause analysis techniques provides public safety agencies the ability to reframe the conversation both internally and externally, and ensure that they are applying their resources in the most effective and efficient way possible.

QUESTIONS

1. Identify an emerging crime issue in your community using data available from sources such as local newspapers, online police reporting, and so forth. Frame the situation, and then identify the restraining and driving forces that may be impacting the issue.

2. Using your force field analysis, develop a cause and effect diagram for the situation.

3. Either using a FMECA approach or some other appropriate RCA tool, identify five risk treatment actions you would recommend to the local Chief of Police to address the issue.

NOTES

1. M. Burczycka, “Police Resources in Canada,” Catalogue no. 85-225-X, Statistics Canada, Ottawa, 2013. For a discussion of crime rates in Canada, see “Indicators of Wellbeing in Canada: Security—Crime Rates,” at www4.hrsdc.gc.ca/[email protected]?iid=57 (last modified November 7, 2013).

2. For further detail on cause and effect analysis, see page 56 (B17) of IEC/ISO 31010, “Risk Management—Risk Assessment Techniques.” See K. Ishikawa, Guide to Quality Control, for a detailed explanation of this technique.

3. For further detail on failure mode, effects, and criticality analysis, see page 46 (B13) of IEC/ISO 31010, “Risk Management—Risk Assessment Techniques.”

4. It is not necessary to be an engineer to follow this example—it is sufficient to understand the way the FMECA process is applied, and accept that the answers provided are accurate.

5. For a fuller description of this phenomenon, see George Kelling and Catherine Coles, Fixing Broken Windows: Restoring Order and Reducing Crime in Our Communities.

6. Pareto analysis is a technique used to identify those courses of action or options that are likely to deliver the greatest benefit. It is based on the theory of diminishing returns, and can be referred to as the 80/20 rule, where 80 percent of the value is seen to be delivered through the use of 20 percent of the available resources. See, for example, Suzanne Turner’s description in Tools for Success: A Manager’s Guide, where the technique is referred to as “vital few analysis.”

REFERENCES

Burczycka, M. 2013. “Police Resources in Canada.” Catalogue no. 85-225-X, Statistics Canada, Ottawa.

Human Resources and Skills Development Canada. 2013. “Indicators of Wellbeing in Canada: Security—Crime Rates.” www4.hrsdc.gc.ca/[email protected]?iid=57 (accessed November 7, 2013).

Ishikawa, K. 1985. Guide to Quality Control. 2nd Rev. Ed. Tokyo: Asian Productivity Organization.

ISO 31000:2009. “Risk Management—Principles and Guidelines.” Geneva: International Organization for Standardization.

ISO/IEC 31010:2009. “Risk Management—Risk Assessment Techniques.” Geneva: International Organization for Standardization.

Kelling, George, and Catherine Coles. 1996. Fixing Broken Windows: Restoring Order and Reducing Crime in Our Communities. New York: Free Press.

Turner, Suzanne. 2003. Tools for Success: A Manager’s Guide. Berkshire, UK: McGraw-Hill Professional.

ABOUT THE CONTRIBUTOR

Andrew Bent is a practicing risk manager with a large Canadian integrated energy company. He was previously in charge of enterprise risk management for one of Canada’s largest municipal police services. He holds a master’s degree in strategic studies, as well as ARM-E, ARM-P, CRMA, CCSA, and CFE designations.


CHAPTER 22

JAA Inc.—A Case Study in Creating Value from Uncertainty
Best Practices in Managing Risk

JULIAN DU PLESSIS Head of Internal Audit, AVBOB Mutual Assurance Society

ARNOLD SCHANFIELD Principal, Schanfield Risk Management Advisors LLC

ALPASLAN MENEVSE Risk Officer, Sekerbank T.A.S., Turkey

This case study describes how enterprise risk management (ERM) was implemented at a fictitious company, JAA Inc. It provides extensive detail as to the governance structure, the processes, and the various tools used. The case is built on the principles/guidance of ISO 31000¹ and the implementation guidance created by HB 436.² The key players in this case are the heads of Internal Audit and Risk Management. It is interesting to see what they have done in the five years expended to implement ERM. We offer special thanks and appreciation to Grant Purdy from Broadleaf International in Australia for his continued support, dedication, and help provided to our efforts.

SETTING THE CONTEXT

It was a beautiful Wednesday afternoon in Chicago. Matt Damison, the chief internal auditor (CIA), and Frank Gillespie, the chief risk officer (CRO), were having lunch in JAA’s cafeteria and reminiscing about the times at JAA when the company’s performance was much lower than the current state. Only five years earlier, in 2008, the company had embarked on a comprehensive enterprise risk management (ERM) program. Both Matt and Frank, together with executive management and the board, had been actively involved in this initiative. At that time, JAA was also undergoing various regulatory audits, and employee morale was quite poor. The company has now been able to satisfactorily address these issues, and in fact has won numerous awards and been written about in various journals for its risk management program. JAA has progressed from being considered risk management novices to being seen as leaders in the field of effective risk management, having accomplished this in less than four years but still recognizing that improvements need to be made. Matt and Frank have just received a phone call from the Wall Street Journal press. They agreed to be interviewed to explain the genesis of JAA’s ERM implementation undertaken five years previously and how as a company it has since flourished. Senior and executive management have encouraged Matt and Frank to conduct such an interview to highlight the company’s achievements.

Business Background

In 1972, JAA commenced operations as a private company founded by three brothers (Emile, Robert, and Frank Bergand) in Chicago, Illinois. In 1988 the brothers decided to take the company public and launched an initial public offering (IPO), as market conditions at that time were quite favorable and the brothers wished to reap financial benefits (i.e., cash out) after years of hard work. The brothers remained with the company and served in executive roles until they retired in 2003. JAA is listed on major stock exchanges, is headquartered in Chicago, and has a December 31 year-end. The financial statements appear in Appendix A.

The company has three operating segments:

1. A U.S. wholesale business
2. A U.S. retail business
3. An international business (wholesale and retail)

The aforementioned segments reflect the way the business is managed and performance is evaluated. The wholesale business focuses on the sale of undecorated apparel products to distributors in the United States and internationally. The international wholesale operating segments also produce apparel products that satisfy the preferences of those customers that favor a more local traditional style, to stay sufficiently competitive in those markets. This was determined from a risk workshop that identified the loyalty factor of international customers as a major business opportunity.

The company operates 57 retail stores in 10 different countries:

• North America—United States (28)
• South America—Argentina and Brazil (7)
• Asia—China, South Korea, and Japan (11)
• Australia (4)
• Europe—Switzerland and Turkey (4)
• Africa—South Africa (3)

The retail stores cater directly to the consumer, and most such stores are situated in major shopping malls using leased space. The stores target middle-aged men and women. Retail store customers represent quite a sophisticated group of shoppers. The stores compete on the basis of location, merchandise availability, price, and customer service. Retail sales are promoted via major newspapers and online media. JAA’s major competitors are McCory, Bertang, and Keramtor.

The wholesale customer base comprises 100 key distributors. The split between retail and wholesale is 40 percent/60 percent, respectively. Competition at both the retail and wholesale levels is fierce and has necessitated that the company outsource part of its manufacturing to lower-cost countries. Key product cost competition is from China, Bangladesh, and Vietnam.

The apparel business/industry is characterized by rapid movements in fashion, changing consumer demand, and significant competitive pressures. JAA has emphasized quality merchandise at an affordable price. Wholesale customers are secured through a lean, but stellar, sales force established in the major cities around the globe (45 major cities). No one single distributor exceeds 5 percent of the company’s sales. JAA also has an online catalog operation, whose critical success factors are website availability and design, advertising response times, and social media recognition.

The Bergand brothers are now the largest company shareholders, owning some 22 percent of the stock. There are a couple of large institutional investors that collectively own an additional 12 percent of the outstanding shares.

The executive and senior management teams comprise:

• President and CEO: Michael Menorix
• Chief Financial Officer: Jillian Verdiger
• VP of Marketing and Sales: Mary Mordensti
• VP of Production: Boris Dentiger
• VP of Human Resources: Francine Tanserki
• Chief Internal Auditor: Matt Damison
• Chief Risk Officer: Frank Gillespie
• VP of Legal and Compliance: Michael Perstay

JAA has its core U.S. manufacturing in a 360,000-square-foot facility, which also contains the corporate/executive offices and warehousing/distribution. The company also has two small satellite manufacturing facilities in Tampa, Florida, and Los Angeles, California, on company-owned properties. JAA has outsourced 25 percent of production in various agreements with third parties in Turkey, China, and South Africa. The company’s apparel product line initially focused on men’s coats, but over a period of time expanded to include a full line of men’s clothing inclusive of pants, shirts, and coats. In 1999, an upscale line of women’s clothing was added to the product portfolio.

The company purchases all fabric from 50 key suppliers, having trimmed its supplier base from 400 over the past five years. All suppliers are ISO 9000 certified and, as such, are subject to rigorous reviews prior to becoming JAA’s suppliers. JAA uses state-of-the-art technology to enhance marketplace competitiveness.

The company has been fortunate in attracting high-caliber employees. It has had minimal turnover over the past three years, and it provides a generous compensation and incentive package to its employees. It is not subject to any collective bargaining agreements but to various environmental regulations in the United States and overseas. One other key area JAA is heavily focused on, and in strong compliance with, is monitoring compliance at third-party manufacturing facilities overseas.

Effective management of risk was recognized by the current management team as being critical to JAA’s success. Thus the company sought individuals who were experienced in this field for key leadership positions in Internal Audit and Risk Management, as well as for the key board positions. When the current heads of Internal Audit and Risk Management joined the company in 2008, JAA had sustained six years of losses. JAA’s creditworthiness is currently BBB as rated by the major rating agencies, having improved from junk status to this rating within four years.

Initial Steps: Strategic Planning and Business Objectives

JAA’s management recognized in 2008 that there were concerns with the annual strategic planning process because the board members typically did not attend such meetings. This impeded their ability to address the key strategic questions JAA faced, and did not create an environment that could generate fresh insights. Typically, the focus on short-term performance was failing to identify risks that threatened long-term objectives. Such short-term thinking also neglected to think about untapped business opportunities.

JAA decided to discard the annual process and replace it with a much more intense form of strategic engagement with management and the board. They are now devoting extra time at each board meeting to pressure-test the strategy in view of its progress and changes in critical variables. There is a strong communication process of this new strategy throughout the organization to both the internal and external stakeholders. JAA prides itself in doing this well under President Michael Menorix’s leadership. Management knows who the stakeholders are and their needs and has established different communication channels with them as appropriate, including webinars, phone conference calls, town hall meetings, written media, and so on.

JAA’s management is aware of the many pitfalls of strategic planning and has recognized the need to view risk and strategy as two sides of the same coin because it knows that the two are linked. The company aims to increase shareholder value and to address the needs of the other stakeholders through successful pursuit of the following strategic objectives:

• Maintaining market leadership
• Sustaining technology leadership
• Strengthening global presence
• Delivering quality service
• Being seen as a leader in compliance with all laws and regulations

Establishing the Governance System

JAA has developed an excellent governance system by using many different metrics as described later. The Governance Framework is depicted in Exhibit 22.1. The board consists of external directors, including Sally Hendrix, who serves as chair of the Audit Committee. The Audit Committee members have served for periods ranging from two to seven years. All committee members, in addition to their professional qualifications and experience, are well versed in risk management. They have all attended formal training in this subject matter at leading risk organizations and have received training by both the Internal Audit and Risk Management groups of JAA as well.

Exhibit 22.1 Governance Framework
Board and Board Committees: Main Board; Risk and Strategy Committee; Audit Committee; Compensation and Nominating Committee
Executive Functions: Executive Risk Oversight Committee
Business Functions: Responsible for managing risk and implementing internal controls
Control Functions: Internal Audit; Compliance Monitoring; Risk Management

The company’s risk governance framework illustrates the governance arrangements for the board, management, independent control functions, and ongoing business operations that exercise governance over risk.

JAA’s board is responsible for the governance processes that it requires management to execute. The company understands that effective oversight by its board and senior management is critical to the overall governance effort. It protects its shareholders and other stakeholders by ensuring sustainability of the business through achievement of superior performance. The board provides leadership to JAA by understanding and accepting its responsibilities for the adoption of strategic plans, monitoring of operational performance and management, determining the philosophy and effectiveness of the approach for managing risk (including internal controls for managing the day-to-day operations), and compliance with all relevant laws and regulations.


The directors of JAA Inc. have applied the principles of discipline, transparency, independence, accountability, responsibility, fairness, and social responsibility to ensure that sound governance is practiced consistently throughout the company. Being listed on the New York Stock Exchange and subjected to its listing requirements emanating from the Securities Exchange Act, the company requires:

• An independent board of directors with a majority of nonexecutive directors (NEDs)
• An Audit Committee
• Compensation and Nominating Committees
• That board members must gain approval prior to undertaking any other board assignments and in no event can any board member serve on more than three other boards
• Attendance of at least 75 percent of board meetings and its subcommittees annually
• Strong continuing education in various areas, including risk management, governance, and internal control
• Presence and functioning of an Executive Risk Oversight Committee (EROC)
• Presence and functioning of a Risk and Strategy Committee (RSC)

JAA continually seeks to improve its knowledge of international frameworks and standards to augment its governance processes. As such, it has incorporated best practices from South Africa (King III),[3] Canada (Criteria of Control),[4] the United Kingdom (Combined Code,[5] Risk Management Consultation Draft—FRC[6]), and Australia (ASX and HB 436[7]) to update its risk management and governance frameworks.

The board of directors has delegated certain functions to the various committees. The board is kept up to date on:

• Business performance relative to strategy, budgets, business plans, risk criteria, capital adequacy and preservation, and earnings volatility
• Noncompliance with board policies, regulations, statutes, and accounting policies
• Significant breakdowns in operations, unsatisfactory financial performance, noncompliance with laws and regulations, ineffective management supervision and monitoring, internal controls or process failure, and organizational system or structure failure
• Effectiveness of the corporate governance process
• Corrective actions implemented in respect of these

Specific responsibilities of the different committees are discussed in the following subsections, namely the Compensation Committee, the Risk and Strategy Committee, and the Executive Risk Oversight Committee.

The Compensation Committee

• Reviews and approves remuneration policy throughout the business
• Ensures that the remuneration policies adopted do not result in excessive risk taking
• Ensures that the compensation plans and compensation awarded to senior management are based on the achievement of objectives as a result of managing risks effectively
• Designs and approves the principles to be used in the performance agreements of management to ensure that key performance indicators (KPIs) of management encourage prudent risk taking and the management thereof

The Risk and Strategy Committee

• Sets and reviews JAA’s risk criteria
• Oversees the risks to which the company is exposed, and monitors the activities of the Executive Risk Oversight Committee (EROC)
• Approves the risk management policy on behalf of the board
• Reviews the design, completeness, and effectiveness of the risk management framework to ensure that changes and updates to risk management are performed in accordance with processes approved by the board as documented in the risk management policy and that oversight of it is effective
• Ensures that infrastructure, resources, and systems exist to adequately oversee and monitor JAA’s risks (this is done to ensure that risk taking is consistent with the risk criteria set by the board; at all times the board is aware of the comprehensiveness, accuracy, and status of the risk attitude)
• Reviews the effectiveness of risk reporting (including timeliness and events that could impact business objectives and the company’s risk profile)
• Ensures that all strategic transactions undergo appropriate review and due diligence before submission to the board, particular focus being accorded to the risk criteria
• Reviews and challenges capital and liquidity stress testing

The Executive Risk Oversight Committee (EROC)

• Scrutinizes and challenges the risks identified to which the company is exposed and evaluates the assessment of these risks
• Assists the board in defining JAA’s risk criteria that align with the objectives and strategies of the organization and monitors that risks are managed within the risk criteria
• Establishes the risk management policy
• Ensures that the framework for managing risk continues to remain effective
• Ensures that the necessary resources are allocated to manage risk
• Determines that the risk management performance indicators are aligned with KPIs of management performance of the organization
• Ensures and monitors legal and regulatory compliance
• Reviews results of stress and scenario testing for JAA’s strategic objectives and attainment of them
• Assigns accountabilities and responsibilities at appropriate levels within the organization
• Reports on how managing risk is performed to provide assurance to stakeholders

Business Operations

In addition to the oversight functions (described next), JAA has embedded risk management into underlying business operations. For example, a risk management policy (see Appendix B) has been implemented across the company to support the effective implementation of risk management. A risk management framework, supported by various risk policies, has been implemented to provide guidance to all employees on how to address organizational components, such as business and strategy planning, budgeting, and performance management and reporting, as well as human resources, compliance, and information security. Heads of departments are responsible for the maintenance of the risk registers, which include treatment actions. All risks in this register are further consolidated and reported to the EROC with possible treatment options.

Oversight Functions

The company’s independent oversight functions, namely the Risk Management department, the Legal department, the Compliance department, and the Internal Audit department, provide the required assurance. These functions report periodically to the board and its committees as appropriate.

Risk Management Department

The Risk Management department has a unique advisory role to all management levels as well as to the board while managing risks. Also, the department reviews and challenges the outcome and results of risk assessment activities performed by management and the resulting risk registers produced that include the risks that constitute the risk profile of JAA.

Legal Department

The Legal department is responsible for providing advice to the company, its divisions, and its employees on matters of law and legal protection by:

• Representing the company in all meetings, conferences, and public forums
• Preparation of protocols, claims, and court counterclaims
• Representation of the company in court
• Protection of the company’s rights and interests in judicial settings
• Creation of legal documentation requirements

Compliance Department

The Compliance department helps in the following areas:

• Regulatory risk management—keeping company activities in strict compliance with current legislation
• Compliance monitoring—evaluating and measuring the state of compliance across the organization
• Investigations—managing investigations into wrongdoing and anything that increases regulatory-related risks

Internal Audit Department

The Internal Audit (IA) function is best in class. Matt Damison, who has 20 years of relevant internal audit and risk management experience, joined JAA in 2008 with strong academic and professional certifications. He belongs to several leading professional organizations such as the Institute of Risk Management in London, the Conference Board of Canada, and the Risk Management Institute of Australia. He also speaks and writes extensively on this subject matter.

Matt reports directly to the Audit Committee chair, Sally Hendrix, with dotted-line daily responsibilities to the chief executive officer, Michael Menorix. Matt meets with the Audit Committee on a periodic basis. He also attends the key meetings in the strategic planning process.

This is a summary of what he has done during this five-year period:

• The department adopted a comprehensive risk-based approach to the audit plan. All audit projects are derived from this risk-based plan. Special requests by management that are external to the risk assessment performed by management are reviewed very carefully, especially if the requests do not appear to address issues that are generating any new risks. Audits are thus focused on the company’s highest risks or on the highest risks that are now reduced to within the stated risk criteria through management actions. Comprehensive reviews of every business/operational process are not performed, because such processes include areas of lower risks.
• Several senior-level personnel in the company formerly worked in the Internal Audit function, and Internal Audit has a track record of promoting high-quality performers to line management positions. The function has a solid track record with minimal turnover to outside the organization.
• The Internal Audit group consistently demonstrates how it has contributed to the success of the company by linking all commentaries on its accomplishments to the company’s strategic objectives.
• Internal Audit annually evaluates risk management, and issues an opinion on it according to the 11 risk management principles stated in ISO 31000. This year, it has completed its third such review, focusing on:
  • The design of the risk management framework, including such things as assignment of responsibilities and accountabilities, context of the company, communication with the stakeholders, and mandate and commitment by the board
  • The implementation of the risk management framework
  • The risk process implementation, culminating in the generation of the risk register
  • Monitoring and review
  • Continuous improvement

External Auditors

Matt has also been successful in helping the company reinvent its relationship with the external auditor in the following areas:

• Prior to the heads of Internal Audit and Risk Management joining the company, the external audit process left much to be desired. Specifically, JAA never received a well-written management letter; if it received any letter at all, it was written quite superficially and was received by the company nine months subsequent to year-end. There was extensive overlap in some of the areas covered by external and internal audit. There were, as well, some key areas missed in the external audit that created surprises for the company.

• As a result of the foregoing, the following changes were implemented, creating many positive effects for the risk management framework:
  • The external auditors were invited to sit in on the key strategic planning sessions of the company.
  • There were ongoing meetings between the head of Internal Audit and the principal partner on the external audit team.
  • The external audit team compiled and wrote a comprehensive management letter with special emphasis on root cause analysis (meaning that they understood the root causes of specific problems). They ensured as well that all such comments were addressed by management of JAA and did not appear in the following year’s management letter comments.
  • The external auditors, in performing their planning work for the current year’s audit, began to utilize the existing risk management framework and process at the company, as created by the risk management function. This was to ensure that all parties’ efforts were clearly aligned.
  • The internal auditors, in assessing effectiveness of the risk management framework at the end of the year, summarized as well the contributions to it by the external auditors.
  • The internal auditors did not act as surrogates for the external auditors, meaning that no internal audit time was expended in performing external audit work to reduce cost of the external audit.

Evolution of Risk Management

When initially appointed to their positions in 2008, the current heads of Internal Audit and Risk Management met with the CEO, as well as with the rest of the executive management team. After a number of discussions, it was decided to implement enterprise risk management (ERM) throughout the company so that JAA could achieve its business objectives, unlike the prior six financial years when performance was generally poor. As the CRO, Frank Gillespie was the key person who facilitated the risk management program with a team of three professionals reporting to him. The risk management team determined that the source of the problems in the company over the past several years stemmed from:

• Weak commitment to each of the business objectives
• Poor internal communications
• Absence of initiative taking
• Inconsistencies in internal reporting
• Unclear organization roles and responsibilities
• Failure to adequately monitor the international brand licenses and copyrights
• Failure to provide a safe working environment

These issues further served to demotivate the existing workforce, which in turn had the compounding effect of creating an environment where employees became hesitant to undertake new projects. Ultimately, this caused JAA to fall behind its competitors.


As the team scoured the marketplace in 2008, they noted that ISO 31000:2009[8] was in draft stage, but its predecessor, AS/NZS 4360:2004, existed together with the accompanying HB 436 handbook. They decided to launch their risk management efforts using these guides.

After performing a detailed gap analysis of the existing risk management framework, Frank prepared the training curricula for all company employees. At the senior management level, he rolled out leadership and soft skill coaching courses. For the lower levels of management, he introduced training in communications, body language, and project management. In addition, for both groups, he introduced personnel conflict resolution, negotiations, presentation skills, and human behavior/bias training workshops. To create a teamlike environment and a great atmosphere between the different layers of management, Frank organized group hobby sessions such as photography, cooking, and several weekend hiking events. These served to repair impaired lines of communication, which in turn helped to reinvent JAA’s new corporate culture.

Having performed a few cycles of workshops with senior management, Frank suggested that they needed to prepare a risk management policy with the information gathered from all key executives. The risk management policy became the foundation for the company’s risk management framework. Frank also created standard risk management terminology to ensure that everyone gained a common understanding of risk management words and phrases. This was incorporated into the risk management policy.

INTRODUCTION OF ISO 31000 AND HB 436 TO THE COMPANY

After three years of diligent efforts in implementing this framework, benefits materialized through greater profits, revenue growth, shareholder value improvement, and individual performance. In 2009, when ISO 31000 became the international risk management standard, the company adopted it through its entire business. ISO 31000 represented an opportunity to create effective risk management within JAA as this was merely an upgrade of AS/NZS 4360.

Frank’s group performed a new gap analysis while upgrading to ISO 31000 to determine what additional changes needed to be made in JAA’s current risk management principles, framework, and process. JAA adopted ISO 31000 in two phases. The initial phase was at the business level since it was critical to incorporate this into the decision-making processes of the company. The second phase was at the strategic level, which also included monitoring of the initial phase. The company made extensive use of the HB 436 handbook to help with the implementation process.

Defining the Context of JAA

The internal and external context of the company was clearly defined by the ERM team (see Exhibit 22.2). The objectives, stakeholders, and current business environment were compiled to ascertain strengths, weaknesses, opportunities, and threats facing the company. The team identified the following stakeholders of the company: shareholders, board members, employees, media, third-party outsourcing vendors, the World Trade Organization, regulatory agencies, stock exchanges, the Internal Revenue Service (IRS), environmentalists, suppliers, customers, labor unions, and immigration authorities.

Exhibit 22.2 Using Context for Risk Criteria
External Context: National and International Politics; National and International Economics; Laws and Regulations; Standards and Ethics; National and International Sector; Physical Location; Environmental Factors; Utilities and Services; Markets; Others
Stakeholders
Context for Risk Criteria
Internal Context: Processes; Organization; Objectives; Policies; Human; Information; Product; Data; Infrastructure

The risk management policy in Appendix B is its third version in an effort to keep up to date with the latest developments and/or evolution in respect to risk management best practices, as well as how the business is supposed to operate. The latest update was performed during 2011 to address the principal elements of ISO 31000. The company also conducted an impact analysis using worst-case scenarios to set an operational baseline, and this further helped to formulate the risk criteria and JAA’s attitude toward risks.

Defining Risk Criteria

JAA undertook the following six-step process to establish risk criteria at the company.

First, it selected each of the five strategic objectives and articulated its position on expected outcomes and how it would measure such outcomes.

The five objectives were:

1. Maintaining market leadership
2. Sustaining technology leadership
3. Strengthening global presence
4. Delivering quality service
5. Being seen as a leader in compliance with all laws and regulations


For example, the expected outcomes for “being seen as a leader in compliance with all laws and regulations” are minimal injury to employees, zero fatalities, not facing prosecutions and enforcement actions, and minimizing the cost of any cleanup. It decided to measure such outcomes by people impact, legal actions, and duration and cost of any cleanup.

Second, it developed scales for each consequence type using ordinal measurement with the low end representing tolerable or insignificant deviations from the expected values and the high end representing very high consequences that may be retained only by board approval. Such consequences are demonstrated in Exhibit 22.3 for quantitative consequences and in Exhibit 22.4 for qualitative consequences.

Third, it decided how likelihood would be expressed, and chose ranges from rare to very often with their associated probabilities, as can be seen in Exhibit 22.5a.

Fourth, it developed a table to derive the level of risk, and this can be seen in Exhibit 22.5b. The company opted to express the level of risk as a distribution instead of a point level so that different levels of impact could be expressed with the corresponding likelihood.

Fifth, it decided how the level of risk would be expressed by using a scale consisting of four levels from high to low, based on the combination of impact and likelihood mentioned before. With this table, for each risk, a treatment method is determined by multiplying the likelihood (probability) with impact level. Bow tie analysis[9] is being used to map objectives and the events or consequences.

Finally, it decided on the rules for evaluating a risk, and such rules are listed in the upcoming “Risk Attitude” exhibit, and in Appendix B, “Risk Management Policy.”
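The six steps above, carried through in code as an added example (not code from the book or from JAA): the consequence thresholds come from Exhibit 22.3, the likelihood bands from Exhibit 22.5a and the risk levels from Exhibit 22.5b, while the floor rating of 1, the tie-break on the overlapping likelihood bands, the score bands between the two corners the exhibit fixes and the "higher of dollar and percent" rule are assumptions made here. The sample risk register entry at the bottom is constructed.

```python
"""Risk criteria in the style of JAA's Exhibits 22.3, 22.5a and 22.5b.

Added illustration, not code from the book or from JAA. Thresholds are copied
from the exhibits; the floor rating of 1, the tie-break on overlapping
likelihood bands, the score bands for the four qualitative levels and the
'higher of dollar and percent' rule are assumptions made here.
"""
from dataclasses import dataclass

LEVEL_ORDER = ["Low", "Medium", "Medium-high", "High"]  # Exhibit 22.5b, ascending

# Exhibit 22.3: (consequence level, threshold that must be exceeded), highest first.
DOLLAR_SCALES = {
    "regulatory_fines": [(5, 1_000_000), (4, 700_000), (3, 500_000), (2, 300_000), (1, 100_000)],
    "contract_liabilities": [(5, 10e6), (4, 7e6), (3, 4e6), (2, 2e6), (1, 1e6)],
}
PERCENT_SCALES = {
    # quarterly sales is two-sided (> +x% or < -x%), so it is rated on |deviation|
    "quarterly_sales_deviation": [(5, 25.0), (4, 15.0), (3, 10.0), (2, 7.0), (1, 4.0)],
    "key_personnel_turnover": [(5, 15.0), (4, 10.0), (3, 5.0), (2, 3.0), (1, 1.5)],
}


def consequence_level(metric: str, value: float) -> int:
    """Step 2: map a value onto the 1-5 ordinal consequence scale.

    Assumption: a value inside the 'Very Low' band is a tolerable deviation
    and is still rated 1, the low end of the scale.
    """
    if metric in DOLLAR_SCALES:
        bands, magnitude = DOLLAR_SCALES[metric], value
    elif metric in PERCENT_SCALES:
        bands, magnitude = PERCENT_SCALES[metric], abs(value)
    else:
        raise KeyError(f"no consequence scale defined for {metric!r}")
    for level, threshold in bands:
        if magnitude > threshold:
            return level
    return 1


def likelihood_level(occurrences: int) -> int:
    """Step 3: Exhibit 22.5a rating from occurrences in the target period.

    The exhibit's count bands overlap at their edges (3-5 vs 5-10, 1-3 vs 1-2);
    assumption: breakpoints >10, 5, 3 and 2, a single occurrence rated Rare.
    """
    if occurrences > 10:
        return 5  # Very often
    if occurrences >= 5:
        return 4  # Often
    if occurrences >= 3:
        return 3  # Even
    if occurrences == 2:
        return 2  # Few
    return 1      # Rare


def qualitative_risk_level(likelihood: int, impact: int) -> str:
    """Step 5: four-level rating from likelihood x impact (Exhibit 22.5b).

    The exhibit fixes two corners: frequent (4-5) with high impact (4-5) is
    High; few occurrences (2) with low impact (2) is Medium. The score bands
    in between are an assumption made here.
    """
    score = likelihood * impact
    if score >= 16:
        return "High"
    if score >= 7:
        return "Medium-high"
    if score >= 4:
        return "Medium"
    return "Low"


def quantitative_risk_level(exposure_usd: float, net_sales_usd: float) -> str:
    """Exhibit 22.5b, middle column: dollar exposure or share of net sales.

    The exhibit joins the two tests with 'or'; assumption: take the higher level.
    """
    pct = 100.0 * exposure_usd / net_sales_usd
    by_dollar = ("High" if exposure_usd > 10e6 else "Medium-high" if exposure_usd >= 5e6
                 else "Medium" if exposure_usd >= 1e6 else "Low")
    by_pct = ("High" if pct > 1.5 else "Medium-high" if pct >= 0.75
              else "Medium" if pct >= 0.15 else "Low")
    return max(by_dollar, by_pct, key=LEVEL_ORDER.index)


@dataclass(frozen=True)
class Scenario:
    label: str
    metric: str
    value: float      # consequence in the metric's unit (dollars or percent)
    occurrences: int  # expected occurrences in the target time period


def assess(scenarios):
    """Step 4: express one risk as a distribution of (impact, likelihood) pairs.

    Returns one (label, impact, likelihood, score, level) tuple per scenario
    plus the worst level, which is what drives the treatment decision.
    """
    rated = []
    for s in scenarios:
        impact = consequence_level(s.metric, s.value)
        likelihood = likelihood_level(s.occurrences)
        rated.append((s.label, impact, likelihood, impact * likelihood,
                      qualitative_risk_level(likelihood, impact)))
    worst = max((r[4] for r in rated), key=LEVEL_ORDER.index)
    return rated, worst


# Constructed register entry (not JAA data): a third-party manufacturer's
# non-compliance leading to regulatory fines of different sizes and frequencies.
SAMPLE_RISK = [
    Scenario("late filings, small fines", "regulatory_fines", 150_000, 6),
    Scenario("repeated facility violations", "regulatory_fines", 600_000, 4),
    Scenario("major violation, single large fine", "regulatory_fines", 800_000, 1),
]

if __name__ == "__main__":
    rated, worst = assess(SAMPLE_RISK)
    for label, impact, likelihood, score, level in rated:
        print(f"{label:36} impact={impact} likelihood={likelihood} score={score:2} -> {level}")
    print("worst level:", worst)
```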

Bringing Everything Together

At the initial stage with individual participants at a risk identification and assessment workshop, the CRO did not intervene, even though he believed that there was some bias in the opinions being expressed. As the sessions continued, interaction among the different participants resulted in a diminution of the biases. At the conclusion of each workshop, all the risks were prioritized according to group consensus. Communication among the team members and the great facilitation by the CRO helped to reduce the biases. A set of risk criteria[10] was developed (depicted in Exhibits 22.3, 22.4, and 22.5), which was used to guide strategic business decisions with respect to the apparent risks.

A new communication channel was established with the EROC and the risk owners, who met and continue to meet quarterly. This structure helped JAA establish a sound and trusted medium for the exchange of ideas, thus reducing misunderstandings. The meeting agenda usually included ongoing projects, new perceptions of risk, and changes in the context and alignment of the current risk profile with the organization’s risk management policy and the risk attitude. The EROC demonstrated executive management’s commitment to managing risk, and helped to establish a risk consciousness and risk culture within JAA.

The need for an increased awareness of sustainability among stakeholders was one area of concern, and as such it was one of the new projects undertaken by JAA. The company added new policies and a few application projects to increase public awareness. These projects also helped to increase the brand value.

Exhibit 22.3 Consequence Scales for Quantifiable Effect

Objective Type | Metric for Impact or Consequence | Measure | 5—Very High | 4—High | 3—Moderate | 2—Low | 1—Very Low
Financial | Sales growth | Quarterly sales expectations | > +25% or < –25% | > +15% or < –15% | > +10% or < –10% | > +7% or < –7% | > +4% or < –4%
Financial | Brand value | Market price volatility | > +25% or < –25% | > +15% or < –15% | > +10% or < –10% | > +7% or < –7% | > +4% or < –4%
Reputation | Public relations | Media coverage value (+/–) | > $10M, international media coverage | > $7M, national media coverage | > $4M, local media coverage | > $2M, within the sector | > $1M, partial sector
Employee commitment | Key personnel turnover | | 15% | 10% | 5% | 3% | 1.5%
Regulatory | Local licenses | Regulatory fines | > $1M | > $700,000 | > $500,000 | > $300,000 | > $100,000
Legal | Contract liabilities | | > $10M | > $7M | > $4M | > $2M | > $1M
Customers | Quality perception | Customer satisfaction | > 80% | > 60% | > 40% | > 20% | > 5%
Customers | Retail customer growth | New customers and retention | > 15% | > 10% | > 5% | > 3% | > 1.5%
Customers | Retail branches | Branch performance | > +25% or < –25% | > +15% or < –15% | > +10% or < –10% | > +7% or < –7% | > +4% or < –4%
Sustainability (Business) | Business continuity | Disruptions | > 3 days | > 2 days | > 1 day | > half day | > 1 hour
Markets | Order delivery delays | | > 5 days | > 3 days | > 1 day | > half day | > 1 hour
Technology | Project delivery delays | | > 3 months | > 2 months | > 1 month | > 15 days | > 1 week
Safety and Environment | Work safety | Incidents | 1 casualty | > 1 major wound | > 1 minor wound | Minor wound | Local physical damage only

Exhibit 22.4 Consequence Scales for Nonquantifiable Effect

Rating: Massive
  Financial: Available financial resources affected highly so that revisions of business plans needed
  Reputation: Organization assets that represent value to company brand and market credibility severely affected
  Regulatory: Market existence and/or ability to generate business severely affected
  Customer: Performance or quality severely affected
  Sustainability: Business flow severely affected
  Safety: Multiple fatalities or irreversible disability to many individuals
  Environment: Natural resources severely affected

Rating: Major
  Financial: Available financial resources affected remarkably so that revisions of some of the elements of business plans needed
  Reputation: Organization assets that represent value to company brand and market credibility significantly affected
  Regulatory: Market existence and/or ability to generate business significantly affected
  Customer: Performance or quality significantly affected
  Sustainability: Business flow significantly affected
  Safety: Fatality and/or irreversible disability to one or many individuals/persons
  Environment: Natural resources significantly affected

Rating: Moderate
  Financial: Available financial resources affected noticeably so that revisions of a few of the elements of business plans needed
  Reputation: Organization assets that represent value to company brand and/or market credibility noticeably affected
  Regulatory: Market existence and/or ability to generate business noticeably affected
  Customer: Performance or quality noticeably affected
  Sustainability: Business flow noticeably affected
  Safety: Moderate irreversible injury or impairment to one or more persons
  Environment: Natural resources noticeably affected

Rating: Minor
  Financial: Financial resources affected at manageable levels so that changes stay within the budget limit
  Reputation: Limited effect on brand value or market credibility
  Regulatory: Effect stays limited and does not cause long-term business change
  Customer: Effect can be considered manageable with little resources
  Sustainability: Effect stays in expected regions and manageable with current assets
  Safety: Hospitalization required; largely reversible injury to one or more persons
  Environment: Visible local effect

Rating: Insignificant
  Financial: Adjustments can be made with short-term arrangements of funds
  Reputation: Manageable with daily operations
  Regulatory: Manageable with simple adjustments
  Customer: Manageable with local resources
  Sustainability: Manageable with local resources and current assets
  Safety: Reversible injury requiring hospital treatment
  Environment: Can be treated with current assets

Exhibit 22.5a Likelihood/Probability Scales and Risk Levels

Likelihood Probability Possible Example Event

5—Very often More than 10 times or once in 0–5% of the target time period

Contract liabilities are violated 12 times in 3 years

4—Often 5–10 times or once in 5–25% of the target time period

Imitation of JAA products is observed 9 times in 5 years

3—Even 3–5 times or once in 25–50% of the target time period

M&A is observed with outsourced contractors 3 times in 5 years

2—Few 1–3 times or once in 50–75% of the target time period

Dye technology is changed once in 5 years

1—Rare 1–2 times or once in 75–100% of the target time period

Environmental pollution is caused once in 10 years

Exhibit 22.5b Defining Risk Levels

| Risk Level | Quantitative Level | Qualitative Level |
| --- | --- | --- |
| High | More than $10M or >1.5% of the net sales | Frequent occurrence and high or very high impact or above |
| Medium–high | $5–10M or 0.75–1.5% of the net sales | All between high and medium |
| Medium | $1–5M or 0.15–0.75% of the net sales | Few occurrences and low impact |
| Low | Less than $1M or <0.15% of the net sales | All below medium |
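Exhibit 22.5a and Exhibit 22.5b expressed as scoring functions, an added example rather than code from the book or from JAA. The handling of shared band endpoints, the resolution of the "or" between the dollar and percent-of-net-sales tests, and the use of 2013 net sales from Appendix A for the ratio test are assumptions, stated in the module docstring.

```python
"""Likelihood scoring (Exhibit 22.5a) and risk-level classification
(Exhibit 22.5b) as executable rules.  Added example; not JAA's or the
book's own code.

Assumptions the exhibits leave open:
  * Adjacent likelihood bands share an endpoint ("3-5 times", "5-10 times");
    a count on a shared endpoint is scored in the more frequent band.  The
    overlapping "Few" (1-3) and "Rare" (1-2) bands are split so that one
    event is Rare and two events are Few.
  * Exhibit 22.5b joins the dollar test and the percent-of-net-sales test
    with "or"; the combined level is the more severe of the two.
"""

# Ascending severity; LEVELS.index() orders levels for max().
LEVELS = ["Low", "Medium", "Medium-high", "High"]

# 2013 net sales from Appendix A ($779,534 thousand), used for the ratio test.
NET_SALES_2013_USD = 779_534_000


def likelihood_from_count(event_count: int) -> int:
    """Exhibit 22.5a, count column: events observed in the target period."""
    if event_count < 0:
        raise ValueError("event count cannot be negative")
    if event_count > 10:
        return 5      # 5-Very often: more than 10 times
    if event_count >= 5:
        return 4      # 4-Often: 5-10 times
    if event_count >= 3:
        return 3      # 3-Even: 3-5 times
    if event_count == 2:
        return 2      # 2-Few: 1-3 times (see assumption above)
    return 1          # 1-Rare: 1-2 times; zero observations also Rare

def likelihood_from_interval(recurrence_fraction: float) -> int:
    """Exhibit 22.5a, interval column: the event recurs once per this
    fraction of the target period (0.05 means once in 5% of the period)."""
    if not 0 < recurrence_fraction <= 1:
        raise ValueError("recurrence fraction must be in (0, 1]")
    for score, upper in ((5, 0.05), (4, 0.25), (3, 0.50), (2, 0.75)):
        if recurrence_fraction <= upper:
            return score
    return 1          # once in 75-100% of the period

def level_from_amount(impact_usd: float) -> str:
    """Exhibit 22.5b, dollar thresholds."""
    if impact_usd > 10_000_000:
        return "High"          # more than $10M
    if impact_usd >= 5_000_000:
        return "Medium-high"   # $5-10M
    if impact_usd >= 1_000_000:
        return "Medium"        # $1-5M
    return "Low"               # less than $1M

def level_from_ratio(impact_usd: float, net_sales_usd: float) -> str:
    """Exhibit 22.5b, percent-of-net-sales thresholds."""
    pct = 100.0 * impact_usd / net_sales_usd
    if pct > 1.5:
        return "High"
    if pct >= 0.75:
        return "Medium-high"
    if pct >= 0.15:
        return "Medium"
    return "Low"

def risk_level(impact_usd: float,
               net_sales_usd: float = NET_SALES_2013_USD) -> str:
    """Combined quantitative level: the more severe of the two tests."""
    return max(level_from_amount(impact_usd),
               level_from_ratio(impact_usd, net_sales_usd),
               key=LEVELS.index)

def criteria_disagree(impact_usd: float,
                      net_sales_usd: float = NET_SALES_2013_USD) -> bool:
    """True when the dollar and ratio tests land in different bands.  These
    impacts are where the "or" in Exhibit 22.5b needs an explicit rule."""
    return (level_from_amount(impact_usd)
            != level_from_ratio(impact_usd, net_sales_usd))

def ratio_thresholds_in_usd(net_sales_usd: float) -> dict:
    """For each level, the fixed dollar floor next to the dollar value at
    which the percent floor bites for the given net sales.  The two columns
    of Exhibit 22.5b coincide only when net sales are about $667M
    ($10M / 1.5%); at 2013 net sales the ratio floors sit higher."""
    return {
        "High": (10_000_000, 0.015 * net_sales_usd),
        "Medium-high": (5_000_000, 0.0075 * net_sales_usd),
        "Medium": (1_000_000, 0.0015 * net_sales_usd),
    }

if __name__ == "__main__":
    for impact in (900_000, 1_100_000, 9_000_000, 10_500_000):
        print(f"${impact:>12,}: amount={level_from_amount(impact):<11} "
              f"ratio={level_from_ratio(impact, NET_SALES_2013_USD):<11} "
              f"combined={risk_level(impact)} "
              f"{'(disagree)' if criteria_disagree(impact) else ''}")
```

Running the module shows the band between $10M and about $11.7M where the dollar test says High but the ratio test says Medium–high at 2013 net sales.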

These projects later fostered a corporate culture of “learning to give.” The company has also encouraged its employees to get involved in volunteer projects. JAA started to use natural dye colors wherever possible on the fabrics in the manufacturing process, which was greatly welcomed by its customers. Also, the company’s credit rating increased one notch with the last rating revision. This in turn has helped the company access cheaper and longer-term loans.

The communication infrastructure is now robust. The Internet phone network is set up with regional sales functions for easy access to customer needs and resolving issues. Low-cost and high-availability web meetings were enabled with this project. An “I suggest” project, which helps the workforce describe innovative ideas about their jobs, has now been implemented with web-based software. Suggestions are reviewed and evaluated by risk and control owners. Prizes are provided for those whose suggestions are implemented. The project is also helpful to the company’s efforts at enhancing the whistle-blower hotline.

During the risk workshops, it was identified that one of the root causes for a risk at the company was the potential for significant age gaps between the senior management and other personnel. Additionally, during the prior five years, most of the key personnel had left the company. Therefore, the company adopted new human resources performance and competence criteria so that highly qualified personnel could be retained. With these treatments, previously high-level risks and weaknesses have been reduced to low levels and JAA has enabled a forward-looking and proactive management approach to be put in place.


JAA INC.—A CASE STUDY IN CREATING VALUE FROM UNCERTAINTY 443

Moving Forward: Overseeing Strategy and Risks

To ensure that risks were adequately considered during the strategic planning process, JAA nominated its board-level Risk Oversight Committee to also be its Strategy Oversight Committee and named it the Risk and Strategy Committee (RSC). However, to ensure there is day-to-day monitoring of risks and controls and timely implementation of risk treatment plans to achieve strategic goals, JAA established an Executive Risk Oversight Committee (EROC) chaired by the CEO. The board believed this would reflect the corporate commitment of senior management to play an active role in day-to-day decision making and set the tone across the company that risk management is central to corporate culture.

Nonexecutive oversight of strategy and risk is the responsibility of the RSC, which regularly scrutinizes and exercises independent judgment over the most significant risks and effectiveness of the treatment plans and controls across the business. Discussions with the CRO and the heads of other oversight functions are also conducted without executive management being present. The nonexecutive directors (NEDs) are a step removed from the daily operations of the business, enabling them to assess and challenge the risk treatment plans. The complete board of JAA is responsible for overseeing achievement of strategy and the long-term goals of JAA through the risk governance structures it has established and maintained.

Looking to the Future: JAA’s Management of Uncertainty

The successful turnaround in the fortunes of JAA is evidenced by its financial performance (see Appendix A), achieved through meeting its strategic objectives. JAA successfully seized opportunities emanating from the uncertainties impacting those objectives. What follows is a comprehensive discussion of how JAA went about responding to the risks comprising its risk profile. The risk profile of the company appears in Exhibit 22.6a, with a related risk map in Exhibit 22.6b. They clearly indicate how the risks of JAA (both emerging and current) have been changing due to its successful treatment of risks. The unchanged perceptions, or flat trends, exist because the treatment plans are a work in progress. As the treatment results are achieved, relative levels of risk will decrease as the benefits emerge for the objectives. The risks comprising the risk profile of the organization and the risk treatments selected to manage them are discussed next.

Exhibit 22.6a Current Risk Profile

| Risk Source | 2013 Perception | 2014 Forecast | Trend |
| --- | --- | --- | --- |
| EU Anti-Dumping regulation changes | Medium | High | ↑ |
| Outsourcing and supplier contract management: Quality and delivery assurance | Medium | Medium | ↓ |
| Competitors’ marketing strategies | Medium–high | High | ↗ |
| Imports: National FITs for trade discrimination | Medium–high | Medium–high | ↘ |
| Cost variability and management | Medium | Medium | ↙ |
| Local trade laws and regulations | Medium | Medium | ↔ |
| New fabric production and dye technologies | Medium | Medium–high | ↙ |
| Reaching target customers in new locations (countries) | Medium | Medium | ↔ |
| Environmental sensitivity of creditors | Medium | Medium–high | ↗ |
| Imitation of JAA’s products | Medium–high | Medium | ↘ |

Trends: ↑: Impact is increasing, ↗: Both impact and likelihood increasing, ↘: Impact decreasing but likelihood increasing, ↔: Same from the last assessment, ↙: Both likelihood and impact decreasing.

European Union (EU) Anti-Dumping Regulation Changes

Because of the latest data from the World Trade Organization (WTO), JAA noted that there is increased market penetration from Eastern markets into EU markets. Also, complaints from local manufacturers have commenced. The EU Parliament may start to investigate anti-dumping measures against Asian countries in the textile industry, which could very well result in increased tariffs. If this scenario is realized, it will strengthen global presence and help to maintain market leadership, two of the strategic objectives of JAA. It will also have an impact on production costs, satisfying new quotas, and logistics. If the net effect is negative, JAA may need to change its business model, which could create additional hardships for the company. To avoid this situation, the maturity level of markets in the Middle East and South Africa needs to be evaluated for both logistics and production sites as alternatives. This step will help to ensure preservation of competitive advantage and the ability to identify new markets.

Outsourcing and Supplier Contract Management: Quality and Delivery Assurance

The latest trends demonstrate that there will be high volatility caused by mergers and acquisitions among outsourced suppliers. The agreed standards of service-level agreements (SLA) may be degraded, which could cause delivery delays and quality issues because more experienced and certified, but more costly, workers are laid off. This kind of situation may impact JAA’s objective of strengthening its global presence. Therefore, it decided to maintain a database of potential suppliers and set up procedures for sample production lots with them so that it can respond in a timely fashion and shift outsourcing arrangements to limit delays and maintain product quality.

Competitors’ Marketing Strategies

JAA noted that there has been an increase in new entries to the sector with aggressive marketing strategies, which may affect its objective of maintaining market leadership. The quality of its products and customer satisfaction have become increasingly important. To have timely and more comprehensive information, a new customer survey for both current satisfaction and future expectations will be needed among both customers and local retail partners. This will provide JAA with the information and ability to act promptly. If JAA fails to obtain adequate information on competition, then this could result in faulty strategy setting at JAA with severe consequences.


[Figure: Exhibit 22.6b Risk Map. Bubble chart with Likelihood on the horizontal axis (0–5) and Impact on the vertical axis (0–6); bubble positions are not recoverable from the extracted text. Risk sources plotted:]

1-EU Anti-Dumping regulation change
2-Outsourcing and contract management with suppliers: Quality and delivery assurance, strike, child workers
3-Competitors marketing strategies
4-Imports: National FITs for trade discrimination
5-Cost variability and management
6-Local trade laws and regulations
7-New fabric production and dye technologies
8-Reaching the target customers in new locations (countries)
9-Environmental sensitivity of creditors
10-Imitation of JAA products

Exhibit 22.6b Risk Map Likelihood and Impact Matrix: Sizes of the bubbles are proportional to the relative interdependency of risk sources. The bigger the bubble, the greater the effect on other risk sources.

Imports: National Feed-In Tariffs for Trade Discrimination

Market sentiment has become more sensitive. Local producers in the countries in which JAA operates have become increasingly sensitive to price changes. It has been decided to monitor closely the price levels in these countries. Any changes in national feed-in tariffs (FITs) will have an effect in either direction, which will also affect all of JAA’s objectives.

Cost Variability and Management

Because of social movements and environmental issues in some of the countries, the working conditions may be affected severely, which in turn may impact JAA’s sales and production costs as well as business continuity. The risk treatment decided for reaching new markets and contractors will help to decrease the cost volatility in the long run. In the short term, risk acceptance criteria will be reduced and hedging will be required for short positions of the foreign exchange portfolio above the agreed risk criteria. In the long run, the cost parameters will be monitored continuously. According to the monitoring results, moving of production lines to different countries will be reevaluated (see Exhibit 22.7).

Exhibit 22.7 Risk Attitude

All negative risks must reside in a low region, and all positive risks must remain at least at a medium level. Exceptions must be decided according to Executive Risk Oversight Committee (EROC) approval and authorization levels. Specific limits and tolerances are set within the risk criteria to enhance risk management treatments. Each specific attitude is set consistently with the risk scales established as per Exhibit 22.3 or Exhibit 22.4. Exceeding the maximum or falling below the minimum is considered a risk indicator. Hence this must be immediately evaluated by the risk owner.

Human resources personnel turnover rate: Maximum 2 percent of the sector median. Maximum compensation can be two times the minimum compensation at the same level in the responsibility level. If the performance parameters do not match higher compensation, then it must be decided by the Compensation Committee whether or not to continue with this policy.

Business continuity: Maximum allowable total business disruption is three days in severe conditions (i.e., disasters) for operating centers.

Health and safety: Maximum of one occurrence in a three-year period. No employee or nonemployee deaths are acceptable. Maximum is one minor event per year.

Legal: No delays accepted in reporting and replying to official letters. Contract failures must strictly reside at low levels.

Concentration: No one single customer can exceed 5 percent of JAA’s sales.

Customer satisfaction: Maximum yearly returned products 1 percent, and maximum yearly replaced products 1 percent of prior year’s sales.

Market risk: Nonhedged foreign exchange portfolio balance can be a maximum 30 percent of the aggregate total open positions.

Local Trade Laws and Regulations

Compliance with local laws and regulations is one of JAA’s strategic objectives. Therefore, a chief compliance officer position was established to bolster the compliance department and to improve its monitoring and assessment capability.

One of the most important risk sources is the potential U.S. and European Union Free Trade Agreement. It will have a high impact on JAA’s business and result in new opportunities and threats. The non-EU operations may be affected negatively, whereas EU operations will benefit from this agreement. The compliance department will use its contacts and sources to proactively acquire information about the details of the agreement. This will ensure a precise risk assessment as to how these developments may benefit JAA or the threat they may pose for its EU operations.


New Fabric Production and Dye Technologies

JAA has the ability to reduce costs and demonstrate market leadership among competitors through the efficient deployment of technology. It decided to engage in several research projects with universities that have a high reputation in these areas to stay ahead of competitors, as stated in the company’s objectives. Also, this will be done to ensure that disruptive entrants to its market can be dissuaded due to the technological advantages JAA enjoys and the cost other companies would incur to enter and compete in its market.

Reaching Target Customers in New Locations

Being unable to reach target customers in new locations is considered a major risk because it would affect the market share of JAA in the future. Since the treatment of this risk would affect some other consequences that would arise from other risks, it has a special priority because of this dependency. A special markets research team was established to gather detailed information about potential new markets and customers. This team will be responsible for the extraction of information about the cultural and behavioral expectations in the targeted countries.

Environmental Sensitivity of Creditors

There is a high interest from creditors of JAA concerning the environmental effect of production/chemical usage and treatment actions. Even though special agreements exist in the SLAs with our contractors, any failure to comply will severely degrade the credibility and the reputation of the company. Therefore all the outsourcing arrangements allow JAA to receive monitoring reports from the external and internal auditors of its business partners to ensure that governance processes and controls are effective and their operations efficient. They also allow the company to initiate its own assessments if these aforementioned assurances cannot be provided.

Imitation of JAA’s Products

Given the high quality and international acceptance of JAA’s products, it noted that several attempts have been initiated to copy the brand with inferior products. A market research team will also be responsible for detecting such illegal activities and reporting them as necessary, with action to be taken accordingly.

Each risk is reassessed whenever significant new information is collected from any item in the context, as well as on the feedback from the results of treatments. Risk levels are not changed until results from the treatments are validated.


APPENDIX A: JAA INC. FINANCIAL STATEMENTS

JAA Inc. Balance Sheet, Period Ended: December 31, 2013
Consolidated Balance Sheets (amounts and shares in thousands, except per share amounts)

| Years ended December 31 | 2013 | 2012 |
| --- | --- | --- |
| Assets | | |
| Current assets: | | |
| Cash | $28,242 | $12,853 |
| Trade accounts receivable, net of allowances of $2,085 and $2,195 at December 31, 2013 and 2012, respectively | 18,631 | 14,962 |
| Prepaid expenses and other current assets | 11,248 | 7,631 |
| Inventories, net | 153,438 | 164,229 |
| Restricted cash | 1,997 | 733 |
| Income taxes receivable and prepaid income taxes | 149 | 530 |
| Deferred income taxes, net of valuation allowance of $12,760 and $12,003 at December 31, 2012 and 2011, respectively | 317 | 494 |
| Total current assets | 214,022 | 201,432 |
| Property and equipment, net | 89,778 | 87,438 |
| Deferred income taxes, net of valuation allowance of $64,818 and $61,770 at December 31, 2013 and 2012, respectively | 961 | 1,529 |
| Other assets, net | 38,586 | 33,783 |
| Total assets | 343,347 | 324,182 |
| Liabilities and stockholders’ equity | | |
| Current liabilities: | | |
| Revolving credit facilities and current portion of long-term debt | 64,375 | 80,556 |
| Accounts payable | 43,425 | 33,920 |
| Accrued expenses and other current liabilities | 34,181 | 41,516 |
| Income taxes payable | 3,945 | 2,137 |
| Deferred income tax liability, current | 1,594 | 296 |
| Current portion of capital lease obligations | 3,705 | 1,903 |
| Total current liabilities | 151,225 | 160,328 |
| Long-term debt, net of unamortized discount of $27,929 and $20,183 at December 31, 2012 and 2011, respectively | 97,445 | 107,012 |
| Capital lease obligations, net of current portion | 4,371 | 3,844 |
| Deferred tax liability | 583 | 262 |
| Deferred rent, net of current portion | 30,706 | 24,706 |
| Other long-term liabilities | 17,695 | 10,695 |
| Total liabilities | 302,025 | 306,847 |
| Commitments and contingencies | | |
| Stockholders’ equity: | | |
| Preferred stock, $0.0001 par value per share, authorized 1,000 shares; none issued | — | — |
| Common stock, $0.0001 par value per share, authorized 230,000 shares; 110,111 shares issued and 107,181 shares outstanding at December 31, 2013, and 108,870 shares issued and 105,588 shares outstanding at December 31, 2012 | | |
| Additional paid-in capital | 6,786 | 6,786 |
| Accumulated other comprehensive loss | (2,725) | (3,356) |
| Accumulated profit | 39,407 | 16,051 |
| Less: Treasury stock, 304 shares at cost | (2,157) | (2,157) |
| Total stockholders’ equity | 41,322 | 17,335 |
| Total liabilities and stockholders’ equity | 343,347 | 324,182 |

JAA Inc. Income Statement, Period Ended: Dec. 31, 2013
JAA, Inc. and Subsidiaries Consolidated Statements of Operations and Comprehensive Gain (Amounts and shares in thousands, except per share amounts)

| Years ended December 31 | 2013 | 2012 |
| --- | --- | --- |
| Net sales | $779,534 | $694,559 |
| Cost of sales | 384,783 | 359,927 |
| Gross profit | 394,751 | 334,632 |
| Selling expenses | 239,625 | 217,447 |
| General and administrative expenses (including related party charges of $1,090 and $912 for the years ended December 31, 2013 and 2012, respectively) | 120,625 | 97,327 |
| Income (loss) from operations | 34,501 | 19,858 |
| Interest expense | 859 | 1,283 |
| Foreign currency transaction loss (gain) | 775 | (1,235) |
| Other expense (income) | 4,384 | (904) |
| Gain before income taxes | 28,483 | 20,714 |
| Income tax provision | 5,127 | 3,729 |
| Net gain | $23,356 | $16,985 |
| Basic and diluted earnings per share | $0.21 | $0.15 |
| Weighted average basic and diluted shares outstanding | 105,980 | 105,980 |
| Net gain (from above) | $23,356 | $16,985 |
| Other comprehensive (loss) income item: Foreign currency translation, net of tax | 631 | 631 |
| Comprehensive gain | $23,987 | $17,616 |
| Number of common shares issued | 110,111 | 108,870 |


APPENDIX B: RISK MANAGEMENT POLICY

Purpose

Risk management is considered critical to the company and as such it is viewed as a lifetime strategic project for JAA. JAA continuously monitors and reviews its risk management framework in view of the 11 principles of ISO 31000 and puts great effort into achieving outstanding results through the ongoing learning process.

JAA encourages transparent communications and making decisions with the best available information. It also motivates its employees to clearly understand the business and be proactive in detecting opportunities and threats.

All personnel are expected and encouraged to understand this culture and thus be instrumental in being part of JAA’s decision making process. Utilization of uniform terminology is considered a crucial component for building and maintaining the desired culture throughout the company.

This document has been accepted and signed by the board of directors as an indication that there is a common understanding of how the company will manage its risks. The target audience of this policy is the entire organization comprising both the internal and external stakeholders. Each employee is required to understand, manage, monitor, and act according to the policies, principles, and methodology stated in this document. The Risk and Strategy Committee (RSC) approves and oversees the risk management policy and monitors the effect of risk management on the organization. The RSC is assisted by the Executive Risk Oversight Committee (EROC) with the oversight and monitoring of the risks impacting JAA.

Scope

This document supplies overarching principles and a framework for JAA for effective risk management. Each business unit is responsible for taking the necessary actions for treatment within the risk criteria. Each business unit is required to use the policies and the methodology that follow to design its processes and procedures.

Objectives of Risk Management

The only purpose of risk management is to accomplish our business objectives, as that is what we are accountable for to the stakeholders of the company. Each employee has a vested interest in ensuring that this happens to the best of his or her abilities and in a way that is consistent with his or her job description. All risks must be understood, and all key decisions must factor in such understanding before an action is taken. JAA acknowledges that increasing personal capabilities will also increase organization capabilities. Therefore, maximum prudent effort is expected from each employee in the decision making process to prioritize organization resources so that JAA’s objectives are attained at all levels.

Terminology

Risk: Effect of uncertainty on objectives.

Risk criteria: Terms of reference against which the significance of a risk is evaluated.


Risk management: A discipline for managing uncertainty.

Risk monitoring: Continuous checking, supervising, critically observing, or determining the status in order to identify change from the performance level required or expected.

Risk register: A dynamic record that is maintained to monitor and review risks continuously. It is not intended to be used as a static document, and it represents one of the critical outputs of the risk management process.

Risk treatment: Process to modify risk.

Stakeholder: Entity that affects, is affected by, or perceives that it can be affected by a decision of the organization. Each stakeholder’s needs and expectations have to be addressed explicitly in the risk management process. In addition, a robust communication process needs to be established with all stakeholders.

Risk Oversight Principles

The board acknowledges that it will not always be able to manage all of the risks the company faces within the set risk criteria. Consequently, a set of high-level principles that set the overarching boundaries for how the company will manage its risks effectively is in place, so that the strategic objectives can be achieved:

• The board will adopt measures to ensure a low level of volatility in revenues and earnings.

• The board will promote orderly business operations to guard against a loss of confidence in the company by all stakeholders, including shareholders, customers, suppliers, and regulatory agencies.

• The board will adopt measures to minimize regulation-related risks.

• The board will review any changes to the existing risk profile caused by the introduction of any new significant projects.

• The board will monitor business and strategic performance via reporting of key performance indicators. The risk criteria statements will provide a basis for strategic evaluation and assessment of new strategic directions.

A discussion of JAA’s business strategy must include an analysis of the uncertainties impacting objectives of that strategy. This will provide JAA with an opportunity to improve the likelihood of strategic success by thinking about risks proactively.

Roles and Responsibilities

The board of directors (BOD) is accountable to ensure that the organization manages all risks. The BOD fulfills this duty by establishing the RSC, as well as an EROC for the governance process. The BOD evaluates the structure and effectiveness of the RSC and EROC yearly.

The chief risk officer (CRO) is an adviser to all committees. He or she is responsible for facilitating risk workshops and providing support to establish training curricula. He or she collaborates between the risk oversight and other risk management groups.


Risk Management Methodology

JAA uses the ISO 31000 Risk Management Standard and HB 436 to organize its risk management activities. The BOD oversees risk management through its established committees and delegates authority to management where needed. This mandate and commitment function is executed by the EROC. Risk policies adopted for the organization must be consistent with the ISO 31000 principles.

In the objective setting process, as part of business strategy, there must be an alignment with SMART criteria (i.e., specific, measurable, attainable, relevant, and timely). All company personnel need to understand the company’s internal and external context. Risk assessment consists of event identification, risk analysis, and risk evaluation.

Scenario analysis and strengths, weaknesses, opportunities, and threats (SWOT) analysis are conducted to identify, analyze, and evaluate the risks. Surveys are conducted monthly to detect any changes in perception. Risk sources stated in the context are always included in threat and benefit analyses. Risk workshops are facilitated by the risk management department to identify, analyze, and evaluate JAA’s risks.

All identified major risks are reported to the EROC, which in turn is responsible for the implementation and monitoring of risk treatment plans. Treatment plans include measurement and monitoring activities together with performance and success criteria. All risks are subjected to three different scenarios for what-if analysis. Each scenario set is divided into four categories as worst case, current conditions, best case, and most expected case, and is analyzed accordingly. The RSC oversees execution of the risk treatment plans.

Monitor and Review: At each fiscal year-end, monthly impacts of consequences are statistically combined and mapped to risk levels in the risk criteria to verify whether the previous predictions occurred. If there are any identified gaps and/or significant errors, the root cause of these gaps needs to be identified and results communicated to stakeholders to ensure that these can be included in the next assessment.

General Risk Management Policies

General risk management policies apply to the entire company. Policies provide high-level guidelines for managing risks within JAA. Commitment to comply with the general policies is a company-wide requirement. The following are key risk policies:

• Corporate ethics policy. Corporate ethics rules are monitored and maintained by the Audit Committee. Ethics are included in each training seminar and such seminars need to be taken periodically.

• Customer satisfaction and retention policy. Internal and external customer expectations are periodically monitored and communicated in a timely fashion to ensure that service levels are achieved for operational objectives.

• Ownership policy. No information, data, process, report, or asset can exist without having an owner attached to it. Change of ownership can be initiated only upon approval of a designated internal stakeholder. Ownership is assigned according to priority criteria of “most used by,” “first created by,” and “most impacted by.”

• Training policy. Each item in this policy statement must be included in the company’s training program. Corporate culture can be established and maintained only by providing timely and sufficient training to each employee. No employee can be assigned responsibilities without adequate measurement of his or her competencies.

• Information systems policy. Objectives at all levels (strategic, tactical, and operational) should be mapped down to the infrastructure level (see Exhibit 22.2). Context definition should be monitored and reviewed at least yearly and whenever a major event occurs. All risk owners must be cognizant of their dependency on other areas of the business. Integrity, consistency, and accessibility objectives are set by business lines, and information technology (IT) hardware and software architectures are designed to ensure the achievement of such objectives.

• Access rights policy. Access rights should be provided according to each employee’s responsibility level. Access rights should not be changed without approval of a senior manager. All access rights need to be consistent with the authorization levels in Exhibit 22.8. No conflict of interest and segregation of duties issues are permitted to exist.

• Human resources policy. Background screening and training are required for all employees. Compensation is evaluated and performance is monitored by the Compensation Committee. Compensation must be proportional to responsibilities and should not motivate unnecessary and inconsistent risk taking as compared with JAA’s risk criteria. In particular, performance measures will include and reflect a fair amount of collaborative and teamwork performance as well as individual performance to prevent destructive competition. Any contrary action will be considered a failure to comply with the corporate policies and will be treated according to company laws and regulations.

• Outsourcing and contract management policy. Outsourcing is used whenever it is beneficial for the organization to do so. A comprehensive risk assessment must be conducted and results must be communicated among internal stakeholders before establishing any outsourcing engagement. Service-level agreements (SLAs) are determined according to business needs and set within the tolerance levels of the objectives. Monitoring of SLAs is the responsibility of the owner of the business line signing the contract. Dependency on a single outsource agreement must be avoided by establishing alternate sources.

• Business continuity policy. Impact analysis is conducted yearly to assess the impact level of disruption to all business units. Service-level agreements are based on this impact analysis and must be signed by all parties. IT departments use this impact analysis to determine parameters for service levels. Each employee must have a designated backup coordinator.

• Conflict of interest policy. Conflicts of interest must be avoided. Special emphasis needs to be given to those areas sensitive to public perceptions. Corporate ethics is included in each training curriculum to establish enhanced awareness at JAA.


Exhibit 22.8 Authorization Levels for Risk Acceptance or Retaining of Risk

All management level personnel are to be assigned an authorization level by the board of directors (BOD). Purchases and borrowings must be performed in accordance with the levels of authority.

Risk attitudes are defined with risk criteria, and different risk attitudes may be assigned to specific risks in specific circumstances. Risk criteria are established by the RSC to evaluate the significance of risks and to distinguish the possible risk levels. For qualitative risk types, high-level risks can be accepted and retained only by the BOD; medium-level risks can be accepted and retained by the RSC; low-level risks can be accepted and retained by the EROC. The business lines are responsible for the implementation of the treatment of risks to align with risk criteria for the risks they own and need to manage.

For quantifiable risks, the following authorization levels are/should be applied:

Level A: Signature authority up to $10 million; $10 million to $50 million needs a second signature, and any level above this must be signed by the board of directors as well.
Level B: $1 million to $10 million
Level C: $500,000 to $1 million
Level D: Up to $500,000
Level E: No spending authorization

The BOD has a Level A authority, C-level executives have Level B authority, department heads have Level C authority, line managers have Level D authority, and all other personnel have Level E authority.

• Segregation of duties policy. Critical processes as defined by business lines are subject to design criteria of the “four eyes principle.”11 The initiator of any process should not have the capability to terminate it, and a second person should review and approve it.

• Internal communications policy. The company should establish specific communication channels. Stakeholders must be informed prior to any major changes being made. Communication response times should be created and compliance levels should be measured to ensure quality.

• Public relations and external communications policy. Corporate brand and reputation are our most critical assets. Therefore, maximum effort should exist to protect and increase their value. External communications must be carried out by trained and authorized personnel. All media and external relations need to be monitored by the public relations department. Any communications outside the company must be properly authorized.

• Patents, trademarks, and copyrights policy. Any type of innovation that would have an effect on corporate objectives is strongly encouraged and rewarded proportionally to its contribution to effectiveness or efficiency throughout the organization. Patent rights belong to JAA. Appropriate permission and rights can be granted with the approval of JAA.

• Sustainability and environmental protection policy. Maximum effort must be provided to preserving the environment and the resources in each project to enable achievement of business objectives. Carbon emissions must be reduced as a priority throughout the business. Green sources of energy must be utilized if available. Energy backups must contain solar cells in production locations where at least moderate seismic rates are recorded.

• Insurance policy. Insurance needs are decided upon after evaluating the current risk profile. Market research must be conducted annually to identify the best total value, which is not necessarily the lowest rate.

• Market risk policy. Fluctuations in market prices and exchange rates affect the valuation and cost of JAA’s products. Therefore, JAA’s ability to compete in the marketplace may change accordingly. Close monitoring of costs is required throughout the entire business. Exchange rate risks above the limit of accepted amounts in export contracts must be hedged by futures contracts to ensure cost/profit stability. Market risk attitude was provided in Exhibit 22.7. Also, key risk indicators must be accepted and reviewed periodically for effectiveness. Liquidity risks need to be managed by the financial control and accounting departments. Liquidity figures are updated monthly and projected for the fiscal year. This document is reviewed yearly and updated as necessary by the EROC. The Internal Audit department is responsible for assessing the adequacy and alignment with this policy document of the applications and procedures throughout the organization.
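The authorization levels in Exhibit 22.8 and the segregation of duties policy above together describe a control that can be enforced mechanically rather than by custom: a spending request must carry enough signing authority for its amount, and the person who starts a process may never be the one who approves it. The Python below is an added illustration of such a check; it is not part of the case or of JAA’s own procedures. The role labels, the Request structure, the reading of “second signature” as two distinct Level A signatories, and the board resolution flag used to record “signed by the board” for amounts above $50 million are assumptions made for the example.

```python
"""Spending-approval check modelled on the JAA case's authorization levels
(Exhibit 22.8) and segregation of duties policy (the "four eyes principle").
Added illustration, not the case's own procedure: role names, the Request
structure and the treatment of the $10M-$50M band are assumptions."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Authorization levels from Exhibit 22.8, least to most authority."""
    E = 0  # no spending authorization
    D = 1  # up to $500,000
    C = 2  # up to $1 million
    B = 3  # up to $10 million
    A = 4  # up to $10 million alone; larger amounts need extra signatures


# Largest amount (USD) a single signature at each level may authorize alone.
SINGLE_SIGNATURE_LIMIT = {
    Level.E: 0,
    Level.D: 500_000,
    Level.C: 1_000_000,
    Level.B: 10_000_000,
    Level.A: 10_000_000,
}
# Above $10M a second Level A signature is required (assumption: both signers
# hold Level A); above $50M the board must sign as well, modelled here as a
# board resolution flag on the request.
SECOND_SIGNATURE_LIMIT = 50_000_000

# Role-to-level assignment stated in the case; the role labels are constructed.
ROLE_LEVEL = {
    "board": Level.A,
    "c-level": Level.B,
    "department-head": Level.C,
    "line-manager": Level.D,
    "staff": Level.E,
}


@dataclass(frozen=True)
class Person:
    name: str
    role: str

    @property
    def level(self) -> Level:
        # An unknown role gets no authority: the check fails closed.
        return ROLE_LEVEL.get(self.role, Level.E)


@dataclass
class Request:
    amount: int                     # USD
    initiator: Person               # the person who started the process
    approvers: tuple = ()           # signatories, in signing order
    board_resolution: bool = False  # assumed record of "signed by the board"


def check_request(req: Request) -> list:
    """Return the policy violations found; an empty list means the request may proceed."""
    problems = []
    names = [p.name for p in req.approvers]

    # Four eyes: the initiator never terminates their own process, and every
    # signature must come from a different person.
    if req.initiator.name in names:
        problems.append("initiator cannot approve own request")
    if len(set(names)) != len(names):
        problems.append("duplicate approver")
    if not req.approvers:
        problems.append("a second person must review and approve")
        return problems

    if req.amount <= SINGLE_SIGNATURE_LIMIT[Level.A]:
        # Single-signature range: some approver must hold enough authority.
        if not any(req.amount <= SINGLE_SIGNATURE_LIMIT[p.level] for p in req.approvers):
            problems.append("no approver holds sufficient authorization level")
    else:
        level_a = {p.name for p in req.approvers if p.level == Level.A}
        if len(level_a) < 2:
            problems.append("amounts above $10M need two Level A signatures")
        if req.amount > SECOND_SIGNATURE_LIMIT and not req.board_resolution:
            problems.append("amounts above $50M must also be signed by the board")
    return problems


if __name__ == "__main__":
    # Constructed sample: a line manager raises a purchase; a department head signs it.
    alice = Person("alice", "line-manager")
    bob = Person("bob", "department-head")
    print(check_request(Request(300_000, alice, (bob,))))       # no violations
    print(check_request(Request(300_000, bob, (bob,))))         # self-approval
    print(check_request(Request(5_000_000, alice, (bob,))))     # Level C capped at $1M
```

Two design points carry over to any real implementation of such a policy: an unrecognized role maps to Level E so a data error cannot grant authority, and the check reports every violation it finds rather than stopping at the first, which makes the audit trail useful when a request is rejected.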

PART A – QUESTIONS

1. How high do you assess the knowledge level of the business strategy throughout the company by the average employee? Is it your assessment that there is a robust understanding of JAA’s business strategy? Support your position with examples.

2. As you are aware, effective implementation of ISO 31000 involves effective design and implementation of a risk management framework and effective implementation of the risk management processes. This will be verified by incorporation of 11 key principles. Find an example in the case for each of the 11 principles in action.

3. Why is it important that the company be able to identify JAA’s major stakeholders? How should a company identify its stakeholders? What is meant by the concept that stakeholders select the company instead of the company selects the stakeholders?

4. What characteristics do you see in the board of directors that lend themselves to a strong tone at the top and a culture that fully embraces risk management?

5. If you compare the internal audit department at JAA to several that you know of currently in the marketplace, what are some of the major differences that you see at JAA that obviously have contributed to superior performance? What is unique and refreshing about the approach to the external audit as compared to what you have seen in industry?

6. What is your opinion of the risk (event) identification techniques in place at JAA? How do you think that the company evolved to using such techniques?

7. What is the linkage at JAA between the strategic objectives, context, stakeholders, and risk criteria? Support your comments with specific examples of the link in these four areas.


8. Why is it important that risk criteria be created as per JAA? Do you think it is possible for any reasonable risk treatment plan to be in place without creation of such criteria?

9. Review the risk management policy in Appendix B and describe the kinds of things that constitute a best-in-class policy.

10. What other types of general or specific policies can you describe to manage risks?

11. Why is it that “tone at the top” and a strong risk culture are critical components for a company’s success, such as what you see at JAA?

PART B – QUESTIONS

1. If the internal audit department did not report directly to the Audit Committee, but to the CFO, what kind of issues would this raise in your mind? Is this something that you would support? Can you cite specific examples?

2. Is it important that internal audit annually reviews the company’s risk management function? What advice would you provide to a head of internal audit that was not performing such a review? Have you seen any examples where internal audit has conducted such reviews and if not, why do you think this to be the case?

3. In many companies, it is typical for internal audit to itself perform a risk assessment which it will use for audit planning and execution purposes. Do you have any thoughts on what you see as the pitfalls in this? What is the ideal situation in a company?

4. Is it appropriate that internal audit provides an opinion on the integrity of work performed by the external auditors, as in the JAA case, and what do you see as pitfalls where internal audit does not do this? Should internal audit be asked to opine on the performance by the external auditors, when in fact not too long ago external auditors were the ones providing an opinion on internal audit performance?

5. What specific characteristics differentiate this external audit function from those you have seen over the past several years? How do you envision external audit fitting into JAA’s overall risk management system?

6. If JAA was not using ISO 31000 and HB 436, but instead was using the COSO ERM framework and as well the new COSO internal controls framework, what challenges do you think the company would face in trying to roll out a credible program? Do you think they could be as successful? Support your opinion.

7. Would you consider using alternative internal control frameworks and if so, which ones?

8. Suppose the board decided that they did not need to monitor the risks at all and that this could be delegated down to the CEO. What problems do you see occurring in future?

9. Evaluate the different risk identification and analysis methods being used by JAA, and compare to other methods you are aware of that are not being used. Support your opinion on this subject matter.

10. Suppose that JAA did not have a formal system of risk management using ISO 31000. Do you think it is possible that they could still be doing an excellent job at managing their business risks? Please support your opinion in this regard.

11. How would the board measure the success of their risk management?

12. How would the Compensation Committee use risk management in their reward and compensation process of the company?

NOTES

1. ISO 31000:2009, “Risk Management—Principles and Guidelines,” was issued by the International Organization for Standardization (ISO) and provides principles, framework, and a process for managing risk. It can be used by any organization regardless of its size, activity, or sector. Using ISO 31000 can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment.

2. HB 436. SA/SNZ HB 436:2013, “Risk Management Guidelines: Companion to AS/NZS ISO 31000:2009.”

3. The Institute of Directors in Southern Africa (IoDSA) formally introduced the King Code of Governance Principles and the King Report on Governance (King III) in September 2009. Like its 56 commonwealth peers, King III has been written in accordance with the “comply or explain” principle based approach of governance, but specifically the “apply or explain” regime. This regime is unique in the Netherlands and now in South Africa. While this approach remains a hotly debated issue globally, the King III Committee continues to believe it should be a nonlegislative code on principles and practices.

4. In 1995, the Criteria of Control Board of the Canadian Institute of Chartered Accountants (CICA) had written this guidance for people who are responsible for or concerned about control in organizations. Conceptually, it was considered a leader in thinking about control but was later abandoned by the CICA and ultimately overtaken in popularity by COSO’s Internal Control Framework.

5. The UK Corporate Governance Code (formerly the Combined Code) sets out standards of good practice in relation to board leadership and effectiveness, remuneration, accountability, and relations with shareholders. The latest edition was issued in September 2012.

6. In November 2013, the Financial Reporting Council issued its Risk Management, Internal Control and the Going Concern Basis of Accounting Consultation on Draft Guidance to the directors of companies applying the UK Corporate Governance Code, and associated changes to the code.

7. “Risk Management Guidelines: Companion to AS/NZS 4360:2004.” The Risk Management Guidelines companion to the AS/NZS ISO 31000:2009 handbook provides guidance for establishing and implementing effective risk management processes in any organization.

8. See note 1.

9. The use of bow tie analysis is described in ISO 31010 “Risk Management—Risk Assessment Techniques.”

10. See ISO 31000:2009 section 5.3.5 for additional detail on risk criteria.

11. The “four eyes principle” refers to having two people view each transaction so that one checks on the other.

REFERENCES

AS/NZS 4360:2004, “Risk Management.”
Canadian Standards Association. 1997. Q850-97 “Risk Management: Guideline for Decision-Makers.”
COSO Internal Control Framework. 1992/1994. “Committee of Sponsoring Organizations of the Treadway Commission.”
COSO Internal Control Framework. 2013. “Committee of Sponsoring Organizations of the Treadway Commission.”
Financial Reporting Council. “Consultation Draft on Risk Management, Internal Control and the Going Concern Basis of Accounting.”
Fraser, John, and Betty J. Simkins, eds. 2010. Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives. Hoboken, NJ: John Wiley & Sons.
HB 436:2004, “Implementation Guidelines to AS/NZS 4360:2004.”
HB 436:2013, “Implementation Guidelines to ISO 31000 Risk Management.”
ISO 31000:2009, “Risk Management Framework.”
ISO 31010:2009, “Risk Management—Risk Assessment Techniques.”
ISO Guide 73:2009.
“King III Report on Corporate Governance.” 2009.
Purdy, Grant. 2011. “Risk Appetite: Is Using This Concept Worth the Risk?” Broadleaf Capital International, Risk Post, NZ Society for Risk Management, September.

ABOUT THE CONTRIBUTORS

Julian du Plessis has more than eight years’ financial sector experience. He is the Head of Internal Audit at AVBOB Mutual Assurance Society, a long-term insurer in the life and savings business. He joined AVBOB during 2011 as its Governance Officer. He previously worked at FirstRand Bank, one of the largest banking institutions in South Africa, as a senior risk manager starting out in the Group ERM department focusing on strategic risk management. Julian is a South African chartered accountant, and completed his professional training at PricewaterhouseCoopers. Julian has an MPhil (business management) master’s degree obtained from the University of Johannesburg (2011), a B Compt Honors accounting degree from the University of South Africa (2000), and a B Admin (international politics) degree majoring in economics and political science from the University of Pretoria (1994).

Arnold Schanfield is a Principal with Schanfield Risk Management Advisors LLC. He is an internal audit and risk professional with diversified industry expertise, including consumer products, higher education, life sciences, manufacturing, not for profit, retail, and trading companies. He specializes in risk management implementations and has leveraged his prior experiences in internal audit, public accounting, and governance to the risk management discipline. Arnold holds an undergraduate degree (BSC) from Loyola College in Montreal and a graduate degree in public accountancy from McGill University in Montreal. In addition, he holds certifications of certified public accountant and certified internal auditor in the United States as well as a Chartered Accountant from Canada. Arnold has a passion for the risk management discipline and has used his experiences to develop seminar and training material that has been delivered to numerous companies. In addition, he comments and speaks frequently on risk management–related matters.

Alpaslan Menevse is currently the Risk Officer at Sekerbank T.A.S., which has in excess of 310 branches in Turkey. He has 28 years of experience in information systems, both as an academic and as a practitioner. In the early years of his career, he joined work groups as a team member of Business Process Management (BPM) in the manufacturing industry. During his academic career, as a computer and aeronautics engineer he was involved in several Information and Communication Technology (ICT) projects and completed his master’s thesis in EUCLID RTP 11.3 artificial intelligence project of F-16 fighter jet simulator development, where he modeled pilot behaviors of risk assessments in BVR (beyond visual range) flight. He also led different sizes of local area network (LAN) and wide area network (WAN) projects during 1995–2004, specializing in business continuity and disaster recovery management.


He is a silver member of Information Systems Audit and Control Association (ISACA) and holds Certified Information Systems Auditor (CISA) and Certified in Risk and Information Systems Control (CRISC) certificates where he was one of the members of the review work group of the CRISC 2011 manual, which is the first book published in this area. He joined Sekerbank as the Internal IS Auditor and started working with AS/NZS 4360 in 2007. He is responsible for implementing ISO 31000 throughout the organization. He has a special interest in human behaviors and the human side of change management. Additionally, he is a member of the ISO 31000 TC 262 Technical Committee, United Nations Economic Commission for Europe (UNECE) - Risk Management Group (GRM) and also the chairman of the Turkish Standards Institute TS ISO 31000 MTC 132 Risk Management National Mirror Technical Committee.

Note: Authors of this case study manage the group on LinkedIn titled “Risk Management: Creating Value From Uncertainty.” Any questions or comments can be forwarded either personally or as a discussion topic.

Website: http://lnkd.in/djN94XJ.


CHAPTER 23

Control Complacency
Rogue Trading at Société Générale

STEVE LINDO
Principal, SRL Advisory Services

This case study is divided into two parts. Part One seeks to bring alive the circumstances leading up to the June 2010 public trial involving Société Générale, the French banking group, and Jérôme Kerviel, the equities trader whose positions caused Société Générale to lose €4.9 billion (U.S.$7.2 billion) in January 2008. Part One concludes with an exercise in which the reader is asked to form his or her own opinion on who was to blame for the losses, based on the information contained in Part One. Part Two reveals the actual outcome of the trial and offers additional study materials for the reader. A Classroom Guide, available separately to instructors wishing to facilitate interactive discussion of the case study in a classroom setting, identifies key risk management lessons from the case study and provides a session plan.

PART ONE: KERVIEL’S TRIAL—A MEDIA CIRCUS

On Tuesday, June 8, 2010, the criminal trial of 33-year-old Jérôme Kerviel began in Paris’s Palais de Justice. The charges against him were forgery, abuse of trust, and illegal use of computers, brought by the Paris public prosecutor. Since the date he was charged, January 28, 2008, Kerviel had been free on bail and preparing his defense.

Despite the long time lapse between the January 2008 events that had caused Société Générale’s losses and the commencement of the trial, media attention was at a fever pitch because of Kerviel’s claims that he was a scapegoat for high-risk trading practices that were condoned by Société Générale when they were profitable. Kerviel released an autobiographical book presenting his version of the events shortly before the trial.

Société Générale, on the other hand, maintained from its earliest public communications the posture that Kerviel was a rogue trader who single-handedly developed methods to conduct unauthorized trading without being detected and used them to take massive trading positions that ultimately backfired when markets turned against him. Société Générale also sought to mitigate the damage to its reputation, due to the apparent facility with which Kerviel conducted his unauthorized trading, by publishing in May 2008, a detailed examination of the operational and managerial circumstances that had allowed Kerviel’s unauthorized trading to occur and the remedial actions it was taking to prevent recurrence. Société Générale stated from the outset its intention to hold the individuals accountable whom it considered responsible for the unauthorized trading, and took the first step by filing a civil lawsuit against Kerviel on January 24, 2008.

Exhibit 23.1 Sample of News Headlines at the Time of Kerviel’s Trial

Headline | Source and Date
Rogue Trader Says Ex-Bosses Encouraged Him | Reuters (June 8, 2010)
French Trader Stays Silent as Trials Begin amid Media Scrum | The Guardian (June 8, 2010)
$62 Billion of Suspect Trades Exposed Lack of Oversight | CBC (June 8, 2010)
Kerviel Gets Day in Court, SocGen Too | Wall Street Journal (June 7, 2010)
Kerviel’s Trial—The World of Finance Takes a Hard Look at Itself (translation) | L’Express (June 25, 2010)
Rogue Trader Denounces “Banking Orgy” in Book | Agence France Presse (May 4, 2010)

By June 2010, global financial markets were slowly recovering from the 2008 crisis, but memories of Société Générale’s trading losses remained especially vivid because, at the time of their announcement in January 2008, the incident seemed to confirm investors’ worst fears that banks in general were taking massive amounts of risk far beyond their traditional lines of business. Exhibit 23.1 shows selected news headlines published at the time of Kerviel’s trial, which illustrate this loss of public confidence in banks’ risk management discipline.

Société Générale—The Rise of Trading

In the years 1999 through 2006, Société Générale’s net income increased 164 percent, from €2 billion annually to €5.2 billion. Though its retail and investment management businesses both prospered during this period, the main driver of Société Générale’s higher profitability was its Corporate and Investment Banking (CIB) division, whose net income increased 230 percent, from €708 million annually to €2.3 billion. Within the CIB, the largest contributors to this profit growth were fixed income, foreign exchange (FX), equities, and commodities trading, which together accounted for 77 percent of CIB’s net business revenues in 2006.

These results followed a strategic shift in business focus engineered by Daniel Bouton, who was appointed Société Générale’s CEO in 1993 and became chairman and CEO in 1999. Bouton was not himself a trader or an investment banker, but a product of the French financial establishment. His early career was spent in government service with the French Finance Ministry. Like most leading public officials and executives of French financial institutions, he was a graduate of the École Nationale d’Administration, France’s elite college of public administration.

Among France’s top banks, Société Générale was not alone in pursuing growth in the early 2000s through expansion of its trading and capital markets business. Its larger rival, BNP Paribas, adopted the same strategy, as did major banks in other


countries such as the United Kingdom, Germany, Switzerland, and the United States. For many of these banks, this strategy backfired when their fixed income desks became deeply involved in structuring, selling, and trading credit derivatives and debt securities backed by U.S. residential mortgages, and consequently were unable to avoid massive write-downs and funding crises when global credit markets seized up in the second half of 2008. Though Société Générale suffered some losses from its fixed income activities, the flaws in its expansion into trading truly came to light in the rogue equities trading incident that is the subject of this case study.

From Business to Retail to Investment Banking, from Private to Public to State Ownership

Société Générale was founded as a private bank by a group of industrialists in 1864, with the intention of providing finance for industry and commerce. Its early years were marked by a modest expansion of commercial lending activity and banking locations, but little interest in deposit taking or retail banking services. However, it demonstrated resilience in adverse times, such as France’s economic slump in the 1880s. The turn of the century marked the beginning of several new directions, as Société Générale opened up its capital, actively sought to capture deposits, and launched itself into retail lending. It also established its international presence, principally in London and New York. After the upheavals of World War I, Société Générale rapidly expanded its domestic branch network, domestic lending, and deposit taking, as well as its shareholder base, surpassing Crédit Lyonnais in the mid-1920s to become France’s leading bank.

The next phase in Société Générale’s development was dictated by external events as France passed through the 1930s economic downturn, World War II, and the postwar rebuilding effort. In 1945, France’s three largest commercial banks were nationalized, putting Société Générale into state ownership for the next 42 years. While economic policy prerogatives constrained the bank’s domestic activities during the recovery years, the postwar revival of international trade presented new opportunities for overseas expansion. The next 30 years were transformative for the banking industry in general and for Société Générale in particular. ATMs and credit cards reinvented the economics of retail banking, and the breakdown of the Chinese wall between investment and commercial banking opened up securities underwriting and trading business to commercial banks. Société Générale successfully took advantage of these changes and, in 1987, became the first of France’s nationalized banks to be reprivatized.

During the 1990s, the bank’s primary strategy was to expand its share of the domestic banking market, which was undergoing a phase of consolidation. In 1997, it met with initial success by acquiring Credit du Nord, but in 1999 suffered a big disappointment when its friendly merger with Banque Paribas was snatched away by a hostile bid from Banque Nationale de Paris (BNP). As a consequence, Société Générale refocused its growth strategy in the 2000s on three pillars: international retail banking, investment management, and capital markets. The first pillar led to a string of retail banking acquisitions in former Soviet Union countries and Africa. The second pillar resulted in the establishment of a global platform of investor services, including fund management, mutual funds, and securities processing.


The third pillar was entrusted to its newly formed Corporate and Investment Banking (CIB) division, intended to achieve prominence in the markets for debt and equity securities and derivatives.

CIB Gets a Boost from Trading Talent

In 1997, Société Générale’s CIB contributed just €151 million to the group’s net income of €933 million, barely 16 percent. Then, in 1998 the CIB recorded a loss of €67 million as global markets suffered from the liquidity and volatility backlash from Russia’s debt default and the collapse of Long Term Capital Management (LTCM). In 1999, shortly after Daniel Bouton was elected chairman of Société Générale in addition to his role as CEO, the CIB received a boost from the promotion of Jean-Pierre Mustier from head of international equity options trading to head of fixed income, FX, commodities, and derivatives. Over the previous 10 years since joining Société Générale, Mustier, aged 38, had gained high internal recognition for building a profitable equity derivatives trading business. CIB’s earnings over the next four years proved Mustier’s mettle. In 1999, CIB’s net income jumped to €708 million, 35 percent of Société Générale’s worldwide net income, and over the next three years CIB accounted for 36 percent of Société Générale’s €6.2 billion cumulative net income, amounting to €2.3 billion. Mustier’s contribution to this impressive performance earned him promotion to the position of CIB’s global head and membership in Société Générale’s Executive Committee.

Now all under Mustier’s leadership, Société Générale’s CIB began to deliver ever-higher profits. In 2003, its net income rose to €1.1 billion, which was 46 percent of the group total, followed by €1.4 billion in 2004, €1.8 billion in 2005, and €2.3 billion in 2006. Consistent with Mustier’s demonstrated abilities, CIB derived a higher proportion of its revenues from trading than previously. In 2000, trading had accounted for 23 percent of CIB revenues. During the next six years, the percentage averaged 30 percent. This performance was made possible by a rapid expansion in the number of traders CIB deployed and the markets in which they were active. However, as the investigation into Kerviel’s unauthorized trading later revealed, this growth in activity was not accompanied by a corresponding reinforcement of CIB’s infrastructure and controls.

Société Générale Group Snapshot, December 2006

As 2006 turned into 2007, Société Générale’s business performance appeared to be riding the crest of a wave. Compared to 2005, net income for 2006 increased 18.6 percent to €5.2 billion, net banking income increased faster than operating expenses (16 percent versus 12 percent), and all business units delivered higher returns. In 2006, Société Générale raised €2.4 billion of new capital, and Standard & Poor’s and Fitch raised their long-term debt ratings from AA– to AA. Over the preceding seven years, the number of Société Générale’s retail customers had increased 2.4 times, the assets under management by its wealth management business had increased 2.8 times, and the number of Société Générale employees had increased 1.9 times worldwide. As of December 31, 2006, Société Générale’s


Exhibit 23.2 Highlights of Société Générale’s 2006 Performance (figure: the slide “Strong long-term development at the Group” from Société Générale’s full-year and fourth quarter 2006 results presentation of 14/02/2007; only the slide’s text survives extraction, the change-since-end-1999 multipliers and percentages cannot be matched to their items)

Retail Banking and Financial Services: 22.5 million individual clients; 10.5 million individual customers in France; 12.0 million individual customers outside France**
Global Investment Management and Services: AuM EUR 422bn (+ EUR 110bn* + EUR 61bn*); assets under custody EUR 2,262bn
Corporate and Investment Banking: No. 3 bank in the euro zone in terms of NBI, EUR 7.0bn in 2006; one of the most profitable platforms, ROE in excess of 30% for 4 years in a row
Group: around 120,000 staff** in 77 countries, 51% outside mainland France; around 15,000 staff recruited in 2006, incl. 5,350 in France

* GIMS’ AuM do not include EUR 110bn of assets held by customers of the French Networks (investable assets exceeding EUR 150,000) or EUR 61bn of assets managed by Lyxor AM, whose results are consolidated in the Equity & Advisory business line (EUR 61bn). ** Excluding Rosbank (Russia). Source: Société Générale.

total group assets amounted to €869 billion, its risk-weighted assets amounted to €285 billion, and its shareholders’ equity amounted to €22.3 billion. Selected 2006 group performance highlights published in Société Générale’s annual shareholder filing are shown in Exhibit 23.2.

Measured by 2006 net investment banking income, Société Générale’s CIB ranked #3 in the Euro-zone. Compared to 2005, its net income increased by 27 percent to €2.3 billion, bolstered by trading revenue that increased 37.5 percent and worldwide front office head count, which increased by 490 (+11 percent). The CIB reported that its fixed income desk had been ranked #2 in corporate eurobond issuance and its equity derivatives business named global equity derivatives house of the year by the International Financing Review. Forecasting continued capital markets growth for 2007–2010, the CIB’s leadership saw no subprime mortgage clouds on the horizon, while its 2006 provisions for credit and trading losses declined from their 2005 level. Selected 2006 CIB performance highlights published in Société Générale’s annual shareholder filing are shown in Exhibit 23.3.

For a more complete picture of Société Générale’s financial profile, see its 2006 and 2007 income statements and balance sheets, presented later in this chapter.


Exhibit 23.3 Highlights of CIB’s 2006 Performance (figure: the slide “Corporate and Investment Banking” from Société Générale’s full-year and fourth quarter 2006 results presentation of 14/02/2007; the results table is reproduced only as far as its figures survive extraction, in EUR m)

Net banking income: FY 05 5,697; FY 06 6,998; change 06/05 +22.8% (+25.5%*)
o.w. Equity & Advisory: FY 05 2,554; FY 06 3,349; change 06/05 +31.1% (+37.8%*)
o.w. Corp. Banking & Fixed Income: FY 05 3,143; FY 06 3,649; change 06/05 +16.1% (+16.3%*)
Operating expenses: FY 05 (3,320); FY 06 (3,890); change 06/05 +17.2% (+21.1%*)
Gross operating income: FY 05 2,377; FY 06 3,108; change 06/05 +30.8% (+31.2%*)
Net allocation to provisions: FY 05 145; FY 06 93; change 06/05 –35.9% (–35.4%*)
Operating income: FY 05 2,522; FY 06 3,201; change 06/05 +26.9% (+27.4%*)
ROE (after tax): FY 05 44.4%; FY 06 47.6%
C/I ratio: FY 05 58.3%; FY 06 55.6%

Full year 2006: ROE after tax in excess of 30% for 15th quarter in a row: 46.2%; GOI +31.2%* vs. 2005 with a record Q1 06.
Fourth quarter 2006: NBI +26.8%* vs. Q4 05; operating expenses +21.7%* vs. Q4 05; very low C/I ratio: 55.1% (vs. 57.6% in Q4 05 excl. Cowen); risk provisioning: another net reversal; record results.

* When adjusted for changes in Group structure and at constant exchange rates. Source: Société Générale.

Jérôme Kerviel, an Ambitious Outsider

Hidden behind the rosy outlook depicted in Société Générale’s 2006 financial results were two fires smoldering in its CIB. One, exposure to U.S. subprime residential mortgage-backed securities (MBSs), was about to spread like wildfire throughout the world’s financial sector and engulf several larger and more ambitious banks than Société Générale. The other, unauthorized speculative trading in European equity markets, was about to drive a huge hole through Société Générale’s reputation and profits at the hands of a single trader, Jérôme Kerviel.

Kerviel’s position in Société Générale’s CIB was unlikely to be noticed. He was one of seven traders in the Delta One Listed Products (DLP) team, a part of the Equity Finance section in the Equity Arbitrage group of the CIB’s Global Equities & Derivative Solutions (GEDS) business unit. At the end of 2006, the CIB had almost 5,000 front office personnel worldwide. GEDS itself had a head count of over 1,300. GEDS’s proprietary trading activities comprised two groups—volatility and arbitrage. As these names imply, GEDS’s volatility traders were charged with profiting from directional trading positions, while the arbitrage traders looked to profit from long/short combinations of offsetting positions by capturing mispricing between assets with similar market sensitivity. A common feature of arbitrage trading is that price differentials are typically very small, which requires large notional amounts of offsetting trades in order to capture meaningful profits.


CONTROL COMPLACENCY 467

Kerviel joined Société Générale in August 2000 at age 23 to do modeling and process automation in CIB’s middle office. In July 2002, he was promoted to trader assistant in CIB’s Delta One Equity Derivatives product team, responsible for position valuations, price reserves, and risk analysis. In March 2004, he was appointed junior trader for the purpose of proprietary arbitrage trading in listed equity derivative products, including stock futures, indexes, exchange-traded funds (ETFs), and customized equity options such as turbo warrants.

Though inconspicuous in Société Générale’s big picture, Kerviel’s career progression was quite an impressive achievement considering his modest origins. He grew up in a small town on the coast of Brittany, and obtained a bachelor’s degree in finance in 1999 at the University of Nantes, a provincial town in western France, and a master’s degree in financial markets organization and control in 2000 at the University of Lyon. Just as executive positions in France’s leading financial institutions were considered reserved for the alumni of elite colleges such as the École Nationale d’Administration that Daniel Bouton had attended, so high-earning trading positions were also considered to be the preserve of graduates from France’s top 23 business schools known as grandes écoles, like Jean-Pierre Mustier.

At First a Few Side Bets, Then Massive Speculation

Kerviel began experimenting with directional positions during his first year as a Delta One trader, creating small index futures and cash equity positions that he closed out before the end of each day. Although these trades were unrelated to Kerviel’s arbitrage trading assignment, his supervising manager monitored and discussed them and allowed Kerviel to continue. In 2005, Kerviel became bolder, venturing into overnight trades. Initially, it seems that this progression was also tolerated because of the small amounts, but a €10 million overnight cash equity position drew his manager’s concern in July 2005. Kerviel’s next move took him over the line into fraudulent activity. In order to continue taking overnight directional positions without arousing management concerns, he began to create fictitious trades to offset them in DLP’s books. This practice continued in sporadic fashion and in relatively small amounts through the end of 2006, peaking at €140 million in August, unnoticed by Kerviel’s manager or any of DLP’s middle or back office personnel. Meanwhile, in the other sector where trouble was brewing for Société Générale, the first signs of distress were emerging in the U.S. residential mortgage finance market, as several subprime lenders started to report high delinquencies and the U.S. home construction index tumbled.

In January 2007, Kerviel’s manager left Société Générale to take another job. For the next two months, Kerviel was effectively unsupervised. Finally, in April 2007, a new manager was assigned to Kerviel’s DLP team, but this one had no prior trading experience and received no orientation on his critical duties. Meanwhile, in the European equity markets where Kerviel traded, the accelerating U.S. residential mortgage meltdown had not yet had any impact, but the opportunity to bet on a stock market correction proved irresistible. By January 24, Kerviel’s directional short position in European equity index futures had reached €850 million. During February, Kerviel increased his short position to €2.6 billion (U.S.$3.4 billion), and by the end of March it had risen to €5.5 billion. As news from the U.S. residential mortgage market continued to deteriorate in June and two Bear Stearns collateralized debt obligation (CDO) funds collapsed, Kerviel became even bolder. By July 19, his short equity index position hit a peak of €30 billion. So far in 2007, Kerviel’s accumulated mark-to-market loss was €2.2 billion, which was hidden in the fictitious forwards that he entered into GEDS’s transaction system.

The forward counterparties Kerviel selected were either “pending,” Société Générale affiliates, or genuine but unsuspecting counterparties. To avoid detection, Kerviel assigned deferred start dates to these forwards, for which GEDS’s internal policies did not require formal counterparty confirmations until the start date, which he could manipulate by canceling and reentering new fictitious trades. The sheer volume of this trading was not completely unnoticed. In fact, 41 queries about transaction anomalies, accounting discrepancies, and broker commissions were raised by Société Générale’s back office during the period from June 2006 to January 2008, but in each case they were satisfied by Kerviel’s trade amendments, cancellations, and explanations. A summary of the queries is shown in Exhibit 23.4.

During the next four weeks, Kerviel’s massive stock market bet finally paid off, as stocks around the world fell 8 percent. His short equity futures positions erased their losses and began to show profits, allowing Kerviel to gradually unwind them and accumulate €750 million in profits, which he concealed in fictitious counterparty trades and provisions. In November, stocks began to recover and Kerviel reversed his strategy by building a €30 billion portfolio of unauthorized long equity futures positions matched by fictitious offsetting trades, which he liquidated in December with a further €750 million in profits. Again, the volume of Kerviel’s activity attracted notice, this time in the form of an alert from Eurex about a large (€1.2 billion) purchase of equity index futures by DLP in November, which Kerviel’s manager failed to follow up.

Exhibit 23.4 Internal Queries Raised about Kerviel’s Fictitious or Unauthorized Trades, 2006–2008

Dates                     No. of Queries   Focus of Query                                                          Source Department
June 2006                  1               Pricing discrepancies                                                   GEDS Operations
Dec. 2006 to June 2007     5               Earnings discrepancies                                                  CIB Accounting
Jan. to Oct. 2007          9               Unidentified counterparty or broker                                     GEDS Operations
Jan. to Nov. 2007          7               Unexplained balance sheet variations                                    CIB Accounting
Jan. 2007 to Jan. 2008     3               Trade entry errors                                                      GEDS Operations
Feb. 2007                  1               Trade settlement discrepancy                                            GEDS Operations
March to Oct. 2007        12               P&L and provision discrepancies, high notional amount of transactions   GEDS Operations, CIB Accounting
June to Aug. 2007          2               Reconciliation differences                                              GEDS Operations
Dec. 2007                  1               High broker commissions                                                 DLP trading management

Source: “Mission Green” report, General Inspection Services, Société Générale.


As 2007 came to a close on December 31, Kerviel was careful to close out all his unauthorized trades, ending with a €1.5 billion profit hidden in fictitious forwards with Société Générale affiliates. This was his prize for having held unauthorized directional positions in European stock indexes, in a volume equal to the bank’s entire capital, during two prolonged periods of the year. Meanwhile, elsewhere in Société Générale, concerns were mounting that CIB’s exposure to U.S. subprime mortgage-backed securities could prove very costly. The first admission of its troubles occurred in October 2007 when CIB’s fixed income, currencies, and commodities business unit took a €230 million write-down in its U.S. residential mortgage-related assets. Even though European equity markets ended the year close to their levels before the July correction, Société Générale’s year-end share price was still down 37 percent from its May 2007 peak.

Discovery, Damage Control, and Retribution

As soon as 2008’s equity markets opened, Kerviel resumed his unauthorized directional trading, confident in his ability to keep calling market movements correctly and hiding his profits. Convinced that the European stock markets would extend their November rally into 2008, he began a series of unauthorized equity index futures purchases that reached a new peak of €49 billion on January 18, offsetting these positions with fictitious trades as before. However, unconnected to this even bolder move, his strategy was about to unravel because of an administrative, not operational, slip. In the first days of 2008, Kerviel changed the counterparty of the fictitious trades concealing his €1.5 billion 2007 profits from a Société Générale affiliate to an unsuspecting third-party counterparty. During 2007, he had made this kind of change many times without tripping any alarms. On this occasion, however, the counterparty he selected did not have a collateral agreement in place with Société Générale, which triggered a massive overage in the counterparty’s credit value at risk (CVaR) limit.

Caught by surprise when queried by Société Générale’s group risk management department, which was responsible for monitoring counterparty exposures, Kerviel decided to cancel the fictitious trades and create a provision in order to keep his 2007 profits out of sight. Without any signs of concern over this incident, Kerviel calculated an amount for the provision that would leave €15 million of his undisclosed profits to be accounted for in DLP’s 2007 year-end trading results and assure him of a high ranking among DLP’s traders. Seemingly in the clear again, Kerviel did not know that a second trip wire was about to end his long and eventful trading journey. The query that unraveled his strategy did not come from risk management or operations, but from financial reporting.

January 15 marked the first consolidation of Société Générale’s 2007 year-end financial reporting, which included regulatory capital. It also coincided with another slump in global equity prices, triggered by fears that U.S. and international banks were more exposed to subprime mortgage losses than previously disclosed. As Société Générale’s preliminary risk-weighted asset (RWA) numbers began to be checked, the massive counterparty exposure that had triggered risk management’s CVaR inquiry showed up in the bank’s RWA numbers. When queried, Kerviel explained that the trades had been canceled, but the financial reporting group was not satisfied with his explanation. A flurry of e-mails and phone calls took place over the next two days between financial reporting and the DLP middle office and back office, during which Kerviel insisted that the trades had been canceled but gave no satisfactory explanation. Finally, a meeting took place where Kerviel discovered that the outsize RWA number was the result of his fictitious counterparty not having a collateral agreement in place; he thereupon changed his explanation, claiming that the wrong counterparty had been entered for the forwards and identifying another counterparty as the correct one. The meeting ended with Kerviel promising to provide documentary evidence of the replacement counterparty’s agreement to the trades.

However, the financial reporting team were skeptical of Kerviel’s new explanation and decided to escalate the incident to GEDS’s senior management, given the very large size of the transactions. The next day, Friday, January 18, Kerviel modified the trades and sent e-mails that appeared to confirm that the forwards had been agreed with the replacement counterparty. Still concerned, representatives of financial reporting, DLP operations, and GEDS’s senior management met at the end of the day and decided to independently confirm the existence of the forwards with the replacement counterparty the next morning, which was Saturday, January 19. Meanwhile, the week’s close of business brought more gloom to Société Générale’s stock price, which dropped another 8.2 percent as the French central bank announced that Société Générale and another major French bank would have to further write down the valuation of their U.S. assets. On Saturday, January 19, within hours of the fictitious nature of his December 2007 trades being revealed by the counterparty’s negative confirmation response, Kerviel divulged the full extent of his €49 billion directional equity index positions, which was immediately communicated to Société Générale’s executive management. A summary of the queries, conversations, and meetings that resulted in discovery of Kerviel’s unauthorized trading is shown in Exhibit 23.5.

Sunday, January 20, began a series of four days of unthinkable consequences for Société Générale. After being advised of the known facts and extent of Kerviel’s unauthorized trading, Bouton notified Société Générale’s board and offered his resignation, which was declined; he was told to take charge of controlling the damage. The following day, Bouton obtained an unprecedented permission from France’s Financial Markets Authority (Autorité des Marchés Financiers, AMF) to secretly unwind Kerviel’s directional equity index position over the next three days before making a public announcement about Société Générale’s unauthorized positions. As GEDS’s traders set to work, no matter how discreetly they executed their sales, Société Générale inevitably suffered heavy losses due to the size of its positions and the equity markets’ bearish trend. By close of business on January 23, all of Société Générale’s unauthorized equity index positions were gone and a €6.4 billion loss was recorded, equivalent to 13 percent of the notional value of the positions that Kerviel had created just weeks earlier. Recognizing the damage that such a huge loss could have on market confidence in Société Générale’s solvency, Bouton used the time before publicly announcing the losses to secure commitments to raise €5.5 billion of new capital. He also briefed the French, European, and U.S. monetary authorities ahead of the public announcement. On January 24, Bouton held a press conference and issued a letter to Société Générale’s clients briefly describing the incident and declaring it to be under control. The letter also stated that Société Générale’s capital was to be replenished by the new equity issuance.


Exhibit 23.5 Sequence of Queries, Conversations, and Meetings Resulting in Discovery of Kerviel’s Unauthorized Trading

Date: Jan. 8, 2008
Parties Involved: Société Générale Risk Management; GEDS middle office; Kerviel
Issue: Exposure (CVaR) over limit for fictitious counterparty
Outcome: Issue closed—trades canceled by Kerviel.

Date: Jan. 15, 2008
Parties Involved: CIB Regulatory Reporting (CIB-RR); GEDS middle office
Issue: Very high RWA and Cooke ratio for fictitious counterparty
Outcome: CIB-RR sought clarification of Kerviel’s previous explanations and trade cancellations.

Date: Jan. 16, 2008
Parties Involved: CIB Regulatory Reporting; GEDS middle office; Kerviel
Issue: Correct financial reporting of very large trades, clarification of trader’s explanations
Outcome: Not convinced by further telephone explanations, CIB-RR scheduled a meeting with Kerviel for January 17.

Date: Jan. 17, 2008
Parties Involved: CIB Regulatory Reporting; GEDS middle office; Kerviel
Issue: Correct financial reporting of very large trades, clarification of trader’s explanations
Outcome: Kerviel advised that the wrong counterparty was entered for the trades and would be corrected. CIB-RR requested supporting documentation.

Date: Jan. 18, 2008
Parties Involved: CIB Regulatory Reporting (CIB-RR); GEDS Trading Management (GEDS-TM); Kerviel
Issue: Trade cancellations, counterparty substitution, unconvincing trader explanations
Outcome: CIB-RR briefed GEDS-TM, who spoke with Kerviel and received the same unsatisfactory explanations. Kerviel canceled and reentered the fictitious trades with the replacement counterparty and sent CIB-RR a falsified confirmation. CIB-RR and GEDS-TM met in the evening and decided to seek direct confirmation from the replacement counterparty.

Date: Jan. 19, 2008
Parties Involved: CIB Regulatory Reporting; GEDS Trading Management (GEDS-TM); Kerviel; Société Générale Executive Management
Issue: Proof of fictitious transactions, discovery of unauthorized trading positions
Outcome: Confronted by proof of his fictitious transactions, Kerviel revealed the nature and extent of his past and current unauthorized trading positions that were offset by fictitious trades.

Source: “Mission Green” report, General Inspection Services, Société Générale.


In a subsequent interview he disclosed that Société Générale would take a further €2 billion write-down in its U.S. residential mortgage exposures for 2007 year-end. Bouton’s revelations were generally greeted by astonishment that a financial institution of Société Générale’s standing could have failed to prevent such egregious risk taking by a single individual.

In the following days, Société Générale filed a civil lawsuit against Kerviel, and Paris’s public prosecutor filed criminal charges against Kerviel. Société Générale’s board formed a special committee to investigate the incident, which commissioned an internal audit report and a diagnostic review of GEDS’s internal control environment by Pricewaterhouse Coopers (PwC). The internal audit team’s preliminary findings were published on February 21; its final report and PwC’s findings were published on May 20. On April 17, Bouton relinquished his role as CEO but remained chairman for another year. On May 30, Mustier relinquished his position as global head of CIB. Several months later, Mustier was reassigned to head Société Générale’s investment management business, but resigned from Société Générale a year later.

Postmortem

During the spring and summer of 2008, further details released about Société Générale’s unauthorized trading losses continued to tarnish its reputation, while the outlook for banking as a whole darkened significantly, as delinquencies in U.S. residential mortgages spread losses and fear across the entire sector. The New York investment bank Bear Stearns ran out of funds in March 2008 and had to be rescued by JPMorgan Chase. IndyMac Bank failed in July, and Fannie Mae and Freddie Mac were put into receivership in September, closely followed by the bankruptcy of Lehman Brothers, rescue of Merrill Lynch by Bank of America, and the Federal Reserve’s bailout of American International Group (AIG).

Meanwhile, the internal and external investigations into how Société Générale’s management and control environment allowed Kerviel to conduct his unauthorized trading for so long and in such large amounts revealed an extraordinary range of failings. These were so extensive that the French Banking Commission (Commission Bancaire, CB) fined Société Générale €4 million in July 2008, an insignificant sum relative to the magnitude of Société Générale’s trading losses, but close to the CB’s legal maximum.

The principal findings of the internal and external investigations were as follows.

Managerial Supervision

GEDS’s trading management had primary responsibility for continuously monitoring its trading positions; performing daily analysis of the coherence of risks, earnings, and positions; and ensuring that all transactions complied with the department’s policies and limits. However, there was no explicit requirement to monitor cash movements. Société Générale’s systems provided trading management with a series of transaction, profit and loss (P&L), and cash flow reports and, during 2005–2006, monitoring appears to have been done in a desultory manner by Kerviel’s trading manager. However, after this manager’s departure in January 2007, Kerviel’s trading activity received no monitoring at all. Trading management was also tasked with responding to internal and external alerts and queries about the positions under their responsibility. In Kerviel’s case these were rare; however, an alert from Eurex about a large transaction in November 2007 related to Kerviel’s unauthorized directional positions was never followed up. PwC noted in particular that the rigor of DLP’s front office oversight diminished as trading volume increased, allowing unauthorized activities such as day trading, P&L smoothing, and position transfers between traders to proliferate.

Control Environment

The primary control framework in which Kerviel operated had a number of serious deficiencies:

∙ There were no limits on notional transaction volumes or cash movements.
∙ Trade cancellations, modifications, deferred start dates, and provisions were not subject to exception treatment.
∙ There was inadequate separation of duties between DLP’s front office and middle office: Kerviel was able to modify and cancel trades at will in GEDS’s transaction system and create provisions that concealed his unauthorized profits.
∙ Policies and procedures for escalation of concerns were either unclear or nonexistent.
∙ There was no policy dictating minimum consecutive days of vacation.
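The first three primary-control gaps above are mechanical enough to be expressed as checks over a trade blotter: a gross notional limit per trader, routing of every cancellation and modification to an exception queue, flagging of deferred-start trades booked against counterparties that will never confirm, and detection of the cancel-and-reenter pattern the narrative describes. The following is an added illustration written for this case study, not Société Générale’s code; the record layout, the thresholds, and the counterparty labels (“PENDING”, “SG-AFFILIATE”) are assumptions chosen for the example, and the blotter events are constructed.

```python
"""Exception checks on a trade blotter for the primary-control gaps listed
above: notional volume limits, exception treatment of cancellations,
modifications and deferred start dates, and cancel-and-reenter patterns.
Added illustration, not Société Générale's code; the record layout,
thresholds and counterparty labels are assumptions made for the example."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed blotter events: one front-office action ("new", "amend" or
# "cancel") per record. Amounts and dates are invented for the demo.
EVENTS = [
    {"id": "T1", "trader": "tr01", "action": "new", "day": date(2007, 7, 2),
     "notional": 8_000_000_000, "cpty": "PENDING", "start": date(2007, 8, 15)},
    {"id": "T3", "trader": "tr01", "action": "new", "day": date(2007, 7, 2),
     "notional": 3_000_000_000, "cpty": "SG-AFFILIATE", "start": date(2007, 7, 4)},
    {"id": "T4", "trader": "tr02", "action": "new", "day": date(2007, 7, 2),
     "notional": 50_000_000, "cpty": "BANK-X", "start": date(2007, 7, 4)},
    {"id": "T4", "trader": "tr02", "action": "amend", "day": date(2007, 7, 3)},
    {"id": "T1", "trader": "tr01", "action": "cancel", "day": date(2007, 7, 30)},
    {"id": "T2", "trader": "tr01", "action": "new", "day": date(2007, 7, 30),
     "notional": 8_000_000_000, "cpty": "PENDING", "start": date(2007, 9, 15)},
]

NOTIONAL_LIMIT = 5_000_000_000        # assumed gross notional cap per trader per day
DEFERRED_DAYS = 30                    # assumed: a start this far out needs a confirmation
REENTRY_WINDOW = timedelta(days=1)    # assumed window for cancel-and-reenter matching
UNCONFIRMED_CPTYS = {"PENDING", "SG-AFFILIATE"}  # placeholders that never confirm

def check_blotter(events):
    """Return (rule, trader, trade_id) tuples for an independent review queue."""
    exceptions = []
    gross = defaultdict(int)       # (trader, day) -> gross notional booked that day
    cancelled = defaultdict(list)  # trader -> [(day, notional, cpty)] of cancels
    live = {}                      # trade id -> its "new" record
    for ev in sorted(events, key=lambda e: e["day"]):
        if ev["action"] == "new":
            live[ev["id"]] = ev
            key = (ev["trader"], ev["day"])
            gross[key] += ev["notional"]
            if gross[key] > NOTIONAL_LIMIT:
                exceptions.append(("notional_limit", ev["trader"], ev["id"]))
            # A deferred start with a placeholder counterparty means nobody
            # outside the desk will confirm the trade before its start date.
            if ((ev["start"] - ev["day"]).days > DEFERRED_DAYS
                    and ev["cpty"] in UNCONFIRMED_CPTYS):
                exceptions.append(("deferred_unconfirmed", ev["trader"], ev["id"]))
            # Cancel-and-reenter: a fresh booking that mirrors a trade the same
            # trader cancelled within the window.
            for c_day, c_notional, c_cpty in cancelled[ev["trader"]]:
                if (c_notional == ev["notional"] and c_cpty == ev["cpty"]
                        and abs(ev["day"] - c_day) <= REENTRY_WINDOW):
                    exceptions.append(("cancel_reenter", ev["trader"], ev["id"]))
                    break
        else:
            orig = live.get(ev["id"])
            if orig is None:
                continue
            # Every amendment or cancellation goes to the queue; none is silent.
            exceptions.append((ev["action"], ev["trader"], ev["id"]))
            if ev["action"] == "cancel":
                cancelled[ev["trader"]].append((ev["day"], orig["notional"], orig["cpty"]))
    return exceptions

def exceptions_by_trader(events):
    """Count exceptions per trader, the view a supervisor would review daily."""
    counts = defaultdict(int)
    for _, trader, _ in check_blotter(events):
        counts[trader] += 1
    return dict(counts)

if __name__ == "__main__":
    for rule, trader, trade in check_blotter(EVENTS):
        print(f"{rule:22} {trader} {trade}")
    print(exceptions_by_trader(EVENTS))
```

The queue this produces is only useful if it is worked by someone other than the trader who booked the entries; the separation-of-duties point in the list above is what makes the exception a control rather than a report.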

The secondary control framework supporting DLP also had serious deficiencies:

∙ GEDS’s back office support for DLP was separated into four different operations groups, which did not communicate with each other and whose procedures required them to raise and resolve but not to question trade-related queries.
∙ Société Générale’s counterparty risk management group was required to raise and resolve exposure issues but not to validate the cause or solution. This group raised 20 queries that they considered resolved by Kerviel’s explanations and amendments.
∙ Société Générale’s market risk management performed a risk reporting and advisory role, but did not exercise trading oversight; consequently they were not involved in monitoring the alerts and unusual activity created by Kerviel’s unauthorized positions and fictitious offsetting trades.
∙ During 2006 and 2007, GEDS’s back office was chronically understaffed due to high employee turnover, while DLP’s trading volume doubled, its range of traded products multiplied, and the number of traders increased from four to 23.
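The secondary-framework findings above come down to one structural gap: each operations group, accounting, and risk management raised and closed its own queries in isolation, so the 41 queries of Exhibit 23.4 never appeared together. The example below, added for this case study and not the bank’s own code, pools a constructed query log across departments and flags a trader whose queries were repeatedly closed on his own explanation; the departments, the rolling window, and the thresholds are assumptions, and the log entries are modelled on the categories in Exhibit 23.4.

```python
"""Correlation of control queries across operations groups, accounting and
risk management, which the secondary framework above describes as raising
and closing their queries in isolation. Added example, not Société
Générale's code; the query log is constructed from the categories of
Exhibit 23.4 and the thresholds are assumptions."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed query log. "closed_by" records who supplied the resolution;
# a query closed on the trader's own explanation or amendment was never
# independently validated.
QUERIES = [
    {"dept": "GEDS Operations", "trader": "tr01", "day": date(2007, 3, 5),
     "topic": "P&L discrepancy", "closed_by": "trader"},
    {"dept": "CIB Accounting", "trader": "tr01", "day": date(2007, 3, 20),
     "topic": "balance sheet variation", "closed_by": "trader"},
    {"dept": "Risk Management", "trader": "tr01", "day": date(2007, 4, 2),
     "topic": "counterparty exposure", "closed_by": "trader"},
    {"dept": "GEDS Operations", "trader": "tr01", "day": date(2007, 4, 18),
     "topic": "unidentified counterparty", "closed_by": "trader"},
    {"dept": "GEDS Operations", "trader": "tr02", "day": date(2007, 4, 18),
     "topic": "trade entry error", "closed_by": "middle office"},
    {"dept": "CIB Accounting", "trader": "tr02", "day": date(2007, 5, 3),
     "topic": "earnings discrepancy", "closed_by": "trader"},
]

WINDOW = timedelta(days=90)   # assumed rolling window
MAX_SELF_RESOLVED = 3         # assumed: more than this in a window needs validation
MIN_DEPTS = 2                 # assumed: queries from this many departments escalate

def correlate(queries, window=WINDOW):
    """Return {trader: [reasons]} for traders whose queries, pooled across
    departments, breach a threshold inside some rolling window."""
    per_trader = defaultdict(list)
    for q in sorted(queries, key=lambda q: q["day"]):
        per_trader[q["trader"]].append(q)
    flagged = {}
    for trader, qs in per_trader.items():
        reasons = set()
        for i, anchor in enumerate(qs):
            in_win = [q for q in qs[i:] if q["day"] - anchor["day"] <= window]
            self_resolved = sum(1 for q in in_win if q["closed_by"] == "trader")
            depts = {q["dept"] for q in in_win}
            if self_resolved > MAX_SELF_RESOLVED:
                reasons.add("self_resolved_queries")
            if len(depts) >= MIN_DEPTS and self_resolved >= 2:
                reasons.add("multi_department_pattern")
        if reasons:
            flagged[trader] = sorted(reasons)
    return flagged

def department_view(queries, dept):
    """What a single department sees on its own: only its own query count,
    which is the view that made each of the 41 queries look routine."""
    counts = defaultdict(int)
    for q in queries:
        if q["dept"] == dept:
            counts[q["trader"]] += 1
    return dict(counts)

if __name__ == "__main__":
    print("pooled:", correlate(QUERIES))
    for dept in ("GEDS Operations", "CIB Accounting", "Risk Management"):
        print(dept, department_view(QUERIES, dept))
```

Run on the constructed log, each department on its own sees one or two queries per trader and nothing to escalate, while the pooled view flags tr01 on both rules; that difference is the cross-divisional surveillance the action plan later calls for.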

System Reliability

GEDS’s transaction systems also had serious deficiencies:

∙ Faulty security protocols allowed Kerviel to continue to access and change system records after he was promoted from the middle office to the front office.
∙ Chronic accuracy, reliability, and timeliness problems predisposed operations and risk personnel to expect system errors to be the cause of processing exceptions, not suspicious activity.
∙ Daily reports of cash movements from margins and broker commissions were aggregated across portfolios, hindering identification of the unusual levels of activity created by Kerviel’s unauthorized trades.
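Two of the system deficiencies above have direct technical remedies: entitlements must be recertified against the current role when a person moves between middle and front office, and cash-movement reports must be read per portfolio, because an aggregate can stay inside its limit while one book breaches. The following added example, not Société Générale’s code, shows both checks on constructed data; the role-to-entitlement model, the HR and IAM extracts, the book names, and the two limits are assumptions.

```python
"""Two checks for the system-level gaps listed above: entitlements that
survive an internal transfer, and cash-movement reports broken down per
portfolio instead of aggregated. Added example, not Société Générale's code;
the role model, limits and extracts are constructed for the illustration."""
from collections import defaultdict

# Assumed mapping of job role -> entitlements that role may hold.
ROLE_ENTITLEMENTS = {
    "middle_office": {"trade_amend", "trade_cancel", "provision_create", "pnl_view"},
    "front_office": {"trade_book", "pnl_view"},
}

# Constructed HR and IAM extracts. HR is the source of truth for the current
# role; IAM is what the transaction system actually grants today.
HR = {"u100": "front_office", "u101": "middle_office", "u102": "front_office"}
IAM = {
    # u100 moved from middle to front office but kept the old rights
    "u100": {"trade_book", "pnl_view", "trade_amend", "trade_cancel", "provision_create"},
    "u101": {"trade_amend", "trade_cancel", "provision_create", "pnl_view"},
    "u102": {"trade_book", "pnl_view"},
}

def entitlement_drift(hr, iam, model=ROLE_ENTITLEMENTS):
    """Return {user: sorted entitlements not justified by the user's current role}.
    Run on every role change (mover event) and periodically as a recertification."""
    drift = {}
    for user, role in hr.items():
        extra = iam.get(user, set()) - model[role]
        if extra:
            drift[user] = sorted(extra)
    return drift

# Constructed daily margin and broker-commission cash movements per book
# (EUR). On the last day the desk total stays under the aggregate limit
# while one book alone exceeds its own.
CASH = {
    "2007-07-16": {"DLP-A": 1.2e6, "DLP-B": 0.9e6, "DLP-K": 1.1e6},
    "2007-07-17": {"DLP-A": 1.1e6, "DLP-B": 1.0e6, "DLP-K": 1.3e6},
    "2007-07-18": {"DLP-A": 1.3e6, "DLP-B": 0.8e6, "DLP-K": 1.0e6},
    "2007-07-19": {"DLP-A": 0.5e6, "DLP-B": 0.4e6, "DLP-K": 6.0e6},
}
DESK_LIMIT = 10e6   # assumed limit the aggregated report was checked against
BOOK_LIMIT = 3e6    # assumed per-portfolio limit the aggregated report never applied

def cash_breaches(cash, book_limit=BOOK_LIMIT, desk_limit=DESK_LIMIT):
    """For each day, compare the aggregated view with the per-book view."""
    out = {}
    for day, books in sorted(cash.items()):
        total = sum(books.values())
        out[day] = {
            "desk_breach": total > desk_limit,
            "book_breaches": sorted(b for b, amt in books.items() if amt > book_limit),
        }
    return out

if __name__ == "__main__":
    print("entitlement drift:", entitlement_drift(HR, IAM))
    for day, result in cash_breaches(CASH).items():
        print(day, result)
```

On the constructed data u100 is reported with three middle-office rights that a front-office role does not justify, and on the last day the desk-level check passes while DLP-K alone breaches its book limit, which is exactly the signal an aggregated report hides.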

Risk-Sensitive Culture

The investigations also identified cultural deficiencies, specifically citing that DLP’s trading oversight and control personnel were not trained or instructed to be alert for fraud and were slow and lax in responding to and resolving queries.

Action Plan

PwC reviewed and endorsed Société Générale’s two-part remedial action plan, consisting of a series of immediate fixes and longer-term structural changes. The key elements of this action plan were:

∙ Immediate strengthening of GEDS’s front office supervision across all equities, fixed income, derivatives, and commodities trading desks, by means of heightened awareness of responsibilities and the introduction and use of formal monitoring tools
∙ Immediate strengthening of GEDS’s middle and back office controls by means of remedying controls found to be missing or ineffective
∙ Immediate strengthening of system access controls and information technology (IT) security
∙ Immediate strengthening of governance by specifying roles, responsibilities, and escalation protocols across all relevant positions
∙ A four-part transformation strategy to improve GEDS’s control infrastructure, culture, and IT security, consisting of:
  1. More control-sensitive operations processes
  2. Creation of a cross-divisional operational surveillance program designed to identify and rectify anomalous situations and chronic conditions that could be symptomatic of or conducive to fraud
  3. Long-term IT security improvement plan
  4. Professional ethics and accountability education program for traders and their support staff
∙ Formation of two committees tasked with ensuring implementation of these four initiatives

Who Was to Blame?

The two years between publication of the two investigative reports into Kerviel’s unauthorized trading and his trial were tumultuous for U.S. and European banks. A steady succession of huge asset write-downs, government bailouts, liquidity lifelines, and arranged takeovers of once-proud banks and insurance companies took place. Stock and housing prices tumbled, unemployment soared, and the U.S. and European economies slipped into recession. After multilateral government stabilization measures began to take effect, lawsuits began to emerge alleging dishonest lending and securitization practices. As Kerviel’s June 8, 2010, trial date neared, Société Générale kept a low profile. Kerviel, on the other hand, sought to publicize his assertion that Société Générale unofficially endorsed his directional trading, with the publication of a book entitled The Spiral: Memoirs of a Trader.

Exercise

Now begins the interactive portion of this case study. The preceding narrative and exhibits have presented key facts that were publicly known at the beginning of Kerviel’s trial. Whether or not the information they provide is conclusive one way or another is up to the reader to decide. In a real trial, prosecution and defense attorneys methodically lay out their respective evidence and arguments. To facilitate the reader’s assessment of both arguments in this case study, a blank Critical Questions table is provided in Exhibit 23.6. The purpose of this table is for the reader to list critical questions that the trial judges should have asked in order to determine the truth behind each party’s claims, and then to identify answers that would incriminate (“Guilty”) or exonerate (“Not Guilty”) Kerviel. Once this exercise has been completed, the reader may turn to Part Two.

Exhibit 23.6 Critical Questions and Answers—Worksheet

No.   Question   Answer Implying Guilty   Answer Implying Not Guilty
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

PART TWO: OUTCOME AND LESSONS LEARNED

Part Two of this case study reveals the outcome of the trial and its consequences, provides a prepared list of critical questions on page 487 to compare with those compiled by the reader at the end of Part One (Exhibit 23.6) and additional learning materials in the form of: (1) a list of the reference materials used to compile this case study, (2) Société Générale’s full-year 2006 and 2007 financial statements (Exhibit 23.7), and (3) a chronology of events leading up to, during, and after the period in which Kerviel’s unauthorized trading took place (Exhibit 23.8).

1

2

3

4

5

6

7

8

9

10

11

12

13

SUMMARY INCOME STATEMENT OF SOCIETE GENERALE

07/06 07/06 07/06 20062007

Net banking income

Gross operating income

Operating income

Net Income

Operating income before tax

Income tax

Net allocation to regulatory provisions

Societe Generale net income for the 2007 financial year came out at EUR –961 million, down 123.8% on 2006. The breakdown of results for Societe Generale in France and abroad is given in the above table.

The principal changes in the income statement were as follows:

Societe Generale was directly impacted by the effects of the US subprime mortgage crisis, leading to gross operating income down from 2006 to EUR 2,007 million:

net banking income amounted to EUR 8,770 million, down sharply on 2006, due to the consequences of this crisis on the Corporate and Investment Banking arm. The solid commercial performance generated by this activity was thus erased by trading activities, owing to write-downs and losses of:

EUR –1,250 million on unhedged super senior CDO tranches;

EUR –947 million on counterparty risk exposure to US monolines;

EUR –325 million on the RMBS trading portfolio.

Retail Banking in France remained on a steady growth trend, in terms of both individual customers and business customers. Customer acquisition (+126,000 sight accounts in 2007) went hand in hand with the overall increase in customer savings. At the same time, outstanding loans to business customers remained on an uptrend in 2007.

management fees totaled EUR 6,763 million, down from 2006, mainly due to the change in variable costs recorded by Corporate and Investment Banking, a direct reflection of the situation in 2007. Retail Banking in France expanded in 2008 with the opening of over 50 new branches;

net income from long-term investments came out at EUR 46 million in 2007. This breaks down into EUR +131 million in income from the disposal of subsidiary shares (of which a net capital gain of EUR +93 million from the exchange of Euronext shares for NYSE shares and the subsequent sale of the new entity’s shares) and EUR –89 million stemming from the write-back of provisions for other shares in consolidated subsidiaries;

exceptional items include the loss before income taxes of the unwinding of the directional positions on unauthorized and concealed trading activities discovered on January 19 and 20, 2008;

the EUR 9 million allocation to provisions for banking risks corresponds to an allocation to an investment provision, in accordance with article 237 bis All of the French Tax Code. A provision of EUR 10 million had been booked at December 31, 2006.

Exhibit 23.7 Société Générale’s 2006 and 2007 Summary Income Statement

(In millions of euros at December 31)

                                               2007                                  2006                              Change (%)
                                   France  International  Societe Generale  France  International  Societe Generale  France  International  Societe Generale
Net banking income                  9,062       (292)          8,770         8,646      2,480          11,126           4.8     (111.8)        (21.2)
Operating expenses                 (5,539)    (1,224)         (6,763)       (5,773)    (1,281)         (7,054)         (4.0)      (4.5)         (4.1)
Gross operating income              3,623     (1,516)          2,007         2,873      1,199           4,072          22.6     (226.5)        (50.7)
Cost of risk                          (96)       (40)           (136)            8         31              39      (1,300.0)   (229.8)       (450.4)
Operating income                    3,427     (1,556)          1,871         2,881      1,230           4,111          18.9     (226.8)        (54.5)
Net income from long-term
  investments                         229       (183)             46           411          3             414         (44.3)        NS         (88.9)
Income before exceptional
  items and tax                     3,656     (1,739)          1,917         3,292      1,233           4,526          11.0     (241.1)        (57.6)
Exceptional items                  (4,801)         -          (4,801)            -          -               -            NS         NS            NS
Income tax                          1,473        459           1,932          (180)      (302)           (482)       (918.3)   (251.9)       (500.7)
Allocation to provisions for
  banking risks                        (9)         -              (9)          (10)         -             (10)        (10.0)        NS         (10.0)
Net income                            319     (1,280)           (961)        3,102        931           4,033         (89.7)   (237.5)       (123.8)

NS = not significant.


CONTROL COMPLACENCY 477


Exhibit 23.8 Chronology of Events

Date  Internal/External  Description

1991 Internal Daniel Bouton joined Société Générale (SG) as EVP, after serving in a number of different positions in the French Finance Ministry, including that of Budget Director, from 1988 to 1991, Chief of Staff of Alain Juppe, Deputy Minister in charge of the budget from 1986 to 1988, in the Budget Department from 1977 to 1986, and in the Finance Inspectorate from 1973 to 1976.

1993 Internal Bouton appointed CEO of SG Group.

Nov. 1997 Internal Bouton appointed chairman and co-CEO of SG Group.

1999 External SG’s proposed friendly merger with Banque Paribas torn apart by hostile bid for both banks from BNP. SG escaped but Paribas succumbed, leaving SG’s growth strategy in disarray.

1999 Internal Jean-Pierre Mustier promoted from head of CIB equity options trading in SG’s Corporate and Investment Banking (CIB) to head of fixed income, FX, commodities, and derivatives.

Aug. 2000 Internal Jerome Kerviel (JK) hired to do modeling and process automation in CIB’s middle office, aged 23.

July 2002 Internal JK promoted to trader assistant in SG’s Delta One equity derivatives product team, responsible for valuations, provisions, and risk analysis.

May 2003 Internal Daniel Bouton appointed CEO of SG bank.

2003 Internal Mustier promoted to head of CIB, beginning a period of aggressive and successful expansion in securities underwriting, derivatives, and proprietary trading. Over the next five years, CIB’s glamor and earnings eroded SG’s traditional control-oriented, retail banking culture.

March 2004 Internal JK promoted to junior trader in Delta One Listed Products (DLP) team.

June 2005 External A handful of U.S. investment banks set up short residential mortgage positions, even as their own and other banks’ fixed income desks continued to source, warehouse, structure, and distribute subprime mortgages and MBSs.

July 2005 Internal First unauthorized trades by JK, offset by fictitious trades with counterparties either SG subsidiaries, unidentified/pending, or third parties. JK’s fictitious trades had deferred start dates, which did not require immediate confirmation.

Jan.–Dec. 2006 Internal JK continued sporadic unauthorized trading, with insignificant gains or losses.

May 2006 External First cutbacks and failures among U.S. subprime mortgage lenders; Merrill Lynch, unable to sell super-senior tranches of new subprime CDOs, set up a buy-and-hold trading desk. Some investment banks started producing CDOs designed to fail, so they could buy and profit from the investors’ credit protection.


Aug. 2006 Internal JK’s unauthorized trading volume moved up a notch to €140 million (U.S.$179 million) in equity index futures.

Sep. 2006 External U.S. residential housing construction index down 40 percent year-over-year. Some investment banks began reducing their securitization activities and limiting their exposures to U.S. residential mortgages.

Jan. 2007 Internal JK’s immediate CIB trading manager left SG and was not replaced until April by another CIB manager who had no prior experience of trading management and received no detailed direction on his responsibilities until November 2007.

Feb. 2007 External Trickle of losses and failures in U.S. subprime lending sector turned into a flood—Ownit, American Freedom Mortgage, Network USA, HSBC, Accredited, New Century, DR Horton, Countrywide.

Feb.–March 2007 Internal Anticipating a stock market crash, JK progressively built up unauthorized short equity index futures positions amounting to €5.5 billion (U.S.$7.3 billion), masking the directionality of these trades with fictitious offsetting trades.

April–June 2007 Internal JK further increased his unauthorized short equity index futures positions amounting to €30 billion with a cumulative P&L of €2.2 billion (U.S.$3 billion). Between February and June, 39 instances of discrepancies in settlement details, accounting entries, and broker commissions were flagged by SG’s controllers, but deflected by JK’s trade amendments, cancellations, and explanations.

May 4, 2007 External SG’s stock hit its peak of €140.55 per share.

June 2007 External Bear Stearns halted redemptions in two CDO hedge funds, which immediately became insolvent.

July 2007 External Equity markets slumped.

July 2007 Internal JK unwound substantially all of his short equity index futures positions in the last week of July, having erased all of his losses.

Aug. 2007 External Onset of credit crunch as traces of subprime MBSs in bank portfolios around the world set off a counterparty exposure panic that caused interbank and repo markets to freeze up. Investors everywhere started liquidating other assets in order to take refuge in U.S. Treasuries. The U.S. Federal Reserve made the first of many liquidity interventions, followed by the European Central Bank (ECB).

Sep. 2007 External First month of negative U.S. job growth since August 2003.

Sep.–Nov. 2007 Internal JK’s remaining short equity index futures positions accumulated €750 million of profits before he unwound them in November 2007 when equity markets began to recover.

Oct. 2007 Internal First effects of financial sector crisis on CIB revenues: €230 million write-down in SG’s U.S. residential mortgage-related assets.


Oct. 24, 2007 External Merrill Lynch announced Q3-07 loss of U.S.$5.5 billion, later revised to U.S.$8.4 billion.

Nov. 2007 Internal JK built a €30 billion portfolio of unauthorized long equity futures positions matched by fictitious offsetting trades. An alert from Eurex about a large (€1.2 billion) purchase of equity index futures went unheeded.

Dec. 2007 Internal JK liquidated his unauthorized portfolio of long equity futures positions, concealing the resulting €1.5 billion of profits in fictitious forward trades with an SG affiliate.

Dec. 2007 External SG’s market capitalization down 23 percent since June 2007 on fears that its exposure to U.S. subprime mortgages was much greater than disclosed.

Jan. 2–10, 2008 Internal On January 2 JK switched his December 2007 fictitious forward counterparties from the SG subsidiary to a third party, unaware that the third-party counterparty he chose did not have a collateral agreement with SG, thus causing a huge CVaR exposure to show up in risk reports. Note: This issue did not occur in early 2007 when JK’s unauthorized trades were losing money and SG’s risk reports showed negative counterparty credit exposure to fictitious third parties. When the massive CVaR exposure was queried, JK canceled the fictitious forwards and instructed his (24-year-old) trading assistant to create a valuation provision of €1.485 billion to conceal the bulk of his 2007 gains, resulting in €15 million reported year-end trading profits versus actual trading profits of €1.5 billion.

Jan. 2–18, 2008 Internal JK rebuilt a €49 billion portfolio of unauthorized long equity index futures positions with fictitious offsetting trades.

Jan. 14–17, 2008 Internal The fictitious CVaR exposure disappeared from SG’s daily counterparty credit risk reports but was still queried for 2007 year-end RWA and Cooke ratio reporting. JK met with SG’s financial reporting group and explained that the counterparty he recorded for the forwards was incorrect and should have been a different third party (with a collateral agreement).

Jan. 15, 2008 External Global slump in equity markets triggered by fears that U.S. and international banks were more exposed to subprime mortgage losses than disclosed.

Jan. 18, 2008 External SG’s stock dropped another 8.2 percent as Banque de France announced that SG and another major French bank would have to write down the valuation of their U.S. assets.


Jan. 18, 2008 Internal SG’s financial reporting group escalated their concerns about JK’s unusual transactions and explanations to CIB senior management. Meanwhile, JK canceled the fictitious December 2007 forwards, reentered them with the replacement counterparty, and falsified a confirmation document from the replacement counterparty. JK’s supervisors decided to call the replacement counterparty to verify the existence of JK’s forwards.

Jan. 19, 2008 Internal SG’s replacement counterparty advised that the forwards recorded by JK did not exist.

Jan. 19, 2008 Internal JK’s current portfolio of unauthorized long equity index futures positions with fictitious offsetting trades was discovered, amounting to €49 billion, equivalent to 181 percent of SG’s capital of €27 billion, and already €2 billion underwater.

Jan. 20, 2008 Internal SG’s chairman and CEO Daniel Bouton tendered his resignation, which was rejected by the board and SG’s union leaders, who insisted that he stay to resolve the rogue trading problem.

Jan. 21, 2008 External European equity markets suffered further heavy declines (–6 percent). Bouton received approval from SG’s regulator, Autorité des Marchés Financiers (AMF), to withhold disclosure of SG’s unauthorized equity index portfolio for three days so that it could be liquidated without panicking already nervous equity markets.

Jan. 21–23, 2008 Internal JK’s €49 billion portfolio of unauthorized long equity index positions was liquidated, crystallizing losses of €6.4 billion.

Jan. 23, 2008 External Bouton briefed France’s President, Economy Minister, the ECB president, and chairman of the U.S. Federal Reserve on the origin and extent of SG’s rogue trading losses.

Jan. 24, 2008 External SG filed a civil lawsuit against JK for fraud.

Jan. 24, 2008 Internal An investigation by SG’s General Inspection Services (internal audit) was commissioned by the Executive Committee of the board to: (1) determine the exact nature and methods used by JK to conduct his unauthorized transactions, (2) verify the accuracy of the positions and subsequent losses, (3) investigate JK’s motives and the role of any possible accomplices, (4) identify the cause of and responsibility for the internal control breakdowns, (5) verify the nonexistence of similar practices anywhere else in CIB.


Jan. 24, 2008 External Trading in SG’s shares was temporarily suspended as Bouton issued a public letter and newspaper interview describing the origin and extent of the losses and remedial actions being taken, including legal action against JK, separation of employees responsible for supervision and control of the department where JK’s unauthorized trading occurred, and raising €5.5 billion of new capital.

Jan. 25, 2008 External Police raided JK’s apartment and SG’s offices to seize JK’s computer records.

Jan. 26, 2008 External JK voluntarily surrendered to the police and was held in custody.

Jan. 28, 2008 External JK was charged by the Paris prosecutor with forgery, abuse of trust, and illegal use of computers, and was released on bail.

Jan. 30, 2008 Internal Independent board committee formed to investigate JK’s unauthorized trading. Operational review of the circumstances and control failings commissioned from PwC.

Feb. 21, 2008 Internal SG announced a Q4-07 loss of €3.4 billion, due to JK’s unauthorized trading and increased its December 2007 write-downs on U.S. residential mortgage-related exposures to €2.3 billion.

Feb. 21, 2008 Internal Preliminary findings of investigation by SG’s General Inspection Services (internal audit function) published.

Feb.–March 2008 External A steady stream of public sparring took place between senior SG, banking, and government officials regarding a possible takeover bid for SG and Bouton’s responsibility for SG’s rogue trading scandal.

March 16, 2008 External Bear Stearns rescued by JPMorgan Chase with U.S.$30 billion New York Fed backstop.

April 2008 Internal Bouton resigned as CEO, but remained as SG chairman.

May 13, 2008 SG announced another €596 million write-down to its U.S. residential mortgage-related exposures and completion of its €5.5 billion new equity raising.


May 20, 2008 Internal The investigation report by SG’s General Inspection Services entitled “Mission Green” was presented to SG’s board of directors. Key findings: (1) JK’s unauthorized trading progressed through five stages—(i) intraday directional trades, (ii) overnight directional positions, (iii) disguising overnight directional positions with fictitious offsetting trades (947 instances), (iv) concealing gains from unauthorized directional positions with fictitious loss-making buy-sell trades (115 instances), and (v) concealing gains from unauthorized directional positions with valuation provisions (9 instances); (2) in 2007 JK built and liquidated two €30 billion unauthorized portfolios of equity index futures, concealed by fictitious offsetting trades, which generated net profits of €1.5 billion, and between January 2 and 18, 2008, he built a €49 billion portfolio of unauthorized equity index futures with fictitious offsetting trades, which was liquidated by the bank at a loss of €6.4 billion; (3) JK’s 2007 incentive compensation would have been based on his reported 2007 trading P&L of €25 million, which resulted from €3 million in legitimate gains from his turbo warrant trading plus €22 million in gains generated by his unauthorized trades less €1.475 billion gains from his unauthorized trades concealed by his fictitious trades and provisions (Note: The seven valuation provisions and almost 15 percent of the fictitious trades were entered by JK’s trading assistant); (4) the two factors that most contributed to SG’s prolonged failure to detect JK’s unauthorized and fictitious trading were: (i) ineffective trading management oversight represented by tolerance of intraday trading; disinterest in reconciling JK’s profits, margin, and cash movements to his authorized trading activity; indifference to system and counterparty alerts; and, from April 2007, lack of trading oversight experience; and (ii) control procedures that were focused on reporting rather than investigating anomalies, were fragmented among different control groups, and had no triggers for deferred start dates, values, counterparties, trade modifications and cancellations, or mandatory vacation periods; (5) no other evidence was uncovered of similar fraudulent activities in SG’s CIB. Note: The report contained no attribution of responsibility to SG’s Risk Management, whose role as a second line of defense in managing trading risk was not clearly specified in SG’s policies or procedures.


May 21, 2008 Internal PwC delivered its diagnostic review of SG’s unauthorized trading losses and remedial action plan. PwC endorsed the GIS report’s findings and added several more: (1) There were no clear policies or procedures for escalation of queries; (2) trading oversight and control personnel were not trained or instructed to be alert for fraud; (3) trading oversight and control personnel were slow to respond to and lax in resolution of queries; (4) the rigor of DLP’s front office oversight diminished as trading volume increased, allowing unauthorized activities such as day trading, P&L smoothing, and position transfers between traders to proliferate; and (5) trading oversight policy omitted to require monitoring of cash movements. PwC also endorsed SG’s two-part action plan, consisting of a series of immediate fixes and longer-term structural changes, specifically: (1) immediate strengthening of GEDS’s front office supervision across all equities, fixed income, derivatives, and commodities trading desks by means of heightened awareness of responsibilities, along with introduction and use of monitoring tools; (2) immediate strengthening of GEDS’s middle and back office controls by means of remedying controls found to be missing or ineffective; (3) immediate strengthening of system access controls and IT security; (4) immediate strengthening of governance by specifying roles, responsibilities, and escalation protocols across all relevant positions; (5) a four-part transformation strategy to improve GEDS’s control infrastructure, culture, and IT security, consisting of: (a) more control-sensitive operations processes; (b) creation of a cross-divisional operational surveillance program designed to identify and rectify anomalous situations and chronic conditions that could be symptomatic of or conducive to fraud; (c) long-term IT security improvement plan; (d) professional ethics and accountability education program for traders and their support staff; and (6) formation of two committees tasked with ensuring implementation of these initiatives.

May 30, 2008 Internal Mustier resigned as CIB head and voluntarily surrendered his bonuses for 2007 and 2008; however, he remained with SG.

June 20, 2008 External The French Banking Commission (Commission Bancaire, CB) interviewed SG officers in the course of investigating JK’s unauthorized trading.

July 2, 2008 External JK switched legal counsel to a more aggressive firm.


July 4, 2008 External The CB found that SG violated banking regulations by not having adequate financial controls, and imposed a fine of €4 million, close to its maximum allowable penalty. The CB’s key observations were: (1) poor supervision, (2) monitoring staff inattentive to fraud, (3) deficiencies in IT systems, and (4) inadequate limits and policies.

July 11, 2008 External IndyMac Bank placed into receivership.

Aug. 1, 2008 External JK’s trading assistant was indicted on a relatively minor charge of complicity.

Aug. 5, 2008 Internal SG announced year-to-date losses and write-downs on exotic credit derivatives of €789 million.

Sep. 7, 2008 External Fannie Mae and Freddie Mac placed into receivership.

Sep. 14–18, 2008 External Merrill Lynch sold to Bank of America, Lehman Brothers filed for bankruptcy, AIG downgraded and rescued by New York Fed with a U.S.$85 billion borrowing line, money market mutual fund Reserve Primary Fund suffered such catastrophic losses on its asset-backed commercial paper holdings that its net asset value “broke the buck,” and the commercial paper market seized up.

Sep. 19–29, 2008 External U.S.$700 billion “take-it-or-leave-it” Paulson rescue plan voted down by Congress, Washington Mutual seized by FDIC and its banking assets sold to JPMorgan Chase, Wachovia seized by FDIC, and sale of banking assets to Citigroup negotiated.

Sep. 2008 Internal Mustier appointed CEO of SG’s investment management business with €350 billion assets under management.

Nov. 3, 2008 Internal SG announced a further €370 million of losses and write-downs on exotic credit derivatives and €754 million of write-downs on its U.S. residential mortgage monoline insurance, provided mainly by AIG.

Nov. 1–30, 2008 External Fed provided emergency US$ liquidity to foreign banks (most notably Depfa and Dexia), negotiated Troubled Asset Relief Program (TARP) equity stakes in second wave of U.S. banks, rescued Citigroup with another U.S.$20 billion of capital on top of U.S.$25 billion already injected, pledged U.S.$600 billion to buy MBSs guaranteed by Fannie Mae and Freddie Mac.

Dec. 2008 External U.S. economy officially declared in recession since December 2007.

Feb. 18, 2009 Internal SG announced its full-year 2008 results, which included €792 million losses and write-downs on exotic credit derivatives, €1.0 billion write-downs on its U.S. residential mortgage monoline insurance, and €1.2 billion losses and write-downs on its European asset-backed security (ABS) underwriting and distribution business. These losses were partially offset by €2.2 billion of mark-to-market gains on credit default swaps held for portfolio protection.


May 2009 Internal Daniel Bouton ended his tenure as chairman of SG Group.

May 2009 External France’s economy declared officially in recession since Q3-08.

Aug. 2009 External France’s recession officially declared ended Q2-09.

Aug. 2009 Internal Mustier resigned from SG Group.

2010 External Regulatory and investor lawsuits emerged, aimed at deceptive residential mortgage securitization practices, flawed mortgage foreclosure practices, and misrepresentation of mortgage borrowers’ creditworthiness.

May 2010 External Publication of JK’s memoir L’Engrenage: Mémoires d’un Trader (The Spiral: Memories of a Trader).

June 8, 2010 External JK’s trial commenced.

Sep. 2010 External U.S. recession declared officially ended as of June 2009.

Oct. 5, 2010 External JK was convicted of the charges, sentenced to five years in prison with two years suspended, and ordered (symbolically) to repay SG’s €4.9 billion in losses. JK filed an appeal and remained free pending its hearing.

2011 External Markets became anxious over EU banks’ exposure to peripheral EU countries.

2012 External U.S. banks able to repurchase TARP stakes with new stock issuance.

Oct. 23, 2012 External JK’s appeal denied and his conviction upheld.

July 4, 2013 External Paris employment tribunal denied JK’s request to void his dismissal, levy a €4.9 billion fine on SG, and form an inquiry to question the justification of his conviction.
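The Mission Green findings in the chronology (May 20, 2008 entry, item 4(ii)) list the control triggers SG’s procedures lacked: deferred start dates, counterparties, and trade modifications and cancellations. The Python below is an added illustration, not code from SG, its internal audit, or PwC, of what such triggers look like when expressed as surveillance rules run over a batch of trade bookings and turned into alerts for investigation rather than for reporting only. The Trade fields, the set of counterparties holding a collateral agreement, the notional limit, the per-trader event threshold, and the sample batch are all constructed for this example; the mandatory-vacation trigger is not modelled.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Trade:
    """Minimal trade booking record (hypothetical schema for this example)."""
    trade_id: str
    trader: str
    counterparty: str      # "PENDING" when no counterparty has been identified yet
    notional_eur: float
    trade_date: date
    start_date: date       # later than trade_date for a deferred-start trade
    confirmed: bool        # a counterparty confirmation has been received and matched
    status: str            # "booked", "amended" or "cancelled"


# Hypothetical reference data: counterparties with which a collateral agreement is in place.
COLLATERAL_AGREEMENT = {"CPTY-A", "CPTY-B"}


def deferred_start_unconfirmed(trade):
    """Trigger on deferred start dates: a forward-starting trade that has not yet
    been confirmed is a booking whose confirmation has been postponed."""
    return trade.start_date > trade.trade_date and not trade.confirmed


def counterparty_trigger(trade, notional_limit):
    """Trigger on counterparties: an unidentified (pending) counterparty, or a large
    notional facing a counterparty that has no collateral agreement."""
    if trade.counterparty == "PENDING":
        return True
    return trade.counterparty not in COLLATERAL_AGREEMENT and trade.notional_eur > notional_limit


def amendment_trigger(trades, max_events):
    """Trigger on modifications and cancellations: count them per trader and
    flag anyone above the threshold so the pattern itself gets investigated."""
    events = Counter(t.trader for t in trades if t.status in ("amended", "cancelled"))
    return {trader: n for trader, n in events.items() if n > max_events}


def run_surveillance(trades, notional_limit=100e6, max_events=3):
    """Return (subject, reason) alerts for a batch of trades.
    Subjects are trade ids for per-trade triggers and trader ids for the per-trader trigger."""
    alerts = []
    for t in trades:
        if deferred_start_unconfirmed(t):
            alerts.append((t.trade_id, "deferred-start trade not confirmed"))
        if counterparty_trigger(t, notional_limit):
            alerts.append((t.trade_id, "pending or uncollateralised counterparty over limit"))
    for trader, n in amendment_trigger(trades, max_events).items():
        alerts.append((trader, f"{n} amendments/cancellations exceed {max_events}"))
    return alerts


# Constructed sample batch (hypothetical identifiers and amounts).
D = date(2008, 1, 2)
SAMPLE_TRADES = [
    Trade("T1", "TRD-1", "CPTY-A", 50e6, D, D, True, "booked"),                   # clean
    Trade("T2", "TRD-2", "PENDING", 30e6, D, date(2008, 1, 31), False, "booked"),  # deferred + pending
    Trade("T3", "TRD-2", "CPTY-Z", 500e6, D, D, True, "booked"),                  # no collateral, over limit
    Trade("T4", "TRD-2", "CPTY-A", 5e6, D, D, True, "amended"),
    Trade("T5", "TRD-2", "CPTY-A", 5e6, D, D, True, "cancelled"),
    Trade("T6", "TRD-2", "CPTY-A", 5e6, D, D, True, "cancelled"),
    Trade("T7", "TRD-2", "CPTY-A", 5e6, D, D, True, "amended"),                   # 4th event for TRD-2
]

if __name__ == "__main__":
    for subject, reason in run_surveillance(SAMPLE_TRADES):
        print(subject, reason)
```

Each rule is deliberately a small predicate so that the thresholds can be tuned by the control function and each alert carries the reason it fired; the point, as the findings note, is that an alert must be investigated and closed, not merely reported.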

What Actually Happened

Kerviel’s criminal trial lasted three weeks, during which the defense attorneys reinforced Kerviel’s claims that his managers at Société Générale were well aware of the nature and scale of his trading and encouraged him to continue, so long as he made profits. They highlighted that Kerviel did not derive any personal profit from his unauthorized trades. Société Générale’s attorneys, acting as co-plaintiff, acknowledged the failings in supervision and control described in the internal audit and PwC reports published in 2008, but rebutted any suggestion that the bank knowingly allowed Kerviel to conduct the unauthorized trading that resulted in its massive loss. Both parties had to wait another three months for the verdict, which caused a new uproar when it was announced on October 5, 2010. The three-judge panel found Kerviel guilty of all three charges—abuse of trust, forgery, and computer access abuse—and sentenced him to five years in prison with two suspended, ordering him to compensate Société Générale €4.9 billion (U.S.$7.1 billion) for its losses. No penalties or reprimands were directed at Société Générale at all. Kerviel’s attorneys immediately filed an appeal, while the severity of the sentence and Société Générale’s complete exoneration reignited media speculation that France’s financial establishment had colluded to label Kerviel as a scapegoat.

Kerviel’s appeal took another two years to be heard, but the result did not go in his favor. On October 24, 2012, the appeals judge upheld the trial verdict and sentence. However, Kerviel did not immediately go to jail or pay any of the compensation to Société Générale, the amount of which was clearly symbolic. In fact, he disappeared from public view after the appeal and only briefly reappeared in July 2013, to ask a Paris employment tribunal for his January 2008 dismissal by Société Générale to be overturned and an independent inquiry constituted to investigate the circumstances surrounding it. However, the tribunal rejected his request, leaving Kerviel to seek other options to delay or escape his sentence.

QUESTIONS

1. Could other DLP traders have manipulated GEDS’s transaction systems like Kerviel did?

2. Was it typical for middle office employees to be promoted to the front office?

3. When Kerviel worked in the middle office, did he show any unusual aptitude for manipulating the transaction systems?

4. Did DLP have any rules or disincentives designed to deter traders like Kerviel from undertaking unauthorized trading?

5. Why did Kerviel make such huge bets when he did not derive any personal benefit from the profits?

6. Had there been any previous instances or notifications of deficiencies in DLP’s controls?

7. Was Société Générale prudent in assigning sole responsibility for market risk oversight to trading management?

8. Did GEDS make effective use of market risk management?

9. Why did financial reporting catch the fraud, not trading management, operations, or risk management?

10. Had there been any previous instances or notifications of deficiencies in DLP’s transaction systems?

11. Why did operations employees fail to validate the explanations or escalate any of the many queries relating to Kerviel’s unauthorized trades?

12. Did Société Générale omit any information at the trial that might have exonerated Kerviel?

13. Did the Paris prosecutor have sufficient grounds for criminal charges against Kerviel?

14. Did Société Générale sufficiently admit its responsibility for the losses?

15. Was Société Générale so focused on achieving growth on many fronts that it neglected to invest in sufficiently robust systems and internal controls?

REFERENCES

MarketWatch. 2008. “Text of Daniel Bouton’s Letter to Customers and Shareholders Disclosing Société Générale’s Trading Losses.” January 24. www.marketwatch.com/story/letter-from-societe-general-ceo-to-customers-and-shareholders.

Société Générale. 2008. “General Inspection Department ‘Mission Green’ Summary Report.” May 20. www.societegenerale.com/sites/default/files/documents/Green_VA.pdf.

Société Générale. 2008. “Report of the Special Board Committee Investigating the Trading Losses.” May 23. www.societegenerale.com/sites/default/files/documents/rapportcomitespecialmai2008.pdf.

PricewaterhouseCoopers. 2008. “Summary of Diagnostic Review and Analysis of the Action Plan.” May 23. www.societegenerale.com/sites/default/files/documents/pricewatercooper.pdf.

Société Générale. “Annual Reports 1999–2007.” www.investor.socgen.com/phoenix.zhtml?c=69575&p=irol-results.

Kerviel, Jérôme. 2010. L’engrenage: Mémoires d’un trader (The Spiral: Memories of a Trader). Paris: Flammarion; pap. ed., J’Ai Lu, 2011.

ABOUT THE CONTRIBUTOR

Steve Lindo is a financial risk manager with more than 30 years’ experience managing risks in asset/liability management (ALM), funding, international fixed income, and alternative asset portfolios. His current role is Principal of SRL Advisory Services, an independent consulting firm specializing in risk governance, culture and education, risk strategy, measurement, and regulatory expertise, in the United States and internationally. His career includes U.S. and international risk management positions with Fifth Third Bancorp, GMAC Financial Services (now Ally Financial), Cargill Inc.’s proprietary financial trading group (today operating as Black River Investments and Carval Investors), First National Bank of Chicago (now part of JPMorgan Chase), and Lloyds TSB Bank. During 2008–2010, he undertook a two-year engagement as CEO of the Professional Risk Managers’ International Association (PRMIA), a nonprofit member organization with more than 75,000 members in 198 countries. He has a BA and an MA from Oxford University and speaks fluent French, German, Spanish, and Portuguese.


CHAPTER 24

The Role of VaR in Enterprise Risk Management Calculating Value at Risk for Portfolios Held by the Vane Mallory Investment Bank

ALLISSA A. LEE Assistant Professor of Finance, Georgia Southern University

BETTY J. SIMKINS Williams Companies Chair of Business and Professor of Finance, Oklahoma State University

You have to risk going too far to discover just how far you can really go. —Jim Rohn, adapted from T. S. Eliot

Vane Mallory is a large investment bank headquartered in New York. The firm is multifaceted, conducting normal investment banking activities such as underwriting and providing advising and brokerage services to its clients, but also trading on its own account through its trading desk.

You are a senior risk analyst at Vane Mallory investment bank. This is a new position for you and part of your responsibilities includes providing the value at risk (VaR) estimates to the chief risk officer (CRO) of the company, Christian Cross. You are responsible for reporting on two different portfolios:

1. A commodity portfolio that contains energy commodity assets.

2. An equity portfolio that contains stocks of firms based in the United States.

In your previous positions, you were not responsible for this calculation, and it is a relatively foreign concept to you. Accordingly, your boss, the chief risk officer, has given you a few days to acquaint yourself with the idea of VaR so you are prepared to calculate it accurately and efficiently. You did some research and talked to some of your colleagues, and found out quite a bit about VaR. A summary of your findings is included next.


RISK AND VALUE AT RISK OVERVIEW

There are many definitions of risk, but most relate to the possibility of an unexpected outcome. Risk is an inherent part of life for individuals, businesses, and corporations alike. Investment banks are no different, especially given the degree of innovation they have undertaken through the years. As regulations and markets change, profits can potentially decline. Consequently, other avenues must be discovered or created from which revenue can be generated. This process of financial innovation is fraught with risk. From the creation of mortgage-backed securities (MBSs) and collateralized mortgage obligations (CMOs), investment banks have been at the forefront of financial innovation. There are many types of risk, including market, credit, liquidity, operational, and legal risk.

There are various ways to measure risk. Risk is commonly thought of as volatility, which is measured by standard deviation. However, standard deviation is unconcerned with the direction of movement. Naturally, investors are not really worried about movement to the upside; it is the downside movement that is important. A measure of risk that focuses on downside movement is VaR. VaR is a key element of a firm’s enterprise risk management (ERM) strategy. One aspect of ERM involves the likelihood and magnitude of impact of events or circumstances to the firm’s objective, including both risks and opportunities. The concept of VaR encompasses this quite well and is an integral part of risk management.

Value at Risk

Risk metrics traditionally included valuation, sensitivity analysis, scenario analysis, and maybe even Monte Carlo simulations. VaR goes further: it blends the price-yield relationship with the likelihood of a market movement that is unfavorable. Correlation and leverage are taken into consideration, and a summary measure of portfolio risk is expressed in a single probabilistic statement (Jorion 2001, p. 27).

VaR was initially developed to measure market risk and has many applications, including risk management and measurement, financial control and reporting, and the computation of regulatory capital requirements. Investors can use VaR to analyze, with a given level of confidence, what is the worst-case scenario or how much they may lose in a given time period. Formally, “VaR described the quantile of the projected distribution of gains and losses over the target horizon. If c is the selected confidence level, VaR corresponds to the 1 – c lower-tail level” (Jorion, p. 22; see note 1). Intuitively, “VaR summarizes the worst loss over a target horizon with a given level of confidence” (p. 22).

History, Characteristics, and Assumptions of VaR

Value at risk is a risk management tool developed by Till Guldimann at J.P. Morgan in the 1980s. It was developed as a result of discussions surrounding the importance of “value risks” or “earnings risks.” The parties determined that value risks were of greater consequence, and VaR was born.

VaR is applicable to many different assets, including stocks, bonds, and derivatives as well as single assets or portfolios of assets. There are several methods that can be used to calculate VaR, including (1) the historical method (nonparametric delta normal), which uses past data; (2) the parametric method, which only requires the mean and standard deviation to be used (see note 2); or (3) the Monte Carlo method, which uses future or forecasted data. Additionally, either percentage VaR or dollar VaR can be obtained, depending on the preferred output result. Back-testing is extremely important with this technique. VaR is only an estimated worst-case scenario, and actual losses may surpass VaR. A loss that exceeds VaR is termed a “VaR break.” VaR is rooted in the statistical and probabilistic foundations of portfolio theory. There is no one VaR value. In fact, there are multiple VaRs, depending on the circumstances and inputs.

There are five primary underlying assumptions for VaR. They are as follows:

1. Stationarity. A 1 percent fluctuation in returns is equally likely to occur at any point in time.

2. Random walk of intertemporal unpredictability. Day-to-day fluctuations in returns are independent.

3. Nonnegativity (see note 3). Financial assets with limited liability cannot attain negative values.

4. Time consistency. All single-period assumptions hold over the multiperiod time horizon.

5. Distributional. Daily return fluctuations follow a normal distribution with a mean of zero and a standard deviation of 100 bp (see note 4) (Allen, Boudoukh, and Saunders 2004, 8–9).

With respect to the assumptions, the most obvious flaw is with the distributional assumption. Stock returns, in particular, have repeatedly been shown to not follow a normal distribution historically. However, using log returns can compensate for this issue.

Advantages and Criticisms of VaR

Like any measure, value at risk has pros and cons. There are several advantages to using VaR as a risk management measure. First, it provides a measure of total risk that is fairly easy to understand and explain. Second, as previously mentioned, it can measure the risk of many types of securities, including stocks, bonds, commodities, foreign exchange, and off-balance-sheet derivative assets like futures, forwards, swaps, and options. Also, VaR possesses very nice portfolio applications. It translates the concept of portfolio volatility into a dollar value and can be useful for monitoring and controlling risk inside a portfolio. Last, comparisons can be made between a portfolio and a market portfolio (see note 5).

No measure is perfect, though, and several criticisms of VaR exist; all measures have shortcomings that must be taken into consideration. Critics such as Nassim Taleb (1997) have professed the following: (1) VaR is somewhat of an untested model, ignoring 2,500 years of experience, and claims to estimate risks of “rare events,” which is virtually impossible; (2) using VaR could provide a false sense of security that could lead to excessive risk taking and use of leverage; and (3) VaR ignores the tails and focuses on risks near the center of the distribution that are more manageable. This last criticism was suggested by David Einhorn (2008).

Additionally, many misuse VaR and its implications, which can be dangerous. VaR is not a worst-case scenario or a maximum tolerable loss. In fact, losses can be incurred multiple times per year that surpass the one-day 1 percent VaR. The main concern of risk management should be on what happens when a loss is incurred that is greater than VaR, not on VaR itself. Further, assuming that a loss will be less than a multiple of VaR (even two to three times) is dangerous. Last, VaRs should not be reported unless they are back-tested (see note 6).

Calculating Value at Risk

There are five basic steps to calculating value at risk. They are as follows:

The dollar value at risk equation is as follows (see note 7):

$$\mathrm{VaR}^{\$}_{\alpha} = \text{AssetMktValue} \times \text{Variability} \times \text{NormDistFactor} \times \sqrt{\frac{\text{Holding period}}{\text{Trading days per year}}}$$

Additionally, there is another presentation of the dollar VaR equation that utilizes slightly different inputs (see note 8):

$$\mathrm{VaR}^{\$}_{\alpha} = \text{AssetMktValue} \times \left[1 - \exp\left(z_{\alpha} \times \sigma + \mu\right)\right]$$

As mentioned previously, percentage VaR can also be calculated. The steps are similar to those for the dollar VaR, with a few differences:

• Obtain the periodic log returns and then calculate the average log return.

• Calculate the volatility of the log returns. The variance can be found using VARP in Microsoft Excel and then taking the square root to find the standard deviation. Alternatively, STDEVP in Microsoft Excel can be used to find the standard deviation directly. Note: Both the VARP and STDEVP functions utilize the population version of the formula.

• Calculate VaR using the following equation once the desired confidence level has been selected.

The percentage VaR equation is:

$$\mathrm{VaR}^{\%}_{\alpha} = z_{\alpha}\,\sigma$$

The equations just presented are for individual assets. A similar approach can be used for portfolios of multiple assets. Simply return to theories surrounding portfolios by finding the weighted average portfolio return, and obtain the volatility of the portfolio. Matrix applications are quite helpful in calculating portfolio volatility utilizing the concept of covariance. The portfolio VaR equation is:

$$\mathrm{VaR}^{\$}_{\alpha} = z_{\alpha}\,\sigma_{p} \times \text{PortfolioValue}$$

The standard deviation of the portfolio can be computed using percentage weights or dollar values of each asset within the portfolio. The end results are identical with either approach.

Confidence levels are self-selected in the VaR model. Obviously, choosing higher confidence levels will yield more precise VaR estimates; however, lower confidence levels provide estimated VaRs that are broader and more informative. Exhibit 24.1 contains several different confidence levels as well as the associated normal distribution factor or z value.

Dollar VaR: One-Asset Example

The mark-to-market value of the investment is $85 million. The standard deviation (variability) of the asset is 20 percent. Using a holding period of seven business days and a confidence level of 99 percent, what is the value at risk for this investment?

$$\mathrm{VaR}^{\$}_{1\%} = \$85\text{ million} \times 0.20 \times 2.33 \times \sqrt{\frac{7}{252}} = \$6{,}601{,}666.67$$

Exhibit 24.1 Various Confidence Levels and Associated Alphas as Well as the z Value or Normal Distribution Factor Utilized in VaR Calculations

Confidence Level   Alpha (α)   z Value or Normal Distribution Factor
99.9%              0.10%       ±3.09
99.5%              0.50%       ±2.58
99.0%              1.00%       ±2.33
97.5%              2.50%       ±1.96
95.0%              5.00%       ±1.65
90.0%              10.00%      ±1.23

The interpretation: You are 99 percent confident that the loss will not exceed about $6.6 million.

Percentage VaR: One-Asset Example

Using the following information for stock XYZ, calculate VaR at the 95 percent level. Note: A short horizon is used for illustrative purposes only. A longer horizon should be used for actual calculations.

Date      Adjusted Closing Price   Periodic ROR
Dec. 9    $714.84
Dec. 10   $718.42                  0.50%
Dec. 11   $699.20                  –2.71%
Dec. 12   $699.35                  0.02%
Dec. 13   $694.05                  –0.76%
Dec. 14   $689.96                  –0.59%

First, the periodic rate of return (ROR) is found by taking the natural logarithm of each day’s adjusted closing price divided by the prior day’s. Next, the average daily periodic ROR is obtained by finding the simple average. It is –0.7085 percent. Third, the volatility must be calculated. This can be obtained by taking the square root of the variance (VARP in MS Excel) or by calculating the standard deviation directly (STDEVP in MS Excel). The variance is 0.0001, and the standard deviation is 1.0974 percent. Using the confidence level provided, VaR can be calculated. The normal distribution factor for the 95 percent level is 1.65.

$$\mathrm{VaR}^{\%}_{5\%} = 1.65 \times 1.0974\% = 1.8108\%$$

The interpretation: You are 95 percent confident that the worst loss will not exceed about 1.81 percent.

Exhibit 24.2 illustrates the distribution of VaR with 99 percent and 90 percent confidence levels as well. VaR at the 99 percent level is 2.56 percent, and it is 1.35 percent at the 90 percent confidence level.

YOUR TASK: CALCULATING PORTFOLIO VAR FOR VANE MALLORY

As noted previously, your boss tasked you with reporting VaR for several of the firm’s portfolios. The CRO wants all portfolio VaRs reported at both the 90 percent and 99 percent confidence levels to gather as much information as possible about potential losses.

Christian Cross, the CRO of Vane Mallory, asked you to report on two portfolios. Each portfolio is equally weighted and contains five assets. One portfolio is comprised of energy commodities. The second portfolio you are responsible for monitoring contains equities. Information about the portfolios is provided next.

[Figure: Exhibit 24.2 Potential Percentage VaR Losses (Gains) Based on the Various Confidence Levels or Probabilities. Bar chart of the return distribution with x-axis "VaR (Percentage)" labeled at –4.68%, –2.55%, –0.92%, –0.14%, 0.14%, 0.92%, 2.55%, and 4.68%, and y-axis "Probability" from 0% to 50%.]

Portfolio 1: Energy Commodities

The firm holds a portfolio comprised of five different energy commodities: West Texas Intermediate (WTI) crude oil, Brent crude oil, natural gas, propane, and jet fuel. The firm invests equally in each asset. The current value of the portfolio is $50 million. Five years of monthly spot prices are used to determine the VaR inputs. All data were obtained from the U.S. Energy Information Administration, a division of the U.S. Department of Energy, for the period of 2008 to 2012.

The use of matrix applications in Microsoft Excel is convenient when analyzing portfolios. The expected return of the portfolio is 0.1484 percent, and the volatility (standard deviation) is 7.6366 percent. The covariance matrix and other important information are included in Exhibit 24.3. At the 90 percent and 99 percent confidence levels, the VaRs are approximately $4,696,515 and $8,896,649, respectively. The calculations are as follows:

$$\mathrm{VaR}^{\$}_{10\%} = 1.23 \times \$50\text{ million} \times 7.6366\% = \$4{,}696{,}515$$

$$\mathrm{VaR}^{\$}_{1\%} = 2.33 \times \$50\text{ million} \times 7.6366\% = \$8{,}896{,}650$$

Portfolio 2: Equities

This portfolio is comprised of the following equities (ticker): Alcoa, Inc. (AA), Citigroup, Inc. (C), Cisco Systems, Inc. (CSCO), Pfizer, Inc. (PFE), and Anadarko Petroleum Corporation (APC). The current value of the portfolio is $50 million, with $10 million invested in each company. One year (252 days) of asset returns are used in construction of VaR components. All asset prices were obtained from Yahoo! Finance for the period of May 22, 2012, through May 24, 2013.

Exhibit 24.3 The Covariance Matrix as Well as the Expected Return and Standard Deviation for Each Portfolio

Panel A: Energy Commodities Covariance Matrix

              WTI      Brent Crude   NatGas   Propane   Jet Fuel
WTI           0.0094   0.0081        0.0011   0.0066    0.0074
Brent Crude   0.0081   0.0083        0.0012   0.0070    0.0074
Nat Gas       0.0011   0.0012        0.0123   0.0019    0.0016
Propane       0.0066   0.0070        0.0019   0.0099    0.0067
Jet Fuel      0.0074   0.0074        0.0016   0.0067    0.0080
Expected Return (Portfolio): 0.0015
Standard Deviation (Portfolio): 0.0764

Panel B: Equities Covariance Matrix

        AA       C        CSCO     PFE      APC
AA      0.0002   0.0002   0.0001   0.0000   0.0002
C       0.0002   0.0004   0.0001   0.0001   0.0002
CSCO    0.0001   0.0001   0.0003   0.0000   0.0001
PFE     0.0000   0.0001   0.0000   0.0001   0.0000
APC     0.0002   0.0002   0.0001   0.0000   0.0003
Expected Return (Portfolio): 0.0014
Standard Deviation (Portfolio): 0.0119

Using matrix applications in Microsoft Excel, the expected return of the portfolio is 0.1440 percent, and the standard deviation is 1.1893 percent. The covariance matrix and associated calculations are provided in Exhibit 24.3, as a point of reference.

At the 90 percent confidence level, the VaR of the equity portfolio is approximately $731,409, while at the 99 percent confidence level the VaR is approximately $1,385,514. The calculations are:

$$\mathrm{VaR}^{\$}_{10\%} = 1.23 \times \$50\text{ million} \times 1.1893\% = \$731{,}409$$

$$\mathrm{VaR}^{\$}_{1\%} = 2.33 \times \$50\text{ million} \times 1.1893\% = \$1{,}385{,}514$$
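The one-asset dollar VaR, the stock XYZ percentage VaR, and the energy portfolio VaR above, carried through in code as an added example (not the book’s own code): the z values, the XYZ price series, and the Exhibit 24.3 Panel A covariance matrix are copied from the chapter, while the function names and the VaR-break counter are this example’s own. Because the printed matrix is rounded to four decimals, the portfolio figures agree with the chapter’s to within a few thousand dollars.

```python
"""Parametric (delta-normal) VaR worked as in the chapter.

Added example, not the book's own code. Prices and the covariance matrix
below are copied from the chapter's worked examples (stock XYZ, Exhibit 24.3);
the function names are this example's own. Population statistics are used
throughout, matching Excel's VARP/STDEVP as the chapter does.
"""
import math
from typing import Sequence

# Normal distribution factors exactly as listed in Exhibit 24.1
# (the chapter uses 1.23 for the 90 percent level).
Z_VALUES = {0.999: 3.09, 0.995: 2.58, 0.99: 2.33, 0.975: 1.96, 0.95: 1.65, 0.90: 1.23}

TRADING_DAYS_PER_YEAR = 252  # note 7 of the chapter


def log_returns(prices: Sequence[float]) -> list:
    """Periodic log return ln(P_t / P_{t-1}) for each consecutive pair of prices."""
    return [math.log(p1 / p0) for p0, p1 in zip(prices, prices[1:])]


def mean(xs: Sequence[float]) -> float:
    return sum(xs) / len(xs)


def pop_std(xs: Sequence[float]) -> float:
    """Population standard deviation (Excel STDEVP), not the sample version."""
    m = mean(xs)
    return math.sqrt(sum((x - m) ** 2 for x in xs) / len(xs))


def pct_var(returns: Sequence[float], confidence: float) -> float:
    """Percentage VaR: VaR% = z_alpha * sigma, returned as a fraction (0.0181 = 1.81%)."""
    return Z_VALUES[confidence] * pop_std(returns)


def dollar_var(market_value: float, volatility: float, confidence: float,
               holding_days: int) -> float:
    """Dollar VaR with the holding-period scaling sqrt(holding days / trading days)."""
    scale = math.sqrt(holding_days / TRADING_DAYS_PER_YEAR)
    return market_value * volatility * Z_VALUES[confidence] * scale


def portfolio_std(weights: Sequence[float], cov: Sequence[Sequence[float]]) -> float:
    """sigma_p = sqrt(w' Sigma w), written out without numpy."""
    n = len(weights)
    variance = sum(weights[i] * weights[j] * cov[i][j]
                   for i in range(n) for j in range(n))
    return math.sqrt(variance)


def portfolio_dollar_var(value: float, weights: Sequence[float],
                         cov: Sequence[Sequence[float]], confidence: float) -> float:
    """VaR$ = z_alpha * sigma_p * PortfolioValue. No holding-period scaling here:
    the covariance matrix is already at the horizon of the returns it was built from."""
    return Z_VALUES[confidence] * portfolio_std(weights, cov) * value


def var_breaks(returns: Sequence[float], var_pct: float) -> int:
    """Back-test helper: count periods whose loss exceeded VaR (a 'VaR break').
    Compare the count with alpha * len(returns) to judge whether the model holds."""
    return sum(1 for r in returns if -r > var_pct)


# Stock XYZ adjusted closes, Dec. 9 to Dec. 14, from the chapter's percentage VaR example.
XYZ_PRICES = [714.84, 718.42, 699.20, 699.35, 694.05, 689.96]

# Exhibit 24.3, Panel A: covariance matrix of the five energy commodities
# (WTI, Brent, NatGas, Propane, Jet Fuel), rounded to four decimals as printed.
ENERGY_COV = [
    [0.0094, 0.0081, 0.0011, 0.0066, 0.0074],
    [0.0081, 0.0083, 0.0012, 0.0070, 0.0074],
    [0.0011, 0.0012, 0.0123, 0.0019, 0.0016],
    [0.0066, 0.0070, 0.0019, 0.0099, 0.0067],
    [0.0074, 0.0074, 0.0016, 0.0067, 0.0080],
]
EQUAL_WEIGHTS = [0.2] * 5


if __name__ == "__main__":
    # One-asset dollar VaR: $85 million, 20% volatility, 7 days, 99% -> about $6.60 million
    print(f"Dollar VaR: ${dollar_var(85e6, 0.20, 0.99, 7):,.2f}")
    # Stock XYZ at the 95% level: about 1.81%
    rets = log_returns(XYZ_PRICES)
    v = pct_var(rets, 0.95)
    print(f"XYZ mean {mean(rets):.4%}, sigma {pop_std(rets):.4%}, VaR {v:.4%}")
    print(f"VaR breaks in sample: {var_breaks(rets, v)} (expected about {0.05 * len(rets):.2f})")
    # Energy portfolio, $50 million, at 90% and 99%
    for c in (0.90, 0.99):
        print(f"Energy VaR at {c:.0%}: ${portfolio_dollar_var(50e6, EQUAL_WEIGHTS, ENERGY_COV, c):,.0f}")
```

The var_breaks count is the back-test the chapter insists on: on a real return history, a count well above α times the number of periods means the VaR model is understating risk.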

The table presented in Exhibit 24.4 includes data for Apple (AAPL) and Hypercom (HYC). Question 7 will use the information in Exhibit 24.4 to have the reader conduct similar VaR calculations, using Apple Computer and Hypercom as the equities analyzed.

Exhibit 24.4 Data for Apple (AAPL) and Hypercom (HYC)

AAPL
Date      Adj. Close   Periodic ROR
31-Dec    $322.56
3-Jan     $329.57      2.15%
4-Jan     $331.29      0.52%
5-Jan     $334.00      0.81%
6-Jan     $333.73      −0.08%
7-Jan     $336.12      0.71%
10-Jan    $342.45      1.87%
11-Jan    $341.64      −0.24%
12-Jan    $344.42      0.81%
13-Jan    $345.68      0.37%
14-Jan    $348.48      0.81%
Average                0.7729%
Variance               0.0051%
Volatility             0.7125%

HYC
Date      Adj. Close   Periodic ROR
30-Sep    $3.10
1-Oct     $2.97        −4.28%
2-Oct     $2.90        −2.39%
5-Oct     $2.98        2.72%
6-Oct     $3.07        2.98%
7-Oct     $3.11        1.29%
8-Oct     $3.04        −2.28%
9-Oct     $3.04        0.00%
12-Oct    $3.07        0.98%
13-Oct    $3.13        1.94%
14-Oct    $3.14        0.32%
15-Oct    $3.09        −1.61%
16-Oct    $3.04        −1.63%
19-Oct    $3.02        −0.66%
20-Oct    $2.94        −2.68%
21-Oct    $2.99        1.69%
22-Oct    $3.01        0.67%
23-Oct    $3.27        8.28%
26-Oct    $3.11        −5.02%
27-Oct    $3.02        −2.94%
28-Oct    $3.00        −0.66%
29-Oct    $3.00        0.00%
30-Oct    $2.85        −5.13%
Average                −0.3822%
Variance               0.0882%
Volatility             2.9704%

CONCLUSION

Value at risk possesses many attractive features that can be useful when applied appropriately. Of course, understanding the limitations of VaR is essential, and such factors must be incorporated when applicable. VaR should never be thought of as a worst-case scenario, but should be considered carefully and used in conjunction with a broad-ranging risk management program. Till Guldimann, head of J.P. Morgan Global Research, stated: “RiskMetrics isn’t a substitute for good management, experience, and judgment. It’s a toolbox, not a black box” (Jorion 2001, p. 29).

QUESTIONS

1. Actual losses __________ the calculated level of VaR can occur:
   (a) greater than
   (b) less than
   (c) equal to
   (d) both b and c
   (e) all of the above

2. VaR is:
   (a) an exact science that yields exact estimates.
   (b) an educated estimate of market risk.
   (c) a risk management tool.
   (d) the variability of a portfolio.
   (e) both b and c.

3. Back-testing VaR is:
   (a) not relevant. All of the underlying assumptions are correct and hold in reality. Similar assumptions are used in most financial models.
   (b) extremely important. There are many underlying assumptions, which may or may not hold in reality.
   (c) a waste of time. It’s just a guess after all.

4. Which assumption underlying VaR is the most important yet most questionable?
   (a) Distributional
   (b) Nonnegativity
   (c) Random walk
   (d) Stationarity
   (e) Time consistency

5. You may have noticed that VaR is reported as a positive number. What would a negative VaR suggest?
   (a) VaR is undefined.
   (b) Losses could be really, really bad.
   (c) There is a high likelihood of making a profit.

6. Assume a portfolio is currently worth $250 million. If the portfolio has volatility of 12 percent and a holding period of 15 business days, what is the VaR estimate with 97.5 percent confidence? Now assume the portfolio has volatility of 35 percent, what is the VaR estimate? Interpret the results. Discuss the difference in the estimates obtained.

7. See Exhibit 24.4, which contains the daily adjusted closing prices for Apple, Inc. (AAPL) in 2009 as well as the periodic daily log returns. Calculate the daily 1 and 5 percentage VaR for Apple and interpret the results.

8. Exhibit 24.4 reports the daily adjusted closing prices and periodic daily log returns for Hypercom Corp (HYC) in 2009. Calculate the 0.1 and 2.5 percentage VaR for HYC.

9. Calculate the monthly VaR at the 99 percent and 90 percent confidence level for various market segments given below. These are average value weighted returns obtained from http://mba.tuck.dartmouth.edu/pages/faculty/ken.french/data_library.html. The data include monthly returns from July 1926 through December 2010. Assume a current portfolio value of $100,000.

Industry   Consumer   Manufacturing   High Tech   Health   Other
Mean       0.0099     0.0098          0.0093      0.0107   0.0090
St. Dev    0.0539     0.0558          0.0569      0.0575   0.0656
VaR

10. Discuss the VaR amounts obtained in question 9. Be sure to include the pros and cons of using a 90 percent versus a 99 percent confidence level.


11. What happens when markets are behaving irrationally? Do VaR estimates hold up in these types of circumstances?

NOTES

1. Alternatively, some sources will use z as the confidence level instead of c. The approaches are identical; it is simply a notational difference.

2. The parametric method for calculating VaR is commonly used, and the only variables needed to do the calculation are the estimated mean and standard deviation of the portfolio. This method assumes that returns from portfolios are normally distributed.

3. Note: Derivatives can violate this assumption.

4. Here, bp represents the common abbreviation of basis points. A basis point is 1/100th of a percent.

5. Most portfolios are compared against a benchmark, with the most common benchmarks being the market portfolio, such as an index for the overall market performance in a country. For example, in the United States, the common market portfolios are the Dow Jones Industrial Average (DJIA) and the Standard & Poor’s 500 index.

6. The purpose of back-testing is to estimate the performance of a strategy as if it had been employed during a past period. Detailed historical data are needed to implement this procedure. VaR must be used with care, and that is why back-testing is highly recommended.

7. The number of trading days per year is 252.

8. Here and throughout the remainder of this chapter, σ represents volatility (variability), which is proxied by standard deviation, and μ is the mean or expected mean return. Additionally, z is the zα value or normal distribution factor. Exp represents the exponential function.

REFERENCES

Allen, Linda, Jacob Boudoukh, and Anthony Saunders. 2004. “Introduction to Value at Risk (VaR).” In Understanding Market, Credit, and Operational Risk: The Value at Risk Approach. Oxford, UK: Blackwell Publishing.

Einhorn, David. 2008. “Private Profits and Socialized Risk.” Global Association of Risk Professionals Risk Review (June/July). www.garpdigitallibrary.org/download/GRR/2012.pdf.

Jorion, Philippe. 2001. Value at Risk. 2nd ed. New York: McGraw-Hill.

Taleb, Nassim. 1997. “The World According to Nassim Taleb.” Derivatives Strategy, December/January. http://derivativesstrategy.com/magazine/archive/1997/1296qa.asp.

ABOUT THE CONTRIBUTORS

Allissa A. Lee, PhD, is an Assistant Professor of Finance in the College of Business Administration at Georgia Southern University. Previously she was a visiting assistant professor of finance in the Spears School of Business at Oklahoma State University and the McCoy College of Business Administration at Texas State University–San Marcos. Dr. Lee has contributed to several academic publications, including in the Journal of Banking and Finance, and has presented at various academic conferences. Her research interests are varied and include mergers and acquisitions, banking, real estate, corporate issues, and journal citations. She earned her PhD in finance from Oklahoma State University. Before returning to academia, Allissa worked in the mortgage industry for MidFirst Bank.

Betty J. Simkins, PhD, is Williams Companies Chair of Business and Professor of Finance at Oklahoma State University. Betty received her PhD from Case Western Reserve University. She has had more than 50 publications in academic finance journals. She has won awards for her teaching, research, and outreach, including the top awards at Oklahoma State University: the Regents Distinguished Research Award and the Outreach Excellence Award. Her primary areas of research are risk management, energy finance, and corporate governance. She serves on the editorial boards of nine academic journals, including the Journal of Banking and Finance; is past co-editor of the Journal of Applied Finance; and is past president of the Eastern Finance Association. She also serves on the Executive Advisory Committee of the Conference Board of Canada’s Strategic Risk Council. In addition to this book, she has published two others: Energy Finance and Economics: Analysis and Valuation, Risk Management and the Future of Energy and Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives. Prior to entering academia, she worked in the corporate world for ConocoPhillips and Williams Companies. She conducts executive education courses for companies globally.

CHAPTER 25

Uses of Efficient Frontier Analysis in Strategic Risk Management A Technical Examination

WARD CHING Vice President, Risk Management Operations, Safeway Inc.

LOREN NICKEL, FCAS, CFA, MAAA Regional Director and Actuary, Aon Global Risk Consulting

Over the past 25 years, the use of advanced quantitative financial and behavioral analysis has received increasing attention in an attempt to better understand and predict the performance impact on hazard risk portfolios. The limitations of single discipline modeling and decision making, which can lead to misreading of financial and performance risks across broad operational categories, were highlighted by the collapse of the financial markets in mid-2007. The need to answer broader risk questions has motivated the risk management industry (i.e., insurance, actuarial, finance, audit, and operations) to recalibrate and redirect core analytical protocols toward a more integrated approach.

The effort to take advantage of complex data techniques was, in part, stimulated by the evolving risk management framework integration into what is now being modestly referred to as enterprise risk management (ERM) or strategic risk management (SRM).1

Within the 2013 Risk and Insurance Management Society (RIMS) SRM Implementation Guide, the concept of strategic risk management is defined as a “business discipline that drives the deliberations and actions surrounding business-related uncertainties, while uncovering untapped opportunities reflected in an organization’s strategy and execution.”

What distinguishes this definition from previous descriptions of enterprise-wide risk management (ERM) approaches is the effort to sustainably deliver a robust fact-based strategic dialogue across the entire organization. This new strategic dialogue requires an analytical framework that is dynamic and encompasses all areas of an enterprise. In this chapter, we demonstrate how the use of efficient frontier analysis (EFA), and many of its derivative techniques, provides a robust portfolio approach to hazard, operational, market, and reputational risk domains.

STRATEGIC RISK MANAGEMENT FRAMEWORK EXAMINED

One of the most important ways SRM is beneficial for an organization is its ability to create opportunities for interaction and risk discovery (sometimes called “risk sensing”) across organizational boundaries. This has not always been the case with previous ERM frameworks, where conceptual frameworks were overly formalized and yielded very narrow risk estimates. For most active SRM practitioners, this has proven not to be the case. Even in the area of insurance, where dialogues around risk estimates of frequency and severity are common, the effort to cross internal organizational boundaries has sometimes been met with significant resistance or dismissal.

An illustration of the SRM approach as described by RIMS is shown in Exhibit 25.1.

While first impressions might suggest that the SRM framework is a closed system, in actuality it is a continuous cycle with a robust opportunity for various parts of an organization to recognize and examine risk profiles within the context of a strategy setting, with the focus toward establishing the trade-off between risk transfer and risk assumption.

Moreover, the notion of risk appetite and risk tolerance combined with scenario and stress testing speaks to a more comprehensive analytical framework.2

The intent of this framework is to drive a different set of “analytically informed” discussions among decision makers who may also be asking whether the risk profile of the organization constitutes a competitive opportunity.

[Figure: Exhibit 25.1 Strategic Risk Management Diagram. Source: RIMS Strategic Risk Management Implementation Guide 2012. A cycle linking Strategy, Risk Control Framework, Risk Appetite Framework, Scenario and Stress Testing, Integrated Enterprise Risk Profile, and Emerging & Dynamic Risks. Annotations: “Strategic objectives, strategic risks, and risks arising from plans to meet objectives”; “Untapped opportunities”; “Scenario and stress testing used for: calculation of investment, resource needs, capital allocation; revising risk appetite positions and control actions; guiding strategy adjustments”; “Risk appetite and tolerance statements for key risk categories are used to reframe risks as opportunities and to position control framework.”]

As Fox and Merrifield point out:

Strategic risk management focuses on the risks that may impede or accelerate the organization’s strategic objectives for creating value, whether that value is expressed as market share, profit, service provision, donor levels, social impact, or other benefit. Strategic risk management serves as a source of competitive advantage for decision making in two aspects: risk to the objectives themselves and risks arising from the plans to meet the objectives. While many organizations include risks to the objectives themselves, little consideration generally is given to the risks arising from the plans to meet the objectives, nor to the additional opportunities evolving from the underlying strategy and from emerging and dynamic risks. When addressed early and linked to the control framework, strategic adjustments can be made relatively quickly.

Fox and Merrifield, RIMS Strategic Risk Management Implementation Guide, 2013

The fundamental difference between traditional risk assessment and SRM is the conscious effort to define advantage or exploitable risk profiles that can be used to sustainably differentiate or distinguish the organization in a competitively noisy environment.

MODERN PORTFOLIO THEORY AS A FOUNDATION FOR EFFICIENT FRONTIER ANALYSIS

Modern portfolio theory (MPT) is a mathematical method developed in the early 1950s and built out through the mid-1970s as a theory of finance that focuses on the maximization of portfolio return while minimizing the risk for a given amount or level of expected return, by specifically choosing the proportions of various assets contained in the portfolio. For the most part, MPT consists of a number of mathematical formulations that simulate and identify the impact of a risk-adjusted strategy investment diversification where the portfolio risk profile is collectively lower in value or volatility than any one asset.

In general, MPT models asset returns as a normally distributed function and recognizes risk as the standard deviation of return where the portfolio is viewed as the weighted combination of assets. Thus, the return of a given portfolio is considered the weighted combination of the asset return streams (Markowitz 1952).

Expected return is characterized as:

$$E(R_p) = \sum_{i} w_i\,E(R_i)$$

where $R_p$ is the return on the portfolio, $R_i$ is the return on asset $i$, and $w_i$ is the weighting of asset $i$, which represents the share of asset $i$ in the overall portfolio.

The operational concept behind MPT is that the assets in an investment portfolio should not be selected individually but should consider how their relative prices and values change across the portfolio. For many, this speaks to the relative trade-offs between calculated risk and expected return. Therefore, MPT would argue that assets and investments with higher expected returns attract higher measurable levels of risk. If the objective is to maximize the highest possible return on a portfolio of performing assets, MPT provides a way to describe and select those assets and investments that fit the return demand.

From an SRM perspective, within any operating organization there exists a series of hazard, operational, market, human capital, and reputational risks. These risks, while generally identified and mitigated separately, in fact exist in an integrated operational space—a risk portfolio. The essential questions that MPT can attempt to answer are:

• What is the economic value of an organization’s material risk profile when characterized as a financial portfolio?

• How can the economic and operational volatility of an organization’s risk profile be characterized dynamically and intertemporally?

• Are an organization’s risk mitigation strategies and methods efficiently matching an organization’s risk profile?

• If an organization changes its operations in a material way, what impact can be visualized across the organization’s risk portfolio?

• Given the financial and operational activities of an organization, can an efficient3 risk profile be determined? What trade-offs might be required to achieve an efficient risk profile? Efficiency could be defined as maximizing the contractual financial return relative to the expected utility of risk transferred to a third party. If the trade is equal—in other words, the price of the transference effectively matches the economic dynamics of the risk—then the trade may be considered efficient for both parties.

• If risk retention and risk transfer are considered two independent variables in an organization’s risk profile distribution, how can the value of risk retention and risk transfer be maximized throughout an organization’s insurance purchasing approach?

The approach to answering these questions is found in a number of mathematical techniques within MPT, notably efficient frontier analysis (EFA), dynamic financial analysis (DFA), the capital asset pricing model (CAPM), or some other behavioral economic analysis of choice under conditions of information uncertainty. For the purpose of this chapter and its case study, we focus on the use of EFA within an insurance purchasing context.

It is important, however, to point out that some assumptions contained within the original MPT framework have been controversial and have generated a lively debate, with strong arguments on both sides, within the academic and practitioner literature.4

The key assumptions include:

• The owners of portfolios are exclusively interested in the optimization problem.

• Asset returns are jointly normally distributed and random.

• Expected correlations between assets are fixed and constant without a time frame, in effect, forever.

• All parties to the use or exploitation of the portfolio always maximize economic utility regardless of other information, expectations, or considerations.

• All parties to the portfolio are considered rational and risk-averse.

• All parties to the portfolio performance have consistent, timely, and the same information at all points in time.


USES OF EFFICIENT FRONTIER ANALYSIS IN STRATEGIC RISK MANAGEMENT 505

• All parties have the ability to accurately conceptualize and calculate the possible distribution of returns to the portfolio, and these calculations, in fact, match the actual returns of the portfolio.

• The performance of the portfolio is free of tax or transaction costs, and there is no transactional or postreturn friction.

• All parties to the portfolio are considered price takers, and their behaviors and choices do not influence the price market for the portfolio.

• Like the transactional or postreturn friction assumption, capital to invest in the portfolio is free and without an encumbering interest rate.

• A priori risk volatility can be conceptualized, calculated, and known in advance of the portfolio’s construction, including asset/investment selection. Also, the portfolio’s risk volatility is constant except when significant or material changes to the asset/investment distribution are made.5

For many, the primary criticism of the MPT model and many of its derivative subanalytics is that the assumptions are overly restrictive and do not adequately model real-world markets. Critics view MPT output as mathematical predictions about the future, because many of the risk distributions, return calculations, and hypothesized correlations in the MPT approach rest on expected values. Expected values are themselves estimates drawn from statistical distributions, so they may be inaccurate because of misspecification or may be overtaken by new market information or circumstances.

Nonetheless, MPT and the use of EFA represent powerful ways to generate insight into portfolio performance and the prospective efficiency of individual portfolio components, which is a key step in implementing a strategic risk management philosophy.

PRACTICAL APPLICATIONS OF RISK MEASUREMENT FOR INSURANCE

Now we begin our journey through the practical application of risk theory applied to insurance risk and portfolios. The purpose of the process is to optimize insurance placements and risk limits for a relevant organization. We will start with a basic understanding of the terminology, knowledge, and skills needed for a proper analysis, and then dive into the details and calculations necessary for a robust study. In the end, we will establish that this process can transcend insurance and be used in alternative risk transfer, noninsurance settings.

For the purposes of working through a real-life example, we need to establish insurance equivalents for the portfolio theory formulas. What follows is a list of definitions that we will use throughout this chapter and the equivalent portfolio theory definition.

From the previous section, we bring forward the standard portfolio theory formulas for the expected return along the capital allocation line and for the variance of a two-asset portfolio:

$$E(r_c) = r_f + y\,[E(r_p) - r_f]$$

$$\sigma_p^2 = w_A^2\,\sigma_A^2 + w_B^2\,\sigma_B^2 + 2\,w_A w_B\,\sigma_A \sigma_B\,\rho_{AB}$$

Expected risk spend, $E(rs_p)$, replaces expected return, $E(r_p)$.


Here the expected risk spend on an insurance portfolio, $E(rs_p)$, replaces the expected return on an asset portfolio, $E(r_p)$. The expected risk spend is defined as the expected losses not transferred under the insurance contract plus the cost of the insurance contract. The expected risk spend depends on the contract at hand, and will differ (often significantly) between the contracts analyzed.

The risk-free rate is replaced by an insurance portfolio with no risk transfer (i.e., an uninsured risk line/portfolio).

The intent here is to set the baseline at no insurance purchase and determine whether insurance will actually lower the risk to the organization. If it does, then insurance should be purchased. If it does not, insurance should not be purchased. In other words, on the capital allocation line you want, for a given level of risk, the portfolio with the highest return; here you want the risk portfolio with the lowest losses outside of the insurance contract for a given level of risk. Minimizing the retained losses is the insurance equivalent of maximizing return.

Visually, in our insurance example, you want to pick the bottom of the portfolio efficient frontier and not the top along the capital allocation line as in typical portfolio theory.

Tail value at risk of loss, $\mathrm{TVaR}_L$, replaces the standard deviation of assets A, B, C, . . .

Tail value at risk, also known as tail conditional expectation (TCE) or conditional tail expectation (CTE), is a risk measure associated with the more general value at risk. It quantifies the expected value of the loss given that an event outside a given probability level has occurred.6

Modern Portfolio Theory (MPT)

Given a portfolio of A, one would prefer B, C, or D as compared to A as shown in Exhibit 25.2.

Exhibit 25.2 MPT Portfolio Preference (chart: x-axis Standard Deviation of Return, y-axis Expected Return; portfolios A, B, C, and D plotted)


Exhibit 25.3 Efficient Frontier Framework Portfolio Preference (chart: y-axis Tail Value at Risk; portfolios A, B, C, and D plotted)

Efficient Frontier Insurance Framework

As for MPT, given a portfolio of A, one would prefer B, C, or D as compared to A as shown in Exhibit 25.3. However, notice that the preferred portfolios are now below the stated portfolio, as the preference here is to lower the expected losses and premium dollars spent.

The replacement of the typical finance standard deviation is an important one. In most financial textbooks (and in practical usage), the standard deviation is most often that of a normal distribution. In our example, we may use any multivariate distribution that is applicable, but for practicality we have chosen closed-form lognormal and Pareto distributions, which are typically used in insurance. We have also made another significant variation in using the tail value at risk (TVaR) instead of the standard deviation. The reason for this replacement is that most insurance contracts respond to low-probability events, so the standard deviation does not completely describe the use or intent of the contract. By using the tail value at risk, we can focus on the main use of the insurance contract and allow for multiple distribution functions, which better describe the underlying distribution for its intended use.

The probability level of the TVaR calculation is up to the user. We have selected a probability level of 95 percent, meaning that the worst 5 percent of outcomes are averaged to produce the TVaR figure at 95 percent.

The next complexity of selecting TVaR is that one will almost always be required to run a simulation model to determine the statistic. Only the most simplistic applications allow a closed-form expression for this measure of volatility. Therefore, we have chosen to use Monte Carlo simulation for our application of the efficient frontier to insurance portfolios.

The added benefit of using a simulation model is that we are now free to use multivariate distributions, complex correlations, copulas, and other transformations that may be too complex for most formulaic calculations. It is also important to note that most insurance portfolios contain more than seven to 10 different contracts/risks, so modeling is often a required component of any portfolio analysis.

We certainly do not want to gloss over the correlation concerns with insurance contracts, as there are many. It is becoming more common to use copulas (and different versions of copula formulas, for example a Gaussian copula or a Gumbel copula7) to capture more complex dependence. The choice and use of correlations are critical elements of a proper model and should be reviewed with statisticians or actuaries versed in their use.8 For our purposes, we have assumed no correlations, for simplicity of the calculations and of translating the results into knowledge.

It should be noted that TVaR is a simple method to allocate capital for insurance risk. The TVaR demonstrates the level of risk for a given insurance line or contract, and capital can be allocated based on that level of risk. Capital allocation theory is beyond the scope of this chapter, as there are many other variations on this theme for allocating capital. It should be noted that the next step beyond portfolio optimization is capital allocation.

One immediate question with the introduction of the TVaR as a risk measure is: “What is the right level of risk?” Or in simpler terms: “What is the largest loss I am willing to take?” Management should make a conscious decision on the level of risk to take through a formal enterprise risk management program. Risk setting is a critical step in any efficient frontier analysis and should not be overlooked. For our purposes, we have assumed that the organization will seek to minimize risk and minimize the annual costs to the budget (i.e., uninsured losses and insurance costs).

With some liberties taken in the usage of financial theory in the development of our risk transfer methods, we can now build a framework to analyze risk and optimize risk transfer spends (i.e., like insurance). The framework is intended for financial professionals versed in financial theory and its applications. With proper application, many organizations across the world could more efficiently allocate their risk spends and reduce the risk to their balance sheets.

SAMPLE CASE STUDY

Let’s start with a practical example of a large corporation with three basic insurance risks: earthquake exposure to buildings, workers’ compensation insurance, and general liability insurance.

Earthquake risk is defined as the potential for loss to buildings and property from a large earthquake as well as business interruption following the event. For our sample company, management has chosen to insure earthquake risk with a policy that covers $25 million in business and personal property with a 5 percent per occurrence retention. Earthquake sprinkler leakage is not covered.

For workers’ compensation, management has chosen to buy a retention policy with a $1 million per occurrence retention and no upper limit, as it is a statutorily unlimited coverage.

The general liability coverage is represented by a $25 million per occurrence limit and a $250,000 per occurrence retention.

Now that we have the insurance coverage, we can assume the risk of loss for each of the three lines of coverage follows basic loss distributions as follows:

1. Earthquake (EQ). Loss frequency has a Poisson distribution with mean λ = 0.1, and severity has a Pareto distribution with parameters θ = 5,000,000, α = 50,000,000.


Exhibit 25.4 Mean Retained Losses by Line

Line        Retention     Limit          Current mean retained loss
EQ          5%            $25,000,000    $2,500,501
WC          $1,000,000    Statutory      $3,163,992
GL          $250,000      $25,000,000    $1,597,373
Portfolio                                $7,261,866

2. Workers’ compensation (WC). Loss frequency has a Poisson distribution with mean λ = 50, and severity has a lognormal distribution with parameters μ = 10, σ = 1.5.

3. General liability (GL). Loss frequency has a Poisson distribution with mean λ = 10, and severity has a lognormal distribution with parameters μ = 12, σ = 1.0.

Notice that because the retentions are rather large, we are more focused on the tail portion of the loss distributions. We have decided not to use correlations for this example, to allow the reader to more easily follow and replicate the figures. In reality, correlations would be a key input into the model and would help determine the optimal risk transfer structures.

Exhibit 25.4 is a brief summary of the expected losses retained by the corporation below the retentions and above the insurance limits for each policy. The intent of this exhibit is to show the risk profile of the corporation using the assumed distributions listed earlier.

Note that there are many methods for fitting proper distributions and selecting the parameters to ensure good fits of historical data. Curve fitting is well beyond the scope of this chapter, and we will let the reader peruse other sources for details on loss distribution fitting.

With the knowledge of the current risk profile, we can now seek to optimize the portfolio and the insurance purchase by selecting different insurance options for our portfolio. By “options” we mean different risk transfer contracts that can be used to modify the risk profile of the corporation. This can be done by taking a mathematical approach (using increments off of the current program) or by selecting common insurance contract terms known in the insurance marketplace. Exhibits 25.5 and 25.6 list the options under the two different methods.

As one can see, there is an almost unlimited number of options under the mathematical approach. The possibilities are limited only by your computing power.

Exhibit 25.5 Portfolio Options under the Mathematical Approach

Line   Option #1          Option #2          Option #3          Option #4          Option #5
EQ     5% retention       5% retention       5% retention       5% retention       10% retention
       $20M limit         $30M limit         $40M limit         $50M limit         $25M limit
WC     $250K retention    $500K retention    $2M retention      $3M retention      $4M retention
       Statutory limit    Statutory limit    Statutory limit    Statutory limit    Statutory limit
GL     $500K retention    $1M retention      $2M retention      $3M retention      $500K retention
       $25M limit         $25M limit         $25M limit         $25M limit         $30M limit


Exhibit 25.6 Portfolio Options under the Coverage Availability Approach

Line   Option #1          Option #2          Option #3          Option #4          Option #5
EQ     5% retention       5% retention       5% retention       5% retention       10% retention
       $20M limit         $50M limit         $75M limit         $100M limit        $25M limit
WC     $250K retention    $500K retention    $2M retention      $5M retention      $10M retention
       Statutory limit    Statutory limit    Statutory limit    Statutory limit    Statutory limit
GL     $500K retention    $2M retention      $5M retention      $10M retention     $500K retention
       $25M limit         $25M limit         $25M limit         $25M limit         $30M limit

It should also be noted that the selections for the different options are based on simple increments from the current values. These options may not be available in the insurance marketplace. This is somewhat intentional, as the goal is to find the optimal mathematical solution and then find the insurance option that gets closest to that optimal solution. The coverage availability approach is shown in Exhibit 25.6.

You will notice a subtle change in Exhibit 25.6 (the changed cells, bolded in the original, are the EQ limits in options #2 to #4, the WC retentions in options #4 and #5, and the GL retentions in options #2 to #4). The difference is that we have selected options that are known to be purchasable in the insurance marketplace. For historical reasons more than anything else, insurance risk transfer has been built around round numbers for retentions and limits. By using these options, we are guaranteeing (assuming the entity is insurable) viable options for the corporation.

Now the mathematicians can begin their number crunching. Using the options for Exhibit 25.5, we can determine the expected risk spend (expected losses to the corporation, which are the losses below the retention and above the limits) and the tail value at risk (TVaR) for each option, and then plot them on a graph. We have done this for each line described earlier and combined all the lines in a portfolio. We have assumed no correlations in the portfolio, to keep the mathematics and logic easier for the reader to follow.

To obtain Exhibits 25.7 to 25.10, we have run a simulation model using a Monte Carlo simulator. There are various software programs that provide the capability to simulate losses by using different distributions. Readers may wish to try the parameters within their own software to follow along.

Exhibit 25.11 provides the assumed insurance premiums for each of the mathematical options. In reality, we would work with insurance brokers to obtain quotes for each of the options to arrive at a true market price for each. An actuarial estimate of premium could be used instead, but this is not preferred, because the market does not always follow actuarial estimates and is often subject to other vagaries of market pricing (underwriting judgment, capital constraints, class restrictions, premium goals, etc.). Therefore, we recommend using the quotes provided by insurance brokers for each option. The given insurance premiums are presented in Exhibit 25.11.
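As an added example, not the chapter’s or the authors’ model, the following Python script runs the procedure just described end to end: it samples annual losses per line from the stated Poisson frequency and lognormal/Pareto severity distributions, applies each option’s per-occurrence retention and limit from Exhibit 25.5, adds the Exhibit 25.11 premium, computes the mean and the 95 percent TVaR of retained losses plus premium, sums the three lines as independent to form the portfolio, and keeps the non-dominated options. The EQ Pareto shape (α = 1.5, since the chapter’s stated EQ parameters cannot be used as given), the use of the $25 million insured value as the base of the EQ percentage retention, the random seeds, and the 5,000 simulated years are assumptions, so its figures will not reproduce Exhibits 25.4 and 25.7 to 25.10.

```python
"""Added example (not the chapter's model): Monte Carlo efficient frontier for the
three-line insurance portfolio.  WC and GL parameters are the chapter's; the EQ Pareto
shape and the $25M base for the EQ "5 percent" retention are assumptions."""
import math
import random

EQ_TIV = 25_000_000  # assumed insured value behind the EQ percentage retention
# name: {line: (per-occurrence retention, per-occurrence limit or None, premium)},
# structures from Exhibit 25.5 and premiums from Exhibit 25.11
PROGRAMS = {
    "Current":   {"EQ": (0.05 * EQ_TIV, 25e6, 2_941_765), "WC": (1_000_000, None, 288_796),   "GL": (250_000, 25e6, 1_359_385)},
    "Option #1": {"EQ": (0.05 * EQ_TIV, 20e6, 2_353_412), "WC": (250_000, None, 1_098_994),   "GL": (500_000, 25e6, 696_302)},
    "Option #2": {"EQ": (0.05 * EQ_TIV, 30e6, 3_618_371), "WC": (500_000, None, 607_957),     "GL": (1_000_000, 25e6, 261_277)},
    "Option #3": {"EQ": (0.05 * EQ_TIV, 40e6, 4_942_165), "WC": (2_000_000, None, 116_861),   "GL": (2_000_000, 25e6, 68_436)},
    "Option #4": {"EQ": (0.05 * EQ_TIV, 50e6, 6_008_556), "WC": (3_000_000, None, 64_051),    "GL": (3_000_000, 25e6, 26_041)},
    "Option #5": {"EQ": (0.10 * EQ_TIV, 25e6, 2_941_765), "WC": (4_000_000, None, 40_630),    "GL": (500_000, 30e6, 696_302)},
}
# line: (Poisson mean, severity sampler).  random.paretovariate has minimum 1, so
# theta * paretovariate(alpha) is a Pareto with scale theta; alpha = 1.5 is assumed.
LINES = {
    "EQ": (0.1, lambda rng: 5_000_000 * rng.paretovariate(1.5)),
    "WC": (50.0, lambda rng: rng.lognormvariate(10.0, 1.5)),
    "GL": (10.0, lambda rng: rng.lognormvariate(12.0, 1.0)),
}
LINE_SEED = {"EQ": 11, "WC": 22, "GL": 33}  # separate streams: lines are independent


def retained_per_occurrence(loss, retention, limit):
    """What the corporation keeps on one occurrence: the part below the retention
    plus any part above retention + limit (limit None = statutory/unlimited)."""
    kept = min(loss, retention)
    if limit is not None:
        kept += max(loss - (retention + limit), 0.0)
    return kept


def poisson(rng, lam):
    """Knuth's multiplication method; adequate for the small means used here."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_line(line, retention, limit, n_years=5000, seed=1):
    """Annual retained losses for one line.  The same seed gives the same ground-up
    losses, so different structures are compared on identical scenarios."""
    rng = random.Random(seed)
    lam, severity = LINES[line]
    years = []
    for _ in range(n_years):
        total = 0.0
        for _ in range(poisson(rng, lam)):
            total += retained_per_occurrence(severity(rng), retention, limit)
        years.append(total)
    return years


def tvar(samples, p=0.95):
    """Tail value at risk: the average of the worst (1 - p) share of outcomes."""
    worst_first = sorted(samples, reverse=True)
    k = max(1, round(len(worst_first) * (1 - p)))
    return sum(worst_first[:k]) / k


def evaluate_program(name, n_years=5000, p=0.95):
    """(mean, TVaR) of retained losses + premium per line and for the portfolio,
    the portfolio being the independent sum of the three lines' annual results."""
    portfolio, total_premium, out = [0.0] * n_years, 0.0, {}
    for line, (retention, limit, premium) in PROGRAMS[name].items():
        years = simulate_line(line, retention, limit, n_years, LINE_SEED[line])
        spend = [y + premium for y in years]
        out[line] = (sum(spend) / n_years, tvar(spend, p))
        portfolio = [a + b for a, b in zip(portfolio, years)]
        total_premium += premium
    spend = [y + total_premium for y in portfolio]
    out["Portfolio"] = (sum(spend) / n_years, tvar(spend, p))
    return out


def efficient_frontier(points):
    """Non-dominated subset of {name: (mean_spend, tvar)}.  Both axes are minimized,
    so the frontier is the lower-left edge, not the upper edge as in MPT."""
    def dominated(n, m, t):
        return any(m2 <= m and t2 <= t and (m2 < m or t2 < t)
                   for n2, (m2, t2) in points.items() if n2 != n)
    return {n: v for n, v in points.items() if not dominated(n, *v)}


if __name__ == "__main__":
    results = {name: evaluate_program(name) for name in PROGRAMS}
    portfolio = {name: r["Portfolio"] for name, r in results.items()}
    for name, (m, t) in portfolio.items():
        print(f"{name:10s} mean spend ${m / 1e6:6.2f}M   TVaR@95% ${t / 1e6:6.2f}M")
    frontier = efficient_frontier(portfolio)
    print("efficient:", sorted(frontier))
    print("efficient and within $20M appetite:",
          sorted(n for n, (_, t) in frontier.items() if t <= 20e6))
```

Because every structure on a line is simulated from the same seed, options are compared on identical ground-up scenarios, so a higher retention can never appear to retain less purely through sampling noise. Dependence between lines, which the chapter deliberately leaves out, would be introduced by driving the three severity samplers from a shared copula rather than from separate random streams.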

Now with the options plotted (using our modeled losses, TVaR, and insurance premiums), we have created an efficient frontier and can determine the best option for a given level of risk. Ideally, we would select more than five options, and the options would be more complex. The beauty of the process is that it can be as simple or complex as one desires. The process is flexible enough to handle different risk measures (not just TVaR) and can optimize different costs of risk (losses, insurance spend, internal costs, etc.).

Exhibit 25.7 Earthquake Modeled Options (chart: x-axis Mean Retained Losses + Premium, about $5.2M to $6.4M; y-axis TVaR @ 95% Retained Losses + Premium, $0 to $40M; points for Current and Options #1 to #5)

It is also important to have an enterprise understanding of our risk appetite and tolerance. By having a formal statement of risk appetite, we can use that knowledge in the proper selection of the options on our efficient frontier.

Exhibit 25.8 Workers’ Compensation Modeled Options (chart: x-axis Mean Retained Losses + Premium, about $3.4M to $3.7M; y-axis TVaR @ 95% Retained Losses + Premium, $0 to $8M; points for Current and Options #1 to #5)


Exhibit 25.9 General Liability Modeled Options (chart: x-axis Mean Retained Losses + Premium, about $2.7M to $3.0M; y-axis TVaR @ 95% Retained Losses + Premium, $0 to $7M; points for Current and Options #1 to #5)

Case Study General Findings

Using the same charts as previously, we can make a few judgments about the options presented. For this example, let’s assume the company does not want to lose more than $20 million in a fiscal period. This would be considered its risk appetite and is roughly equivalent to maximizing utility for a corporation. By selecting a program that puts $20 million or more at risk, there is potential for breaching that corporate goal.

Exhibit 25.10 Combined Portfolio Modeled Options (chart: x-axis Mean Retained Losses + Premium, about $11.6M to $12.4M; y-axis TVaR @ 95% Retained Losses + Premium, $0 to $45M; points for Current and Options #1 to #5)

Exhibit 25.11 Given Insurance Premiums

Line   Current       Option #1     Option #2     Option #3     Option #4     Option #5
EQ     $2,941,765    $2,353,412    $3,618,371    $4,942,165    $6,008,556    $2,941,765
WC       $288,796    $1,098,994      $607,957      $116,861       $64,051       $40,630
GL     $1,359,385      $696,302      $261,277       $68,436       $26,041      $696,302

Note that the models assume that insurance is recoverable for the risk analyzed. This may not always be the case, so it is important to review the coverage, ensure that the model reflects the coverage actually provided, and review the insurance carrier’s ability to pay.

The numbers and options have been chosen to reflect realistic scenarios. The results are typical of what we see in the insurance and corporate landscape.

Findings on the earthquake simulation are (see Exhibit 25.12):

• We have a wide variety of options and a wide variety of risk levels.

• The slope of the efficient frontier is very steep as a result.

• The options all lie close to the frontier, resulting in many efficient options.

• If the organization is using a risk appetite for only earthquake risks, then it would look at the efficient frontier below the $20 million tail value at risk level. (Options #3 and #4 qualify.)

Exhibit 25.12 Efficient Frontier on Earthquake Options (chart: x-axis Mean Retained Losses + Premium, about $5.2M to $6.4M; y-axis TVaR @ 95% Retained Losses + Premium, $0 to $40M; points for Current and Options #1 to #5 with the Efficient Frontier line drawn)


Exhibit 25.13 Efficient Frontier on Workers’ Compensation Options (chart: x-axis Mean Retained Losses + Premium, about $3.4M to $3.7M; y-axis TVaR @ 95% Retained Losses + Premium, $0 to $8M; points for Current and Options #1 to #5 with the Efficient Frontier line drawn)

Findings on the workers’ compensation simulation are (see Exhibit 25.13):

• We have a similar wide variety of options, but a much tighter range of risk levels.

• The slope of the efficient frontier is very shallow as a result.

• The options all lie close to the frontier, resulting in many efficient options.

• If the organization is using a risk appetite for only workers’ compensation, then it would look at the efficient frontier below the $20 million tail value at risk level. All options qualify.

• Because workers’ compensation risks are relatively stable, the model shows only modest differences between options, and all options are reasonable.

• To change the options to give a greater range of results, one could be more extreme in the options (assuming the insurance market is willing to provide such options to the corporation).

Findings on the general liability simulation are (see Exhibit 25.14):

• We have a similar wide variety of options, and a modest range of risk levels.

• The slope of the efficient frontier is shallow as a result.

• The options all lie close to the frontier, resulting in many efficient options.

• If the organization is using a risk appetite for only general liability, then it would look at the efficient frontier below the $20 million tail value at risk level. (All options qualify.)

• Similarly to workers’ compensation, different options can be substituted here for a wider range of outcomes.


Exhibit 25.14 Efficient Frontier on General Liability Options (chart: x-axis Mean Retained Losses + Premium, about $2.7M to $3.0M; y-axis TVaR @ 95% Retained Losses + Premium, $0 to $7M; points for Current and Options #1 to #5 with the Efficient Frontier line drawn)

The portfolio shown in Exhibit 25.15 is simply the annual results for all three lines added together, again with no correlation assumptions (i.e., independence). Portfolio option #1 is the sum of each line’s Option #1, with no aggregate insurance limitations assumed. The framework certainly allows for aggregate limits and correlations; we have not provided them here for simplicity.

Exhibit 25.15 Efficient Frontier on the Combined Portfolio Options (chart: x-axis Mean Retained Losses + Premium, about $11.6M to $12.4M; y-axis TVaR @ 95% Retained Losses + Premium, $0 to $45M; points for Current and Options #1 to #5 with the Efficient Frontier line drawn)


Findings on the portfolio simulation are (see Exhibit 25.15):

• The portfolios no longer follow the efficient frontier, as some of the options lie considerably above the efficient frontier line.

• The slope of the efficient frontier is somewhat steep, and follows the risks that contribute to the portfolio (earthquake in this instance is driving the steep curve).

• If the organization is using a risk appetite for the entire portfolio, then it would look at the efficient frontier below the $20 million tail value at risk level. (Only option #4 qualifies.)

We can now see how the efficient frontier insurance framework utilizes the information provided, combines a complex set of insurance structures, and uses a risk appetite to select the best portfolio option. This framework facilitates a company’s ability to make fact-based decisions, using current information. The organization no longer has to wonder whether it is getting the best deal or whether other options might have provided a better bang for its buck.

INTENDED USES FOR OUR APPROACH

It is important to note that this framework, like all others, has limitations in its use. The intended purpose of this framework is to help large corporate organizations with their risk management process and portfolio management. The framework is robust enough to handle both insurance risk and noninsurance risk. It is best used within an established enterprise risk management discipline.

The following is a brief description of the benefits of an ERM strategy and how our framework fits within those benefits, which is important for understanding the full potential of its use. We have referenced James Lam’s (2003) benefits, as they are excellent.

The four benefits to risk management as defined by James Lam9 are:

1. Managing risk is management’s job.
2. Managing risk can reduce earnings volatility.
3. Managing risk can maximize shareholders’ value.
4. Risk management promotes job and financial security.

In item 1, Lam indicates that management has access to critical information about the business and therefore has a duty to use it to manage risk. We agree wholeheartedly with his assessment, and our process is intended to improve senior leaders’ understanding of risk and give them more transparency in managing costs.

In item 2, Lam indicates that top-tier companies better manage their earnings volatility through risk management activities. Too often firms do not consider risk management or relegate it to small, back-room activities. This often overlooks the value that can be had by minimizing volatility on major risks to the organization.


By taking a more in-depth look at the portfolio of risk through the efficient frontier and making more data-driven decisions, volatility can be reduced.

In item 3, Lam indicates that firms can increase their shareholders’ value by 20 to 30 percent or more by identifying opportunities for risk management and business optimization through a risk-based program.10 This goes beyond just managing volatility and extends to a better-performing business model with more accurate information spread across the organization. Using risk-based measures is a critical element of any risk measurement department. Components like the efficient frontier require wide distribution and use; otherwise they do not get the full attention they deserve.

For the real company this framework was modeled after, the efficient frontier was sent directly to the business leaders, and they became owners of the risks for their particular areas of influence. They had to learn the language of risk, and through a diverse corporate program they are now using the risk assessments as part of their daily routines, leading to a better understanding of risk for the business leaders and more accurate information for the risk management team.

When implementing this framework at different companies, we often hear something to the effect of “What’s in it for me?,” which really comes down to job and financial security for individuals, as noted in item 4. A truly robust framework should allow for better risk taking, as the guidelines have been set and approved by management. With a data-first strategy there should be less concern over losing your job, as long as the risk is within the tolerances set by management. Thus, when a calculated risk does materialize, the organization is ready to respond. All too often, the opposite is true and a surprise event leads to the ouster of a senior leader. We believe that our framework will help provide senior leaders with the information they need to take calculated risks and therefore preserve their livelihoods, regardless of their golden parachutes.

It is inherently assumed that the lines of insurance or risk transfer can be modeled appropriately. This is certainly not an insignificant assumption, as data limitations, information asymmetry, internal disputes, and plain modeling foibles can easily derail the best intentions of the framework.

To combat these issues, it is always important to stress test any model, back-test the model if possible, involve different business leaders to vet the results of the model, and use independent experts to question and test the assumptions in the model. Any model is only as good as its creators, so it is advisable to hire the best and then “trust but verify.”

MODERN PORTFOLIO CONCERNS CONTAINED IN THE FRAMEWORK

There are several modern portfolio theory shortcomings that we should address in relation to our framework, represented in these MPT assumptions:11

• Asset returns are (jointly) normally distributed random variables.

• Correlations between assets are fixed and constant forever.

• All investors have access to the same information at the same time.

• All securities can be divided into parcels of any size.

• Risk and volatility of an asset are known in advance and are constant.

To address the first point, we have already discussed our use of nonnormal distributions and feel the framework is robust enough to handle any variation of distributions that a modeler feels is appropriate. In postmodern portfolio management, the use of normal distributions has also been relaxed for similar reasons, so this is not as much of a concern as originally stated.

Correlations are clearly not constant or fixed, and once more, they are hard to measure without good historical data. The modeler will often make assumptions around correlations and use copulas to simulate different relationships between correlations at different points of a distribution. It is clear that, again, modern com- puting power has allowed us to use correlations in a much different way than in the past. Unfortunately, the flexibility is not always a good thing. As correlations are often a modeler’s assumption, the use and selection of them should be highly scrutinized.

In insurance, the market is very far from what one would call efficient. On stock exchanges there are clearinghouses and information services to provide an up-to-date information exchange. And even then, the market is not truly efficient. In insurance, pricing different contracts suffers from serious information asymmetry and is fraught with poor information, as the data and pricing start with an actuary in a corporate insurance company, then are translated by an underwriter, and then are ignored by sales professionals (only slight exaggerations involved). This lack of an efficient market is what makes our risk framework so critical. Without it, the insurance buyer has little chance of getting the best deal.

Our framework does have an issue with the ability to fractionalize options and to get the insurance market to respond to all potential mathematical pricing options. This can happen for a variety of reasons: internal restrictions, lack of proper information, risk limits, reinsurance requirements, and so on. The framework can, however, lead insurance markets to more optimal insurance contracts. So even if an option is not technically available, the closest option available in the marketplace can be substituted in similar fashion.

In insurance, especially for large corporations, the party who controls the information can hold a competitive advantage. Both parties to a transaction (corporation and insurance company) have pieces of the puzzle in determining the true risk exposure for the corporation. The insurance company has a significantly larger database of similar risks, and the corporation has very specific data to its risk profile and a much better understanding of how its risk profile is changing. All of this means that the underlying risk is clearly not constant and is difficult to predict. Thankfully, to optimize a risk portfolio one does not require perfect information, only relative accuracy and reasonable assumptions on information that is not available.

In our framework, we are not fully constrained by the limitation of modern portfolio theory, as we are not developing a theory, but rather a practical modeling application. We also have use of greater computer power than ever before, which allows the relaxation of many of the constraints presented earlier in this chapter. We believe that we have addressed the major concerns of modern portfolio theory and its application to insurance, but we will leave that conclusion fully up to the reader.

CONSIDERATION OF BEHAVIORAL CONCERNS IN STRUCTURE

A commonly stated concern with the efficient frontier theory is that it breaks down due to behavioral concerns with the market participants. The participants do not always maximize utility, information is not always readily available, and people do not always make decisions based solely on mean and standard deviations of returns.12 Because of these concerns, it is necessary to discuss the behavioral implications for our framework.

We start with the definition of common behavioral errors associated with information processing and then move on to the types of informational errors.

Definition: “Information processing—errors in information processing can lead investors to misestimate the true probabilities of possible events or associated rates of return.”13

The different types of informational processing errors are:

• Forecasting errors
• Overconfidence
• Conservatism
• Sample size neglect and representativeness14

People often have problems forecasting the future. The most typical concern is using the most recent information to forecast the future. As risk professionals, we see this every day as everyone thinks that the most recent years of information reflect the best and most reliable information. In reality, forecasting is much more complex than that. In our model, we rely on forecasting techniques, but concentrate on methods that use a minimum of five years of information and often 10 years or more of information if it is available. This reduces any forecasting errors and relies on data methods, which are more consistent than human forecasts.

Overconfidence is another common behavioral trait that is difficult to overcome. People often believe they forecast better than they actually do and are often unwilling to recognize that blind spot. This is where a robust process and using several independent experts can reduce the bias that comes from overconfidence. Any one person can have his or her own biases, even experts. So involving a team of experts and a process to reduce the bias is critical to getting a more accurate estimate of risk.

Sometimes a process or framework can be too slow to react to new information. A slow response often occurs in insurance where there is an unrecognized change in a company’s risk profile. The client history and the industry data are naturally slow to reflect trends, and large volumes of data are required to finally identify new information. This phenomenon is the counterbalance to being too fast to react. The conservatism bias is best handled by involving business experts in the process to question and comment on changes in the business and to get a common understanding on how those changes are reflected in the modeling work.


Sample size bias is usually pretty well handled by expert modelers. They understand that small sample sizes are less credible than large ones and therefore provide less usable information within a forecast. This can be difficult to communicate, however, so it should be noted that communication of the biases of sample size neglect and representativeness is just as important as realizing them.

We next consider behavioral biases. It has been stated that “Behavioral biases largely affect how investors frame questions of risk versus return, and therefore make risk-return trade-offs.”15

The main types of behavioral biases are:

• Framing
• Mental accounting
• Regret avoidance
• Prospect theory16

Framing is the way a question is posed about risk. The question can be posed as “Will you lose $50 million under a worst-case scenario?” or be posed as “Will you stand to make $5 million on the expected basis under the same scenario?” Different questions can lead to different responses, even in seemingly rational people. The way we approach framing is to include the positive and the negative, as well as several other scenarios to provide a range of responses. This can be information overload at first, but after the framework is understood, it provides key information to avoid the framing bias.

Oftentimes people segregate risks based on a particular belief or internal structure within an organization, saying it is fine to take risk in this particular area but not in another one. This is called mental accounting. Organizations are plagued with mental accounting, as different divisions, regions, locations, and management all create some level of mental accounting for an organization. The only way to minimize this bias is to have the C-level executives dictate the level of risk they want to adhere to as an organization; otherwise the line-level managers will all view risk through their own lenses. Consultants can often point out this bias within a company, but a company that is not already aware of this bias can fail to use any risk framework appropriately.

Another large corporate risk is regret avoidance. This is the phenomenon that losing a bet on a scenario with long odds is more painful than losing the same amount on a game with a better expected outcome. This is illustrated in the saying “No one ever got fired by hiring IBM.” Large corporations have different cultures and approaches to this bias. Some companies in Silicon Valley make an extra effort to avoid this bias and to create a risk-taking culture. Either way, this is a concern for our analysis. Any option we present, no matter how risk reducing to the organization, will look suboptimal to the current one based on our behavioral biases.

Prospect theory does not apply as well in a corporate environment as in a personal one. In prospect theory the change in wealth from one’s current wealth is what is important, not the absolute wealth. For an organization, each employee has his or her own “wealth” and access to company funds. Many are limited in this area, and any change in wealth for the company is not often felt by the employee. There is a disengagement from the wealth of the corporation. This does not mean there is a certain level of bias in the corporation.


As we have shown, there are several behavioral considerations to make in any risk framework. We have tried to comment on how we address those concerns, but are sure there are many other successful ways to handle these biases. The key consideration here is to be aware of the biases and to make sure the organization addresses these issues as part of its enterprise risk management program.

QUESTIONS

1. How does efficient frontier analysis differ from other forms of complex risk assessment techniques?
2. What limitations might an analyst encounter through the use of efficient frontier analysis?
3. How can efficient frontier analysis results be communicated and utilized with nonmathematical decision makers?

ACKNOWLEDGMENTS

Special recognition is given to the following editors of this chapter:

Jillian Hagan, FCAS
Virginia Jones, ACAS
Betty Simkins, PhD

NOTES

1. “RIMS Strategic Risk Management Implementation Guide,” 2013.
2. “Details of Risk Appetite and Tolerance,” www.theirm.org/publications/documents/IRM_Risk_Appetite_Consultation_Paper_Final_Web.pdf.
3. We have defined efficient to mean the maximum return on investment for keeping risk or transferring risk to a third party.
4. Milan Vaclavik and Josef Jablonsky, “Revisions of Modern Portfolio Theory Optimization Model,” 2011.
5. Jerry A. Miccolis and Marina Goodman, “Next Generation Investment Risk Management: Putting the ‘Modern’ Back in Modern Portfolio Theory,” Journal of Financial Planning, January 2012.
6. Ibid.
7. Ibid. Bodie, Zvi, Alex Kane, and Alan Marcus. Investments. 8th edition. New York: McGraw-Hill.
8. For reference, a good article on copulas is available on the CAS website: www.casact.org/library/studynotes/feldblum-dependency2013.pdf.
9. James Lam, “Enterprise Risk Management from Controls to Incentives,” 6–9.
10. Ibid., 8.
11. Miccolis and Goodman, “Next Generation Investment Risk Management,” 2012.
12. www.investopedia.com/articles/investing/041213/modern-portfolio-theory-vs-behavioral-finance.asp.
13. Zvi Bodie, Alex Kane, and Alan Marcus, Investments, 8th ed. (New York: McGraw-Hill, 2008), 385.
14. Ibid., 386.
15. Ibid., 387.
16. Ibid., 387–388.


REFERENCES

Bodie, Zvi, Alex Kane, and Alan Marcus. 2008. Investments. 8th edition. New York: McGraw-Hill.

“RIMS Strategic Risk Management Implementation Guide.” 2013.

“Managed Futures—Reducing Portfolio Volatility, A Look into the Top 3 Managed Futures Accounts Worldwide.” 2011. Emanagedfutures.com, March 19.

Markowitz, H. M. 1952. “Portfolio Selection.” Journal of Finance 7:1, 77–91.

Markowitz, H. M. 1959. Portfolio Selection: Efficient Diversification of Investments. New York: John Wiley & Sons, reprinted by Yale University Press, 1970.

Merton, Robert. 1972. “An Analytical Derivation of the Efficient Frontier.” Journal of Financial and Quantitative Analysis 7, September.

Miccolis, Jerry A., and Marina Goodman. 2012. “Next Generation Investment Risk Management: Putting the Modern Back in Modern Portfolio Theory.” Journal of Financial Planning, January.

Lam, James. 2003. Enterprise Risk Management from Controls to Incentives. Hoboken, NJ: John Wiley & Sons.

Taleb, Nassim Nicholas. 2007. The Black Swan: The Impact of the Highly Improbable. New York: Random House.

Vaclavik, Milan, and Josef Jablonsky. 2011. “Revisions of Modern Portfolio Theory Optimization Model.”

ABOUT THE CONTRIBUTORS

Ward Ching is Vice President, Risk Management Operations, at Safeway Inc., located in Pleasanton, California. His responsibilities include enterprise risk management, integrated risk finance, hazard loss control, environmental compliance, property risk control/engineering, and a variety of retail, distribution, and manufacturing risk management initiatives, including Safeway’s Culture of Safety. Prior to joining Safeway, he was a principal at Towers Perrin and a managing director at Marsh. He completed his undergraduate and graduate degrees in international relations and economics at the University of Southern California, and has taught and written extensively on the subjects of international relations, game theoretical applications in foreign policy, and enterprise risk management.

Loren Nickel, FCAS, CFA, MAAA, is the Regional Director and Actuary for the Northwest Region (Seattle, San Francisco, and Los Angeles) and National Leader for Operational Risk for Aon Global Risk Consulting. He is responsible for providing clients with actuarial support as well as a variety of financial and tailored risk services. His work includes pricing, reserving, profitability studies, retention studies, dynamic financial analysis, and captive analysis for all major lines of insurance. He provides professional actuarial opinions as well as a variety of innovative risk solutions.


PART V

Mini-Cases on ERM and Risk


CHAPTER 26

Bim Consultants Inc.

JOHN R.S. FRASER
Senior Vice President, Internal Audit, and former Chief Risk Officer, Hydro One Networks Inc.

Bim Consultants Inc. is a medium-sized consulting firm. It is a corporation with 30 partners who own most of the shares. It has 10 offices across Canada with 3,000 staff, and has been in business for 30 years. Senior staff also own shares and participate in an annual bonus scheme. Salaries are generally on the low side, but bonuses in good years can be quite high. The balance sheet is sound (see Exhibit 26.1).

The company has always prided itself on its customer focus. “Customers are number one” has been the mantra from the chairman, Mr. Smooth, for many years. Recently, however, revenue has been stagnant, and the younger partners are getting restless, wondering if the older partners have lost their edge and whether changes are needed to return to the glory days of large bonuses.

At a recent strategic planning meeting of the major partners, the decision was made to continue focusing on customers as number one, but also to explore how to increase revenue from within the existing clientele and to explore what additional services could be provided to enrich the client experience (and revenues). It was agreed that the strength of the firm was in its blue-chip client base and that this high-quality reputation was worth preserving. Some discussions were also held around the idea of selling a minority share of the company at a large multiple, if such a deal was identified. Bim Consultants’ profit and loss and retained earnings are provided in Exhibit 26.2.

Earlier this week, the chairman received a call from the president of the Canadian subsidiary of a U.S.–owned competitor, Bravado International, saying that Bravado was pulling out of Canada and would consider an offer to sell the subsidiary to Bim Consultants Inc. The Bravado subsidiary had 12 offices across Canada and just over 3,500 staff, but had often drawn on its U.S. resources when required for large engagements.


Exhibit 26.1 Bim Consultants Balance Sheet

Bim Consultants Inc.
Summary Balance Sheet
As of December 31, 2014

Year ended December 31 (Canadian dollars in millions)     2014     2013
                                                            $        $
Current Assets
  Cash and Short-Term Investments                           12        7
  Accounts Receivable                                      175      168
                                                           187      175
Current Liabilities
  Accounts Payable                                          34       27
  Short-Term Loans                                         100      110
                                                           134      137
Working Capital                                             53       38
Fixed Assets
  Leasehold Improvements                                   196      178
  Furniture and Equipment                                  100       94
  Less Accumulated Depreciation & Amortization            (153)    (128)
                                                           143      144
Net Assets                                                 196      181
Share Capital
  Common Shares                                            100      100
  Retained Earnings                                         96       81
                                                           196      181

The chairman called an executive meeting and pointed out that making such a purchase would double sales, catapult Bim Consulting into the number one position in major markets in Canada, and provide a strong marketing thrust into previously untapped midtier markets. Based primarily on the persuasiveness of the chairman, the executive committee approved proceeding with the negotiations.

The president of the Bravado subsidiary cautioned Mr. Smooth that it was imperative not to have word of the negotiations leak out, as this could lead to a loss of key staff and possibly clients. Accordingly, he urged Mr. Smooth not to do the normal due diligence in the subsidiary’s offices but to review the necessary records and meet with select senior executives of Bravado at an off-site location. This process seemed to work well, and the Bravado executives were well prepared and very likable. All the information checked out, and the way seemed clear to do a deal.


Exhibit 26.2 Bim Consultants Profit and Loss and Retained Earnings

Bim Consultants Inc.
Summary Profit and Loss and Retained Earnings
For the Year Ended December 31, 2014

Year ended December 31 (Canadian dollars in millions)     2014     2013
                                                            $        $
Revenue                                                    300      290
Expenses
  Salaries                                                 220      207
  Other                                                     20       18
Net Profit before Income Tax                                60       65
Income Tax Provision                                        27       29
Net Income after Tax                                        33       36
Retained Earnings—Beginning of Year                         81       65
                                                           114      101
Dividends                                                   18       20
Retained Earnings—End of Year                               96       81

QUESTIONS

1. What is your assessment of the situation?
2. What advice would you provide to the board of Bim Consultants?
3. What pitfalls should they be concerned with?

ABOUT THE CONTRIBUTOR

John R.S. Fraser is the Senior Vice President, Internal Audit, and former Chief Risk Officer of Hydro One Networks Inc., one of North America’s largest electricity transmission and distribution companies. He is a Fellow of the Ontario Institute of Chartered Accountants, a Fellow of the Association of Chartered Certified Accountants (UK), a Certified Internal Auditor, and a Certified Information Systems Auditor. He has more than 30 years’ experience in the risk and control field, mostly in the financial services sector, including areas such as finance, fraud, derivatives, safety, environment, computers, and operations. In addition to this book, he also served as editor on Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives (John Wiley & Sons, 2010).


CHAPTER 27

Nerds Galore

ROB QUAIL, BASc
Director, Enterprise Risk Management, Hydro One Networks Inc.

Nerds Galore (NG) is a Canadian service company with 1,000 employees working out of offices in 12 Canadian cities; the head office is in Edmonton, Alberta. NG provides full-service information technology (IT) support to small and medium-sized Canadian businesses, including help desk, on-site troubleshooting, security, network setup and support, backup services, wireless networks, hardware and software procurement, and website design and hosting solutions.

Nerds Galore was formed in 2000 in the garage of its founder, Jeeves Stobes. NG has enjoyed strong growth in its segment and has an excellent reputation with its customers. In the beginning, NG focused on a particular customer subsegment, small start-up businesses, especially on low-tech businesses such as boutique services. Lately its strategy has shifted more to midsize customers (which have deeper pockets and less chance of going broke) with more sophisticated technology needs.

Recently there have been problems for NG. There has been a steady decline in customer satisfaction, as shown in Exhibit 27.1. Following a thorough investigation and follow-up with many of NG’s key customers, the Executive Team has concluded that the main cause of this has been high internal staff turnover, leading to gaps in customer services and service continuity.

Indeed, staff retention has been an issue, as shown in Exhibit 27.2. To continue to provide strong customer service, it is critical that team members are competent in the latest technology, and yet turnover has approached 20 percent in three recent years. This is a particular problem for NG because of its high focus on customer service; new staff receive extensive and costly training in NG’s customer service and cross-selling approaches. The company’s pay package is competitive but not at the very top; instead NG uses its reputation for excellent customer relationship and staff development to attract motivated staff. Note that it’s well known that one of NG’s competitors was recently raided by a large systems integration firm and lost most of its network management technical staff in a single quarter. NG has been having a particularly difficult time retaining staff in the larger urban centers and other technology hubs in Canada where there are more competitors and the competitors generally pay more.

Exhibit 27.1 Nerds Galore Customer Satisfaction [line chart: percent “very satisfied” by year, 2008 to 2013; vertical axis from 80 to 96 percent]

Despite the fact that customer satisfaction has been declining, the Executive Team did note that revenue numbers have not suffered; in fact, they have continued to climb year over year, as shown in Exhibit 27.3. It was concluded that this lack of a drop in revenues is due to two factors:

1. Many current customers have multiyear contracts with Nerds Galore.
2. Very small businesses that have made up the bulk of NG’s customer base are generally tolerant of minor service hitches and less focused on optimal technology performance.

Recently, the company suffered a major shock when one of its employees was killed in a head-on car crash while rushing to a customer site during a snowstorm in Rimouski, Quebec. The employee who was killed was a well-known and much admired member of the team, and many staff thought at the time that NG’s Executive Team didn’t respond properly to this event. In fact, the Globe and Mail ran a story on workplace tragedy and its impact on morale and used Nerds Galore as a case study on how not to manage sudden trauma, and, while the company’s customers didn’t seem to notice, NG did experience a sudden jump in staff departures and some difficulty in recruiting replacements.

Also, there is a sense that staff efficiency is not what it should be; in particular, scheduling technicians for on-site technical work has been a problem. Small business customers tend to have diverse and unique technology needs, and finding specialists who can work in multiple areas such as network support and voice over Internet Protocol (VoIP) while working with a single customer is difficult; most of the propeller-heads (as NG affectionately terms its technicians) are specialists in a few areas, and the company has found that its specialists are spending a lot of time behind the wheel traveling from site to site dealing with point solutions to individual technical problems. NG’s founder and CEO, Jeeves Stobes, freely admits that the company’s own internal technology has not really kept pace with the growth of the company. NG lacks a customer/account management program and relies on whiteboards and e-mail managed by the company’s small core of four senior work schedulers (long-service employees who work out of a war room in Edmonton and know the company’s customers and staff well) to schedule employees to customer sites. In addition, while the company has placed a premium on developing staff, this has been through informal mentoring and apprenticeships rather than formal development based on identified customer needs, and this approach has been difficult to sustain given the scrambles created by sudden staff departures.

Exhibit 27.2 Nerds Galore Employee Turnover [line chart: percent of employees by year, 2008 to 2013; vertical axis from 0 to 25 percent]

Exhibit 27.3 Nerds Galore Financial Performance [chart: Revenues and Net Income in $CDN by year, 2004 to 2013; vertical axis from 0 to 100]

As shown in Exhibit 27.4, CEO Stobes has set targets of 15 percent revenue growth year over year (which is close to recent rates of growth) and a net income target of 15 percent of annual revenues, which will be a stretch (recent years have yielded margins of 8 to 10 percent). Stobes has set a target of 95 percent customer satisfaction going forward.

Exhibit 27.4 Strategic Targets

                                                            Actual   Targets
                                                            2013     2014    2015    2016    2017    2018
Revenues ($M) (target is 15% year-over-year growth)         100      115     132     152     175     201
Net Income ($M) (target is 15% of revenues)                  10       17      20      23      26      30
Customer Satisfaction (% “very satisfied”) (target is 95%)   83       95      95      95      95      95
Staff levels                                               1,000    1,100   1,200   1,300   1,400   1,500


Gil Bates, NG’s vice president of human resources (HR), recently recruited from the competitor Propell-O-Rama, is concerned about not only the employee turnover rates but HR management in general. He has come forward with a five-point strategy for improved HR management, but has encountered stiff resistance from the rest of the Executive Team. The strategy is:

1. Attract the best talent. Do this by offering a positive and flexible work environment with flexible hours and a work-at-home culture.

2. Retain good people. Do this by offering employee recognition programs, providing multiskilling/cross-training (which will have the added benefit of greater customer satisfaction), and ensuring that compensation stays at or near the 75th percentile of competitors or comparators.

3. Manage talent. Put in place a formal talent management program so that high-potential employees are identified, developed, and mentored.

4. Optimize the use of people. Do this by purchasing and implementing a fully integrated customer management and workforce management tool, to allow greater scheduling and tracking of employee effort on customer accounts.

5. Rely on outsourcers to handle overflow of business requests that have highly volatile work volumes, or in areas where retaining internal capability and know-how is prohibitively expensive.

At a management discussion, it was agreed that the Executive Team would meet for a risk workshop to explore the following HR-related risks and to help the executives evaluate the situation and decide on whether to invest in Bates’s strategy:

• Inability to recruit people with needed skills
• Loss of staff with key internal knowledge
• Uncompetitive labor productivity
• Increased departures of skilled technical staff
• Loss of key business know-how

QUESTIONS

1. This is a relatively brief case study, yet the problems faced are quite complex. In your workshop, how did you handle uncertainty in the information you have been given and how does this translate into real-world workshops where not all the answers can necessarily be given at the table?
2. What were some of the risk sources that emerged repeatedly in evaluating the risks? How is this helpful?
3. How would this risk assessment aid in the decision on whether or not to proceed with the new HR strategy?

ABOUT THE CONTRIBUTOR

Rob Quail, BASc, is Director of Enterprise Risk Management at Hydro One Networks Inc. Rob has had a leadership role in enterprise risk management (ERM) at Hydro One since 2000, and developed much of Hydro One’s pioneering ERM methodology. He has successfully applied ERM techniques to a diverse range of business problems and decisions, including annual business and investment planning; major transformational, infrastructure, customer, and technology projects, as well as acquisitions, partnerships, divestitures, downsizing, and outsourcing. Rob was a contributing author to Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives, edited by John Fraser and Betty J. Simkins (John Wiley & Sons, 2010), and is guest lecturer for the Schulich School of Business Masters Certificate in Business Performance and Risk Management program at York University, Toronto. He is a popular speaker at risk management conferences, and performs as a musician in clubs in the Toronto area in his spare time. He is an industrial engineering graduate of the University of Toronto.


CHAPTER 28

The Reluctant General Counsel

NORMAN D. MARKS, CPA, CRMA
Fellow of the Open Compliance and Ethics Group, and Honorary Fellow of the Institute of Risk Management

Business Software Corporation (BSC) is a global software company headquartered in the Silicon Valley of California, with annual revenues of over $1 billion. It is listed on major North American stock exchanges. The head of the Internal Audit function, Jason Garnelas, has been asked by the board to lead the establishment of an enterprise risk management (ERM) function. Top management, led by the chief executive officer (CEO), John Black, and the chief financial officer (CFO), Jim Toll, have indicated their support for this important initiative. The plan is for Jason to run the program for the first year, at which point management and the board will consider whether it is necessary and appropriate to hire a full-time risk officer.

Jason is grateful for the support of both the board and top management, because it is unusual for an entrepreneurial technology company to recognize the value of risk management and dedicate both time and resources to its implementation. In fact, at a meeting of the executive leadership, John Black explains that he holds his direct reports individually and collectively responsible for the management of risks to the business. He sees the role of the risk officer, currently Jason Garnelas on a part-time basis, as a facilitator to the leadership team. Jason will lead the development of a framework and process, and will facilitate the identification, assessment, and treatment of risk, but all decisions are a management responsibility.

Jason holds a series of one-on-one meetings with each of the CEO’s and CFO’s direct reports to understand, with them, the more significant risks to the organization. Most of them engage actively and with energy into the discussions, as they can see that the process will contribute to their and the company’s success. Due to their travels, Jason is initially unable to meet with the executive vice president (EVP) of development (responsible for all the software developers) and the general counsel. But he is able to develop a preliminary list and assessment of the more significant areas.

The preliminary assessment is reviewed with the executive leadership team, and the CEO expresses his appreciation for the work that has been performed, but he is concerned that several of his direct reports identified the same areas of risk with significantly different evaluations of both potential impact and likelihood. He decides to assign each area of risk to individual executives who will own them and be responsible not only for monitoring the risk levels and assessing the potential impact and likelihood, but also for ensuring that actions are taken as and when necessary to bring the risk levels in line with acceptable limits established by the CEO and the board.

As everybody leaves the meeting, Jason chats briefly with the EVP of development and the general counsel, George French. The EVP quickly agrees to meet later in the week for an hour to review the risks in his assigned areas. But the general counsel asks Jason to step into his office.

The general counsel tells Jason that while he agrees that a risk management program is fine in theory, he has strong reservations. His concerns fall into two general areas.

First, the company, like every technology company, is routinely engaged in multiple lawsuits. Some lawsuits, particularly those concerned with the protection of intellectual property, involve potential settlements in the hundreds of millions of dollars—both in favor of and against BSC. These lawsuits have been identified as areas of risk that should be addressed by the new risk management program, but any formal assessment is discoverable by the opposition attorneys and could be used against BSC both in negotiations and at trial.

George understands that Jason needs his and his team’s input to identify the potential impact of both favorable and adverse results to current and future lawsuits, and the likelihood of those results. But, because of the risk to the company that would be created by a formal risk assessment of the lawsuits, he has decided he cannot participate.

Second, BSC is listed on some U.S. exchanges and is subject to all U.S. Securities and Exchange Commission (SEC) filing requirements. The quarterly and annual filings have to include a discussion of the significant risks facing the organization.

The general counsel is concerned that BSC’s competitors could gain an unwarranted advantage from a risk management program. His reading of the SEC rules is that the discussion in the filings has to be consistent with any formal discussion of risks by management and the board. So, if the internal discussion is too detailed and includes specific likelihoods and potential effects for each risk area, that would lead to excessive and unnecessary disclosures to the company’s disadvantage.

George believes that participation by the legal department will constitute formal risk discussions. Discussion of risk by the rest of the management team is a normal part of running the business, but when he and his team join the discussion it raises risk management from informal discussions to a formal process that should influence the risk disclosures in the company’s SEC filings.

George tells Jason that he commends him for the initiative but cannot support it by contributing legal advice to the risk assessment and evaluation process. That should be the responsibility of the executive leadership team, with Jason’s assistance. The involvement of the legal department represents, itself, too great a risk.

QUESTIONS

1. What are Jason’s options? Can he accept a risk management program that does not involve the legal department?

2. Do you agree with George’s arguments? Are they valid?

3. How would you proceed, if you were the risk officer?

ABOUT THE CONTRIBUTOR

Norman D. Marks, CPA, CRMA has been the chief audit executive of major global corporations for more than 20 years, and is one of the most highly regarded thought leaders in the global professions of internal auditing and risk management. He has been profiled as an innovative and successful internal auditing leader, and is a Fellow of the Open Compliance and Ethics Group and an Honorary Fellow of the Institute of Risk Management. Norman has been a motivational keynote speaker at conferences around the world and across the United States. In addition, he is a prolific blogger about internal audit, risk management, governance, and compliance.


CHAPTER 29

Transforming Risk Management at Akawini Copper

GRANT PURDY
Associate Director, Broadleaf Capital International

This case study describes how the approach to managing risk can be transformed and enhanced in a company. The case study is based on a hypothetical mining company, Akawini Copper, that has recently been acquired by an international concern, United Minerals. Akawini has a rudimentary approach to risk management (RM) that must be improved if the new owners are to realize the level of return claimed in the business case that was used to justify the acquisition. Akawini owns a single mine and concentrate plant approximately 50 kilometers from the coast. It ships the concentrate using trucks to a nearby port for export. The company earns revenue of $774 million a year from the sale of concentrate and employs a total of 1,500 people at the mine site and port.

THE ACQUISITION AND DUE DILIGENCE

United Minerals has developed and implemented a framework for managing risk based on ISO 31000 (ISO 2009). In particular, this has enabled it to integrate the risk management process properly into its approach to major project and investment decisions, and into the way it develops, plans, and executes projects.

During due diligence prior to the acquisition, the risk management team for United Minerals reviewed the current approach to risk management at Akawini and, from a cursory examination of documents, was able to determine that the approach was very limited and was unlikely to yield much real value. The team found, for example, that:

• A process for formal risk assessment was applied only to what were described as “business risks.” This occurred only once a year as part of a risk review that updated the current risk register so that it could be reported to an Audit Committee.

• There was a different process applied for safety risks that actually did not consider risks as such but generated a risk rating using a matrix system only for hazards.

• No systematic process for assessing and treating risks was used in support of major decisions. In particular, project management did not include any form of explicit risk management process.

• The Akawini risk manager mostly dealt with insurance matters and asked the company’s external audit provider to offer a facilitator for the annual risk review.

• The annual internal audit plan did not seem to be based on the outcomes of the risk assessment and did not focus on assuring many of the critical controls.

• The risk criteria systems used for both “business risks” and “safety risks” covered only detrimental consequences and seemed to be based on five levels of consequences and consequence types that were not associated in any meaningful way with the company’s objectives.

• Both systems used the term probability to estimate likelihood and did not consider the frequency or return period for consequences.

• In both systems, risks were analyzed incorrectly by combining the likelihood of an event with what was described as “the plausible worst-case consequences.” This produced many “extreme” risks, which were then being discounted by managers as implausible.

• Once risk registers were created on spreadsheets, they were kept on separate personal computers and were rarely considered until the next yearly review. Any risk treatment actions decided on were not followed up or closed out.

• Critical controls were not identified and were not assigned to individuals for ongoing monitoring and periodic review.

• There was no coherent process that defined and captured learnings from successes and failures.
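Two of the analysis defects in the list above (likelihood recorded as a bare “probability” with no exposure period, and the likelihood of any event at all combined with the single worst plausible consequence) can be shown in numbers. The Python below is a worked example added here; it is not part of the chapter, of Akawini’s registers, or of the United Minerals framework. The five-level consequence and likelihood bands, the rating labels, the event rate, and the truck-rollover loss figures are all assumptions chosen for illustration.

```python
"""Added worked example (not from the chapter): how two of the analysis
defects found at Akawini change a risk rating.

 1. A 'probability' with no exposure period: an event rate or return period is
    converted to P(at least one event) over an explicit number of years.
 2. Likelihood of *any* event combined with the worst plausible consequence,
    versus rating each consequence with its own frequency and computing the
    expected annual loss over the whole consequence distribution.

All numeric criteria and the scenario below are assumptions for illustration.
"""
from __future__ import annotations

import math
from dataclasses import dataclass


def return_period_to_annual_rate(return_period_years: float) -> float:
    """A '1-in-50-year' event has a mean rate of 1/50 per year."""
    return 1.0 / return_period_years


def probability_over_period(annual_rate: float, years: float) -> float:
    """P(at least one event in `years`) for a Poisson process with the given
    mean annual rate. Without the exposure period the number is meaningless."""
    return 1.0 - math.exp(-annual_rate * years)


@dataclass(frozen=True)
class Outcome:
    description: str
    loss: float              # consequence, in dollars
    conditional_prob: float  # P(this outcome | an event occurs)


def _check(outcomes: list[Outcome]) -> None:
    total = sum(o.conditional_prob for o in outcomes)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"conditional probabilities sum to {total}, not 1")


# Assumed five-level criteria (the chapter says five levels were used but does
# not give them). Consequence bands in dollars; likelihood bands are annual
# probabilities. Level = 1 + number of band thresholds reached.
CONSEQUENCE_BANDS = [100_000, 1_000_000, 10_000_000, 100_000_000]
LIKELIHOOD_BANDS = [0.01, 0.1, 0.5, 0.9]


def consequence_level(loss: float) -> int:
    return 1 + sum(loss >= b for b in CONSEQUENCE_BANDS)


def likelihood_level(annual_probability: float) -> int:
    return 1 + sum(annual_probability >= b for b in LIKELIHOOD_BANDS)


def rating_label(score: int) -> str:
    """Assumed matrix bands for the product likelihood x consequence (1..25)."""
    if score >= 15:
        return "extreme"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def akawini_style_rating(annual_rate: float, outcomes: list[Outcome]) -> tuple[int, str]:
    """The defect the chapter describes: likelihood of any event at all,
    multiplied by the consequence level of the worst plausible outcome."""
    _check(outcomes)
    lik = likelihood_level(probability_over_period(annual_rate, 1.0))
    con = consequence_level(max(o.loss for o in outcomes))
    score = lik * con
    return score, rating_label(score)


def per_outcome_ratings(annual_rate: float, outcomes: list[Outcome]) -> list[tuple[str, int, str]]:
    """Each consequence rated with the frequency of *that* consequence."""
    _check(outcomes)
    rows = []
    for o in outcomes:
        p = probability_over_period(annual_rate * o.conditional_prob, 1.0)
        score = likelihood_level(p) * consequence_level(o.loss)
        rows.append((o.description, score, rating_label(score)))
    return rows


def headline_rating(annual_rate: float, outcomes: list[Outcome]) -> tuple[int, str]:
    """The highest per-outcome rating is what goes on the register."""
    score = max(s for _, s, _ in per_outcome_ratings(annual_rate, outcomes))
    return score, rating_label(score)


def expected_annual_loss(annual_rate: float, outcomes: list[Outcome]) -> float:
    """Rate x mean loss per event, weighting every plausible consequence."""
    _check(outcomes)
    return annual_rate * sum(o.loss * o.conditional_prob for o in outcomes)


# Constructed scenario: concentrate-truck rollovers on the haul road to port.
TRUCK_ROLLOVER_RATE = 2.0  # assumed mean events per year
TRUCK_ROLLOVER_OUTCOMES = [
    Outcome("vehicle damage, no injury", 50_000, 0.85),
    Outcome("serious injury, vehicle lost", 2_000_000, 0.14),
    Outcome("fatality and multi-month shutdown", 60_000_000, 0.01),
]

if __name__ == "__main__":
    p10 = probability_over_period(return_period_to_annual_rate(50), 10)
    print("1-in-50-year event over a 10-year exposure: P =", round(p10, 3))
    print("Akawini-style rating:", akawini_style_rating(TRUCK_ROLLOVER_RATE, TRUCK_ROLLOVER_OUTCOMES))
    for row in per_outcome_ratings(TRUCK_ROLLOVER_RATE, TRUCK_ROLLOVER_OUTCOMES):
        print("  ", row)
    print("Headline rating:", headline_rating(TRUCK_ROLLOVER_RATE, TRUCK_ROLLOVER_OUTCOMES))
    print("Expected annual loss: $%.0f" % expected_annual_loss(TRUCK_ROLLOVER_RATE, TRUCK_ROLLOVER_OUTCOMES))
```

Under the Akawini-style calculation the constructed scenario rates “extreme”, which is exactly the kind of result the chapter says managers then discounted as implausible. Rating each consequence with the frequency of that consequence gives “high”, and the expected annual loss is of the order of the serious-injury outcome rather than the catastrophic one. The return-period conversion also forces the exposure period to be stated, which a bare “probability” column never does.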

The risk management team signaled its concerns to the acquisition team, together with the need to improve Akawini Copper’s approach to risk management to bring it into line with ISO 31000:2009. Adoption of the United Minerals framework was then placed on the transformation plan and given a high priority.

THE TRANSFORMATION PROCESS

Once the acquisition had been completed, the risk management team followed the stepwise process in Exhibit 29.1 to transform the approach to risk management at Akawini.

The starting point was a structured analysis of Akawini’s current approach to managing risks, to identify where changes had to be made and then to assign a priority to particular tasks. This was conducted in two parts:

1. A full desk-based review of Akawini’s risk management documentation

2. A complementary set of interviews with Akawini management

The second activity was particularly important because it was the experience of the United Minerals risk management team that it was vital to observe and review how risk management takes place in practice. This was particularly true if there might be any discontinuity of practice across Akawini or inconsistent processes and systems. It was also important to test Akawini management’s perceptions of the current approach to risk management, to see whether it was currently viewed as effective and whether managers perceived it as likely to satisfy their future needs.

Exhibit 29.1 Risk Management Transformation Process Steps (diagram not reproduced; the labels that survive are: Transformation of Akawini RM Approach; Gap Analysis and Evaluation, comprising Document review and Analysis and evaluation; Elicitation, Verification, and Feedback)

The risk management team conducted a series of structured interviews with senior management from Akawini so that the team could draw objective conclusions on:

• The suitability of the current approach to manage risk associated with an organization of the size and complexity of Akawini, its risk profile,1 and its risk attitude2

• The drivers of that attitude, based on what were recognized as the key success factors and growth objectives for the organization

• The perceived usefulness of the current risk management process and its degree of integration into key decision-making processes

• The strengths and limitations of the other risk-type-specific approaches to risk management that coexisted in the company3—specifically, whether the tools and methods currently being used were capable of providing Akawini with a current, correct, and comprehensive understanding of its risks and informing it whether the risks were within its risk criteria4

• The level of understanding of senior management about aspects of the risk management culture

• An outline of the perceived risk profile of Akawini and whether this varied from that reported to the board in the past

Questions asked included:

• What is your definition of risk? How, in your view, do risk and its management relate to the company’s objectives?

• What is the purpose of risk assessment? How often should risk assessment take place? What triggers it in your area?

• As a practical matter, how do you gain assurance that the critical controls that your part of the company relies on are in place, are effective, and work when required?

The risk management team members consolidated their findings and compared them with the elements of the existing United Minerals risk management framework and the requirements of ISO 31000. They particularly mapped what they found by comparing it with the principles for effective risk management in Clause 3 and the attributes in Annex A of the Standard.

GAINING SENIOR MANAGEMENT OWNERSHIP FOR TRANSFORMATION

For effective management, it was regarded as critical that senior management at Akawini appreciated and could comment on and contribute to the findings and conclusions of the review, so that this would lead to ownership of the transformation plan. The risk management team therefore presented its findings and recommendations at a meeting with senior managers that covered:

• Fundamentals of risk and best practice risk management

• Overall findings and assessment of the benchmarking review

• Suggested improvements and enhancement strategies

• Draft enhancement plan

The risk management team elicited feedback and acceptance of the conditions it found and prompted a discussion on the desired situation. In this way the team helped managers identify what needed to change. The diagram of the desired framework architecture given in Exhibit 29.2 was used to demonstrate the strengths and weaknesses in the current approach.

Exhibit 29.2 Desired Framework Architecture (diagram not reproduced). Each framework element is marked with a check if it is present and effective, or with an empty box if it is not present or is ineffective. The elements shown are: Intent (policy statement; standards; guidelines/procedures; risk management plans; assurance plans); Capability (training strategy; communications strategy; information system; measuring and reporting; RM network); Accountability (board; audit committee; executive RM steering committee; RM lead; RM champions; risk and control owners); Continual Improvement (performance measures; maturity evaluation; assurance processes; formal review; revision). The risk management process runs at both strategic and tactical levels through the steps Establish the context, Identify the risks, Analyze the risks, Evaluate the risks, and Treat the risks, with Communicate and consult and Monitor and review running alongside every step.

To demonstrate the desired outcomes, the risk management team explained that the primary purpose of risk management in United Minerals was to act in a dynamic fashion to support decisions and that the company framework had been designed to ensure that:

• Assumptions and preconceptions were properly challenged before decisions could be made.

• Appropriate actions were then taken to reduce the uncertainty that objectives would be achieved.

• Early warnings were provided if key controls were not in place or were not fully effective, so that preemptive action could be taken.

• The organization learned in a systematic way from its successes and failures, at a fundamental level so that learnings would lead to lasting changes.

To help the organization as a whole improve its ability to manage risk, the company had adopted 10 performance requirements that it called its “standards.” These were, in outline:

1. The risk management process will be integrated into all key decision-making processes.

2. The risk management process will be integrated into strategic, business, and project planning processes.

3. Key controls will be identified and allocated to owners for monitoring.

4. After every major decision, event, or change, or at the conclusion of all plans, the organization will learn lessons from successes and failures using root cause analysis.

5. The same, consistent methodology will be used for analyzing risks and for evaluating control effectiveness.

6. The significance of risks will be evaluated using one set of risk criteria.

7. Viable options for treating risks will always be considered, and those options will be implemented where there is a net benefit to the business.

8. Accountability for managing risk will be allocated in a manner that is fully consistent with the management of the business and with the delegations of authority system.

9. Only one database system will be used to hold and manage all forms of risk management information.

10. Sites will plan how they will implement these standards and will report on the progress with this implementation and the effectiveness of risk management as part of the company’s governance processes.

THE TRANSFORMATION PLAN

The Akawini management team was then encouraged to discuss and compare options and to suggest major actions for the enhancement plan. The actions were allocated to members of the management team, and completion dates were agreed. These agreements were recorded and became the risk management plan that described the transformation process for managing risk at the sites. The management team was also asked to commit to a review and reporting process for the transformation plan.

QUESTIONS

1. If you were conducting interviews of the Akawini management team so that you could draw objective conclusions for the review described in the chapter, what questions would you ask?

2. What would you expect to see in the first year risk management transformation plan? What would be the typical tasks?

3. You have been asked to advise the Akawini management team on how they should promote and monitor the transformation of risk management in their business. What performance measures would you recommend they use so that they can monitor progress and performance?

NOTES

1. A risk profile is a description of a set of risks. In this case, it is that which represents the major risks the company faces.

2. The term risk attitude (defined as the organization’s approach to assess and eventually pursue, retain, take, or turn away from risk) is used in ISO 31000 rather than the term risk appetite for two reasons: it is a wider term (risk appetite is defined in ISO Guide 73 as the amount and type of risk that an organization is willing to pursue or retain), and it also translates better into some other languages, a necessary consideration in the drafting of ISO 31000.

3. These are the outcome tests for effective risk management given in Annex A of ISO 31000.

4. Risk criteria provide both the means to determine and express the magnitude of risk, and to judge its significance against predetermined levels of concern. They comprise internal procedural rules selected by the organization for analyzing and then evaluating the significance of risk, and are also used when selecting between potential risk treatments.

REFERENCE

ISO. 2009. International Standard ISO 31000:2009, “Risk Management—Principles and Guidelines.” Geneva, Switzerland: International Organization for Standardization.

ABOUT THE CONTRIBUTOR

Grant Purdy is Associate Director, Broadleaf Capital International. He has specialized in the practical application of risk management for more than 38 years, working across a wide range of industries and in more than 25 countries. He works with many types of organizations, helping them develop and enhance ways to manage risk in support of the decisions they make. This involves mentoring, training, and giving advice, predominantly to senior managers and boards. Grant is an accomplished trainer and speaker and has had more than 100 papers, books, and articles published. He has been a member of the Standards Australia and Standards New Zealand Joint Technical Committee on Risk Management for more than 12 years and was its chair for seven. He is coauthor of the 2004 version of AS/NZS 4360 and also of AS/NZS 5050, a standard for managing disruption-related risk, and has also written many other risk management handbooks and guides. He was the nominated expert for Australia on the working group that prepared ISO 31000 and Guide 73 and subsequently head of delegation for Australia on ISO PC 262, Risk Management.


CHAPTER 30

Alleged Corruption at Chessfield: Corporate Governance and the Risk Oversight Role of the Board of Directors

RICHARD LEBLANC
Associate Professor of Law, Governance, and Ethics at York University

The police and the regulator contacted the author early in the author’s governance review process. When the author attended his first meeting with the chairman of the board of directors for Chessfield Inc. and the regulator, the regulator mentioned the word corruption explicitly. Now the New York Police Department was also investigating the conduct of some of Chessfield’s directors, by interviewing them and collecting evidence. The author’s role was to conduct a thorough governance review, with a specific focus on risk management, and report his findings and recommendations to the regulator and board of directors. Chessfield is a fictional company; however, this case is based in part on actual situations that have been modified and disguised.

CHESSFIELD INC. AND ITS BOARD OF DIRECTORS

Chessfield is a well-known American company in the sports and entertainment industry. It is headquartered in New York, and is led and governed by an outspoken and successful CEO and a blue-chip board of directors. Several directors are household names and have been on the board for many years, knowing each other in social and professional circles. One director had been on the board for 28 years, the second-longest-serving director had been on the board for 24 years, and so on. The shortest-serving director’s tenure was seven years. It was an all-male board, known fondly among a few directors as “the good ol’ boys.”

Governance and decision making were informal, and almost always by consensus. Viewed from the outside, it would be difficult to discern that Chessfield had any governance shortcomings whatsoever. It had a majority of directors who were current or former CEOs, a separate chair, and other independent directors from prestigious New York professional services firms. It had three committees that were all composed of independent directors. The board had 10 members. Chessfield appeared to comply at least in letter with all applicable governance regulations in place at the time.

WHISTLE-BLOWER COMPLAINT

A credible and anonymous whistle-blowing complaint had recently reached the regulator, from a possible former director or officer.

Chessfield was not a publicly traded company, but was in an industry that was highly regulated, given the potential for misuse of information and cash receipts, as well as the potential for harm (of patrons) and for organized crime.

The regulator had concerns about the compensation awarded to the CEO being approximately four times that of comparable industry peers, and potentially creating an incentive for undue risk taking; the apparent lack of internal controls over material risks, including operational risks; and possible impropriety by certain directors in using their positions for self-gain.

MESSAGE FROM THE CEO REQUESTING TO MEET THE AUTHOR

Chessfield’s CEO e-mailed the author when the author was in Dallas, Texas, at a conference, asking for a meeting within 24 hours if possible. At that meeting in New York, with the CEO and Chessfield’s legal counsel, the author was told that the company had just been put under regulatory investigation.

The author was asked whether he could assist by reviewing Chessfield’s overall governance, and, in particular, risk management and compliance practices. The board chair had recommended the author to the regulator because the author had assessed a previous board on which the chair served at the time, and the author was independent.

The author agreed to conduct the governance review of Chessfield for a mutually agreed fee under two conditions. He made it clear to the board chair, CEO, and general counsel that:

1. He would be entitled to any document or access to any personnel he requested.

2. He must have a direct reporting line to the regulator, including separate meetings without the presence of any director or officer.

All parties agreed, including the regulator. The author was to have separate meetings with both the regulator and the New York Police Department official conducting the investigation.

GOVERNANCE DOCUMENTS, INTERVIEWS, AND ON-SITE OBSERVATION REQUESTED BY THE AUTHOR

As a starting point, the author asked for the following: any and all governance documents, including recent board minutes and meeting materials, bylaws, relevant correspondence, board and committee charters, risk registers, compensation plans, and financial statements (in no particular order).

The author, as part of his methodology and data collection, would also interview each director, each member of senior management, the internal audit function, and possibly other assurance staff. The author would also tour Chessfield’s facilities and have access to the cash room1 so he could see operations firsthand. All requests were acceded to, and the author began his work. This work took about 30 days on a part-time basis, and a report was generated to the board and endorsed by the regulator.

Document Review

It soon became apparent that governance documentation at Chessfield was minimal. The board did not have guidelines; committees did not have charters; position descriptions for board leadership roles, directors, and the CEO did not exist; and meeting agendas and minutes were very sparse, with the average meeting agenda being one page with key headings only. There was no documented, board-approved strategic plan or risk appetite framework. Indeed, many material risks were not reported to the board at all.

Documentation for key board decisions, including evidence of review, reporting, assurance, due diligence, and deliberation, appeared to be either lacking meaningful content or nonexistent.

Interview Data

Many noncompensation committee directors neither knew nor approved what or how the CEO and the former CEO (who was also on the board as the longest-serving director) were paid. The nonexecutive board chair had a consulting stream paid to him by Chessfield, which certain other directors did not know about. The internal auditor was junior, inexperienced, and unqualified; had operational and revenue generation responsibilities; and had little exposure to, or oversight by, the audit committee. Audit committee members did not possess adequate financial literacy or relevant qualifications. The compensation committee chair rarely attended meetings in person for health reasons, and did not possess compensation expertise. His tenure as committee chair exceeded 11 years. He was a former service provider (now retired) of a large New York law firm.

CEO COMPENSATION ISSUE

There was little correspondence evidencing the basis on which total compensation was awarded to the CEO. There was a password-protected spreadsheet, which the CEO’s assistant provided to the author. When the author interviewed the chair of the compensation committee about the lack of either supporting documentation or independent assurance by a compensation consultant, the compensation committee chair told the author that the compensation committee was composed of experienced businessmen who were of the view that the CEO’s compensation was appropriate given the CEO’s performance.


The author was not provided with any CEO goals and objectives, key performance indicators, or trigger and target requirements for short-term or long-term incentives to be awarded or to vest. The foregoing items were asked for but, to the author’s knowledge, did not exist. The compensation committee chair had friendships and social relationships with a number of directors, including the CEO. The basis for the quantum of compensation awarded to the CEO (1) relative to peers or (2) relative to company performance was not explicit.

The board chair and compensation committee chair said to the author that the regulator did not have the business judgment to opine on the quantum of CEO compensation. The author responded by saying that (1) the quantum of total compensation was very high compared to industry peers of a similar size and complexity, but, more importantly and particularly given this fact, (2) there should be a visible, diligent process to employ such business judgment of directors and to explicitly link pay to performance, which appeared to be what was lacking in any event.

RISK MANAGEMENT

There were very few explicit risk management protocols or systems to identify and mitigate material risks, including operational risk in particular. In the cash room, the controls were all manual (i.e., paper-based, which appeared to leave greater scope for management override and weaker controls), as information technology was not used. Risk identification and assessment were not documented explicitly. There was no risk function reporting directly to the board or to a committee. Indeed, there was no risk function.

There was little evidence that internal controls over operational and compliance risks were designed and/or effective, regularly tested by the internal audit function, and reported to the board or a committee. A number of directors appeared strikingly unaware of their obligation to oversee risk management.

SELF-DEALING ISSUE

There was no conflict of interest policy that applied to directors. Board guidelines did not exist to address confidentiality, the use of corporate opportunity, the treatment of inside information, related-party transactions, or identifying and adequately addressing perceived conflicts of interest. The author was unable to establish whether self-dealing had occurred, but in any event robust policies and controls did not exist to deter, detect, monitor, or enforce anticorruption measures.

Board Composition

As mentioned previously, several directors were long-serving. Independent directors were selected originally (and to the author’s observation, still) on the basis of personal knowledge and prior working relationships. All directors, however, were believed to comply with formal independence standards in place. There was little if any documentation of such independence, of the expertise directors possessed, or of collective expertise that the board needed.


Preparation of the Author’s Report and Communication with the Regulator

Given the foregoing, the author prepared 43 recommendations for the review of the regulator and the board of directors.

The regulator endorsed the 43 recommendations that the author provided, with minor modifications and with two additional recommendations to establish a compliance committee of the board and to have a board-approved strategic plan, which the regulator suggested and which the author incorporated into his report. There were 45 recommendations in the author’s final report, which he was now to present to the board of directors of Chessfield. The report was 14 pages long.

CHESSFIELD BOARD MEETING TO DISCUSS THE AUTHOR’S RECOMMENDATIONS

The author was invited to present his report and 45 recommendations to the full board of directors of Chessfield Inc. in New York City at 10 A.M. on a Friday morning in December. This was a special board meeting, and the author’s report was the only item on the agenda.

The author had 15 minutes to present a summary of his recommendations. (Note: The board had a full week prior to the board meeting to read the author’s report.) There was to be a 45-minute period of dialogue and questions and answers, after which the author would leave the room and the board would discuss the report in closed session.

The author was told by the general counsel that the regulator had requested to the chair of the board that the board approve a resolution adopting the author’s report in whole, supported by a commitment to implement the recommendations within the time frame prescribed in the report. The chairman of the board was to telephone the regulator shortly after the meeting to report whether this requested approval had occurred. (The regulator had told the chair early in the process that Chessfield was close to having its license to operate revoked because of the governance and risk shortcomings.)

When the author was invited into the boardroom, he saw that it was very formal. There were portraits of past directors on the walls, large mahogany chairs, and dark wood. The author did not observe any use of technology, such as laptops or tablet computers, which is typical in most boardrooms now.

At the board meeting, the author presented 45 recommendations based on his review and discussions with the regulator. A time frame for each recommendation was set out (up to eight months, eight to 12 months, and 12 to 18 months) within the report, along with independent validation and reporting back to the regulator, to ensure execution of the recommendations.

TWO CONTENTIOUS RECOMMENDATIONS

Directors accepted all of the recommendations initially except for two, which were: (1) that the three longest-serving directors (28, 24, and 23 years, respectively) resign, and (2) that a woman be selected for directorship and serve on the compensation committee in particular.


552 Implementing Enterprise Risk Management

As far as the resignation of the three longest-serving directors was concerned, one director (28-year tenure) had, during the data collection phase and prior to the final report, invited the author to his estate in Boston to tell the author how important the board was to him, and that he should be allowed to continue to serve so long as he was able. The author indicated politely that regulators are moving toward term limits of nine or 10 years to guard against entrenchment and the erosion of independence over time. The author said that one of his recommendations was not only that this director and two others should resign, but also that term limits be set at 15 years for all incumbent directors and nine years for all new directors.

Recommending a Woman to Serve on the Board

The second issue was more contentious and surfaced at the board meeting itself. It was the author’s recommendation that a woman be added to the board.

One director remarked, “Dr. Leblanc, you want us to put a lady on the board?” (Emphasis in original remark.) Another director remarked, “Perhaps we can have a lady in a wheelchair who is a lesbian.” Many of the directors laughed at this comment.

The author indicated that evidence existed that CEO turnover is more sensitive to stock return performance in firms with a greater proportion of women directors; that women are more likely to join committees that perform monitoring tasks; and that male directors have fewer attendance problems the greater the number of women on the board.2 The author also indicated that the regulator had agreed to all of his recommendations, including this one, and that the board needed skills in compensation and information technology literacy, given prior concerns and the transformation of the industry.

CONCLUSION

This case concluded one month after the author's presentation to the board, when the regulator asked the author to black-line, with suggested improvements, forthcoming regulations to apply to all companies under the regulator's purview, adopting many of the recommendations the author had provided for Chessfield.

QUESTIONS

1. What is your assessment of the situation at Chessfield?

2. What recommendations would you provide to the regulator?

3. What is your opinion of the governance regulation of Chessfield? In what ways should governance regulation improve, given the above?

4. What are the learnings and broader implications of this case?

NOTES

1. Part of this company's business operation involved receiving cash directly from consumers, which was assembled, tallied, and reconciled in what is known in the industry as the "cash room."

2. R. B. Adams and D. Ferreira, "Women in the Boardroom and Their Impact on Governance and Performance," Journal of Financial Economics 94 (2009): 291–309.


ALLEGED CORRUPTION AT CHESSFIELD 553

REFERENCES

Adams, R. B., and D. Ferreira. 2009. "Women in the Boardroom and Their Impact on Governance and Performance." Journal of Financial Economics 94, 291–309.

Basel Committee on Banking Supervision. 2010. "Principles for Enhancing Corporate Governance." Bank for International Settlements Communications, October.

Canadian Securities Administrators. 2008. "Request for Comment: Proposed Repeal and Replacement of NP 58-201 Corporate Governance Guidelines, NI 58-101 Disclosure of Corporate Governance Practices, and NI 52-110 Audit Committees and Companion Policy 52-110CP Audit Committees, 31 OSCB 12158."

Canadian Securities Administrators. 2010. "Staff Notice 58-306 2010 Corporate Governance Disclosure Compliance Review," December.

Caplan, G. R., and A. A. Markus. 2009. "Independent Boards, but Ineffective Directors." Corporate Board, March/April, 1–4.

Carter, D. A., F. D'Souza, B. J. Simkins, and W. G. Simpson. 2010. "The Diversity of Corporate Board Committees and Financial Performance." Corporate Governance: An International Review 18:5 (September), 396–414.

Carter, D. A., B. J. Simkins, and W. G. Simpson. 2003. "Corporate Governance, Board Diversity, and Firm Value." Financial Review 38, 33–53.

Elson, C. F., and C. K. Ferrere. 2012. "Executive Superstars, Peer Groups and Over-Compensation—Cause, Effect and Solution," August 7. Available at http://irrcinstitute.org/pdf/Executive-Superstars-Peer-Benchmarking-Study.pdf.

Financial Reporting Council. 2011. "Guidance on Board Effectiveness." Financial Reporting Council Limited, March.

Financial Reporting Council. 2012. "The UK Corporate Governance Code," September. Available online at www.frc.org.uk/Our-Work/Publications/Corporate-Governance/UK-Corporate-Governance-Code-September-2012.pdf.

Fraser, J., and B. J. Simkins, eds. 2010. Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives. Hoboken, NJ: John Wiley & Sons.

Group of 30. 2012. "Toward Effective Governance of Financial Institutions." Washington, DC, 1–96.

House Committee on Financial Services. 2010. "Dodd-Frank Wall Street Reform and Consumer Protection Act." H.R. 4173, June 25.

Institute of Chartered Secretaries and Administrators. 2009. "Boardroom Behaviours—A Report Prepared for Sir David Walker by the Institute of Chartered Secretaries and Administrators." Report, June.

Institute of Corporate Directors. 2006. "ICD Key Competencies for Director Effectiveness." Competency list issued, Toronto.

Leblanc, Richard. 2011. "A Fact-Based Approach to Boardroom Diversity." Director Journal, Institute of Corporate Directors 154, March: 6–8.

Leblanc, Richard. 2012. "Discussion Notes for: OSC Dialogue." Toronto, October 30.

Leblanc, Richard. 2013. "Forty Proposals to Strengthen the Public Company Board of Directors' Role in Value Creation, Management Accountability to the Board, and Board Accountability to Shareholders." International Journal of Disclosure and Governance 10:4, 1–16.

Leblanc, Richard. 2013. "Review of the Regulatory Guideline for [a Regulator], Black-Lined Report," March 19.

Leblanc, Richard. 2013. "Review of the Regulatory Standard for [a Regulator], Black-Lined Report," March 6.

Leblanc, Richard, et al. 2012. "General Commentary on European Union Corporate Governance Proposals." International Journal of Disclosure and Governance 9:1, 1–35.

Leblanc, Richard, and James Gillies. 2005. Inside the Boardroom: How Boards Really Work and the Coming Revolution in Corporate Governance. Toronto: John Wiley & Sons.

Leblanc, Richard, and Katharina Pick. 2011. "Separation of Chair and CEO Roles: Importance of Industry Knowledge, Leadership Skills & Attention to Board Process." Director Notes: Conference Board. New York, August.

Lorsch, Jay, ed. 2012. The Future of Corporate Boards. Boston: Harvard Business Review Press.

Monks, R. A. G., and N. Minow. 2011. Corporate Governance. 5th ed. Chichester, UK: John Wiley & Sons.

National Association of Corporate Directors. 2010. "Template for Disclosure of Director Skills and Attributes," August.

National Commission on the Causes of the Financial and Economic Crisis in the United States. 2011. "The Financial Crisis Inquiry Report." U.S. Government Printing Office. Washington, DC, January.

Neill, D., and V. Dulewicz. 2010. "Inside the 'Black Box': The Performance of Boards of Directors of Unlisted Companies." Corporate Governance: An International Review 10:3, 293–306.

Trautman, Lawrence J. 2012. "The Matrix: The Board's Responsibility for Director Selection and Recruitment." Florida State University Business Review 11, 1–66. Available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1998489.

U.S. Senate Permanent Subcommittee on Investigations. 2011. "Wall Street and the Financial Crisis: Anatomy of a Financial Collapse." U.S. Government Printing Office. Washington, DC, April 13.

Useem, M. 2006. "How Well-Run Boards Make Decisions." Harvard Business Review 84:11, 130–138.

ABOUT THE CONTRIBUTOR

Richard Leblanc is a governance lawyer, certified management consultant, and Associate Professor of Law, Governance & Ethics at York University. He holds a PhD focusing on board of director effectiveness. He has published in leading academic and practitioner journals, has advised regulators on corporate governance guidelines, and, as part of his external professional activities, has served as an external board evaluator and governance adviser for Australian Securities Exchange (ASX), London Stock Exchange (LSE), New York Stock Exchange (NYSE), NASDAQ, New Zealand Stock Exchange (NZX), and Toronto Stock Exchange (TSX) listed companies, as well as in an expert witness capacity in litigation concerning corporate governance reforms.


CHAPTER 31

Operational Risk Management Case Study Bon Boulangerie

DIANA DEL BEL BELLUZ President, Risk Wise Inc.

Bon Boulangerie is a bakery business located in Oakville, Ontario. When the owner, Ray Pane, purchased the business three years ago, it consisted of a single site with baking facilities and a retail store and café. Based on market research with the bakery's retail and café clientele, Ray began to change and expand the product offerings to increase the volume of sales and margins. He also began a new line of business, wholesaling to local restaurants and high-end grocery stores within a 20-kilometer radius of the bakery.

Based on the success over the past three years (see Exhibit 31.1), Ray has made a strategic decision to expand his wholesale business, with the goal of tripling profits over the next three years (see Exhibit 31.2). He expects to accomplish this by: (1) covering a larger territory (i.e., expanding to a 120 km radius) for wholesaling to local restaurants and independent grocery stores across the entire Greater Toronto Area, and (2) introducing a new business line, white label products that he can supply to major supermarket chains.

To realize this strategy, Ray has leased and outfitted a separate baking facility to be primarily dedicated to supplying the wholesale business. Ray also hired a full-time vice president of sales and marketing (see Exhibit 31.3 for a summary of the Bon Boulangerie management team) to take over from him on the wholesale side. Finally, he purchased a second previously owned delivery truck and hired a full-time distribution manager.

Growth in the first three years is attributable to enhancement of product offerings and a continual drive to find efficiencies in operations. In year 4, the new baking facility will open. It is expected that it will take several years to add new wholesale customers and wholesale products. Therefore, there will be unutilized capacity in the new facility. It is anticipated that expanding the wholesale business will, at least initially, require an increased level of product development, marketing, sales, and distribution.


Exhibit 31.1 Financials for Past Three Years (Actuals)

(all figures in $000's)                         Year 3    Year 2    Year 1
Income
  Café                                             300       273       246
  Retail Bakery                                    718       624       562
  Wholesale—Restaurants                            410       234         0
  Wholesale—Other Retailers                        359       312         0
  Total Revenue                                  1,786     1,443       807
Operating Expenses
  Cost of Inventories Sold                       1,349     1,090       610
  Marketing, General, and Administrative           361       291       163
  Total Expenses                                 1,710     1,381       773
Net Income                                          76        62        35

Exhibit 31.2 Projections for Next Three Years (Projections)

(all figures in $000's)                         Year 6    Year 5    Year 4
Income
  Café                                             348       331       315
  Retail Bakery                                    831       791       753
  Wholesale—Restaurants                            960       768       614
  Wholesale—Other Retailers                      4,306     2,153     1,076
  Total Revenue                                  6,444     4,043     2,759
Operating Expenses
  Cost of Inventories Sold                       4,926     3,105     2,175
  Marketing, General, and Administrative         1,301       816       557
  Total Expenses                                 6,227     3,921     2,732
Net Income                                         217       121        27

Exhibit 31.3 The Bon Boulangerie Team

• Ray Pane, President and CEO. After a successful legal career, Ray decided to pursue his dream of being an entrepreneur. He has a passion for fine food and is committed to providing his customers with high-quality, wholesome, and artisanal products.

• Janice Sweet, Manager, Accounting. Janice is a Chartered Professional Accountant who came to Bon Boulangerie with five years' experience in several finance roles at a furniture retailer. She joined Bon Boulangerie halfway through its third year of business. She is the company's first in-house accountant. Prior to her joining, the accounting was done by an external bookkeeper on a contract basis. Janice has begun to introduce more systematic accounting processes. She is also working with Ray to develop more forward-looking reporting, including projections and forecasts of revenues and costs.

• Joe Silkwood, Vice President, Sales and Marketing. Joe was hired near the end of year 3 when Ray decided to expand the wholesale business. Joe is a classic salesman; he's outgoing and optimistic. He has nearly 10 years' experience in the grocery business.

• Rick Kneader, Manager, Baking Operations. Ray hired Rick as the head baker for the retail bakery at the beginning of year 1. Rick is a true artisan who successfully developed the new products that have been responsible for the increases in sales in the café and retail bakery in its first three years of business. He also runs a tight ship and has managed costs well, despite shifting to products with higher-cost ingredients. With the opening of the new commercial baking facility in year 4, Rick has received a promotion to Manager of Baking Operations for both the retail and the commercial facilities. He will now spend less time working with his hands and more time overseeing junior bakers while managing the expenses at the commercial baking facility.

• Mohammed Sharif, Manager, Distribution. Mohammed has been hired by Ray to manage distribution to the expanding roster of wholesale customers, both restaurants and other retailers. He has worked in the trucking field for 15 years. He will expand and supervise the existing team of drivers who were hired in year 2 to distribute product to wholesale customers. Ray has also made it clear that he expects Mohammed to find efficiencies and reduce shipping costs.

• Jelena Zarinovic, Manager, Retail Operations. Jelena has been with the company since it started. In fact, she worked for the previous owners. She is the only full-time retail sales employee. She is friendly and adored by customers and the many part-time sales associates. However, she is less interested in paperwork and is finding it challenging to learn the new accounting procedures that Janice is implementing.

QUESTIONS

Answer the following questions to identify the key operational risks that Ray and his team need to address. Note that additional information on the principles and steps of operational risk management (including a worked example) is available in Chapter 16, "Operational Risk Management," of the book Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives (John Wiley & Sons, 2010).

1. How does Ray’s strategic objective translate to the operational level, that is, what is his key operational objective(s) for the wholesale business line?

2. What performance drivers, that is, the internal capabilities (e.g., people, processes, and systems), and external factors need to be present to achieve operational success?

3. What are the risk factors that drive the uncertainty around achieving operational objectives?

4. Which risk drivers are most likely to impact operational objectives?

5. How large of an impact might those key risk factors have? Hint: Use scenario analysis to explore the full range of potential outcomes.

6. Based on your analysis, what are the "significant few" factors on which Ray should focus his attention to manage the operational risks associated with the new facility?

7. What underlying assumptions underpin your analysis and conclusions?

ABOUT THE CONTRIBUTOR

Diana Del Bel Belluz is the President and Founder of Risk Wise Inc., a risk management consulting firm that provides advice and support to executive leadership teams and boards who want to achieve more effective, proactive, and strategic management and oversight of risk. Her forte is helping leaders to solve the people issues associated with bringing enterprise risk management (ERM) to life in their organizations. Diana advances the practice of ERM through her thought leadership as an educator, conference organizer, speaker, and author of ERM resources, including numerous articles, book chapters, and the Risk Management Made Simple Advisory, a quarterly publication of ERM implementation tips and resources available at www.riskwise.ca. She also wrote Chapter 16, "Operational Risk Management," of the book Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives, edited by John Fraser and Betty J. Simkins (John Wiley & Sons, 2010). She holds bachelor's and master's degrees in systems design engineering from the University of Waterloo and is a professional engineer.


PART VI

Other Case Studies


CHAPTER 32

Constructive Dialogue and ERM Lessons from the Financial Crisis

THOMAS H. STANTON Fellow, Center for Advanced Governmental Studies at Johns Hopkins University

The financial crisis caused immense harm. Millions of people lost their homes to foreclosure and many more lost employment and, as the stock market dropped, their retirement and investment savings. The financial and economic carnage caused by the crisis has led to increased emphasis on enterprise risk management (ERM), in the sense of identifying and addressing risks that can prevent accomplishment of a company's mission or objectives.

ERM played little role in risk management of financial institutions before and during the financial crisis. In a 2005 report on the state of ERM, Anette Mikes found that “enterprise risk management remains a rather elusive and under-specified concept.”1 Many large, complex financial firms, such as Citigroup and American International Group (AIG), lacked even an enterprise-wide view of risks, which is a precondition but different from ERM. Parts of those firms continued to build their exposures to subprime mortgages and other risky financial products while other parts tried to shed those risks before the crisis broke.

To understand risk management at large, complex financial firms before the crisis, one must look for critical elements of ERM, but generally not for ERM itself. This chapter focuses on one critical element, constructive dialogue, which includes (1) processes for eliciting risk-related information that flows to the top of the organization where it can be addressed in decision making, and (2) full, candid, and respectful discussions of risk/reward trade-offs. The financial crisis demonstrated how constructive dialogue was essential to promote sound decision making at a time when the expanding housing and credit bubbles had lulled many financial firms into complacency.

As a staff member of the U.S. Financial Crisis Inquiry Commission (FCIC), I had the opportunity to interview CEOs, risk officers, traders, bankers, regulators, and policy makers to try to understand the difference between financial firms that successfully navigated the crisis and those that did not. FCIC interviews took place in 2010 while people, still in shock at the destruction caused by failures of financial firms and their regulators, were generally eager to tell their sides of the story. The FCIC also had access to thousands of internal documents that helped to inform our questions and establish patterns of prudent or imprudent decision making at various firms and regulators.2

When the FCIC published its final report,3 I built on its work and wrote a book, Why Some Firms Thrive While Others Fail: Governance and Management Lessons from the Crisis (Oxford University Press, 2012). The book examines a dozen large financial firms, four that navigated the crisis successfully and eight that failed in the sense that they went out of business, were acquired on disadvantageous terms, or required government aid to stay afloat. The book asks a simple question: What were key differences in governance and management (including risk management) that distinguished the two groups of firms?

CONSTRUCTIVE DIALOGUE: THE ESSENTIAL DIFFERENCE BETWEEN FIRMS THAT NAVIGATED THE CRISIS AND THOSE THAT FAILED

One single factor distinguished the two groups: Firms that successfully navigated the crisis built a process of constructive dialogue into their decision making. When making major decisions, successful companies brought together proponents in the firm who favored a revenue-generating activity and those, such as risk officers, who worried about its possible disadvantages and downsides. The CEO or another senior manager encouraged a respectful exchange of views between these perspectives to gain a better understanding of the risk/reward trade-offs of the activity. These were the firms that successfully avoided exposure to unacceptable volumes of subprime mortgages and other risky products before the crisis or that shed or mitigated their exposures in a timely manner before taking major losses.

Successful firms had cultures that welcomed input from those concerned about risk. In the felicitous phrase of organizational development specialist Jack Rosenblum, they recognized that "feedback is a gift." By encouraging constructive dialogue between those seeking increased profits and those concerned about risks, company leaders elicited information and obtained a more robust understanding of the contours of decisions than they otherwise would have had. Perhaps my favorite example comes from an official of a successful firm who told me, "The CEO often asks my opinion on major issues," and then added, "but he asks 200 other people their opinions, too." When he made a decision, that CEO had a strong sense of the risks and rewards that it entailed.

When there was still time before the financial crisis finally broke in 2008, information flow and constructive dialogue were essential to allow a firm to avoid, shed, or hedge its exposure to toxic assets (i.e., those that looked to be safe but in fact contained major embedded risk). Classic toxic assets were AAA-rated private-label mortgage securities that appeared to give financial firms both safety and higher yield than the usual safe assets. While toxic assets were risky investments for any firm, they proved fatal for highly leveraged firms that lacked the balance sheet strength to absorb the losses.4


CONSTRUCTIVE DIALOGUE AND ERM 563

SUCCESSFUL FIRMS: JPMORGAN CHASE, GOLDMAN SACHS, WELLS FARGO, AND TD BANK

While ERM was not developed to the point that it is today, the elements of information flow and constructive dialogue were the essential distinguishing features between successful firms and those that failed. My book identifies four firms that successfully navigated the crisis: JPMorgan Chase, Goldman Sachs, Wells Fargo, and Toronto-Dominion Bank (TD Bank). Each distinguished itself in operational competence and intelligent discipline, but with different approaches. JPMorgan Chase's story is of preparing the company to be strong enough to take advantage of long-term opportunities. Goldman's is of firmwide systems and capacity to react quickly to changes in the environment. Wells Fargo is a company with a strong culture of customer focus and restraint. And TD Bank provides the simple lesson: If you don't understand it, don't invest in it.

Constructive dialogue was built into the cultures of these firms. The first important element was an emphasis on ensuring that information flowed to parts of the organization that needed it. As one JPMorgan Chase executive put it, "Jamie [Dimon] and I like to get the bad news out to where everybody can see it . . . to get the dead cat on the table."5 Goldman Sachs maintained a "culture of over-communication; multiple formal and informal forums for risk discussions coupled with a constant flow of risk reports."6 Dan Sparks, formerly head of the Goldman mortgage desk, told FCIC staff that he reported bad news to the firm's top management because "Part of my job was to be sure people I reported to knew what they needed to know."7 The Wells Fargo Vision and Values Statement emphasizes risk awareness as a part of the company's culture:

We want compliance and risk management to be part of our culture, an extension of our code of ethics. Everyone shapes the risk culture of our company. We encourage all team members to identify and bring risk forward. We should thank them for doing so, not penalize them. Ben Franklin was right: An ounce of prevention is worth a pound of cure.8

TD Bank’s CEO, Edmund Clark, wanted to hear negative news fast:

I’m constantly saying to people: “Bring forward the bad news; the good news will surface soon enough. What I want to hear about is what’s going wrong. Let’s deal with it.” . . . It’s about no surprises. Any number of problems we’ve had to deal with could have been solved if the person had only let us know early on. . . . In fact [employees] joke that I’m only happy when the world’s falling apart and that I’m a total pain when everything is going well.9

The second important part of effective constructive dialogue is that managers need to have a forum where they can conduct open and respectful but possibly intense debates about what the information actually means. This part of constructive dialogue has been a feature of well-run banks for a long time. Banks use a credit committee to deliberate about whether to make particular loans. Loan officers bring information about a proposed large loan to the committee. There, under the watchful eye of a senior manager, the loan officer presents the case to make the loan, followed by the underwriting department's presentation about risks that the loan involves. If the dialogue goes well, the result might be a synthesis between the two views. Instead of simply making a yes-or-no decision, the credit committee might decide to ask for more protection, such as an added guarantee, a shorter term, or more collateral, as a way to allow the transaction to go forward. The final result often can be a higher-quality decision than either the loan officer or the underwriter would make by themselves.

JPMorgan Chase

At JPMorgan Chase, constructive dialogue at the top management level helped protect the company from taking major losses in the financial crisis. The 15-member operating committee is a diverse group "of longtime loyalists, J.P. Morgan veterans, and outside hires." They meet monthly for intense debate about developments in the company and in the markets it serves.

The group is generally loud and unsubtle . . . , the atmosphere is variously described by the participants as "Italian family dinners" or "the Roman forum—all that's missing is the togas." Dimon will throw out a comment like "Who had that dumb idea?" and be greeted with a chorus of "That was your dumb idea, Jamie!" "At my first meeting, I was shocked," says Bill Daley, 60, the head of corporate responsibility and a former Secretary of Commerce. "People were challenging Jamie, debating him, telling him he was wrong. It was like nothing I'd seen in a Bill Clinton cabinet meeting, or anything I'd ever seen in business."10

A similar atmosphere prevailed at monthly meetings of top management of each of JPMorgan Chase’s major operating units:

To make it on Dimon’s team you must be able to withstand the boss’s withering interrogations and defend your positions just as vigorously. And you have to live with a free-form management style in which Dimon often ignores the formal chain of command and calls managers up and down the line to gather information.11

As one participant told Fortune in 2008, Dimon was tough but open to feedback. “He understands the details completely, he loves to debate and disagree, yet he’ll let you do it . . . [a]s long as you know what’s in Appendix 3 of your report as well as he does.”

In October 2006 at one of the monthly reviews, the part of JPMorgan Chase's retail operations that serviced mortgages reported a significant increase in delinquencies by subprime mortgage borrowers. Data confirmed that the trend was widespread in the subprime market and that competitors' subprime holdings were performing even worse. Other parts of the company also reported indicators that mortgage securities were increasingly troubled. Putting all of this together, Dimon issued an order to all parts of the company to shed its exposure to subprime mortgages. JPMorgan Chase took losses that were modest compared to its major competitors.



As Northwestern University Professor Russell Walker concludes:

In the case of JPMorgan, it was the retail banking division that shared data with the investment bank on the escalations in mortgage delinquencies. This sharing of data across business lines allowed Mr. Dimon and his corporate team to change strategy on the investment side. For many organizations, sharing information that challenges accepted norms or questions conventional wisdom is not welcomed. Other banks could have done the same as JPMorgan, but the practice of communicating risks and data across business lines was absent. The lesson, of course, is that an enterprise must be willing to communicate about risk, especially when things are going well and the risk has yet to be realized.12

Goldman Sachs

Goldman Sachs has built constructive dialogue into the firm's daily processes. The firm uses mark-to-market accounting to assess the value of each trader's positions. The firm maintains a parallel structure so that a controller supervises each trader's position and marks it to market each evening. This information helps manage trading positions through devices such as internal pricing to ensure that assets do not remain on the balance sheet for too long. The information from each position is rolled up through the organization to the CFO, who obtains a timely firmwide view of positions and exposures. Goldman CFO David Viniar told the FCIC that there may be disagreements between a controller and a trader, and in such cases the controller's view is likely to prevail.

The firm reported that "Dan Sparks, then head of the mortgage department, [told] senior members of the firm in an email on December 5, 2006, that the 'Subprime market [was] getting hit hard. . . . At this point we are down $20mm today.' For senior management, the emergence of a pattern of losses, even relatively modest losses, in a business of the firm will typically raise a red flag."13

The immediate result, Sparks explained to the FCIC, was that he suddenly received visits from senior Goldman officials who before had never bothered to learn the details of his operations. CFO Viniar convened a meeting to try to understand what was happening. Goldman's senior management decided, in Viniar's phrasing, "[t]o get closer to home" with respect to the mortgage market. In other words, in its combination of long and short positions, the firm would begin taking a more cautious and more neutral stance. It would reduce its holdings of mortgages and mortgage-related securities and buy expensive insurance protection against further losses, even at the cost of profits forgone on what had looked like an attractive position in mortgages.14

In January and February 2007 Goldman hedged its exposure to the mortgage market. The firm then closed down mortgage warehouse facilities, moved its mortgage inventory more quickly, and reduced its exposure yet further by taking on more hedges and laying off its mortgage positions. The end result was that Goldman avoided taking the substantial losses it would have suffered if it had not reacted so promptly to signs of problems.

In one area, Goldman was slow to recognize emerging risk: This concerned the firm’s reputation. When FCIC staff asked a Goldman risk officer who was responsible for reputational risk, the answer came back that everyone was responsible; the company had not organized to deal with reputational risk. In early 2011 the firm published a response to its problems with reputational risk, including a new committee structure for reporting potential conflicts and a code of conduct. Goldman stated that this would be integrated not only into processes of the firm, but also into its culture:

The firm’s culture has been the cornerstone of our performance for decades. . . . We must renew our commitment to our Business Principles—and above all, to client service and a constant focus on the reputational consequences of every action we take. In particular, our approach must be: not just “can we” undertake a given business activity, but “should we.”15

In 2011, Goldman separated its reporting of business segments so as to distinguish investing on behalf of clients from the firm’s proprietary trading on its own account, an area of public controversy that had been subject to some reputational risk in the aftermath of the financial crisis.

Wells Fargo

Wells Fargo protected itself in the financial crisis because of a strong company culture with several important elements: (1) a general conservatism that precluded simply following the market with new products and services, or even acquisitions, until these had been tested within the firm for consistency with the company’s culture and values; (2) an emphasis on developing relationships with customers rather than simply viewing sales of products and services as transactions; and (3) a decentralized structure that made heads of business units responsible for the risks of their activities.

These cultural attributes helped Wells Fargo to weather the crisis more successfully than many of its peers. The focus on the customer meant that it refrained from offering the most risky mortgage products. Richard Kovacevich, then chairman of the Wells Fargo board and past CEO, told the Stanford Graduate School of Business in 2009 that the bank “did not offer any no-doc option, negative-amortization loans, to subprime borrowers. These exotic subprime mortgage loans were not only economically unsound, they were not appropriate for many borrowers. We lost 4 percent market share in our mortgage business for three years between 2005 and 2007, $160 billion in originations in 2006 alone.”16

Wells Fargo supported this customer-centric approach with its core business strategy, which was to be able to cross-sell financial products to its existing customers. Again Richard Kovacevich:

Consistent, organic revenue growth through cross-selling is probably Wells Fargo’s most distinctive skill. Our average retail household has 5.9 products, and over one in four has over eight products. These are, by far, the highest cross-sell ratios in the industry and about twice the industry average.

The logic was that if customers lost money on a risky financial product, then they would not turn to Wells Fargo for the many other financial products and services they would purchase from a trusted source.

CONSTRUCTIVE DIALOGUE AND ERM 567

Wells Fargo also had a management style that sought to promote constructive dialogue. Kovacevich rejected hierarchical control as an effective means to promote performance. Instead, as CEO he had seen his job as:

to select the best people to run [individual Wells business lines] and . . . groups, let them do it, coach them so they learn even faster, and assure we have a strong internal check-and-balance audit process that verifies that they are adhering to the principles and the policies that we’ve agreed upon.

People at the top should, above all, be leaders. . . . At Wells Fargo, we believe personal leadership is the key to success. We believe the answer to every problem, issue, or opportunity in our company is already known by some person or team in the company. The leader only has to find that person, listen, and help effect the change. By the way, the people with the best answers are not always the people with the most stripes. True leaders do not demand loyalty; they create it. They use conflict among diverse points of view to enable the team to reach new insights. They exert influence by reinforcing values.

John Stumpf, Richard Kovacevich’s successor as CEO, told the FCIC, “We believe at the company that risk is best managed as close to the customer as possible with strong oversight from independent bodies within the company.”17 Part of the process of checks and balances was what Michael Loughlin, the Wells Fargo chief risk officer (CRO), called “[providing] effective challenge.” He offered the FCIC several examples of how oversight from his office helped detect risk shortcomings in major business units and led to remediation and, in some cases, changes in business unit management.18

The result of the Wells Fargo culture and processes was that the company refrained from taking major losses and came through the financial crisis with greater strength than before. Wells Fargo doubled in size and, through its acquisition of Wachovia, which had failed in the crisis, became a national company.

Toronto Dominion Bank (TD Bank)

TD Bank is the only bank in our sample that appears to have maintained a working ERM framework before the crisis. The 2007 TD Annual Report presents the Enterprise Risk Framework and “the major categories of risk to which we are exposed, and how they are interrelated.” The report defines ERM in appropriate terms:

This framework outlines appropriate risk oversight processes and the consistent communication and reporting of key risks that could hinder the achievement of our business objectives and strategies.19

Among other elements of the framework,

The corporate Risk Management function, headed by the Chief Risk Officer, is responsible for setting enterprise-level policies and practices that reflect the risk tolerance of the Bank, including clear protocols for the escalation of risk events and issues. The Risk Management Department monitors and reports on discrete business and enterprise-level risks that could have a significant impact.20


TD Bank provides a useful lesson about the need to surface anomalous facts, investigate them, and make a disciplined decision. While the FCIC did not interview people from TD Bank, the company’s annual reports and other public information tell the story. In the early 2000s, Toronto Dominion Bank had had an active international business in structured products. Then, with little explanation, CEO Edmund Clark announced in the company’s 2005 annual report, “We . . . made the difficult business decision to exit our global structured products business. . . . While the short-term economic cost to the Bank is regrettable, I am pleased that we have taken the steps we have and that we can continue to focus on growing our businesses for the future to deliver long-term shareholder value.”21 The company reported taking significant losses as it unwound its positions in 2005 and 2006.

How did CEO Clark make the decision both to avoid exposure to the U.S. subprime market and to shed the firm’s exposure to structured mortgage products and derivatives? “I’m an old-school banker,” Clark told a reporter in May 2008. “I don’t think you should do something you don’t understand, hoping there’s somebody at the bottom of the organization who does.”22

Clark said he spent several hours a week meeting with experts to understand the financial products being traded by the bank’s wholesale banking unit. “The whole thing didn’t make common sense to me,” Clark said. “You’re going to get all your money back, or you’re going to get none of your money back. I said, ‘Wow! if this ever went against us, we could take some serious losses here.’”23

Clark recalled that stock analysts at the time wrote that he was an “idiot” for taking his long-term perspective.24 Yet, as the crisis hit, the company could report that it held no exposure to U.S. subprime mortgages, no direct exposure to third-party asset-backed commercial paper except for exposure of its mutual funds and asset management group, and no direct lending exposure to hedge funds, with only nominal trading exposure.25 Because TD Bank came through the crisis intact, it was able to begin systematic expansion from its Canadian base into the U.S. market. By 2013, through a series of acquisitions, TD Bank had become one of the 10 largest U.S. banks, with branches extending along the East Coast from Maine to Florida.

FIRMS THAT FAILED TO NAVIGATE THE CRISIS

By contrast to the examples of financial firms that successfully navigated the crisis, those that failed lacked constructive dialogue in their cultures. I met with one CRO who explained her dilemma: If she kept raising concerns with management, she would become a pain in management’s neck; but if she didn’t raise concerns, she would be known as the CRO at an institution that blew itself up. She left the firm in 2006 and the firm failed in 2008.

A distinguishing characteristic of unsuccessful firms was their pursuit of short-term growth without appropriate regard for the risks involved. In 2005–2007 both Fannie Mae and Freddie Mac decided to take on more risk and increase exposure to the subprime mortgage market just as home prices were peaking. Other firms that decided similarly around the same time included Lehman Brothers, Washington Mutual (WaMu), and Countrywide.

Many of the firms that took excessive risk at the wrong time did have chief risk officers (CROs). Sometimes, the chief risk officer reported to the head of a business unit rather than to a committee of the board of directors or at least to the CEO. This muted the CRO’s ability to assess risk or make recommendations that top management would hear. Some of the firms that failed either fired the CRO (Freddie Mac) or moved the CRO to a less important position at the company (Lehman) or layered the CRO far down in the company and ignored his input (Countrywide). In one major case, the corporate CRO simply lacked access to information at a part of the firm that was taking excessive risk (AIG). At many firms, ERM specialist Stephen Hiemstra explains, risk management was a compliance exercise rather than a rigorous undertaking.26

Firms that came to grief in the crisis lacked both (1) a proper flow of information from inside the organization to the top, and (2) forums for constructive dialogue, so that sound decisions could include consideration of risks as well as potential rewards.27 Classic was the experience of a Fannie Mae official who told the FCIC that his unit produced pricing models showing that Fannie Mae was not appropriately pricing the mortgages that it purchased. The official recounted that the executive vice president to whom he reported asked, “Can you show me why you think you’re right and everyone else is wrong?”28

Citigroup CEO Charles Prince, only partly in jest, characterized Citigroup as not having one good culture but five or six good cultures. Prince told the FCIC about his frustration at the inability of Citigroup’s business lines to communicate with one another. In an e-mail in October 2007, he wrote about Citi’s “[i]ncredible lack of coordination. We really need to break down the silos!”29 An inability to communicate effectively across organizational lines meant that a firm lacked an enterprise-wide view of risks. A 2008 UBS report to shareholders on the firm’s losses similarly notes the absence of strategic coordination at that institution. While the various risk functions relating to market risk, credit risk, and financial risk came together to assess individual transactions, “[i]t does not appear that these functions sought systematically to operate in a strategically connected manner.”30

The CEOs of both Citigroup and AIG told the FCIC that until sometime in 2007 they were completely unaware of the financial products that almost took their firms down.31 In part this resulted from the immense size and organizational complexity of these firms. Citigroup had 350,000 employees and nearly 2,500 subsidiaries, and AIG, much smaller than other large, complex financial institutions,32 consisted of 223 companies that operated in 130 countries with a total of 116,000 employees.33

Another problem was the CEO or other powerful top manager who simply refused to take feedback. The FCIC heard repeated statements that pressure from chief officers to increase market share was a problem, for example at Moody’s Investors Service, which came under pressure to please issuers with its ratings, and numerous financial institutions, including AIG Financial Products, Lehman, Countrywide, and WaMu. As a European supervisor told staff in an interview, “The best guys in the banks are often the arrogant ones.”

The financial crisis was not the first time that executives followed success with serious lapses in judgment. Some years before the crisis, Professor Sydney Finkelstein of Dartmouth College’s Tuck School of Business pointed to a pattern:

Want to know one of the best generic warning signs you can look for? How about success, lots of it! . . . Few companies evaluate why business is working (often defaulting the credit to “the CEO is a genius”). But without really understanding why success is happening, it’s difficult to see why it might not. You have to be able to identify when things need adjustments. Otherwise you wake up one morning, and it looks like everything went bad overnight. But it didn’t—it’s a slow process that can often be seen if you look.34

This observation helps to relate the credit bubble to governance and risk management: In years when house prices were appreciating and the economy displayed apparent moderation, financial firms grew and reaped generous returns, regardless of whether they had the people and systems and processes in place to ensure effective risk management. The problem was exacerbated as financial firms consolidated and became larger and more complex. CEOs of firms that made substantial profits during the credit bubble too frequently came to believe in their ability to make decisions without soliciting constructive dialogue to inform themselves.

One consequence of this attitude was the diminished role of the risk function at many firms. The FCIC placed on the public record an Oliver Wyman report from early 2008 that describes “Gaps in Risk Management” at Bear Stearns, which failed shortly thereafter. Of relevance here in a long list of shortcomings was the observation that Bear Stearns had a “[l]ack of mandate for the Risk Policy Committee” and a “[l]ack of institutional stature for [the] Risk Management Group.” The report bolsters the latter observation by stating, “Risk managers [are] not positioned to challenge front-office decisions.”35

Clifford Rossi, who held senior risk management and credit positions at Citigroup, Washington Mutual (WaMu), Countrywide, Freddie Mac, and Fannie Mae, observed what he calls “risk dysfunction” at a number of firms. Each of these symptoms relates to the inability of risk managers to bring information to top levels of the company and to engage in a process of constructive dialogue when the company makes major decisions:

• Low morale and self-esteem among risk managers;
• Openly derisive comments and attitudes toward risk staff;
• High turnover in risk functions: voluntary and involuntary;
• Increasingly combative and aggressive posture toward risk management;
• Lack of stature of risk management; and
• Risk management viewed as a cost center.36

Based on his experience, Mr. Rossi contends that, to do their work, risk officers need “air cover” from senior officers and the board of a company (and, I would add, from regulators).

JPMORGAN CHASE AFTER THE CRISIS: THE PERILS OF HUBRIS

The problem of too much success also beset JPMorgan Chase, despite (or perhaps because of) its emergence from the financial crisis as a complex financial institution with $2.3 trillion in assets. In 2012, JPMorgan Chase unexpectedly lost $6.2 billion on operations of its London office. When news accounts broke, CEO Dimon dismissed them on an analysts call as “a tempest in a teapot.” Two weeks later losses accelerated significantly, and only then did top management request an independent review of positions of the London office.

In early 2013 the company published findings of the internal task force investigating the losses. Of relevance here, the task force found that the company failed to allow negative messages to rise to top management and failed to engage in timely constructive dialogue to understand the contours of the problem:

• “A number of . . . employees . . . became aware of concerns about aspects of the trading strategies at various points throughout the first quarter. However, those concerns failed to be properly considered or escalated, and as a result, opportunities to more closely examine the flawed trading strategies and risks . . . were missed. . . .

• “These concerns were not fully explored. At best, insufficient inquiry was made into them and, at worst, certain of them were deliberately obscured from or not disclosed to [London] management or senior Firm management. Although in some instances, limited steps were taken to raise these issues, as noted above, no one pressed to ensure that the concerns were fully considered and satisfactorily resolved. . . .

• “[The London office’s] Risk Management lacked the personnel and structure necessary to properly risk-manage the Synthetic Credit Portfolio, and as a result, it failed to serve as a meaningful check on the activities of the [office’s] management and traders. This occurred through failures of risk managers (and others) both within and outside of [the office]. . . .

• “As Chief Executive Officer, Mr. Dimon could appropriately rely upon senior managers who directly reported to him to escalate significant issues and concerns. However, he could have better tested his reliance on what he was told. This Report demonstrates that more should have been done regarding the risks, risk controls and personnel associated with [the London office’s] activities, and Mr. Dimon bears some responsibility for that.”37

The JPMorgan Chase board of directors issued its own report, emphasizing that it could not make sound decisions without access to good information:

The ability of the Board or its committees to perform their oversight responsibilities depends to a substantial extent on the relevant information being provided to them on a timely basis. . . . Because the risks posed by the positions in the [London office] were not timely elevated to the Risk Policy Committee as they should have been or to the Board, the Board and the Risk Policy Committee were not provided the opportunity to directly address them.38

The company responded to these losses in a way that would seem to banish current hubris from its risk management and decision making processes. Top management accepted resignations from several high-ranking officers, including the chief investment officer to whom the London office reported and the firmwide chief risk officer, and terminated or accepted resignations from a number of employees of the London office. The board of directors, while expressing confidence in how he ultimately responded to the crisis, cut Mr. Dimon’s 2012 compensation by 50 percent.

CONCLUSION

The JPMorgan Chase example is instructive. Past success doesn’t always predict success in the future. Not only is constructive dialogue an essential part of a company’s culture, but it also must be continually nurtured by top management to ensure that it endures. If it is not embedded in the company’s culture, constructive dialogue tends to be displaced by the drive for revenues, profits, market share, and the substantial personal remuneration that these bring for top officials of large, complex financial institutions and their most profitable units.

This leads to one final conclusion with respect to large, complex financial institutions, or other large, complex firms that require high-quality decision making to protect the public from major harm: Better decision making is essential in today’s increasingly complicated world. Ultimately, if constructive dialogue is not part of a company’s culture, then the company’s regulators will need to insist on it. The crisis and its immense costs suggest that companies should change their approach and try to listen to their supervisors and consider the merits of supervisory feedback. While regulators may not have the depth of expertise or access to detailed information available to managers in a large financial institution, feedback from supervisors can sometimes help to improve decisions merely by posing the right questions and pursuing the answers. In the end, constructive dialogue from a regulator may be the only way for overbearing top company managers to receive the feedback that they need in order to make better decisions and to protect the public’s health, safety, and economic well-being.39

QUESTIONS

1. What are the preconditions for conducting constructive dialogue in an organization?

2. Is effective risk management possible without constructive dialogue?

3. What are the forces that tend to undermine effective risk management in an organization?

4. Given its obvious value in helping an organization to understand the major risks that could prevent it from accomplishing its mission and objectives, why was the financial sector, including a risk-sensitive organization such as Goldman Sachs, so slow in adopting ERM?

5. If you are a bank examiner, what are the signals you would find that would show that a bank is engaging in good risk management?

6. If you are a bank examiner, what are the signals you would find that would show that a bank is failing to engage in good risk management?

NOTES

1. Anette Mikes, “Enterprise Risk Management in Action,” London School of Economics and Political Science, Discussion Paper No. 35, August 2005.

2. The FCIC placed numerous interview records and documents on the public record. They are available at the FCIC permanent website, at http://fcic.law.stanford.edu/resource.

3. Available for downloading at http://fcic.law.stanford.edu/report.

4. The financial crisis broke in two waves. First, firms started taking losses on assets that they had considered to be safe (especially AAA-rated private-label mortgage securities). Second, when firms realized they didn’t understand the assets on their balance sheets or, by extension, on the balance sheets of their counterparties, the market panicked and withdrew liquidity from counterparties it considered potentially troubled because of too many toxic assets on the counterparties’ books. It was the panic that allowed a relatively small volume of toxic assets to precipitate the financial crisis and its consequences. See Thomas H. Stanton, Why Some Firms Thrive While Others Fail: Governance and Management Lessons from the Crisis (Oxford University Press, 2012), Chapter 2, “Dynamics of the Financial Crisis.”

5. Shawn Tully, “Jamie Dimon’s Swat Team: How J.P. Morgan’s CEO and His Crew Are Helping the Big Bank Beat the Credit Crunch,” Fortune, September 2, 2008, http://money.cnn.com/2008/08/29/news/companies/tully_dimon.fortune/index.htm, accessed February 14, 2013.

6. “Risk Management at Goldman Sachs,” February 20, 2007. Materials provided to the Senate Permanent Subcommittee on Investigations.

7. FCIC interview with Dan Sparks, Goldman Sachs, June 16, 2010.

8. Available at https://www.wellsfargo.com/pdf/invest_relations/VisionandValues04.pdf.

9. Edmund Clark, “Corporate Transparency and Corporate Accountability—Today’s Table Stakes for Senior Executives,” remarks to the Executive Women’s Alliance Conference, Vancouver, July 12, 2004.

10. Tully, “Jamie Dimon’s Swat Team.”

11. Ibid.

12. Russell Walker, “Fortune Favours the Well-Prepared,” Financial Times, January 29, 2009.

13. Goldman Sachs, “Goldman Sachs: Risk Management and the Residential Mortgage Market,” April 23, 2010, 5. Materials provided to the Senate Permanent Subcommittee on Investigations.

14. Jenny Anderson and Landon Thomas Jr., “Goldman Sachs Rakes In Profit in Credit Crisis,” New York Times, November 19, 2007.

15. Goldman Sachs, “Report of the Business Standards Committee: Executive Summary,” January 2011.

16. Richard Kovacevich, “What I’ve Learned Since Business School,” 2009. Video available at www.youtube.com/watch?v=XTh4ELp2VDc.

17. FCIC interview with John G. Stumpf, chairman and CEO, Wells Fargo, September 23, 2010.

18. FCIC interview with Michael Loughlin, chief risk officer, Wells Fargo, November 23, 2010.

19. TD Bank Financial Group, “152nd Annual Report 2007,” 60–61.

20. Ibid.

21. W. Edmund Clark, “President and CEO’s Message,” TD Bank Financial Group 2005 Annual Report, 2006, 6.

22. Bloomberg, “The Bank That Said ‘No’ to Subprime Debt,” Sydney Morning Herald, May 27, 2008. Available at www.smh.com.au/business/the-bank-that-said-no-to-subprime-debt-20080527-2ihd.html.

23. Ibid.

24. TD Bank Financial Group, National Bank 2010 Financial Services Conference, presentation, March 30, 2010.

25. TD Bank Financial Group, “Investor Presentation, September 2007,” Slide no. 15.

26. Stephen W. Hiemstra, “An Enterprise Risk Management View of Financial Supervision,” Enterprise Risk Management Institute International, October 2007.

27. This also applies to nonfinancial firms. My book assesses decision making and costly mistakes such as the BP Gulf oil spill, fatalities at the Massey Mining Company, and hospital medical errors. Failures at nonfinancial firms show the same patterns of overbearing or distracted CEOs or others (e.g., doctors) who make poor decisions without obtaining feedback, and cultures that emphasize production without adequate consideration of risk.

28. Financial Crisis Inquiry Commission, “Final Report of the Financial Crisis Inquiry Commission,” 2011, 181–182.

29. Financial Crisis Inquiry Commission, “Interview of Charles O. Prince,” transcript, March 17, 2010, 37 and 41, respectively, available on the FCIC permanent website.

30. UBS AG, “Shareholder Report on UBS’s Write-Downs,” April 18, 2008, 40.

31. Financial Crisis Inquiry Commission, “Interview of Charles O. Prince,” March 17, 2010, 73–74; and Financial Crisis Inquiry Commission, “Official Transcript, Hearing on ‘The Role of Derivatives in the Financial Crisis,’” June 30, 2010, 151; both available on the FCIC permanent website.

32. Richard Herring and Jacopo Carmassi, “The Corporate Structure of International Financial Conglomerates: Complexity and Its Implications for Safety & Soundness.” In Allen N. Berger, Phillip Molyneux, and John Wilson, eds. The Oxford Handbook of Banking, 2009, Chapter 8. “Among the 16 international financial conglomerates identified by regulators as large, complex financial institutions (LCFIs), each has several hundred majority-owned subsidiaries and 8 have more than 1,000 subsidiaries.”

On the other hand, FCIC staff learned in interviews with federal regulators that many of these subsidiaries and affiliates were small institutions, acquired in a process of accretion, that had little financial significance.

33. Government Accountability Office, “Troubled Asset Relief Program, Status of Government Assistance Provided to AIG,” September 2009, 5; AIG, Form 10-K for 2008, 7.

34. Sydney Finkelstein, Why Smart Executives Fail, and What You Can Learn from Their Mistakes (New York: Portfolio, 2003), 251–252.

35. Bear Stearns, “Management Committee: Risk Governance Diagnostic; Recommendations and Case for Economic Capital Development,” February 5, 2008. Available on the permanent FCIC website.

36. Clifford Rossi, “Removing Barriers to Pathological Risk Behavior: The Art of Effective Communication,” Association of Federal Enterprise Risk Management Summit, September 18, 2012.

37. “Report of JPMorgan Chase & Co. Management Task Force Regarding 2012 CIO Losses,” January 16, 2013.

38. “Report of the Review Committee of the Board of Directors of JPMorgan Chase & Co. Relating to the Board’s Oversight Function with Respect to Risk Management,” January 15, 2013.

39. See, e.g., Thomas H. Stanton, “Listening to Regulators Can Keep Your Bank out of Trouble,” American Banker, August 20, 2012; and Thomas H. Stanton, comment to the Federal Reserve Board on the proposed rulemaking on “Enhanced Prudential Standards and Early Remediation Requirements for Covered Companies.” www.federalreserve.gov/SECRS/2012/February/20120215/R-1438/R-1438_021312_105398_555068728868_1.pdf.

ABOUT THE CONTRIBUTOR

Thomas H. Stanton is a Fellow of the Center for Advanced Governmental Studies at Johns Hopkins University, President-Elect of the Association of Federal Enterprise Risk Management (AFERM), a former director of the National Academy of Public Administration, and a former member of the federal Senior Executive Service. His publications include two books on government-sponsored enterprises (GSEs), including A State of Risk: Will Government-Sponsored Enterprises Be the Next Financial Crisis? (HarperCollins, 1991), and two edited books on government organization and management. His two recent books are Why Some Firms Thrive While Others Fail: Governance and Management Lessons from the Crisis (Oxford University Press, 2012) and Managing Risk and Performance: A Guide for Government Decision Makers, co-editor with Douglas Webster (John Wiley & Sons, 2014). Mr. Stanton’s B.A. degree is from the University of California at Davis, M.A. from Yale University, and J.D. from the Harvard Law School.

CHAPTER 33

Challenges and Obstacles of ERM Implementation in Poland

ZBIGNIEW KRYSIAK, PHD
Associate Professor of Finance, Warsaw School of Economics, Poland

SŁAWOMIR PIJANOWSKI, PHD
President, POLRISK Risk Management Association, Poland

This research is about the status of enterprise risk management (ERM) implementation in Poland’s companies. We analyze the challenges and obstacles to a more mature stage of ERM rather than a compliance- or governance-driven one. Poland, after the transition into the free market economy in 1989, became open to the knowledge and transfer of the best practices from around the world. Given the publication of AS/NZS 4360 in 1995 and COSO II in 2004, as well as easy access via the Internet, it would seem that in theory there should be no delay in implementing modern risk management (RM) processes in Poland. While there is contact with authors and thought leaders taking part in the creation of various ERM standards, and with some professionals implementing ERM in various companies, barriers still exist. These barriers are due to geographical distances, language differences, budget constraints, a lack of awareness, or other business priorities. We (the authors) first heard about AS/NZS 4360 in 2004 while looking for inspiration from various standards to improve risk assessment methodologies for our companies. In 2004, the aforementioned standards were translated into Polish and published in the Polish Ministry of Finance’s Orange Book Risk Management—Principles and Concepts. A similar publication had been issued earlier by the UK Ministry of Treasury, as had another handbook of risk management for the audit department, which included descriptions of some risk management tools and standards. Later, in 2005 and 2006, the Ministry of Finance also led a project implementing ERM in selected units of public administration as a pilot phase.

Managers in Poland were becoming familiar with ERM concepts mainly by educating themselves. In 2006, the POLRISK Risk Management Association1 was established, and later became a member of the Federation of European Risk Management Associations (FERMA).2 Under POLRISK, ERM has been popularized in a more structured way by its first founding members and other officers. Since 2006, ERM experts from around the world have begun to come to Poland as speakers in the annual conferences organized by POLRISK.


There are many people involved with Poland’s ERM efforts.3 We have the honor to be two of them. For example, late in 2009, Slawomir Pijanowski, on behalf of POLRISK, with the support of Kevin W. Knight, AM, initiated the preparation for adoption of ISO 31000 in Poland. In 2011, Mr. Pijanowski, as representative of both POLRISK and the Polish Committee for Standardization, joined ISO/PC 262, contributing to the elaboration of ISO 31004. It is, however, difficult to demonstrate the benefits of ERM in Poland, because there are few good examples of ERM implementation in domestic companies. Additionally, there are few CEOs or independent parties who have observed how ERM adds value. This state of ERM implementation provides the motivation for our case study. This case study examines the reasons, challenges, and obstacles of ERM implementation and will help us reach the right conclusions.

METHODOLOGY TO DIAGNOSE THE STATUS OF ERM IMPLEMENTATION

The sources used in this article come from:

• Research performed by the authors on approximately 100 companies in 2006 and with 300 managers in 2010.

• The POLRISK Risk Management Association, with 100 members, at various workshops, conferences, seminars, and training courses where ERM has been challenged, questioned, and openly discussed.

• Participation in the creation of an ERM program in the telecommunications industry.

• Exchanging practical knowledge, experience, or training about ERM among the Polish practitioners (various managerial positions, CEOs, boards, experts, and specialists) of the following industries: telecommunications, energy, logistics (road, post, railway industry), oil and gas, consulting, insurance, banks, hospitals, and construction.

We would like to share our observations by pointing out areas of weakness, as well as the challenges of demonstrating ERM’s value per se for boards, managers, and operational employees. There are 3,000 companies in Poland with more than 250 employees that would potentially benefit from ERM implementation. Assuming that ERM is justified for companies with at least 250 employees, then our studies deal with about 10 to 20 percent of such companies in Poland. The research includes only private companies, excluding the financial industry (i.e., insurers, banks, investment funds, etc.), and not public administration.

We use the following three definitions of ERM:

1. Enterprise risk management can be defined as an integrated approach to credit risk, market risk, operational risk, business risk, and economic capital management. This includes risk control, mitigation, and risk transfer to maximize the value of the company (Lam 2003).

2. In ISO 31000, risk management is defined as coordinated activities to direct and control an organization with regard to risk (ISO Guide 73:2009, definition 2.1).


3. Enterprise risk management is a process, effected by the entity’s board of directors, management, and other personnel, applied in the strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of entity objectives (COSO II, 2004 definition).

An important issue at the top of the risk management activities is value creation. What creates a company’s value are vision, strategy, knowledge on how to commercialize ideas, innovation, implementation, managers’ and employees’ attitudes, and decisions influencing specific value sources and drivers. To create shareholder value, a company has to take on the right risks, retain them, and manage them within its boundaries. The major risk management activities here are as follows (Antikarov 2012):

• Identify the strategic risks associated with each strategic alternative and select the strategy with the best risk/reward characteristics.

• Build and apply strategic flexibility/agility to take advantage of new strategic opportunities and protect against materialized strategic risks.

• Build and apply operational flexibility and resilience to manage ongoing business environment volatility.

• Build and apply financial flexibility allowing the company to survive, execute its strategy, and not transfer ownership during periods of financial distress.

• Build full risk assessment into the performance evaluation of existing businesses and the corresponding rewards and compensation of management and employees.

• Build full risk assessment into the evaluation, ranking, and selection of new investment projects.

In Exhibit 33.1, we display the general framework of the methodology we use for the analysis of the case study. We will present the status of ERM implementation in Poland relating to the four stages of risk management maturity described by Purdy (2010): increasing levels of maturity for (1) management of specific risks, (2) the approach to risk driven by governance, (3) risk management driven by the changes within the organization, and (4) the integrated approach. In the applied methodology, the characteristics proposed by Antikarov (2012) fit more or less to Purdy’s “Integrated” stage 4 shown in Exhibit 33.1. Exhibit 33.2 displays the main components of risk management proposed by ISO 31000.

MAIN ISSUES IN POLAND’S ERM IMPLEMENTATION

There are many issues faced by companies in Poland in the process of ERM implementation. The main systemic natural obstacles are:

• There has been little attention paid to ERM among nonfinancial sectors, although the level of interest has slowly increased since 2004, approaching the highest interest around 2009 to 2011.

[Exhibit 33.1, figure: vertical axis “Efficiency of Risk Management Process (Returns/Effort)”; horizontal axis “Degree of Integration of Risk Management, Extent of Accountability”; four columns, Stage 1 to Stage 4.]

Stage 1, Risk Specific: Different types of processes for different types of risk. Risk categorization is largely consequence based. Attempts to integrate measurement. Negative perception of risk. Terms hazards, risk, and threats are used interchangeably. Risk is seen as harm, loss, and detriment. RM is closely linked to insurance.

Stage 2, Governance Driven: Risk is motivated by reporting. High-level risk assessment is stipulated by reporting requirements, normally only once or twice a year. Risk measures vary according to types of risk. Risks are seen as events—mostly with negative consequences. There are inconsistent approaches for managing different types of risk.

Stage 3, Change Driven: Risk is associated with management of change. RM processes are separate but are invoked by decision-making process. Risk is driven by performance-based standard. Risk is seen as effect of uncertainty on objectives. Uniform system for analysis of most types of risk.

Stage 4, Integrated: Risk is implicit in all decision making. RM processes are integrated into key organizational processes. RM is integral to the system of management. RM is culturally driven by performance standard. Risk is seen as effect of uncertainty on objectives. Effective RM leads to resilience and agility.

Exhibit 33.1 Risk Maturity Levels Used in Methodology. Source: G. Purdy, “How Good Is Our Risk Management? How Boards Should Find Out,” Risk Watch, Conference Board of Canada, December 2010.

[Exhibit 33.2, figure: three linked panels, Principles, Framework, and Process.]

Principles (Clause 3):
a) Creates and protects value
b) Integral part of all organizational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured, and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative, and responsive to change
k) Continual improvement of the organization

Framework (Clause 4):
Mandate and commitment (4.2)
Design of framework for managing risk (4.3)
Implementing risk management (4.4)
Monitoring and review of the framework (4.5)
Continual improvement of the framework (4.6)

Process (Clause 5):
Communication and consultation (5.2)
Establishing the context (5.3)
Risk assessment (5.4): Risk identification (5.4.2), Risk analysis (5.4.3), Risk evaluation (5.4.4)
Risk treatment (5.5)
Monitoring and review (5.6)

Exhibit 33.2 ISO 31000:2009 Relationships between Principles, Framework, and Process. Source: ISO 31000:2009.

• There are few domestic companies that can be used as examples of good ERM and as a benchmark for the Polish business community. In other words, there are few examples that can be used as good references regarding risk management matters such as financial results, reports, management discussion and analysis (MD&A), and communication of risk within the investor relations process.

• There has been a relatively short time for gathering experience from companies on ISO 31000 implementation; only two years have passed since the publication in March 2012 of PN-ISO 31000:2012, Risk Management—Principles and Guidelines. The Polish Committee for Standardization reports that there is interest in ISO 31000, but there are common misunderstandings of what ISO 31000 really is. One of the examples is in using the term risk mitigation instead of modification or treatment. Also, there is no guidance on ISO 31000 in the Polish language. These translation issues are delaying adoption of various guidelines because all those activities need sponsorships for funding. The same holds for risk management books; some of the classics, such as works by James Lam, are not translated into Polish, and this is blocking widespread practical knowledge on ERM. Any meaningful guidance remains within the advisory services industry, with no guarantee that risk management is done coherently or correctly with the approach prescribed by ISO 31000. In contrast, Australia and New Zealand have had more than 17 years of experience with standards of risk management, and there are many publicly available guidelines being applied by public and private companies in those countries, creating stronger fundamentals there as compared to in Poland. That is what we can call the “experience gap.”

• There are very few domestic experts in Poland who have had the opportunity to implement ERM as a real change management process instead of a governance-driven one. There are few companies interested in building the value of the company through effective risk management. However, there are some ERM implementations in Poland in logistics, energy, oil, gas, telecommunication, mining, insurance, and the public sector. Risk management becomes a more important topic due to investors’ requirements in the construction industry and the European Union directives for the railway industry.

• The POLRISK Risk Management Association needs further development in order to become a strong, recognizable body for legislative initiatives related to governance and risk management for the good of the business community. In Polish enterprises there is a need for building the risk manager profession, which would have to be built almost from scratch. The issue of the scope of duties of a risk manager is often discussed in the European forum because a risk manager’s responsibilities are perceived differently from country to country. In the FERMA bylaws the responsibilities of the risk manager are not addressed, but FERMA is considering covering that issue in the requirements for the certification of risk managers. This all presents big challenges to the harmonization of educational programs with expected skills for risk managers in European countries. When this is done, it will be a big step in the promotion of the profession and risk management itself in Poland and elsewhere in Europe.

• MBA programs and higher education in Poland do not include enough enterprise-wide risk management topics. There are one or two exceptions of postgraduate studies including ERM standards. One way to promote ERM is to integrate ERM studies with strategic management and value-based risk management courses and executive MBA programs.

• The tradition of risk management became broken under the various socialist economic systems between 1945 and 1991. For example, there are at present only a few captive insurance companies in Poland. Before World War II, there were around 300 captives and mutual insurance companies. The use of such risk management techniques by many organizations was an important part of the culture then relating to managing risk. Risk managers in international companies are now managing captives together with coordinating ERM. We are in the process of rebuilding the number of captives and that culture. The POLRISK Risk Management Association also supports this process.

Apart from the aforementioned systemic issues in Poland, there is also confusion among proponents of ERM in Poland about what are regarded as weaknesses of the ERM concept itself, concerning the tools, models, terminology, publicly available materials, and articles. Examples of concerns are:

• In most of the cases, the risk matrix or heat map does not show the efficiency of controls.4

• There is also a lack of references to or use of historical data or simulation as justification for the respective risk level to support decision making. Greater use of actual data is considered necessary to assure a high quality of risk management.

• There seem to be two schools of holistic risk management currently struggling with each other on the pros and cons of the setting of risk appetite or concepts like inherent and residual risk.

Due to a lack of understanding by those involved and the apparent confusion over the foregoing concepts, these differences do not help the followers of ERM, because in many cases, they are not able to clearly and in a convincing way explain or translate those different concepts into decision making processes and value creation. Problems arise if executives who are trying to properly understand ERM are asked to explain why the concept of risk appetite is needed. Executives, managers, and directors expect a clear message about whether this exercise with ERM can increase performance, reduce costs, optimize margins, or make good decisions on current resources and capital allocation. All of these issues, both at the international level and at the local level, only confirm that ERM as a concept itself still is not stabilized or is not ready to be used. As a result, managers we have spoken with indicate that they are not going to implement ERM because of these problems.

Risk management terminology, principles, frameworks, and processes in Poland are orientated primarily toward either internal controls or governance.


Some companies are making efforts to influence value via risk management. ERM is viewed by managers in Poland as an optimizing activity in achieving objectives and therefore is perceived as integrally related to strategic management. The major question stated by practitioners in Poland is: “What is the real added value of ERM?” The partial answer to that question can be obtained by referring to the meaning of good performance or good execution of strategy and goal achievement. In Exhibit 33.3 we offer an answer in the form of comparative statements of good practices of the execution and performance of the strategy applied from classic books on the topic. ERM is frequently commented on by Chartered Institute of Management Accountants (CIMA)-designated experts, CEOs, CFOs, financial controllers, and other top managers as something they are already doing, which they perceive as:

• Strategy development and its execution by risk management

• An idea that is perhaps worthy to apply and utilizes various risk criteria focused on efficiency and performance or risk controlling as part of business controlling

Using three of the best books on strategy execution (Kaplan and Norton, Bossidy and Charan, Welch) and one on performance (Peters and Waterman), we put together the comparative statements indicating some ideas and sources of ERM principles being used in management mainstream practice and literature. Since many Polish executives refer to these books, ERM must be shown in the light of which practices should be part of a company’s management framework, as is also recommended in ISO 31000. Exhibit 33.3 shows the relationship between ERM concepts and strategy execution and performance.

From these comparisons, there are important conclusions that may be applied to the case study of ERM in Poland. Suboptimal efficiency of management may result from the fact that ERM is a missing link between strategic management (SM) and value-based management (VBM). Selling ERM in isolation from strategy and value-based management creates a risk of unsuccessful ERM implementation. Selling the triple package of SM, ERM, and VBM together and creating the adequate educational program increase the chance that the value proposition related to ERM will be accepted by the boards of directors at enterprises in Poland.

Moreover, in the view of Polish CFOs and CEOs, a properly defined strategy is in fact a reflection of a new or updated arrangement of a company’s capital and assets/resources allocation. Therefore, the risk management function must be close to strategy and produce a strategic portfolio of initiatives, programs, projects, and processes. Thus the reporting line of the risk management department should always be where decisions are made on capital and resources allocation—that is, in the strategy department or in CFO-managed business units such as value-based financial controlling and budgeting (i.e., operating expense [opex] and capital expenditure [capex]). If these functions were supported by various tools applied for risk assessment, monitoring, and modeling, then most of the CEOs and CFOs would be interested in applying such approaches into their daily management practice.

Exhibit 33.3 Comparative Statements of Good Practices in Strategy Execution and Performance

Robert S. Kaplan and David P. Norton, The Execution Premium (2008):
Management system linking strategy to operations:
1. Develop the strategy (strategic analysis, SWOT, risk assessment of strategy, how best to compete). Here we should know at least the type of strategy and related risk. Risk taking is related to type of strategy and its flexibility in Michael Raynor’s (2007) sense: low cost, differentiation, diversification.
2. Plan the strategy (strategy maps—links with risks. How we measure our plan: setting objectives—basis for risk assessment of the objectives, stress testing of assumptions, strategic project, programs, portfolios, initiatives, who will lead execution of strategy?) Establish the context. Here is a place for risk limits, (appetite) tolerances against targets in strategic plan.
3. Align the organization (it is in fact “design of risk management framework” and “establish the context” phases of risk management process in ISO 31000).
4. Plan operations (and include risk management plan).
5. Monitor and learn (is our strategy working? it isn’t too late?). These questions should be asked first at the “develop the strategy” phase (will our strategy work? are assumptions credible? is our strategy feasible?). Similar to monitor and review in ISO 31000.
6. Test and adapt (that is, what should result from “monitoring and review” phase). (Continuous improvement in ISO 31000—part of framework.)
What is missing? Principle (d) from ISO 31000—RM explicitly addresses uncertainty.

Jack Welch, Winning (2005):
Strategy is a game, vital, dynamic. No scientific approach to strategy is needed; overloading strategy with science is unproductive. Jack Welch defining strategy as “allocation of resources”; “strategy is what remains after removing big words related to it.” “Strategy is making choices on how to be competitive. (As for strategy, you should think less and act more. In other words, this is again about execution.) Strategy is simple—you choose general destination and pursue it with your best effort.” “Forget about scenarios, plans, whole-year research and 100-page reports, recommendations, and so on. To be number one or two in each industry—to reach this goal you have to repair/restructure, sell, or close the companies.”
Three stages of strategy execution:
1. Elaborate big idea—Big Hairy Audacious Goals (BHAGs) for business, smart, realistic, feasible, relatively quick way of generating competitive advantage.
2. Assign right people to right tasks to successes with implementation of idea. (We could say to the right risk management framework and pay key attention to “establish the context phase” as in ISO 31000.)
3. Continuously with persistence seek best methods of implementation of idea, adapt it, improve it—in company or outside of it. (Continuous improvement in ISO 31000—part of framework.)
What is missing? Principle (d) from ISO 31000—RM explicitly addresses uncertainty.

Larry Bossidy and Ram Charan, Execution (2002):
Execution: Three core processes of execution of any business:
1. Strategy process—link people and operations. Strategy review.
2. Operations process—link strategy and people.
3. People process—link strategy and operations.
Three blocks of execution:
1. Seven essential behaviors of leaders: Know your people and your business. Insist on realism. Set clear goals and priorities. Follow through. Reward the doers. Expand people’s capabilities. Know yourself.
2. Framework for cultural change—operationalizing culture: Behaviors are beliefs turned into action (principle a) reward performance (compare Lam [2003]—“Pay for the performance you want”), allow robust dialogue. Behaviors deliver the results. Social software of execution, leaders get the behaviors they exhibit and tolerate.
3. The job leader should not delegate—having the right people in the right place.
All of the above are risk management framework activities as in ISO 31000 if looked at from a risk perspective and implementation of the process. We see also the risk management principles “add value, include human and cultural factors.” What is missing? Principle (d) explicitly addresses uncertainty.

Tom Peters and R. H. Waterman Jr., In Search of Excellence (1982):
• A bias for action, active decision making—“getting on with it.”
• Close to the customer—learning from the people served by the business.
• Autonomy and entrepreneurship—fostering innovation and nurturing “champions.”
• Productivity through people—treating rank-and-file employees as a source of quality.
• Hands-on, value-driven—management philosophy that guides everyday practice—management showing its commitment.
• Stick to the knitting—stay with the business that you know.
• Simple form, lean staff—some of the best companies have minimal HQ staff.
• Simultaneous loose-tight properties—autonomy in shop-floor activities plus centralized values.
(All of the above can be seen in principles of risk management and framework scope and have to be tailored in establishing the context in risk management process and framework level.) What is missing? Principle (d) from ISO 31000—RM explicitly addresses uncertainty.

Source: Author’s research, S. Pijanowski.

BOARD PERCEPTION OF ERM: “WE HAVE TO CHANGE THE WAY WE RUN THE BUSINESS, BECAUSE LACK OF ERM CREATES INEFFICIENT MANAGEMENT”

In program and project management terms, ERM is, in fact, change management or an organizational change project or program. So the board, ideally, should be the first catalyst for change, instead of any lower level of management. Our experience shows that an attempt by middle-level managers to convince board members about ERM is not effective and can create, to some extent, a misunderstanding, as we show next. The critical thing here is to see who the messenger is. It should be the CEO who raises the need, or it could be the board of directors, or the audit committee in a supervisory board representing the interests of owners or key stakeholders. As for any conviction, this may happen first informally in terms of bilateral talks between one board member and an “n – 1” manager (“n” means board level). Then if there is trust and proper understanding by the board member, the senior executive may be able to explain ERM to the board member and have him or her promote the idea at the board level. A misperception of ERM by boards in Poland, especially in highly regulated industries such as energy, mining, or telecommunications, can be summed up in one simple sentence: “I won’t sign anywhere formally that I know about any risks and that I continue managing the company, or a functional area, despite the identified risk.”

Let us examine examples of how ERM concepts might be communicated and how the board may misunderstand what is intended:

• Telling the board how it should manage risk, as, of course, it is highly probable that such a message will be rejected. The board believes that it is already hired to oversee the management of the organization, including its risks, and to achieve appropriate results. If there is a better system than what is applied now, we have to be ready to show how much the financial results will change by using it.

• Saying to the board that the current motivational system should be changed to include rewards not only for performance but also for risk treatment methods that should lead to better performance.

• Saying to the board that management should identify which of the top management staff are the primary risk owners for each major risk. The directors already feel that they are responsible for the results or performance, so the nomination of a risk owner is perceived to some extent as a redundant activity. If responsibility has already been assigned for performance, what else needs to be done?

• Saying to the board that the current decision-making process could be better if risk assessment techniques were used to support decision making. This could be interpreted as saying, “I could tell you, as an ERM follower, how to make better decisions.” This could be risky.

• Saying that current coordination processes of various parts of company are not optimal (e.g., that higher costs are being incurred from having separate insurance for individual areas of the organization), and that some solutions optimize costs but generate other risks.

• Saying that the current strategy execution could be better and also the budgeting process (including capital allocation).

• Saying that one risk champion will overview what other top management staff are doing.

• Telling the board that they have to commit to what they are already obliged to do by signing off on the policy of risk management.

• Telling the board to change the managerial information and reporting to include risk profiles and risk assessments.

• Telling the board to change the culture, or even the corporate identity, in order to allow mistakes and failures and thereby to learn from the past, and to openly speak about risks. Would this mean the board should tolerate staff making mistakes twice or tolerate incompetence among the staff?

These examples of the challenges of communicating with boards when seeking to implement ERM are based on what we have experienced in practice. If someone presenting ERM concepts communicates them in the wrong way to the board, such as: “I know better,” “You manage inefficiently,” “You could do it better,” “I would like to criticize how you manage the company,” or “You are not competent,” thus giving the message that the board is managing the company poorly because it does not have ERM in place, this is highly risky. Therefore, good preparation and use of properly worded arguments are critical to avoid such perceptions, regardless of whether the messenger is a consultant or an “n – 1” director or manager. When anyone who is suggesting using ERM is on a lower level than the executive board, all of the foregoing questions arise and can be mental blocks. Let us see now in more detail who in Poland is usually getting management to buy in.

WHO IS GETTING MANAGEMENT BUY-IN FOR ERM?

The ERM implementation activities in Poland are mainly driven from the following sources:

• Governance stimulation, such as a supervisory board (board of directors) recommendation, governance (stock exchange), or audit good practices committees. For public administration units, the Public Finance Act states that there is an obligation to include risk management as part of managerial supervision.

• POLRISK Risk Management Association, since the beginning of its existence.

• Internationally operated brokers in Poland.

• Risk management consulting companies.

• The companies themselves, or head offices of international companies that are operating as subsidiaries or affiliates in Poland.

Our survey of 100 POLRISK members showed that a lot of interest in ERM in Poland is generated by various specialists or senior experts related to business continuity management, information technology (IT), physical security, operational risk, project risk management, internal audit or internal supervision from the commercial and public sectors, internal control, and legal attorneys, but rarely pure insurance managers. Some board members or directors showed interest, but not many. Professional consultants who participated in POLRISK discussion panels or workshops told us that they had problems with communication and explaining ERM concepts to the boards.

We decided to explore the challenges of communicating with boards, and after discussions with executives it appeared that the key aspect is the context in which ERM is presented. We have identified that problems with executive communication are related to two main personality profiles in business. The first is that it is difficult or almost impossible to be both a good manager and an expert in the subject matter simultaneously. Why? The main difference is how decisions are made: The expert needs almost a 99 percent certainty to give a recommendation on a specific solution, system, or expertise. In turn, the manager operates and makes decisions with more uncertainty involved—it does not matter if there is a 60 percent certainty or an 80 percent certainty. The point is that this substantial difference requires the development of different skills.

The decision of an individual to pursue or develop a career toward being a highly skilled executive or an effective manager means resignation from being an expert, which means in turn also abandoning the expert’s mentality and way of making decisions. And when in corporate reality those two mentalities meet on boards, audit committees, or any executive meetings, those differences arise and are reflected in attitudes, wording, and beliefs. For managers, the uncertainty of making decisions is normal—they may even pursue it. Experts, however, when talking about uncertainty while presenting ERM, use terms like “mitigate” or “avoid” risk in a different context. They are not decision makers, so they do not understand that anyone who makes important business decisions accepts that there are regulators, audits, internal competitors, and the like who may second-guess the decisions of any given manager.

Therefore, the pure concept of documenting all assumptions, risk analysis, and consequences of decisions seems to be ERM utopia, as no manager would like to deliver any formal evidence or proof for potential corporate enemies or competitors that the decision was made despite high risk—because this may later be easily judged as incompetence and could be used to terminate the manager’s contract immediately. So, paradoxically, not documenting everything is in fact the behavior of good personal risk management. This we know from several very experienced managers we interviewed. Why are we saying this? The reason is that ERM buy-in is often promoted (we assume this is the case not only in Poland) by experts or consultants rather than by pure managers—and hence problems with communication, mentality, and business justification arise. The manager is bold, risk taking, and brave by nature, whereas the expert is more risk averse, cautious, circumspect, and risk avoiding by nature.

This is a paradox. ERM is often suggested and promoted by experts who do not like to take risks and are not making important decisions. Successful ERM has been driven by CFOs or CEOs who are passionate about ERM—we directly know that this is the case. So perhaps awakening a passion for risk management in CEOs or CFOs is the right way to go. When we include the differences in experience of both groups of professionals, it is very hard to find a common understanding even on an interpersonal level, excluding knowledge of risk management itself.

SPECIFIC CHALLENGES AND OBSTACLES OBSERVED IN RISK MANAGEMENT

In this section, we describe key issues within the risk management domain that we identified during our study, obtained during interviews with managers, and gathered on specific topics (for example, risk appetite) from various risk management experts.

Terminology

Authors of both scientific and business literature seem to exhibit little discipline for using the same terminology about risk consistently. Terms such as information, noise, uncertainty, risk, ambiguity, threat, hazard, opportunity, vulnerability, exposure, consequence, and strengths are examples of where we observe a lack of precision in definitions. What we observe (not only in Poland) is mixing the meaning of threat with risk, showing risk as the opposite of opportunity, instead of threat and opportunity. This issue directly influences practitioners’ perceptions and approaches to ERM. Another example is the hypothesis of informational efficiency of a capital market, which has a lot to do with investors’ risk management and their evaluation of companies. The efficient market hypothesis (EMH) does not have a precise definition of what information is (see Pijanowski 2005–2006), and that is why the hypothesis is called unsolvable, but when we define parameters of information and uncertainty, it can be solved in a convincing way.

Moreover, we have observed that the current inconsistencies and ambiguity regarding the term risk appetite cause directors not to buy into the ERM concept because it cannot be properly explained or justified by its followers.

Principles

If we look at the implementation of ERM in Poland, we see that risk is not part of key managerial decisions, despite a risk management policy being formally agreed upon. The only decision regarded as relating to risk is to comply with the law (i.e., “We have to do it, so we must do it”). We know several cases where one consulting company corrected the other consulting company’s frameworks. Our conclusion is that ERM is often sold in isolation from strategy and value-based management.

Risk Management Frameworks

Our experience shows that ERM processes in Poland—mainly frameworks, policies, procedures, and methodologies—are mainly governance driven. There are of course some exceptions, and in the energy sector it has been identified that there is a company that makes an effort to increase its value through effective risk management.

Writing a risk management policy is relatively easy. Typically, the policy is combined with a risk assessment methodology. The main framework that is used in Poland is COSO 2004—almost always fully used by the public sector. We can say that it is an auditor-based view of risk management. Some companies use the MoR (Management of Risk) Framework (UK Office of Government Commerce), some became interested in ISO 31000, some frameworks were developed and delivered by consulting companies, and some were elaborations of the company’s own framework as based on various aspects from the different frameworks just mentioned.

Risk Owners

After the relatively easy part—writing some documents—the execution phase starts. What are the typical challenges during the execution phase? In an ERM implementation in which we participated, confirming the risk owners was one of the first challenges, as business managers perceived being a risk owner as an unfavorable label in the company. For example, a billing process owner did not understand that he should be a risk owner since he managed the budget and had targets and goals related to the billing process. The billing process owner did not want to be a risk owner for political reasons—he did not like to be associated with IT billing systems problems, and he postulated that the head of IT should also be a risk owner. This is an example of a typical silo-based approach. For middle- or high-level managers, being a risk owner looks like a dangerous role. Finally, after discussions that confirmed that he had the budget to influence the process and by referring to the risk management policy, he had to agree, but he was not happy with the new responsibility. So perhaps it is better to call the role a risk management leader, risk coordinator, or risk manager, rather than a risk owner.

Organizational Placement of ERM

Another topic that we explored was the organizational arrangement of where the risk management function or department should be placed. Our research showed that typically the function either was within the internal audit department, the internal supervision department, or the insurance department, or was a direct report to the CFO. The way it appeared was as though one was chasing people to get them to perform risk management (legal, internal control, insurance, etc.). Almost nobody wanted to be responsible for ERM, as it was treated as a new scope of responsibilities with compensation remaining at the same level.

The Influence of the Size of Organizations

We observed that the nature of risk management frameworks in medium-sized companies could be different than for larger companies. Board members of medium-sized companies told us that silo-based thinking was not an issue in many medium-sized companies as there are simply no silos. Executives also asked, “What is the business case for risk management in medium-sized companies?” When we explored the matter in more detail, it was evident to us that integration was not the main issue; instead the lack of managerial information on margin or profitability of various projects and contracts was really the issue, as well as what to write in tender offers about how the company manages risk of customer demands (for example, investors expect it from vendors in the construction industry) and vendor credibility before making decisions. We have to be aware not to provide arguments on ERM benefits like integration of various risk treatment activities in medium-sized companies, as they may not be as applicable for those companies as for big companies.

Risk Management Process

Risk identification is one of the key steps of the risk management process. We explored how people describe risk and found that a lot are confusing threat with risk or mixing up other risk terminology. When we looked into how people describe risk, we found that the risk description being used in companies is not a real risk description at all. There are a lot of risk registers with no risk information but rather only threat or vulnerability descriptions that are understandable only to the person who wrote them (almost 95 percent of the cases we checked). People are rating risks without explaining why, or without justification of what supports making decisions and what does not. The Statement of Context5 is not present, which would help readers to understand why specific risk criteria have been set. Almost nobody is aware that the Statement of Context is one of the deliverables of the “establish the context” phase of the risk management process in ISO 31000.

The reason for this is that there is no proper guidance on how to describe risk properly in the absence of risk management implementation guidelines. Due to this lack of more detailed guidance, despite being interested in ISO 31000, corporate representatives have problems with understanding it, resulting in a poor opinion of the ISO 31000 standard in Poland. Unfortunately, ISO TR 31004, produced by the ISO/PC and the ISO/TC 262 Working Group in its final version, does not fulfill this requirement; therefore, we will have to elaborate on it on our own with the support of international experts who really know ISO 31000 and how it should be implemented.

If we have no good guidance on risk management and there are no volunteers to take responsibility for promoting ERM, we will have to create the right profession and professionals to deal with risk. When we looked into the formal professions registry of the Social Policy and Labor Ministry in Poland for job position lists that include risk in the name, we found only underwriter—being translated as a risk management specialist and an appraiser of a company’s risk. That leads us to the conclusion that is the title of the next section—we have to build the chief risk officer (CRO)/risk manager profession from scratch.

WE HAVE TO BUILD THE CHIEF RISK OFFICER/RISK MANAGER PROFESSION FROM SCRATCH

In 2009, the POLRISK Risk Management Association board asked its office assistant to contact 253 companies by phone, including 77 percent associated with the Polish Association of Listed Companies on the Warsaw Stock Exchange (WSE), to inquire about whether they had a risk manager who potentially could join the association. We wanted to diagnose the awareness and needs related to risk management in Poland, primarily among listed companies on the WSE. The results of these phone interviews are as follows. Thirty-three (13 percent) of the companies did not want any further contact. The main reasons were that they were not interested because they did not have risk managers, they were not interested at all, they received from their head office a strategy already written and ready to implement (“We receive strategy out of the box”), they were just tired of receiving various training offers, and the like. In a few cases it was mentioned that “Risk management is outsourced.” The most interesting example from a global company was: “Risk management is at the discretion of the head office.” Only 11 companies out of 253 (4.3 percent) declared potential interest in joining the POLRISK Risk Management Association.

This is perhaps not fully representative research on the perception of risk management in Poland, but it shows, together with other surveys, that we have to build the risk manager profession in Poland from scratch. Of course, this conclusion does not apply to financial risk managers holding the PRM (Professional Risk Manager—Professional Risk Managers’ International Association [PRMIA]) designation or the FRM (Financial Risk Manager—Global Association of Risk Professionals [GARP]) designation. More than 1,000 people in the financial industry are similarly certified in Poland.

After the intensive telephone interviews, we changed the strategy of increasing the POLRISK membership. POLRISK, after two years of pilot risk management courses, confirmed that there was an interest in risk management professional development, and now it is updating the program scope of knowledge necessary for risk managers and chief risk officers, who will be expected to present a holistic big picture of the company’s risks. Fortunately, we will also join with the FERMA certification of risk managers projects like the other European associations that are members of FERMA.

When we showed one example of a mature ERM implementation in North America, one of the Polish managers told us that ERM promoted by middle-level managers looks like “a cry for help” for those who would like to be recognized at the board level. Many risk management group discussions on LinkedIn only confirm that statement. This is the most radical but real opinion on ERM we have ever heard. Again, this was a lesson for us; we, as a community, have to be well prepared to know what specifics strictly belong to ERM and how it can be integrated with strategic and value-based management.

WHAT NUMBERS SAY ABOUT ERM MATURITY

One of our surveys showed that about 2 percent of the companies were willing to implement ERM in 2006, and this increased to around 12 percent in 2010. However, most of the companies that have implemented ERM have fewer than 250 employees. Only 2 percent of companies with more than 250 employees had implemented ERM by 2010. This shows that Polish companies are still at the beginning of the ERM journey.

The survey in 2006 was based on the information obtained from about 100 companies and in 2010 the information was collected from about 300 managers. The ERM implementation was divided into six stages, where stage 0 means no ERM and stage 5 means ERM is an integrated system. The characteristics of all stages are described as follows:

• No functions, organizational structure, and analytical tools are in place to be available for ERM, and there are no plans to implement ERM. (Phase 0: No ERM)

• There are some initial preparations toward ERM implementation. (Phase 1: ERM Introduction)

• There exist selected tools and instruments in the analytical area applied for ERM. (Phase 2: ERM Analytical Tools and Instruments)

• There are some functions, processes, procedures, and tools implemented for ERM. (Phase 3: ERM Functions, Processes, and Tools)

• There is a mature infrastructure applied to risk management, but an integrated ERM system doesn’t exist, which would be heading toward the holistic approach. There are plans to develop existing infrastructure toward an integrated ERM system. (Phase 4: ERM Mature but No Integrated System)

• There is an integrated system of ERM. (Phase 5: ERM Integrated System)

In Exhibit 33.4, we display in graphic mode the stages of ERM implementation in Poland and their major characteristics.

[Exhibit 33.4: diagram of the six stages, ordered from Phase 0 to Phase 5 in the direction of more advanced models of ERM in Poland:
Phase 0, No ERM: no functions, organizational structure, or analytical tools are in place for ERM.
Phase 1, ERM Introduction: some initial preparations made toward ERM implementation.
Phase 2, ERM Analytical Tools and Instruments: major tools and instruments are used in the analytical areas for ERM.
Phase 3, ERM Functions, Processes, and Tools: some functions, processes, procedures, and tools use ERM.
Phase 4, ERM Mature but No Integrated System: a mature infrastructure is applied but not an integrated system of ERM.
Phase 5, ERM Integrated System: there is an integrated system of ERM.]

Exhibit 33.4 Stages of ERM Development. Source: Author research, Z. Krysiak.

Exhibit 33.5 reflects the advancement of ERM within the companies in Poland in 2006. About 42 percent of the enterprises were not applying any type of ERM, and none of them had an ERM integrated system. Only 2 percent of the enterprises had mature ERM systems, 23 percent were in the introductory phase, 8 percent had available analytical tools, and 25 percent implemented ERM functions, processes, and tools.

What is the stage of the ERM development? (2006)

Phase 0: No ERM                                  42%
Phase 1: ERM Introduction                        23%
Phase 2: ERM Analytical Tools & Instruments       8%
Phase 3: ERM Functions, Processes, and Tools     25%
Phase 4: ERM Mature but No Integrated System      2%
Phase 5: ERM Integrated System                    0%

Exhibit 33.5 Stages of ERM Development in 2006 in Poland. Source: Author research, Z. Krysiak.

Exhibit 33.6 reveals the advancement in ERM within the companies in Poland in 2010. We observed that from 2006 until 2010 there was significant progress in the advancement of ERM implementation. An integrated ERM system was present in 12 percent of the companies versus 0 percent in 2006. We observed as well that in 2010 more enterprises (4 percent) had switched to mature ERM, compared to the 2 percent in 2006. In 2010, about 40 percent of the companies still were not engaged in ERM, which is very close to that observed in 2006 (42 percent). The advancement in ERM was made basically by the group of companies that in 2006 had started the process.

What is the stage of the ERM development? (2010)

Phase 0: No ERM                                  40%
Phase 1: ERM Introduction                        20%
Phase 2: ERM Analytical Tools & Instruments       4%
Phase 3: ERM Functions, Processes, and Tools     20%
Phase 4: ERM Mature but No Integrated System      4%
Phase 5: ERM Integrated System                   12%

Exhibit 33.6 Stages of ERM Development in 2010 in Poland. Source: Author research, Z. Krysiak.


Did the Enterprise appoint a CRO?

                2006     2010
Yes              24%      22%
No               76%      78%

Exhibit 33.7 Appointment of CROs in Polish Companies. Source: Author research, Z. Krysiak.

RISK MANAGEMENT FRAMEWORK—ACCOUNTABILITY

In Exhibit 33.7, we show how many Polish companies have appointed a CRO. The responsibility for leading the risk functions in the company, as measured by appointing a CRO, was reported by 24 percent of companies in 2006, and 22 percent of companies in 2010. Approximately 80 percent of the companies did not see this as an important issue. In later research (i.e., the Polish Edition of the Aon Global Risk Management Survey), the existence of a risk management department or a CRO was reported as 29 percent in 2011 and 25 percent in 2013.

In Exhibit 33.8, we show who was appointed with the CRO responsibility. For 2010, the CRO function was performed in about 81 percent of the cases by financial directors versus 43 percent in 2006. This shows that the responsibility of a CRO is moving to a more appropriate level, and that enterprises are recognizing the importance of ERM. The same scope of research in the Polish Edition of the Aon Global Risk Management Survey showed that if there is no risk management department in companies operating in Poland, then the CEO and CFO are the key job positions responsible for ERM; that is: CEO in 2009, 30 percent of answers; in 2011, 39 percent; and in 2013, 34 percent; and CFO in 2009, 30 percent; in 2011, 52 percent; and in 2013, 31 percent. These results were different than in the Global Edition of Aon’s survey; that is, the CFO was the key role in 35 percent of the cases versus 25 percent for the CEO in 2013. In turn, if companies have a risk management department in Poland, the role of the CFO is a leader both in the Polish Edition and the Global Edition of the Aon survey. The question “To whom does the Risk Management Department report?” was that RM reports to the CFO/treasury as follows: in 2009, 45 percent; in 2011, 42 percent; and in 2013, 51 percent.

Who in the Enterprise has the responsibility of the CRO?

                        2006     2010
Financial Director       43%      81%
Chief Economist           5%       0%
Chief Accountant         20%      15%
Financial Analyst         2%       4%
Nobody                   30%       –

Exhibit 33.8 Functional Managers Charged with the Responsibility of the CRO in Enterprises in Poland. Source: Author research, Z. Krysiak.

IMPACT OF THE RISK ASSESSMENT TOOLS ON THE PERFORMANCE OF THE COMPANIES

The quality of risk management depends very much on the tools, analytical models, and resources available at the enterprise. This area was included in the research to find out how different risk and value measures and metrics are quantified, modeled, and used in the decision-making process during the creation and updating of the strategic planning and also the shaping of the overall ERM process. This study was based on approximately 100 companies in Poland operating in different businesses in several geographical markets, including international and global markets, and of different sizes. The criteria to diagnose the quality of risk management were:

• Type of methods used for the company valuation

• Application of discounted cash flow (DCF) analysis for project appraisal

• Utilization of Monte Carlo simulation

• Evaluation of investment projects supported with the real option method

• Assessment of the enterprise’s default risk in both the short term and the long term

• Comparison of the dynamics in company value and its risk

• Estimation of the enterprise’s losses due to risk realization

• Analysis study on the adequacy of the company’s capital against the estimated risk

• Credit, market, and operational risk analysis

• Monitoring of the risk profile from different specific perspectives

• CRO functions and responsibilities

• Organizational and human resources dedicated to ERM

• Stage of the development of ERM within the enterprise

• Types of financial instruments and the scope of their applications to ERM

Based on these criteria, we evaluated the frequency and the quality of the practice of all issues related to the criteria. The evaluation led to our rating of the risk management quality in the enterprises. The rating was designed to be an integrated measure to differentiate the quality of risk management among the enterprises. This rating was related to the financial results to reveal the impact of ERM on company value. Proving a positive relationship between the rating of risk management and the enterprise value would provide a very attractive measure for the partial assessment of the risk management quality and the maturity of ERM.


[Exhibit 33.9: scatter plot “Relation between (Net Income/Total Balance) and Rating of ERM (≥9)”; y axis: Net Income/Total Balance, 0% to 12%; x axis: Rating, 9 to 19; fitted regression line y = 0.0055x – 0.0293, R² = 0.2223.]

Exhibit 33.9 Relationship between Net Income/Total Balance Ratio and Rating of ERM (Rating ≥9). Source: Author research, Z. Krysiak.

The relationship between the financial results and the rating of the risk management quality is displayed in Exhibit 33.9. The financial results are reflected by the ratio of net income to total balance. The regression in Exhibit 33.9 relates to the enterprises with high ratings equal to or over 9. We can draw the conclusion that high ratings showing good quality of risk management have a positive impact on the financial results. From the statistical point of view this correlation is not very strong, but as a practical matter it can be interpreted as positive. The improvement in the quality of risk management in the future can be observed in an increasing value of R². The high deviations of the financial results for the enterprises with the same ratings mean that the tools, models, instruments, and other technical resources in the process of ERM are applied in various companies with different final effects.

In contrast, Exhibit 33.10 shows no relationship between financial results and the rating of risk management quality for the enterprises with ratings below 9. Additionally, Exhibit 33.10 shows that the deviations of the financial results for the same ratings are very high, which indicates that low ratings reveal a low quality of risk management.

[Exhibit 33.10: scatter plot “Relation between (Net Income/Total Balance) and ERM Rating (≤8)”; y axis: Net Income/Total Balance, 0% to 25%; x axis: Rating, 0 to 9; fitted regression line y = 0.0018x + 0.0795, R² = 0.0046.]

Exhibit 33.10 Relationship between Net Income/Total Balance Ratio and Rating of ERM (Rating ≤8). Source: Author research, Z. Krysiak.

Frequency distribution of the ERM ratings (for high ratings ≥9)

Rating      Share of companies
9                21%
11.25            21%
13.5             21%
15.75            26%
>15.75           11%

Exhibit 33.11 Frequency Distribution of ERM Ratings for High Ratings ≥9. Source: Author research, Z. Krysiak.

In Exhibit 33.11 we show the frequency distribution of ERM ratings equal to or over 9. Exhibit 33.11 also demonstrates that the enterprises are in different stages of ERM implementation. The progress in the implementation of ERM tools for the companies with high ratings is quite evenly spread out. There are about 21 percent of the companies in each group with ratings of 9, 11.25, and 13.5. The rating of 15.75 was assigned to 26 percent of the studied companies, and 11 percent received ratings over 15.75.

The study of the more detailed financial reports for the companies with the high ratings, which was performed for the five years preceding the case study, indicates that the financial results of different types (i.e., from profit and loss, balance sheet, and cash flow statements) reveal increasing trends and low volatility over time. The enterprises with high ratings show consistency between the goals stated in the strategy and the execution of the strategy. The companies operating in international markets, and those with foreign shareholders, usually achieved high ratings. Based on the outcomes shown in Exhibits 33.9 and 33.10, we can draw the very rough conclusion that the criteria used for the evaluation of the quality of risk management in this case study are useful to obtain a good diagnosis.

CAPITAL ALLOCATION: A FREQUENTLY MISSED PART OF THE ERM FRAMEWORK AND RISK TREATMENT

One of the key issues in ERM is the allocation of capital based on the identified risks. The capital at risk or capital on risk (CoR) in financial institutions is called the economic capital and is estimated based on the value at risk approach (Jorion 2007). This capital should play an important role in protecting the enterprise against the default risk. The allocation of the capital for risk, based on the quantification of the potential risk impact, may be called a risk budgeting process. The ability to assess the capital based on risk may be perceived as a kind of maturity in the evolution of ERM. One of the important standards of ERM in supporting the development of the strategy is the identification of the most important risks (e.g., the top 10) out of the dozens or hundreds inherent with the enterprise’s activities. From that perspective, the identification of risks and the quality of the budgeting process impact the accuracy of the estimated capital required.

[Exhibit 33.12: tree diagram with Capital on Risk (CoR) at the top, the groups Business Risk and Operations Risk beneath it, and 12 risk subgroups at the bottom: Control of Operations; IT Systems; Production and Logistic Infrastructure; Employee Relations; Market Risk; Business Events; Financial Factors; Credit Management; Regulatory Compliance; Service Competitiveness; Product; Capital.]

Exhibit 33.12 Examples of Main Risk Sources to Be Covered by Capital on Risk. Source: Author research, Z. Krysiak.

The study of the risk profiles within the enterprises in Poland involved 36 types of different risks. These risks have been characterized by measures like the probability of risky events, the exposure from risky events, and the level of control over risk drivers or risk sources. Exhibit 33.12 displays the classification of the studied risks. At the bottom there are 12 subgroups of risk. Each subgroup was further subdivided into three detailed risks, so that we finally obtained 36 specific risks.

The study was performed at the end of 2010 by obtaining information from approximately 300 managers from different types of companies. We think that the only approach to modeling of the economic capital underestimates its value because models do not consider decision-maker perceptions about the risks. We assumed that managers as the decision makers have appropriate business understanding and that they provide substantial information about risk characteristics regarding all business processes. The collection of the data from the managers across the different businesses and functional areas of activity demonstrated an adequate knowledge about the risky events, the importance of particular types of risks, relationships between the risk outcomes, and the level of risk control. Based on this research, we determined the expected average risk impact across industries in Poland and the value of the economic capital.

Exhibit 33.13 shows the 10 most important risks and the level of control assigned to each risk. The level of control of 5 would be the highest control, while 0 would mean that no control is in place. The most important risks within the top 10 perceived by managers in Poland are shareholder and stakeholder relations, cost structure, and solvency and cash flow. At the very bottom of that list are investment projects’ strategy, business continuity and downtime, and fraud, theft, reliability, quality.

The research also confirms how important a part of the risk management process in ISO 31000 communication and consultation with stakeholders is. We have to implement very efficient controls here, such as high managerial competencies and communication skills, in order to properly manage board perceptions (see the 10 key points listed earlier in the section titled “Board Perception of ERM”).

Exhibit 33.13 Top 10 Risks in Enterprises in Poland in Respect to Level of Risk Control

Top Risks                                Level of Risk Control
Shareholder and stakeholder relations    3.80
Cost structure                           3.76
Solvency and cash flow                   3.53
Quality of products and services         3.47
Products and services offered            3.47
Credit capacity and creditworthiness     3.44
Liquidity of funding sources             3.44
Investment projects’ strategy            3.40
Business continuity and downtime         3.36
Fraud, theft, reliability, quality       3.36

Source: Author research, Z. Krysiak.

The assessment of the probability of risks, exposures, and level of controls was used to calculate expected losses, as presented in Exhibit 33.14, which afterward served to calculate the capital on risk. Based on the data obtained from the study, the expected value of the capital on risk should be three to five times that of the net income (NI).

This implies that by increasing the equity by the value of capital on risk, which should be invested in liquid and risk-free assets, the return on equity (ROE) would be reduced. Assuming that current ROE equals 20 percent, return on risk-free assets equals 5 percent, and there is no change in the net income, then the increase of the equity to between three and five times NI would drop the ROE down to between 14.5 percent and 12.5 percent, respectively. The other consequence of that is the change in the structure of the capital, which potentially could lead to an increase in the weighted average cost of capital. The risk inherent in the enterprise is not cheap. This example shows that, on one hand, an enterprise pays approximately one-quarter of ROE, but on the other hand, this expense could save the enterprise in case one or more risk events materialize.

Exhibit 33.14 Top 10 Risks in Enterprises in Poland in Respect to Expected Losses

Top Risks                                Value of Expected Losses in Relation to Net Income
Cost structure                           0.14
Management of malfunctions               0.14
Business continuity and downtime         0.13
Liquidity of funding sources             0.12
Account receivables                      0.12
Fraud, theft, reliability, quality       0.12
Solvency and cash flow                   0.12
Shareholder and stakeholder relations    0.11
Management and responsibilities          0.11
Products and services offered            0.10

Source: Author research, Z. Krysiak.

CONCLUSION

If we want to change our companies to be risk-based managed companies, ERM must be sold as an integral part of a triple package: value-based management, strategic management, and strategy execution, with ERM as an important link between these. Critical changes in the positioning of ERM as part of such a package are necessary to move from governance-driven phases to being change driven (or the integrated phase of risk management maturity).

The top 10 risks identified by our research show that, from a framework perspective, key risks are correlated with management and stakeholder expectations and perceptions. This confirms that the communication and consultation process is a critical part of the risk management process defined in ISO 31000, and it must be performed by highly skilled managers or other professionals with little tolerance for mistakes.

Experts and managers need to use consistent and easy-to-understand risk-related terminology across all stages of the risk management process to facilitate proper and efficient communication. The simpler, the better. People have problems with differentiating data from information, hence the problem of mixing risk information with threat data or opportunity data instead of considering information on both threat and opportunity. It is important for communication to express that risk is a relationship between potential causes and effects, and these two may never be totally separated. Risk management is a never-ending learning experience and reminds us to keep terminology and language consistent throughout the principles, framework, and risk management process as they are integrated with strategy planning, execution, and value-based management and controls.

Exhibit 33.15 shows the results from our experience, business practice, and research. ERM in Poland is mainly driven by governance concerns, which apply to around 12 to 20 percent of 3,000 companies with over 250 employees. As for branches interested in holistic risk management (such as energy, gas and oil, construction, logistics, insurance, telecommunications, pharmaceuticals, chemicals, mining, public administration, aviation, and legal companies), this is a good basis for change. Because a public finance act and obligation include risk management as part of managerial supervision, risk awareness will be communicated to around 40 percent of the working population in Poland, as many people work in public administration. Taking into account the obstacles and challenges we have in Poland, there is much good news. It would be worth further research to observe how Poland progresses in relation to other countries. That would give us all, as an international community, the ability to observe how well ERM is progressing, worldwide or not. There is already some research in this area—for example, Aon’s Risk Maturity Index.

We must be aware of the weaknesses of risk management in the context of human attitudes. The perception of top executives and boards is that risk still has negative connotations in many languages and cultures and it is a natural barrier. Not everyone is keen to talk about risk; people like to concentrate on successes and opportunities. Also, managers may resist talking about risk in order not to be perceived as incompetent professionals. They assume that if they are professionally good at something, they should not be generating risks.

Exhibit 33.15 ERM Maturity Level in Poland’s Nonfinancial Industry

               Stage 1          Stage 2                   Stage 3                            Stage 4
Terminology    Risk specific    Never-ending challenge
Principles     Risk specific    Governance driven
Framework      Risk specific    Governance driven
Process        Risk specific    Governance driven         Change driven (a few companies)    Integrated (a few companies on the way, POLRISK members, energy industry)

Source: Authors’ research.

Medium-sized firms may need less integration of strategic management with risk management due to the lack of silos in those companies, as “the left hand knows what the right hand is doing.” What they need is up-to-date and online information, reports on how the business is performing, and what the margin level is. They need a reasonable risk management tool kit and supervision of margins.

A strong risk management profession with a defined scope of knowledge is necessary to promote risk management. The natural reporting line for a risk manager within an organization structure should be to the CFO or higher, and be aligned with the value-based controlling and strategy department or unit. Those departments should be working in integrated ways so that proper capital and asset resource allocation is made toward identified risk levels and cost/benefit analysis with integrated risk treatment options across the company.

A strong risk management association is also necessary to promote best practices in risk management and to gather the community of risk management professionals. In 2013, POLRISK changed its mission to the creation of value from effective risk management integrated with strategic management and value-based management. The promotion of ERM as a concept is no longer sufficient; there must be demonstrated value creation for a company arising out of it. The ERM journey continues.

QUESTIONS

1. List and describe the challenges of implementing ERM in Poland.
2. The quality of risk management depends on many criteria. Discuss the criteria that can be used.
3. What were the main drivers for ERM implementation in Poland?


NOTES

1. More information on the POLRISK Risk Management Association can be found at the association’s website: www.polrisk.pl.

2. More information on the Federation of European Risk Management Associations can be found at www.ferma.eu.

3. We would like to mention and honor here all the people we know, but we are aware that this would be an imperfect and incomplete list. However, we are sure that on such a list there are at least POLRISK founding members; former presidents Rafal Rudnicki and Tomasz Miazek; current POLRISK board members Ewa Szpakowska, Hanna Gołaś, and Jerzy Podlewski; and all active previous and current POLRISK members.

4. The need for evaluating the quality and extent of risk treatments, including controls, is essential, and the techniques for including this in risk assessments are described in Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives, edited by John Fraser and Betty J. Simkins (Hoboken, NJ: John Wiley & Sons, 2010), on pages 162, 163, 166, 173, and 174.

5. The Statement of Context is an output from the “Establishing the context (5.3)” stage of the risk management process (Clause 5 Process in ISO 31000:2009 standard).

REFERENCES

Antikarov, V. 2012. “Enterprise Risk Management for Non-Financial Companies—From Risk Control and Compliance to Creating Shareholder Value.” ERM, Society of Actuaries Monograph M–AS12–1, Chicago. www.soa.org/Library/Monographs/Other-Monographs/2012/April/2012-Enterprise-Risk-Management-Symposium/.

Bossidy, L., and R. Charan, with C. Burck. 2002. Execution: The Discipline of Getting Things Done. New York: Crown Business.

Copeland, T., and V. Antikarov. 2003. Real Options. New York: Texere.

Fraser, John, and Betty J. Simkins, eds. 2010. Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives. Robert W. Kolb Series in Finance. Hoboken, NJ: John Wiley & Sons.

Jorion, Philippe. 2007. Value at Risk: The New Benchmark for Managing Financial Risk. New York: McGraw-Hill.

Kaplan, R. S., and D. P. Norton. 2008. The Execution Premium: Linking Strategy to Operations for Competitive Advantage. Boston: Harvard Business School Publishing.

Krysiak, Z. 2011. “Strong Risk Management Culture as a Major Factor at Modern Organization” (Polish title, Silna kultura zarządzania ryzykiem jako cecha nowoczesnej organizacji). e-Mentor 2:39, s. 24–31.

Krysiak, Z. 2013. “The Value of the Operational Risk in the Holistic Approach” (Polish title, Wartość ryzyka operacyjnego banku w ujęciu holistycznym). Bezpieczny Bank 1:50, s. 112–129.

Lam, James. 2003. Enterprise Risk Management: From Incentives to Control. Hoboken, NJ: John Wiley & Sons.

Monahan, Gregory. 2008. Enterprise Risk Management—A Methodology for Achieving Strategic Objectives. Hoboken, NJ: John Wiley & Sons.

Pagach, Donald, and Richard Warr. 2011. “The Characteristics of Firms That Hire Chief Risk Officers.” Journal of Risk and Insurance 78:1, 185–211.

Peters, T., and R. H. Waterman Jr. 1982. In Search of Excellence: Lessons from America’s Best-Run Companies. New York: Harper & Row; Profile Books, 2004.

Pijanowski, S. P. 2005–2006. “Is the Polish Stock Market Weak Form Efficient?” International Journal of Banking and Finance 3/4 (Special Issue), 33–62. (Journal of North Malaysia University.) The eight papers in this special issue were selected after blind peer review as the top papers among 144 papers submitted for publication. http://epublications.bond.edu.au/cgi/viewcontent.cgi?article=1041&context=ijbf.

Purdy, G. 2010. “How Good Is Our Risk Management? How Boards Should Find Out.” Risk Watch, The Conference Board of Canada, December, 9–11.

Purdy, G. 2013. “Most Effective and Efficient Way of Managing Risk.” Workshop material for POLRISK Risk Management Association, Warsaw, May 9.

Rappaport, A. 1998. Creating Shareholder Value: A Guide for Managers and Investors. New York: Free Press.

Raynor, M. E. 2007. The Strategy Paradox. Warsaw: Studio EMKA.

Shimpi, P. 1999. Integrating Corporate Risk Management. New York: Texere.

Shimpi, P. 2005. “Enterprise Risk Management from Compliance to Value.” Financial Executive 21:6, 52–55.

Welch, Jack, with Suzy Welch. 2005. Winning. New York: HarperBusiness.

Wiklund, D., and B. Rabkin. 2009. “The Balance Sheet Perspective of Enterprise Risk Management.” Financial Executive 25:2, 54–58.

ABOUT THE CONTRIBUTORS

Zbigniew Krysiak, PhD, is an Associate Professor of Finance at the Warsaw School of Economics in Warsaw, Poland. He gained a doctor of philosophy degree in economics from Warsaw School of Economics for his research into the application of options in default risk assessment and company valuation. He holds an MBA (master’s degree in banking and financial engineering) from the University of Toulouse, France. He was a visiting professor at Pepperdine University in Los Angeles and Northeastern Illinois University in Chicago. Currently, he is teaching students at Northeastern Illinois University on financial engineering in business applications. He is the author or coauthor of more than 100 publications, intended both for practitioners and for the academic community, concerning finance, risk management, financial engineering, and banking.

Dr. Krysiak has about 25 years’ experience in business, working for European and American nonfinancial and financial enterprises. The functions he has held include: management board member of Bank Guarantee Fund, managing director of the Property Finance division and adviser to the president at PKO Bank, vice president of the management board at Intelligo Bank, vice president at AIG Bank, financial manager at PepsiCo in Poland, and member of the supervisory board at the insurance company TU Europa. He was a member of the European Banking Industry Committee (EBIC), and a member of the Mortgage Funding Expert Group (MFEG) at the European Commission. He is a member of the Scientific Committee of the Warsaw Stock Exchange in Poland.

Sławomir Pijanowski, PhD, is President of the POLRISK Risk Management Association in Poland, where he is responsible for development of good risk management practices for the Polish market. He is a member of the Technical Committee No. 6 Management Systems at the Polish Committee for Standardization, a member of ISO/TC 262 Committee, where he was one of four task leaders elaborating on the first draft of the ISO 31004 standard, Risk Management—Guidance for the Implementation. He is coauthor of Risk Management for Sustainable Business, published by the Polish Ministry of the Economy. He initiated and completed the project of adoption of the ISO 31000:2009 standard into Polish PN-ISO 31000:2012, Risk Management—Principles and Guidelines.

Dr. Pijanowski has had long-term experience in the areas of change management, organizational transformation, strategic-level program and project management, business continuity, IT security, banking, and business systems implementations. He was coauthor of the methodology of one of the first Polish implementations of ERM in a leading telecommunications company in Poland. He verified the quality of the risk registers of the Orange Technological Partnership in UEFA EURO 2012 Football Championships in Poland. He acted as an external expert for the National Foresight Program “Poland 2020” in the following research fields: safety, information technology (IT), and information and communications technology (ICT). His PhD is from the Poznań University of Economics, department of investment and capital markets, where he also graduated from the Faculty of Management with a specialty in capital investments and financial strategies of enterprises.


CHAPTER 34

Turning Crisis into Opportunity Building an ERM Program at General Motors

MARC S. ROBINSON Assistant Director, Enterprise Risk Management, GM

LISA M. SMITH Assistant Director, Enterprise Risk Management, GM

BRIAN D. THELEN General Auditor, GM

This case study chronicles the ground-up implementation of enterprise risk management (ERM) at General Motors Company (GM), starting in 2010 through the first four years of implementation. Discussion topics include lessons learned during implementation and some of the unique approaches, tools, and techniques that GM has employed. Examples of senior management reporting are also included.

I think risk management is an element of all good executive management teams and boards. It will ensure viability in downturns and high-risk periods. I think if that is done not only within the automotive industry, but on a global and specifically on a national scale, economies will be in better shape because it is additive. If everybody is doing their job in assessing and understanding risk, the ultimate outcome will be much more positive for our national economy and society, and it is incumbent that corporate leadership understands that responsibility.

—Daniel F. Akerson, Chairman and Chief Executive Officer, General Motors, October 2012

BACKGROUND AND IMPLEMENTATION

The enterprise risk management (ERM) program at General Motors was founded in late 2010 at the direction of GM’s then newly appointed chief executive officer (CEO), Daniel F. Akerson, who sought to leverage the program as another means to achieve a competitive advantage in the industry. Having gone through bankruptcy in 2009 as a new board member, Akerson felt that a more robust risk management program would help guide the organization around the drivers of killer risks1 going forward. His goal was to help the company ensure that it was prepared, agile, and fast to respond in an ever-changing world. Perhaps most importantly, Akerson wanted an ERM program that would focus not only on risks but on opportunities as well.

A chief risk officer (CRO) was selected and appointed from within, and the Finance and Risk Policy Committee of the board of directors was chartered to oversee risk management as well as financial strategies and policies. In support of the program, a senior manager and director joined the team. Risk officers were also identified and aligned to all direct reports of the CEO; this helped to ensure that all aspects of the business were covered. The CEO is the ultimate chief risk officer, and his direct reports are the ultimate risk owners. Members of the risk officer team were carefully selected by senior leadership based on their strong business experience, financial acumen, and most of all their ability to lead in the identification and discussion of risk in an objective and transparent manner. These representatives were expected to actively participate in the evolving ERM program while still handling their existing responsibilities.

In 2011, the general auditor and CRO roles were combined, and in support of this change, the Audit Committee assumed oversight of risk management. The Finance and Risk Policy Committee continued its focus on financial policy and decision making.

GENERAL MOTORS’ APPROACH TO ENTERPRISE RISK MANAGEMENT

The ERM process was built with GM’s vision in mind: to design, build, and sell the world’s best vehicles (see Exhibit 34.1). The process itself was geared toward the identification and management of key (potential “killer”) risks. The ERM team assisted line management in developing a list of top company risks, identifying risk owners, assisting management in the development of risk mitigation plans in conjunction with the management teams, providing ongoing monitoring, and reporting results to senior management and the board.

The scope of GM’s initial ERM program intentionally did not fit the typical ERM definition of an all-encompassing, holistic approach. As a bottom-up implementation, senior leadership wanted ERM to focus on those elements of risk and opportunity that were most important to the company. We at GM have since enhanced our program with additional high-impact features, which are detailed later in this chapter.

Overall, however, our approach was to move away from the typical ERM view, which focuses on “what can go wrong.” We took a more actionable view of “what can go right,” placing emphasis on both opportunities and risks, to ensure that we were leveraging our ERM program to be well-positioned in the industry.

Lessons Learned: Identifying Risks

A critical success factor that has been a part of our program since inception has been to continually seek out several views, including views from sources outside the company, of risks that the industry and company may face. In addition to regular meetings with our risk officers, we conducted a number of focus groups and workshops to gain insight into potential blind spots that may exist, and to capture various views on emerging risks. To solicit this information, we reached out to deep thinkers and those with broad business experience both within and outside of our organization and sought input across demographic groups, including Generation Ys or recent college graduates and young professionals.

Exhibit 34.1 GM Risk Management Process (figure; the cycle is centered on the vision “Design, Build, and Sell the World’s Best Vehicles”)
Identify Key Risks: output is risks that could significantly impact the achievement of business objectives and strategies.
Assess and Prioritize: output is the top company risks (key factors: potential impact, likelihood, and velocity).
Risk Owners Assigned: responsibility for managing risks is dispersed throughout the business and as close to the source of risk as possible.
Develop Risk Management Plans: risk owners develop action plans and identify Key Risk Indicators to monitor.
Monitor, Validate, Report: ongoing monitoring of the environment, status on action plans, and validation of actions/controls.
Risk Dashboard: established using the Risk Owners and Business Plan Assessment Risk Indicators.

The careful attention devoted to capturing several perspectives from various demographics, both inside and outside of the organization, has led to some great successes and has consistently influenced the composition of our top risks list. Our commitment to seeking out diverse views has helped us to avoid confirmation bias,2 and helped us to ensure that we are not seeing our world through rose-colored glasses.

Lessons Learned: Developing Top Risks Lists and Reporting to Senior Management

There is a tendency to underestimate risks. If you go back and look at the problems we ran into over the last four to five years, everybody knew there was a housing bubble there. Everybody knew the banks and others were stretched out. But rather than face up to the fact that you had this huge risk and understand what the consequences were of the risk materializing, it was relatively easy to say, “Well, it is a low-probability risk, so let’s go on—things look good.” It may be a low-probability event, but those low-probability events have a way of materializing, and therefore we need to better understand what happens.

—Mustafa Mohatarem, Chief Economist, General Motors, October 2012


While we understand the value of assessing probability and impact for risks, we have made additional improvements to our process for ranking and prioritizing risks. In the past, we facilitated meetings at which our risk officers were asked to score proposed risks individually along defined impact and probability scales. The output of the session was a typical “heat map” with risks that were ranked or plotted based on probability and impact scores.

However, we quickly learned that not only was this a very tedious process, but it injected a great deal of subjectivity since many of the participants did not really have specific knowledge of these parts of the business. We have also learned from various world events, such as the Fukushima disaster in Japan, that there may be a tendency to dismiss risks with the potential for very high impact because they have a very low probability of occurring. These low-probability events are often risks that companies cannot afford to miss. As we looked back on what has worked well or needed improvement, we thought there was a better way to provide our board and other stakeholders with more meaningful and actionable information. This prompted us to make a number of changes to improve the program.

First, we gave the responsibility for assessing the probability and impact ratings related to risk to the senior executives who were assigned the primary responsibility for overseeing the risks, since they were uniquely positioned to provide the most accurate assessment. We stopped the practice of asking risk officers to vote on impact and likelihood levels. Instead, when developing (or refreshing) the top risks list, we employed a real-time, web-based pairwise comparison3 tool to assist in prioritizing the risks in relation to each other. When developing our top risks, we briefed participants (risk officers) with precise risk descriptions to help enable their decisions when voting on each risk pair. Once we completed the various pairing sequences, the tool generated our preliminary risks list. This preliminary list was then subjected to various sense checks4 prior to delivering a proposed top risks list to our senior management or board.

Second, we moved away from using a ranked top risks list altogether. Too much time was being spent on whether a risk should be number 3 or number 5, for example, when the choice did not at all affect how the ERM team or management would address the risk. We moved instead to a three-tiered approach (Exhibit 34.2), which more broadly separated risks by their relative importance. We did not limit ourselves to any predefined number of risks in any given tier; we looked for natural breaks in terms of concurrence on what is a top risk (often looking at the pairwise scoring) versus what is more of an emerging risk.

Third, we focused on using three measures—the levels of inherent, current, and residual risk—as indicators of where the organization currently viewed the effect of its mitigation activity and where the level of risk was expected to be upon completion of the mitigation plans. We created a five-point scale with definitions surrounding the ratings for inherent and residual risks (see Exhibit 34.3), and asked the respective risk officers to provide these assessments in consultation with their Executive Committee members (GM senior leaders reporting directly to the CEO) using the ERM risk template. While just a minor modification to the previous ERM risk template, this assessment of current and expected future risk levels quickly became a focal point for senior management and the board committees when presented. With current and future risk levels now documented, we were able to provide the board with better insight into the status and projected movement of our top risks (see Exhibit 34.4). We continued to provide the standard heat map of risks, but the new chart provided the type of forward-looking insight and status that heat maps do not provide. The new chart has been very well received and we continue to utilize it.

Exhibit 34.2 Three-Tiered Approach (figure)
TIER 1: Top Risks. Closely followed and presented to Board / Committees.
TIER 2: Complete risk templates and send to Committee at least annually.
TIER 3: Watch list. Complete templates; monitored by Risk Officer and Senior Executive Owner.

Lessons Learned: Understanding Corporate Culture

The ERM implementation at General Motors has enjoyed great success for several reasons: There has been excellent support from the CEO and senior management; we have a strong, knowledgeable, and highly engaged ERM team and risk officer organization that touches every part of the business; and we have been able to garner proactive involvement through understanding and properly leveraging corporate culture.

We recognized early on that we would need to ensure that the ERM environment at General Motors was an open forum where people could share freely. In fact, the importance of objectivity and transparency cannot be overstated in terms of the success of any ERM program. Perhaps it is attributable to human nature, but we found in the past that people had a tendency to identify a problem and keep it to themselves while they tried to resolve or address it, rather than putting it on the table for discussion. As this was not the culture that we wanted in the ERM program, we reduced the probability that this would occur by selecting the right people to lead by example.

We looked for several specific traits when selecting our risk officers:

• High potential executives and leaders
• Strong business experience and good financial acumen, including strong technical expertise in the region/function of responsibility
• Superior communication skills; unafraid to speak up and discuss issues openly
• Big picture thinkers
• The ability to reach across the organization and provide outstanding support to the top-line executive they represent

Exhibit 34.3 Five-Point Scale

To the extent that we had any concerns regarding the ability of participants to be objective and transparent, we were able to largely avoid these issues by seeking out and selecting the right risk officer team members. The team has been highly engaged, and we are beginning to see evidence of this culture spreading through their various areas of accountability. We are now at the point where our services are often on a “pull” rather than “push” basis, which has been very rewarding to achieve.

My role as a risk officer is to look across the product development enterprise, and identify risks which are systemic that we may already be addressing, but I am taking a look to make sure that the risk is sufficiently addressed. Or, in the case of where it is a new technology or a new risk, working with the owner to take a look from a strategic perspective. What can they do more? What can they do better in terms of addressing the risk? Are they engaging all of the cross-functional groups? Do they really understand the societal impacts of the technology they are putting in place? As engineers, we tend to think about F=MA,5 but this is about expanding the scope a little bit more so that we take it at a holistic level.

The ERM program gets quite a bit of support from senior leadership. We regularly review the status of our projects with leadership and we also seek advice and guidance from them on where they see risks in the enterprise that we might not otherwise be addressing in our regular channels.

—Katherine Johnson, Director, Global Product Development, General Motors, October 2012

Exhibit 34.4 Heat Map


We also understood that our risk officers came from various functional and regional positions, and would not necessarily be experts in risk management. As a result, we created an orientation/training for risk officers that was very well received. Once the first two individuals were given the orientation we did not have to contact anyone else to take it, as word quickly spread because it was seen as value-added and good use of their time. Risk officers contacted us to ask for the orientation, and this positively impacted the engagement of our program participants.

It was during these orientations that we learned more about various micro cultures in the company. One of the slides in the orientation talked about various risk management techniques: to avoid, accept, reduce, or transfer risk. Early on, as we explained the slide to one risk officer—that there are many ways to deal with risk—he had an insightful comment: “You know, I am really glad that you are implementing this program. Some think that risk is bad and you have to eliminate it 100 percent.”

The orientation sessions provided an environment for healthy discussions about risk being ubiquitous and therefore always a part of doing business. We stressed that the intention of this program was to manage risk, not attempt to eliminate all risk. To reinforce this, we discussed different ways to deal with identified risks, including accepting them. Going forward, we verbally included these points with every risk officer orientation. This was another means for us to support the transparency and objectivity we sought—people would not feel comfortable talking about risks openly if they thought there was a corporate culture that mandated all risk was to be eliminated.

Our orientation session also included discussions about our risk templates (see Exhibit 34.5). While companies, including General Motors, seem to embrace the use of red-yellow-green-colored charts, the problem of course is that the use of red is often associated with a failure or poor result. We were concerned, given the prior comments, that people might not adequately assess their risks if they believed the point of the program was to make everything green on the charts. At one of our risk officer meetings, a risk officer presented a chart showing a key risk that was rated with an orange color, both before and after mitigation efforts. We took time in the meeting to point this out—that some risks “are what they are”—and there is only so much we can do to be prepared. The point is not to get the risk to be rated green, but to assess it accurately for what it is, and to ensure that we are prepared and doing everything we reasonably can to deal with it.

Lessons Learned: Strategic Risk Mitigation and Decision Support

The central philosophy of GM’s ERM approach is that the responsibility for risk mitigation and opportunity seizing rests with the operational leaders of the company. No staff can or should address all the varied risks of the company; they lack the awareness, expertise, manpower, and authority. But ERM can provide—and has at GM even at this early stage—enormous value beyond the core and critical functions of risk identification and risk education. This is essential to have enterprise risk management rather than enterprise list management. GM’s ERM is able to provide this value because of a combination of a unique perspective and expertise in a set of analysis, facilitation, and decision-support tools of particular relevance to risk mitigation and opportunity seizing.

Exhibit 34.5 Risk Template (fields recovered from the form): Risk Title; Executive Owner; Risk Definition ([insert approved risk scenario]); Assessment, recorded as Inherent Risk (before any actions), Current Level of Residual Risk, and Residual Risk (sample ratings shown: 4 – Significant, 2 – Managed, 2 – Low); Key Events That Trigger Risk Exposure (1–5, Insert Event); Description of Residual Risk (Financial, Strategic, Reputation, Other); Key Risk Indicators; Risk Mitigation Actions (1–5, Insert Improvement Opportunity) with Responsibility (Name) and Completed / Due Date; Related Risks / Additional Comments; and the closing question “Once implemented, will risk mitigation actions reduce exposure to an acceptable level? YES / NO.”

Through the risk identification process, ERM staff is exposed to the entire range of global functions and issues, along with internal assessments of corporate strengths and weaknesses, in a way that is typically limited to senior management. Risk identification also requires engaging with internal and external thought leaders and experts to think through emerging risks and blind spots to create an information base similar to a partner at a strategy consulting firm. The assignment to focus on risk and opportunity, with a corporate perspective and without operational responsibilities, gives a frame of mind and freedom for strategic thinking that is often helpful to decision makers.

At GM, the unique perspective within ERM is made more valuable with a set of tools that helps decision makers better understand and evaluate issues involving external risks and opportunities, and thereby improve their decisions. Any list of top risks will have both internal risks—typically involving execution or compliance—and external risks, whether from shocks, predictable events, evolutionary changes, or actions from outside actors like competitors, current or potential partners, dealers, suppliers, governments, or unions. Internal execution risks are usually managed with special focus from operating units, while compliance risks are typically addressed by education and controls monitored by specialized staffs such as security, information technology, human resources, legal, tax, and audit.

External risks, on the other hand, are more difficult for operating leaders to evaluate and react to appropriately. There is a natural human tendency to think that tomorrow’s external environment will be like today’s, only better. Operating leaders tend to focus on their own strategies, worldviews, and “day jobs,” failing to fully consider external players and uncertain events.

Even in a negotiation, the tendency to focus on the company’s perspective can be a problem. Of course, the negotiating team is aware of the other party at the table—whether a union, supplier, or potential partner. But even experienced negotiating teams can benefit from thinking through systematically what is truly important to both sides and how to improve negotiating leverage and to frame issues. However, the biggest blind spots for negotiators usually relate to parties not at the table or to the aftermath of a deal. For example, GM often engages in bargaining with its labor unions while those unions are simultaneously bargaining with other companies in the industry. Understanding the perspective and issues in those parallel negotiations can be important to the outcome at GM, particularly since there is often an expectation that the pattern established with one company will apply to others. Union locals or subgroups can also have powerful effects on the final outcome. In other contexts, predicting possible rejection by regulators may lead to a different strategy on a merger or acquisition deal, or understanding legislative risk might alter a corporate initiative. Identifying stresses and differences in interests in advance can lead to favorable restructuring of a joint venture or early resolution of an underlying issue.

GM’s ERM staff has adapted a set of tools designed to improve decisions in complex, multiplayer situations or issues. The approach usually involves organizing workshops with cross-functional leaders and subject matter experts, facilitated by ERM staff. When the issue or event is known—such as a major current negotiation or an announced change in fuel economy regulations 10 years in the future—the workshop focuses on answering three questions:

1. Who else can affect the outcome? (Players)
2. What can GM and others do? (Options)
3. What do GM and the other players want? (Preferences)

The importance of thinking through these questions systematically can be shown in a mistake from GM’s past. Like other auto companies, GM relies on independently owned dealers to sell its vehicles. In the late 1990s, some GM executives saw the potential for significant strategic benefits from having a few company-owned dealers, such as an unfiltered exposure to shoppers and a chance to test new marketing and retailing concepts. Though it was recognized that dealers would oppose the idea and that it would be illegal in some states, extensive planning proceeded and a major initiative—GM Retail Holdings—was announced. Within days of the announcement, GM quickly realized this was a poor decision, and within months GM’s CEO went to the annual dealer association conference to announce the termination of the initiative and to apologize for it.

What happened to cause such an unfortunate outcome? First, the leaders of the initiative misread GM’s preferences. They thought that GM valued the potential benefits of the company-owned dealers more than they would regret an adverse dealer reaction. When the angry reaction came forcefully through many channels to numerous executives, it turned out that the assessment was wrong. Second, some options controlled by the dealers were not well understood. When dealers started pulling or threatening to pull some of those levers, GM recognized the decision’s downside potential. Third, the executives forgot a player—state legislatures. Legislation was introduced in several states (where GM Retail Holdings was considering the placement of dealerships) that would make company-owned stores illegal competition for the independent dealers, and it seemed likely that the legislation would pass. If you miss preferences, options, and/or a player, your strategy, negotiation, or initiative can fail.

GAME THEORY

When GM’s actions will have an impact on what the others do (see Exhibit 34.6), a form of game theory can help avoid misunderstandings. Using game theory,6 the team can put themselves into the shoes of each player and ask whether they want each option to be taken (including options they do not control) and how important that option is relative to others on the list. With these assessments, it is possible to identify a natural outcome7—where momentum will lead the issue—as well as a danger outcome8 and a target outcome9 for GM. The information gathered is so rich that it can guide both strategy and tactics. Because there is a tight logical connection between the recommendations and the inputs provided by participants, decisions are often changed based on the analyses.

Since the combined knowledge of the participants about the external players and their options is usually strong, the predictions of their behavior are remarkably accurate. Even when there is disagreement or uncertainty about what other players want, the analysis can identify robust strategies or narrow the areas where additional information is needed. GM used to have a Defense Operations unit that once developed a design for a military vehicle that the designers thought could displace the Humvee10 used by the U.S. Army. At the time, GM had recently acquired the Hummer brand (since discontinued), which sold a civilian version of the Humvee, so this idea generated significant controversy. Game theory analysis showed that the right actions for GM depended heavily on the preferences of the Army, with disagreement about what they were. GM leaders decided to ask the Army, inviting key generals to hear about the Defense Operations concept. The generals made clear that they had no interest in switching from the Humvee, and further investment was avoided.

Exhibit 34.6 Game Theory (choice of tool by situation)
Other player(s) decisions important and affected by your actions: game theory when the issue/event is known; scenario gaming or tabletop when the issue/event is uncertain.
Other player(s) decisions are important but independent: war gaming when the issue/event is known; scenario planning when the issue/event is uncertain.

The high value that GM leaders attach to the predictions and insights that the game theory process generates is reflected in the more than 120 times the tool has been deployed since 1999. The issues have included negotiations of all types, competitive strategy, public policy strategy, crisis management, and new business development, and have covered every region and most functions. Speed and efficiency are also major attractions; a complex issue can be analyzed and action plans developed and approved in less than one week. When the Risk Management function was created, a natural home for these decision-making tools became obvious.

War Gaming and Scenario Planning

Even when GM decisions do not affect the decisions of other players—as often is the case with long-term product or technology strategies—it can be valuable to think through how other players will act, since that can give a more accurate and unbiased assessment of the risks and opportunities. War gaming workshops often start with known information on the strategies, strengths, weaknesses, and plans of key players. The key trend or issue that is the focus of the war game is explained; for example, there may be tighter fuel economy regulations scheduled to go into effect in some country in a few years. Then participants put themselves in the shoes of the other players and predict their responses to the trend or issue. Implications for GM’s strategy and opportunities to mitigate risks are then identified.

When events are highly uncertain or even have low probability, like an economic crisis or oil shock, it can still add value to assess how external actors would respond if the event were to occur. This helps to stress test the contingency plans and can identify potential opportunities or risks to mitigate. By adding external players to the scenario planning, the need to bring in additional functions becomes apparent. If and when the event occurs, the action or crisis team will have a broader perspective and connection to important expertise, and information will be easier to access. The ERM staff can facilitate this type of contingency planning and the cross-organization connections through the risk officer network.

Thinking through how an event can spread or become a crisis makes the organization more sensitive to signals and triggers for more intense planning and preparation. A tool that GM has used in contingency planning is “DefCon” level,11 an idea borrowed from the U.S. Defense Department. When a risk with high impact but low likelihood is identified, it may not make sense to spend time and resources on detailed plans and preparations, particularly if there is likely to be significant notice or more urgent signals prior to the event. Instead, there can be a “plan to plan” with only preliminary analysis done at an early stage but commitment made for further analysis and action if particular indicators or signals are seen. The leadership group decides whether the event likelihood has reached a more serious DefCon level, triggering the appropriate preparations and actions.

External risks are difficult for any organization to understand and manage, particularly if the risks are only emerging or rare, or involve parties not at the table. By going beyond risk identification to helping decision makers achieve a 360-degree understanding of the external environment and players, ERM can aid good decision making. By using their unique perspective and a broad array of tools, ERM staff can frame the risks and opportunities and make actionable recommendations, thereby making the good decisions more likely and more robust.

LOOKING FORWARD

As we enter our third year of ERM, we have a number of initiatives under way to enhance the ERM program and better integrate it with other internal control efforts. First, we have worked with our internal audit leadership to ensure that the top company risks are being considered in their annual internal audit risk assessment, which drives the internal audit plan. These top risks will be one of many factors used to assess which processes, areas, and functions in the company should be considered for an internal audit.

We continue to look for ways to identify and assess emerging and blind spot risks and opportunities earlier and more comprehensively. In that regard, we intend to engage the corporate Intelligence Network—a cross-functional and informal group of people whose jobs require looking for societal, market, technology, and competitive trends relevant to GM around the world—to supplement the knowledge and sources of the risk officer network and ERM team.

There is always room for improvement in the plans to mitigate risks and seize opportunities. Both the risk officer network and the ERM staff can be valuable resources to an individual risk officer or functional leader trying to analyze a risk, develop a plan, and check it for robustness. We intend to utilize these capabilities more fully and systematically, particularly for complex cross-functional and cross-regional issues.

While our initial ERM focus has been to identify and manage top risks, we also realize that this is only one part of a successful ERM program. With reasonable attention to the top risks now in place, we are ready to address oversight of the day-to-day operational controls. In this regard, we are in the process of developing an enhanced program for operational control self-assessment (CSA),12 which is often cited as a fundamental and critical component of any successful ERM program. This program will begin with a joint risk assessment conducted across the organization in conjunction with internal audit.

GM implemented various versions of CSA over the years, but these processes waned over time and no longer fully support the business as intended, largely due to resources being redirected to support Sarbanes-Oxley resource requirements. There are many ways to achieve control self-assessment, and we recognize that typical programs are often criticized as not adding value because they lack substance or are simply check-the-box exercises. On the other hand, Sarbanes-Oxley at its core is intended to be a management self-assessment of controls over financial reporting despite having evolved into requiring very in-depth, time-consuming assessments.

There is a need to avoid either creating a burden on the organization to the point where the cost outweighs the benefits (which is how many businesses have viewed Sarbanes-Oxley) or creating a program that is low-cost but lacks any substantive value. Our goal in creating an improved CSA program is to strike a balance so that we are maximizing value to the organization and our shareholders by enhancing operational control assurance while spending resources wisely.

Exhibit 34.7 CSA Root Cause (process flow chart; labels recovered from the figure, grouping only partly recoverable). Lanes: Execution: Business Units; Oversight: Local ERM Rep. Step labels: Assign CSA controls; Receive and review CSA control question; Answer yes/no, attach support (consult ERM with questions); Create action plans for “no” responses; Respond to ERM questions from QA; Raise issues and suggestions for improvement; Assist drafting custom framework (at business unit request); Monitor completion of CSA; field questions; Determine whether support is adequate & follow up with business unit where appropriate; Ensure action plans address root cause; Perform QA: escalate issues to PMO as appropriate: questions requiring add’l support, trends, lessons learned, need for framework revisions; Serve as consultative internal controls liaison to units.

The approach we have developed is a policy-based CSA that will start with asking business unit operations’ line managers simple yes or no questions with regard to their compliance on specific policy requirements. However, we are taking this process a few steps further by requiring the managers to attach supporting evidence for their responses. To ensure that the supporting evidence is valid and sufficient, an ERM CSA representative will consult with the manager on control design and perform a quality assurance validation of the submission. The representative will also respond to any questions and assist in action plan development as needed. The ERM CSA representative will also review any action plans to correct self-identified deficiencies to make sure that the action plan addresses the root cause of the issue (see Exhibit 34.7).

We prefer this approach because it strengthens accountability at the operational level having frontline responsibility for internal controls. As a policy-based program, it drives behaviors that strengthen the company as a whole:

• Policy and process owners realize that they can leverage policies as a means to ensure results. If key risks are addressed in the policy, they will be assessed through CSA, and deficiencies will be uncovered and resolved by operating management.
• All business teams obtain a clear and consistent understanding of major activities and objectives of global or regional processes.
• CSA elevates the importance of up-to-date, accurate policies that address key risks.

Given that CSA is a global program, we expect that implementation will continue well into 2014.

CONCLUSION

We expect that the ERM tools we have implemented will improve GM’s ability to identify, exploit, or mitigate, and communicate risk to senior leaders and the board of directors. We view this as a competitive advantage for General Motors that will enable us to react more quickly with improved and well-defined actions. We believe that an integrated risk management process (ERM, Sarbanes-Oxley, CSA, and consolidation of other compliance/assessment types of activities) will enable GM to utilize its compliance resources much more efficiently. Importantly, it will enable the company to have a consolidated, holistic view of risk and allow management and the board of directors to take comfort knowing that mitigation activities will be visible and tracked, and owners will be held accountable.

QUESTIONS

1. What are the pros and cons of having risk officers as part-time assignments within different functions and business units?
2. Can you think of a company whose strategy failed due to their failing to consider the actions of external players?
3. Do you think that companies need to experience a crisis to take risk seriously?


NOTES

1. Killer risks are those that would have a major effect on the short- or long-term profitability of the enterprise.
2. Confirmation bias is the tendency of people to favor information that confirms their beliefs.
3. Pairwise comparison is a method of ranking that compares a list two at a time. Earlier assessments are used to reduce the total number of comparisons.
4. Sense checks are a means of avoiding large errors by reviewing preliminary results with experts or management.
5. F = MA stands for the basic equation of mechanics: Force = Mass × Acceleration.
6. Game theory is a large topic. The tool described is a practical application that predicts actions based on assessments of the options and preferences in the situation or “game.”
7. Natural outcome is a stable outcome (set of choices by the various players on the options they control) that will result if players do not behave strategically. It can be thought of as momentum.
8. Danger outcome is a stable outcome that is worse than the natural outcome from the perspective of the project sponsor; it can result if assessments are mistaken or players make errors.
9. Target outcome is a stable outcome that is the best potentially attainable by the company, given the options and preferences of the various players. It is better for the company than the natural outcome and mitigates the risk of the danger outcome.
10. Commonly known as the Humvee, the High Mobility Multipurpose Wheeled Vehicle (HMMWV) is a military transport used by the U.S. Army for many functions and produced by AM General.
11. DefCon is short for defense condition and is used by the U.S. military to describe the desired state of readiness. Wikipedia has a good description and history.
12. Control self-assessment is a technique that has managers review and certify the existence and quality of the controls around policies, procedures, and practices.

ABOUT THE CONTRIBUTORS

Marc Robinson is Assistant Director of Enterprise Risk Management at GM. He is an economist with over 25 years as an internal consultant at GM. He has also taught at UCLA, Stanford University, and the University of Michigan, and was Senior Staff Economist on the Council of Economic Advisers under President George H.W. Bush.

Lisa Smith, CRMA, CCSA, is Assistant Director of Enterprise Risk Management at GM. She has served in a variety of audit-related roles since joining GM in 2002, including the global implementation of ERM starting in 2010. She has an MBA from the University of Michigan and also serves as an instructor for the Institute of Internal Auditors.

Brian Thelen has been General Auditor at GM since 2011, and served as Chief Risk Officer through July 2014. Prior to that, he was Vice President of Audit Services at Delphi Corporation, Vice President of Internal Audit Services at Waste Management, and general auditor at American Standard. He started his career at Ernst & Young and has a CPA and an MBA.


CHAPTER 35

ERM at Malaysia’s Media Company Astro
Quickly Implementing ERM and Using It to Assess the Risk-Adjusted Performance of a Portfolio of Acquired Foreign Companies

PATRICK ADAM K. ABDULLAH Vice President, Enterprise Risk Management, Astro Overseas Limited

GHISLAIN GIROUX DUFORT President, Baldwin Risk Strategies Inc.

This case study focuses on the implementation and use of enterprise risk management (ERM) to screen proposed investments, assess the risk-adjusted performance of a portfolio of foreign investments, and make key investment decisions at Astro Overseas Limited, the company responsible for all international investments (subsidiaries and joint ventures) for Astro Holdings Sendirian Berhad (herein known as “Astro”). We start by providing some background information on Malaysia, on its corporate governance code and practices, and risk management practices at Astro. We then describe how Astro Overseas Limited uses ERM to assess and filter potential investments, and subsequently, how ERM is implemented at successful investments. Finally, we explain how Astro Overseas Limited combines information from the risk profile and financial performance of each investment, and reflects the performance on a dashboard together with all other investments in its portfolio to make better risk/return investment decisions.

MALAYSIA

Situated between 2 degrees and 7 degrees to the north of the equator, Malaysia is a diversely populated federal democracy of 29.3 million1 Malays, Indians, Chinese, and many other ethnic groups2 who speak Malay (the official language), English, various Chinese dialects, Tamil, Telugu, and Malayalam. Its major religions are Islam, Buddhism, Taoism, Hinduism, Christianity, and Sikhism. The life expectancy of its citizens ranges from 73 years (for men) to 77 years (for women), and the literacy rate is 89 percent.3


Exhibit 35.1 Map of Malaysia
Source: U.S. Central Intelligence Agency’s World Factbook.

Geographically, Malaysia is almost as diverse as its culture (see Exhibit 35.1). Eleven states and two federal territories—Kuala Lumpur and Putrajaya—form Peninsular Malaysia, which is separated by the South China Sea from East Malaysia, where we find the states of Sabah and Sarawak on the island of Borneo and a third federal territory, the island of Labuan.

Malaysia’s main industrial sectors are rubber and palm oil processing and manufacturing, light manufacturing industry, logging, and petroleum production and refining. Its main exports are electronic equipment, petroleum and liquefied natural gas, wood and wood products, and palm oil. The country’s gross domestic product (GDP) per capita is equivalent to U.S. $8,800, and its currency is the ringgit (1 RM being equivalent to 0.3140 USD).4

The country’s capital, Kuala Lumpur, is at the center of the Multimedia Super Corridor (MSC), Asia’s equivalent of the United States’ Silicon Valley. That is where we find the head office of our company, Astro Malaysia Holdings Berhad, more precisely located at the All Asia Broadcast Center, in Technology Park Malaysia.

The Astro Group

Established in 1996, the Astro Group is a leading and growing integrated consumer media and entertainment group present in Malaysia, Southeast Asia, and regional foreign markets, with operations in four key areas of business: pay TV, radio, publications, and digital media.5 It has established partnerships in different countries with A&E, Google, Lionsgate, MSNBC, and other leading media companies. Through Celestial Pictures, Astro also owns and distributes the Shaw Library, the world’s largest Chinese film library. It owns Adrep as well, a national radio airtime management and sales company operating in China.


The Astro Group comprises Astro Malaysia Holdings Berhad (AMH), which was listed on the main board of the Malaysian Stock Exchange in 2012, and Astro Overseas Limited (AOL), which oversees all international investments.

AMH focuses on Pay-TV, Radio, Publications, and Digital operations in Malaysia and has a customer base of over 4 million residential pay TV customers or approximately 56 percent penetration of Malaysian TV households. Astro Radio operates Malaysia’s highest-rated stations across key languages.

AOL holds investments in a portfolio of companies involved in Pay-TV, radio, content aggregation, creation and distribution, digital and multimedia services, and includes companies in Australia, China, Hong Kong, India, Indonesia, Singapore, Vietnam, Saudi Arabia and the MENA region, United Kingdom, and North America (see Exhibit 35.2).

CORPORATE GOVERNANCE IN MALAYSIA

The 1997 Asian financial crisis exposed many weaknesses in the region and spurred multiple reforms, including a drive to improve corporate governance.6 Malaysia introduced its first corporate governance code in 2000 and revised it in 2007. In 2011, its Securities Commission established a “Blueprint” to achieve excellence in corporate governance, and in 2012 delivered a new “comply or explain” code.7

According to its risk management guidance, the board of directors should:

• Establish a sound framework to manage risks.

• Understand the principal risks of all aspects of the company’s business.

• Recognize that business decisions involve the taking of appropriate risks.

• Achieve a proper balance between risks incurred and potential returns to shareholders.

• Ensure that there are systems in place that effectively monitor and manage these risks.

• Determine the company’s level of risk tolerance and actively identify, assess, and monitor key business risks to safeguard shareholders’ investments and the company’s assets.

• Disclose in the annual report the main features of the company’s risk management framework and internal controls system.

According to the 2013 ASEAN Corporate Governance Scorecard published jointly by the ASEAN Capital Markets Forum and the Asian Development Bank,8 the performance of Malaysia’s Top 100 companies (PLCs) in terms of conformity to recommended corporate governance principles and practices “is commendable and at the same time presents opportunities for more improvement.” Among the areas for improvement identified by the report was the “lack of disclosure of key risks (other than financial risks).”

ENTERPRISE RISK MANAGEMENT AT ASTRO

In the aforementioned corporate governance context, Astro’s listed vehicle, AMH, states in its Annual Report 2013: “The Board is committed to applying and upholding high standards of corporate governance to safeguard and promote the interests of the shareholders and to enhance the long-term value of the Group. To this end, it has adopted the principles and recommendations set out in the Malaysian Code on Corporate Governance 2012.”9

Exhibit 35.2 AOL’s Regional Investments

(Map figure; the recoverable content is the list of countries and business lines.) USA: Digital Content. United Kingdom: Digital Content. Saudi Arabia/MENA: Digital Content; Mobile Content Distribution. India: TV; Radio; Online; Mobile. Vietnam: TV Content. China: Advertising Services. Hong Kong: TV Content. Philippines: Animation. Australia: TV; Online; Broadband. Singapore: TV Content. Indonesia: Radio Content.

The annual report states that the board is charged with, among other responsibilities, the review and approval of changes to management and control structures, including ERM. “The Board is committed to the implementation of Group Risk Management (GRM) as an integral part of the Group’s planning practices and business processes, encapsulating the continuous identification, assessment, monitoring, and reporting of risks at all levels, from projects, [to] operations to strategy. The Group Risk Management Framework, consistent with the Committee of Sponsoring Organizations (COSO) enterprise risk management framework, sets out the risk management governance and infrastructure, risk management processes and control responsibilities.”10

The board of directors, through its Audit Committee, is assisted in these responsibilities by AMH’s Group Risk Management Committee (GRMC). The GRMC meets at least quarterly, includes senior management from each business segment and unit, and is chaired by AMH’s CEO. The CEO and CFO are accountable to the board of directors for the implementation of strategies, policies, and procedures to achieve an effective risk management framework.

Furthermore, Astro has linked senior executive pay to sound risk management up to the highest level of the organization: “Risk management has been identified as a key result area in the annual performance evaluation of the CEO and CFO.”11

If the lack of disclosure of key risks (other than financial risks) by top Malaysian companies was noted in the 2013 Corporate Governance Scorecard mentioned earlier, it is not the case at Astro, which also follows the guidance of the Global Reporting Initiative Framework and discloses—in addition to financial risks—seven other key risks: market and competition; political, legal, and regulatory; services availability; procuring exclusive and compelling content; technology and innovation; people; and branding and reputation.

Astro is also committed to what is increasingly recognized as a key success factor of long-lasting ERM implementation: risk culture. “Risk awareness and control consciousness are integral in cultivating a good risk and governance culture among the Group employees. Risk and control briefings, online training, and a web portal are in place to facilitate the ease of reference and better understanding of the risk management framework and internal control procedures.”12

Finally, to ensure consistent practices, Astro has adopted the concepts and terminology of the ISO 31000 International Standard (Risk Management—Principles and Guidelines, 2009) and the COSO process to ensure the ERM program is effectively implemented.

ASTRO OVERSEAS LIMITED

We now focus on the implementation and use of ERM to assess the risk-adjusted performance of a portfolio of foreign investments and to make key investment decisions at Astro Overseas Limited (AOL), the company responsible for all international investments (subsidiaries and joint ventures).

628 Implementing Enterprise Risk Management

AOL’s board of directors is very experienced and oversees the company’s risk management framework. The board of AOL reiterates regularly that risk management is as important as maximizing profitability, and that both should be given equal weight in establishing investment performance benchmarks. AOL’s objective is to achieve investment returns that are considered reasonable for the markets in which it invests, the stage of each investment in its life cycle, and the risks of the investment. It looks at the long-term success of these investments and the risks of these companies over time, not necessarily at short-term gain. While the board of directors is cognizant of the ERM framework and methodology, it is also mindful that the approach to its implementation varies from one investment to another depending on the size and scale of each business. In this respect, the influence of the investee company’s board and audit committee plays an important role in ensuring the process is successfully implemented. Senior management needs to fully understand and appreciate that although the process is a little provocative, it adds value and has the potential to create a more robust business. Also, for smaller investments, resources and talent may be limited, and AOL needs to extend assistance to these investee companies to implement and manage the program until the investee company has adequate resources to do it on its own.

EVOLUTION OF ERM AT AOL

As we will soon see in detail, AOL has reached a level of maturity sufficient to work with the management of the investee companies to implement its ERM Framework. The evolution of AOL’s ERM maturity over time is illustrated in Exhibit 35.3.

Exhibit 35.3 Evolution of AOL’s Risk Management

(Figure: maturity progresses from Reactive, through Proactive, to Adaptive; the corresponding focus moves from Respond and Recover, to Continue Operations, to Revenue Preservation and Pursue Opportunities.)

DISASTER RECOVERY (reactive): “What if something happens?”

• Actions are in response to what has just happened

• Typical action plans are insurance, incident reporting, response plans

BUSINESS CONTINUITY (proactive): “When our business is disrupted”

• Focus on response to continuity of services with the least amount of interruptions possible

• Requires proactive collaboration of all units within the organization

• Typical action plans are BCP plans, IT backup centers

ENTERPRISE RISK MANAGEMENT (adaptive): “How can we act for competitive gain?”

• Shift from loss prevention to revenue protection and generation

• Acting before people or assets are impacted

• A culture of adapting and thriving in the face of complex changes while creating value


Like many companies, AOL’s approach to risk management started in a reactive mode, with a basic ability to respond to negative events. It then progressed to being able to recover as quickly as possible from a potential interruption, and then moved on to a more proactive mode with business continuity planning (BCP)—being able to prepare to ensure the continuity of critical operations and business activities in almost any circumstance. Later on, AOL started to enter the adaptive mode, with a focus of the risk management function on revenue preservation.

Now well into the adaptive stage, AOL is able to use ERM for anticipating risks before they impact employees or assets, protecting revenue generation, gaining competitive advantage, and creating value by adapting to the complex and changing media business environments one finds while investing in foreign countries and cultures. This ability plays an important part in the screening of potential investments by AOL and contributes to AOL’s profitable growth strategy through international expansion.

AOL’s investment strategy is to focus on businesses in the media and entertainment sector including platforms, distribution of content, and businesses closely related to AMH’s core businesses, including media such as TV, radio, content creation and aggregation, Internet Protocol television (IPTV),13 and advertising. A major challenge for AOL is implementing ERM across its investment portfolio where it does not have a majority position. Other key challenges in terms of risk management include:

• Implementing ERM consistently across all investments.

• Managing differences in terms of cultures and obtaining buy-in from management.

• Managing the expectations of board members.

ROLE OF ERM IN THE ACQUISITION PROCESS

Astro is growing through acquisitions and therefore has developed a method to systematically and efficiently screen investment opportunities. Exhibit 35.4 shows how AOL makes investment decisions through a layered investment risk funnel.

A first risk review of the opportunity pipeline is performed by the senior leadership team of AOL.

If that first hurdle is cleared, a second risk review is conducted. This review is led by the Business Development (BD) Team in conjunction with the ERM Team. As anyone who has ever been involved in mergers and acquisitions knows, a full risk assessment prior to an acquisition is almost impossible to carry out during the due diligence process, owing to the speed at which negotiations evolve and to their highly confidential nature. When in the process of making an investment, it is not the right time to be running risk workshops. This being said, AOL’s ERM Team has established a number of key activities to be carried out during the preacquisition portion of the process, as we see in more detail in Exhibit 35.5. The result of this second risk review is either an approved investment proposal or a rejection of it.

A third risk review is performed by the BD Team during the negotiation period. After the negotiation, if the acquisition offer is accepted and the contract is signed, AOL’s ERM Team enters the most important portion of the process, the focus on implementing its ERM Framework: the operationalization phase, or the Monitor and Review panel of Exhibit 35.5.

Exhibit 35.4 Making Key Investment Decisions

(Investment Risk Funnel figure; recoverable content.) The Opportunity Pipeline feeds the 1st Risk Review (by Senior Management): Review Opportunity Details; Conduct Impact Assessment; Discuss Investment Strategy. Its outcome is Pursue or Not Pursue. Opportunities pursued enter the 2nd Risk Review (jointly reviewed by BD and ERM): Prepare Business Investment Proposal Paper; Review All Major Risk Areas; Finalize Investment Cost. Its outcome is Investment Proposal Approved, followed by Negotiation and Draft Contract. The 3rd Risk Review (by BD) covers: Review Negotiated Terms and Conditions; Review Transaction Detail; Receive Approval to Sign Contract. It is followed by Sign Contract and Operationalization.

During the Preacquisition portion of the process in Exhibit 35.5, the ERM Team uses a set of guidelines to determine a preliminary risk profile of each of the potential target companies. The word preliminary is important here. The initial evaluation will include issues related to political and regulatory risks, partner management, skills, expertise and human resources, operational influence, the company’s business model, its strategy, growth plans, operations, and cultural fit. From the initial assessment come the preliminary key risks and existing risk treatments or mitigation plans required for the potential target. Once this preliminary risk profile has been obtained, the BD Team will then identify the potential acquisition’s funding structure, management fees, and return on investment, as well as exit strategy options. These analyses and scenarios are then put to the test or confirmed further. Finally, the preacquisition activities conclude with a “go/no-go” recommendation to the board of directors. If the board of directors approves the investment proposal, the approval will normally have recommendations and stipulated conditions that need to be met for the acquisition to proceed.

Exhibit 35.5 Overview of ERM’s Role in AOL’s Acquisition Process

(Figure: AOL’s value chain runs from Preacquisition to Postacquisition. The ERM Framework focuses on the “Monitor & Review” phase of AOL’s value chain, which the figure marks as the Focus of the AOL ERM Framework.)

During the monitor and review phase, the ERM Team will further develop the preliminary risk profile using the strategic objectives approved by the board of the investee company as a starting point. Based on these objectives, the ERM Team will also use specific financial and nonfinancial targets set by management to undertake their assessments. The risk profile provides further evidence as to whether the current targets can be met under existing business conditions. It is then reasonable to assume that the strategic objectives, as well as the financial and nonfinancial targets, may be adjusted once the board of the investee company is fully apprised of the risks associated with the business. Designated directors from AOL who are on the board of the investee company will work with management to make the necessary adjustments. The adjustments made are normally to ensure that objectives are reasonable and adequately robust to meet set performance targets.

AOL’s ERM function adopts a consistent methodology and has an established risk dashboard and reporting templates for all companies within its portfolio. It also has developed appropriate and effective mechanisms for its implementation and use. The initial risk-based strategy review is followed by regular annual reviews over the life of the investment. Finally, AOL’s ERM function has oversight and regularly monitors the risk management process of the investee company.

The postacquisition stage is concerned with the execution of an appropriate exit/divestment strategy. In the preacquisition phase, potential exit strategies are identified. In the monitor and review step, these strategies are constantly reviewed and relevant triggers determined and tracked. These are indicators or metrics with thresholds set so as to trigger the consideration of exit strategy options and eventual execution of one of them—terminating the investment. The divestment process starts when the monitoring of triggers has resulted in the decision to execute an exit strategy. The ERM Team contributes to the escalation of the recommendation to divest, through management and to the board of directors of AOL, with a focus on the risk/return aspect of the recommendation. Once the decision has been obtained from the board, where required, the ERM function helps the divestiture team to set the negotiation guidelines, assess the risk profile of potential buyers, and manage sensitive confidential information until the divestiture is closed.

The Monitor and Review Step—Focus of AOL’s ERM

As mentioned, the monitor and review step is focused on the effective implementation of AOL’s ERM Framework. Once the investment has been made, AOL seeks to work with management to adopt and integrate AOL’s ERM Framework quickly.

To that effect, AOL has instituted a number of key measures to ensure not only that ERM is implemented quickly and effectively but also that the ERM framework is adopted by the business for the long term. The key measures put in place to ensure those results are achieved include:

• A risk key performance indicator (KPI) (with an estimated weight of 10 percent tied to the compensation package) is assigned to the business heads of each investment to ensure that they are vigilant in managing their risks and implementing the necessary mitigation strategies.

• Risk management performance is monitored on a quarterly basis, after which a report card is developed outlining the areas of compliance and areas where gaps have been identified (i.e., the proportion of their risk management actions that are on target).

• Results are consolidated on an annual basis for review by the Remuneration Committee of the board of directors.

• To further inculcate the ERM culture, an “Introduction to ERM” course has been included as part of the core syllabus for induction training.

AOL is sufficiently experienced at implementing ERM that it rolls out its Framework using typically 60 person-days of its own ERM Team over a three- to four-month period. However, as mentioned earlier, the plan can only materialize if there is full support from the board and audit committee of the investee company, and there is management commitment in ensuring the program meets its objectives.

Shortly after AOL has completed the investment, AOL’s ERM Team identifies two or three persons from the investee company who will be trained in AOL’s ERM approach and brought on board as soon as the implementation project starts. We will collectively refer to them as the Joint ERM Team (JET). The overall ERM implementation process is illustrated in Exhibit 35.6. It will culminate in the investee company having an up-to-date risk profile consisting of a risk map, a risk register, and details for each risk identified (causes, treatments, controls, action plans, and steps required to complete each action plan).

This process is performed in three steps: Planning, Rollout, and Sustainability. At the Planning step, the JET starts the stakeholder management activity, first engaging with the investee company’s senior management team (SMT) to explain the process, reach mutual understanding, and obtain buy-in. A risk champion is determined among the SMT members. This senior executive will be the sponsor of the ERM implementation process. A Risk Committee, which also constitutes the ERM steering committee during the implementation stage, is also formed. It will include the CFO, other senior executives, and their direct reports.

Then, the implementation project plan is devised, including its scope, time line, the project team membership, and delegation structure (number “1” in Exhibit 35.6).

As mentioned earlier, the Rollout step is performed in three phases over the aforementioned three- to four-month period, using most of the 60 person-days of AOL’s ERM Team.

Phase I uses approximately 30 person-days of AOL’s ERM Team and starts with awareness training sessions. The JET enters into the information gathering activity (number “2” in Exhibit 35.6), organizing the first risk workshop with the SMT. This part of Phase I uses a top-down approach. The JET members discuss the industry and business challenges of the company with the SMT. The workshop will produce a laundry list of risks, and they ask the SMT, as an initial assessment, to rank them simply, using their best judgment, as low, medium, or high.

Exhibit 35.6 Typical ERM Implementation Process for Operating Entities

(Figure; recoverable content, with the numbered activities referenced in the text.)

Planning: Stakeholder Management (Engagement with Senior Management Team); Project Plan (Scoping; Time Line; Project Team Structure) (1).

Roll-Out (in phases): Awareness Training; Information Gathering (Focus Group Discussions; Interviews; Workshops) (2); Development of Risk Profile (Identification of Risk Owners; Development of Action Plans) (3).

Sustainability: Board Reporting; Monitoring of Risk Profile; Monitoring / Revision to Risk Profile (4).

This is then followed by the interviews stage. They may interview up to one-third of the organization (for example, 100 out of a total of 300 employees) from the bottom up. Based on the company’s objectives, they ask participants what their objectives and targets are, what may impede them from meeting their objectives (these become their risks), their causes, and the risk treatments and/or controls that are already in place. The JET also uses the high-level risk list from the SMT workshop to prompt and facilitate discussions if necessary. The AOL ERM Team calls this the Level 1, or ground level, risk identification. At this level, risks are neither screened nor validated (they are not yet what they call “sanitized”).

Then, the JET interviews Level 2 managers, who are the direct supervisors of Level 1 interviewees. As with the previous stage, they perform first a zero-based risk identification discussion with Level 2 managers. This is followed by discussions on the list of risks and causes as identified during the Level 1 analysis/results. The JET looks for agreements and disagreements and tries to balance them out.

Based on Level 1 and Level 2 results, the JET “sanitizes” the risks and causes, which means that they regroup some risks and eliminate others that seem out of place based on the JET’s business judgment and experience in risk management. They then bring the “sanitized” and prioritized risk list to the company’s SMT. At this point, the risk register is constituted of only a one-dimensional rating (low, medium, or high), together with the causes of risks and treatments and controls in place.


This is the end of Phase I, and the AOL ERM Team gives the investee company a period to consider, analyze, and think about both the top-down risk list and the bottom-up one, before starting Phase II.

Phase II uses approximately 20 person-days of AOL’s ERM Team. Combining the top-down and bottom-up results, the JET typically finds that 75 percent of the risks are common and 25 percent may be different. The JET and SMT reconcile them through what AOL calls a “dispute/validation” workshop. The investee company’s risk register is then agreed to. Next, the JET asks the SMT to assign, among themselves, a risk owner for each of the identified risks.

Depending on the nature and size of the business, there may be between 10 and 20 risks for each investee company. Those risks are managed by the investee company, and AOL has oversight of the process. The JET and SMT use the overall rating of low, medium, and high to determine the company’s top 10 risks.

The JET then commences the risk profile development activity (number “3” in Exhibit 35.6). The team members discuss each risk with its owner individually. During the meeting, they address the risk’s causes, its probability of occurrence, and the impact (or “consequence” in ISO 31000 terminology) if it materializes, taking into consideration the existing risk treatments and controls already in place as the case may be. To identify the root causes of the risk, the team drills down to a reasonable depth. This process requires judgment and experience. As an indication, they may go as far back as three years in terms of data history, but not much more, as they find that drilling further down tends to bring diminishing returns compared to the expense and effort involved. The JET and risk owner also look at the strength of each of the controls in place, asking themselves: “Is it sufficient or not?” In other words, they use a binary decision method. If the JET and risk owner find that control is lacking, the JET works with the risk owner to determine what should be done and to establish action plans to treat the risk accordingly. This is the end of Phase II.

The JET populates the risk profile, including the risk map, and sends them back to risk owners with their action plans. Following the end of this phase, the JET and risk owners enter a two-week period of follow-up and challenges. The JET encourages risk owners to think outside the box while also considering the costs of their existing treatments, controls, and key action plans.

Phase III uses approximately 10 person-days of AOL’s ERM Team. This phase starts with a third SMT risk workshop. The company’s risk profile, including the risk map and the key risk action plans, are reviewed collectively and challenged. Again, this is a validation workshop. The validation process allows the SMT, for instance, to ensure that one action plan does not duplicate or contradict another action plan or existing treatment and/or control. Once the key risk action plans have been validated by the SMT, the JET meets again with risk owners individually to revise those action plans and reassess their cost/benefit analyses as required. The JET returns to the SMT with the risk map and action plans, including their cost/benefit analyses. The SMT provides final validation of the risk profile, including risk map, action plans, costs or budgets needed, and the time line to implement the action plans.

Finally, the Sustainability step is performed on a continuous basis (number “4” in Exhibit 35.6). It consists of monitoring the risk profile of the investee company and reporting it to the board (see Exhibit 35.7).

Exhibit 35.7 Reporting and Monitoring Structure

(Organization chart; recoverable content.) Boxes applicable to the Investee Company: Risk Owner; Risk Committee; Risk Champion; Head of Investee Company; Corporate Assurance. Boxes applicable to AOL: Risk Owner; Head of ERM; ERM Division; EXCO; CEO; Audit Committee; Board of Directors. Vertical layers, from bottom to top: Day-to-Day Management of Activities; Risk Reporting; ERM Oversight. Notes on the chart: “Risk Reporting within the organization will employ a bottom-up approach”; “Overseeing Risk Management of the organization would require a top-down approach.”

The risk owners selected by the investee company will then implement key action plans by project-managing the deliverables. The action plans are broken down into key action steps and target dates for completion. The ERM Framework (see Exhibit 35.8) is handed over to the local ERM Team, which consists of the local members of the JET and must include at least two persons who have been trained by AOL’s ERM Team.

The Vice President of Enterprise Risk Management (VPERM) of AOL’s ERM Team serves as a liaison between the operating company’s ERM Team and the SMT to ensure that everyone is on the same page in understanding what is expected in terms of risk management. AOL’s VPERM undertakes reviews with the investee company (and all other companies in the portfolio) every six months by meeting and discussing with the CEO, the SMT, and the local ERM team, to monitor the risk management process at a high level.

In between those reviews, there are monthly meetings and a comprehensive formal quarterly review by a representative of AOL’s ERM Team, the local ERM team, and the risk owners to monitor the execution of the action plans, revisions required for the risk profile, and reporting on risks.

Once action plans for a risk have been completed, they become treatments or controls. The ERM team monitors the effectiveness of these controls, and whether they are working effectively contributes to establishing the risk’s trend in ranking (stable, up, or down) as part of the regular reporting process.

Emerging risks are also considered regularly. Once a key emerging risk has been identified and considered significant, an assessment process similar to the rollout described earlier, including phases I, II, and III, is performed for that risk.

Exhibit 35.8 AOL’s Risk Management Process

(Figure; recoverable content.) “Risk management is an ongoing process… The key steps are…” Identify, Assessment, Treating, and Monitoring & Reporting:

• Identify: Risk Inventories; Brainstorm; Scenario Analysis; SWOT; Workshops

• Assessment: Likelihood; Impact

• Treating: Transfer; Avoid; Mitigate; Exploit; Accept

• Monitoring & Reporting: Quarterly reporting; Periodic random testing; QA reviews

AOL ERM Framework, governance layers: Board Audit Committee (AC); Group Enterprise Risk Committee (ERMC); Investee Company Risk Committee (RC); Risk Owners at Investee Company level.

Once the Group Risk Profile and individual BUs’ risk profiles are deliberated and endorsed at the ERMC, the Audit Committee would be updated (on a quarterly basis). On a periodic basis, ERM would meet with individual risk owners to discuss the progress of risk mitigation strategies, including the implementation of action plans. On a monthly basis, ERM would meet with the Head of each Operation Entity to update the progress and discuss any emergence of new risks. Each Investee Company has its own risk committee that meets on a quarterly basis to discuss the progress of risk mitigation strategies and identify emerging risks. The ERMC, chaired by the Group CFO, meets on a quarterly basis to deliberate on the Group Risk Profile. Additionally, each Operation Entity would update the Committee on the status of their risk profiles.

RISK PROFILE: RISK MAP AND ACTION PLANS

As explained earlier, the investee company’s risk profile includes its risk map and set of assessments and action plans for each key risk. As shown in Exhibit 35.8, AOL’s risk map is represented using a 4 × 4 matrix of impact versus likelihood/probability, with scales ranging from 1 to 4, “4” representing the highest probability or impact. When two risks are symmetrically placed in the matrix vis-à-vis its diagonal, for instance, one with ratings of probability “2” and impact “3” and the other with ratings of probability “3” and impact “2,” a higher priority is given to the risk with the higher impact.

Exhibit 35.9 illustrates how AOL tracks its summary risk profile on risk maps, identifying the inherent or gross risk rating (the level of risk that would prevail in the absence of treatments), the residual or net risk rating (the actual level of risk given the existing treatments in place), and the target risk rating (the appetite for that risk, which will be achieved through the execution of the key action plans).

To give these concepts more concrete meaning, consider a hypothetical investee company of AOL, Trex Radio, operating in the Socialist Republic of Vietnam. To simplify matters, let’s assume it focuses on six key risks, as displayed on the summary risk map of Exhibit 35.10, where risks are displayed on a net basis (residual risks).

As can be seen from Exhibit 35.10, AOL uses a numbering system whereby the first number represents the likelihood (or probability), and the second one the potential impact if the risk materializes. This map shows simply the existing risks, but as the legend at the bottom of the chart indicates, AOL can also highlight existing risks that have been redefined and/or reranked, as well as new/emerging risks.

For illustration purposes only, Exhibit 35.11 shows what this means concretely for one hypothetical yet realistic key risk, that of R2, the ability to develop creative and compelling content.

Exhibit 35.9 (risk map figure; text recovered from the figure):

LIKELIHOOD axis: Unlikely (1), Possible (2), Likely (3), Certain (4). IMPACT axis: Low (1), Moderate (2), High (3).

The figure marks the Gross Risk, Residual Risk, and Target Risk positions of one risk, with the moves between them labelled "Measures that reduce likelihood" and "Measures that reduce impact." Annotations: "Existing treatments will be assessed by management to arrive at the residual risk" and "Future risk response at improving the existing level of treatment to achieve the target level."

• Inherent / Gross Risk Rating – risks that exist before considering the effectiveness of existing controls
• Residual / Net Risk Rating – risks taking existing controls into consideration
• Target Risk Rating – management's desired risk level

Exhibit 35.9 Risk Map Displaying Inherent/Gross, Residual/Net, and Target Risk Ratings

Exhibit 35.10 (summary risk map figure; text recovered from the figure):

LIKELIHOOD axis: Unlikely (1), Possible (2), Likely (3), Certain (4). IMPACT axis: Low (1), Moderate (2), High (3), Very High (4). Risk Ranking: Likelihood, Impact.

R1 Ability to expand sales revenue streams or market share in a cost-effective manner 3,4
R2 Ability to develop creative and compelling content 4,2
R3 Competition 4,2
R4 Managing brand perceptions 3,2
R5 Ability to expand and improve broadcast coverage 3,2
R6 Ability to increase market share via new technologies 3,1

Legend (marker styles in the original figure): RXX - Unchanged risk; RXX - Redefined risk; RXX - New/Emerging risk; RXX - Reranked risk; RXX - Reranked & Redefined risk

Exhibit 35.10 Risk Map of Trex Radio, Vietnam, a Hypothetical AOL Investee Company

Risk R2: Ability to develop creative and compelling content

Risk Ranking: Gross 4,3; Nett 4,2; Target 2,2

Risk Explanation: Content is key for increasing listenership. Therefore, it is essential to fulfil the demand by establishing / acquiring quality production of compelling content and procuring exclusive content rights to differentiate ourselves from the competitors including management of brand perception.

Consequences: • Loss of listenership • Loss of advertising revenue

Risk Owner:

Potential Causes: Changing listeners' trends and preferences

Controls:
• Various forms of market research are regularly conducted to identify listenership trends and preferences such as: Listener Advisory Board (biannually); Auditorium Music Testing (minimum annually); Perceptual studies on DJ personalities; Music research; AC Nielsen media survey (twice yearly)
• Use of Xrater (online survey) to track changing listener habits apart from existing research, which is available.
• Trex Radio nurtures own talent by informal mentoring / coaching by respective superiors in selected departments.

Key Action Plans:
• Quarterly review of breakfast benchmarks
• Biannually conduct breakfast show and breakfast talent perceptual review
• Continuation of breakfast show producer training
• Key shift producers to be migrated into employment contracts and away from vendor relationship
• Introduce a KPI for producers to track the increase in audience listenership by 100% from current standing through direct engagement over radio, social media, mobile apps, and phone listenership
• Review pay and reward for breakfast shift producers
• Identify and develop one shift, which could be used to replace key breakfast shift on core stations.

Exhibit 35.11 Detail of Risk Profile—R2

This example considers a typical key risk that any media company faces, which is the ability to develop creative and compelling content that attracts and retains a target audience. In this illustration, we consider the radio programming of the hypothetical Vietnam subsidiary, Trex Radio. To better understand the following considerations, the reader should note that the key radio period for listenership in Vietnam is the morning breakfast time period.

As can be seen from the Risk Explanation section, Trex Radio needs to acquire/develop and protect unique quality content that will differentiate itself from the competition and sustain or increase listenership and advertising revenues. One of the potential causes that may put this ability at risk has been identified as "Changing listeners' trends and preferences" that would not be matched by the company. Without any risk treatment, Trex Radio has determined that the gross risk rating is "4,3," which means probability 4, impact 3, which lies in the "red zone" (upper right area in chart).

The existing treatments/controls are also explained: Trex Radio commissions traditional market research and online surveys, and it nurtures its own talent to differentiate itself. With these treatments in place, the current net risk rating is “4,2,” which means that the existing treatments do not reduce the probability that the risk will occur, but will reduce its impact if it does occur—yet not sufficiently to move it from the “red zone.”

The appetite for that risk, the target risk rating, is "2,2" (which would bring the risk in the "green zone," lower left area in chart). Some key action plans have been identified and selected to bring the probability down two notches, and they are listed in the exhibit. One of them is: "Key shift producers to be migrated into employment contracts and away from vendor relationship." How would this action reduce the probability of the risk that changing listeners' preferences creates a mismatch between their needs and the company's programming? The answer is that by enticing key shift producers to become employees as opposed to freelancers (for instance, by revising their pay and reward upward—see next key action in the list of the exhibit), the company will be in a better position than its competitors to quickly anticipate the programming changes necessary to keep in line with potential shifts in its audience's needs. Also, another action plan geared toward increasing emotional attachment of the producers to the station is: "Introduce a KPI for producers to track the increase in audience listenership by 100 percent from current standing through direct engagement over radio, social media, mobile apps, and phone listenership." This action plan is geared toward building loyalty, and producers are rewarded accordingly for meeting the set targets.

640 Implementing Enterprise Risk Management

Risk R5: Ability to expand and improve broadcast coverage

No. 1 Detailed Action Plan: Finalize the Vietnam Telecom contract and complete upgrade of antennas and transmitters for the key markets in the next 10 years, and focus on improving transmission quality of the existing transmission. Action by: Trex.

Action steps (Action by / Target date / Remarks; the Status column's colored icons are not reproduced here):
a) Liaise with General Counsel on contract matters and finalize it. Trex / Vietnam Telecom. Apr 2012. Completed.
b) Obtain signatures from both parties. Trex / Vietnam Telecom. May 2012. Draft contract completed and agreed. Pending review and sign-off by Vietnam Telecom.
c) Vietnam Telecom orders antennas and transmitters from supplier. Trex / Vietnam Telecom. June 2012. As per schedule.
d) Commence installation of antennas and transmitters. Trex / Vietnam Telecom. Dec 2012. As per schedule.
e) Carry out system and transmission test. Trex / Vietnam Telecom. Aug 2013. As per schedule.
f) Commissioning and handover. Trex / Vietnam Telecom. Oct 2013. As per schedule.

Exhibit 35.12 Detailed Action Plan—R5

Of course, all of these treatments and action plans have a cost. As explained previously, a cost/benefit analysis of these actions must be performed and a budget justified and approved.

Exhibit 35.12 illustrates a hypothetical yet realistic action plan for another typical risk for a radio company, Trex Radio's R5 risk: the ability to expand and improve broadcast coverage.

As explained previously, action plans are broken down into key action steps featuring "Action by," "Target date," "Status," and "Remarks" columns. In this case, key action number 1 to reduce the risk R5 (ability to expand and improve broadcast coverage) is to contract the telecom company Vietnam Telecom to upgrade and improve Trex Radio's transmission in key markets for 10 years. It has been broken down into six action steps, from a) Liaise with General Counsel to f) Commissioning and handover. The Status column has four possible states: (1) a check mark when the action step has been completed, (2) a green circle when it is on target, (3) a yellow circle when it is at risk of delay, and (4) a red circle when it is overdue. This is to ensure that the agreed action plan is project-managed and delivered on a timely basis. Note: Since the exhibit is printed in grayscale, green appears as the lightest shade in the exhibit, yellow as the middle shade, and red as the darkest shade.

THE INVESTMENT PERFORMANCE DASHBOARD

As is appropriate for a book on ERM cases, we have focused much of the chapter on AOL's ERM Framework. But since our goal is to show how it is used in practice to make risk-based investment decisions on a portfolio of foreign investee companies, we now turn our attention to the investment side of the equation. Exhibit 35.13 illustrates AOL's formula to build its investment performance dashboard.

The investment performance dashboard is a matrix that allows comparing the operating entities in the portfolio to one another using their current investment value on one axis and their total investment performance score (TIPS) on the other (see Exhibit 35.13). The former is obtained through recognized valuation methodologies such as the discounted cash flow (DCF) method, while the latter is the sum of two risk scores: the qualitative investment risk score and the quantitative financial risk score.

The qualitative investment risk score is obtained by using the risk map of the top 10 risks of the investee company. AOL’s approach to obtain this score is to multiply the probability by the impact for each of the top 10 risks and to add them up. A lower score means a safer investment with a lower risk profile (safer from an investment standpoint). The maximum score possible is 10 × 4 × 4 = 160.

Investment Risk Analysis (qualitative assessment of an investment)
• What are the top 10 risks faced by this company and its associated rankings (L x I)?
• Top 10 risks extracted for each Investee Company
• Scoring based on sum of likelihood x impact
• Max score of 160
• The higher the score, the greater the risk

Financial Risk Analysis (quantitative assessment of an investment)
• What are the cumulative YTD financial variances for Gross Revenue, PATMI, EBITDA, and Free Cash Flow (in %)?
• For each criteria, a score is determined based on the variance between budget and actual
• 0 = positive or no variance while 10 ≤ –50% variance
• The lower the score, the more robust is the financial management

Total Investment Performance Score
• What is the investment's risk exposure relative to its investment size?
• Sum of both scores provides an overview of the risk exposure of the investee company
• Plotted against the Total Investment Value to provide an overview of its performance, relative to others

Investment Performance Dashboard

Exhibit 35.13 Investment Performance Dashboard Formula

Exhibit 35.14 (dashboard figure; text recovered from the figure):

Horizontal axis: Total Investment Performance Score (in points), Low to High, with gridlines at 80, 160, 240, 320. Investment Risk Analysis + Financial Risk Analysis for each investment.

Vertical axis: Valuation @ Current Investment Value (USD mil), Low to High, with rows at 25, 50, 100, >100. Periodic valuation of each investment based on appropriate evaluation methodologies such as discounted cash flow, etc.

Exhibit 35.14 Investment Performance Dashboard

The quantitative financial risk score is obtained by looking at the deviations from the plan of four financial metrics: gross revenue; profit after tax and minority interests (PATMI); earnings before interest, taxes, depreciation, and amortization (EBITDA); and free cash flow. For each metric, a score is derived from the variance between its budgeted amount and the actual number realized. The score can range from 0 (when there is a positive variance or no variance) to 10 (when the variance is –50 percent). A lower score is indicative of a more robust financial management and means a safer investment from a financial point of view.
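As an added worked example (not code from the book, from Astro, or from AOL), the scoring just described can be carried through in Python: the qualitative investment risk score as the sum of likelihood × impact over the top 10 risks (maximum 160), the quantitative financial risk score as the sum of four per-metric scores on a 0–10 scale, and TIPS as their sum. The six Trex Radio risks are taken from Exhibit 35.10; the year-to-date variances are constructed sample values. The chapter fixes only the end points of the per-metric financial score (0 at zero or positive variance, 10 at –50 percent), so the linear interpolation between them is an assumption; the tie-break in favour of the higher impact when ranking risks follows the rule stated earlier in the chapter.

```python
"""Scoring an investee company along the lines of AOL's investment performance
dashboard: a qualitative investment risk score from the risk map, a quantitative
financial risk score from budget variances, and their sum, the total investment
performance score (TIPS).  Sample inputs below are constructed for illustration."""
from dataclasses import dataclass

MAX_RATING = 4                                        # 4 x 4 risk map; "4" is the highest rating
TOP_N = 10                                            # the score uses the company's top 10 risks
MAX_QUALITATIVE = TOP_N * MAX_RATING * MAX_RATING     # 10 x 4 x 4 = 160
FINANCIAL_METRICS = ("gross_revenue", "patmi", "ebitda", "free_cash_flow")


@dataclass(frozen=True)
class Risk:
    ref: str
    description: str
    likelihood: int     # 1..4 (first number in the chapter's "L,I" ranking)
    impact: int         # 1..4 (second number)

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= MAX_RATING:
                raise ValueError(f"{self.ref}: {name} must be 1..{MAX_RATING}, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def rank_risks(risks):
    """Highest likelihood x impact first.  Ties go to the higher impact, the
    chapter's rule for risks placed symmetrically about the map's diagonal
    (2,3 outranks 3,2); the reference keeps the order stable after that."""
    return sorted(risks, key=lambda r: (-r.score, -r.impact, r.ref))


def qualitative_score(risks) -> int:
    """Sum of likelihood x impact over the top 10 risks (max 160)."""
    return sum(r.score for r in rank_risks(risks)[:TOP_N])


def financial_metric_score(variance_pct: float) -> float:
    """Map one metric's budget-vs-actual variance (percent) to a 0..10 score.
    End points are the chapter's; linear interpolation between them is an
    assumption made for this example."""
    if variance_pct >= 0:
        return 0.0
    if variance_pct <= -50:
        return 10.0
    return round(-variance_pct / 50 * 10, 2)


def financial_score(variances: dict) -> float:
    """Sum of the four metric scores (gross revenue, PATMI, EBITDA, free cash flow)."""
    missing = [m for m in FINANCIAL_METRICS if m not in variances]
    if missing:
        raise KeyError(f"missing variance(s): {', '.join(missing)}")
    return sum(financial_metric_score(variances[m]) for m in FINANCIAL_METRICS)


def total_investment_performance_score(risks, variances) -> float:
    """TIPS = qualitative investment risk score + quantitative financial risk score."""
    return qualitative_score(risks) + financial_score(variances)


# Trex Radio's six net risks as listed in Exhibit 35.10 (likelihood, impact).
TREX_RADIO_RISKS = [
    Risk("R1", "Ability to expand sales revenue streams or market share", 3, 4),
    Risk("R2", "Ability to develop creative and compelling content", 4, 2),
    Risk("R3", "Competition", 4, 2),
    Risk("R4", "Managing brand perceptions", 3, 2),
    Risk("R5", "Ability to expand and improve broadcast coverage", 3, 2),
    Risk("R6", "Ability to increase market share via new technologies", 3, 1),
]

# Constructed year-to-date variances (percent, actual vs budget); not from the book.
TREX_RADIO_VARIANCES = {
    "gross_revenue": -10.0,
    "patmi": -25.0,
    "ebitda": 3.0,
    "free_cash_flow": -60.0,
}

if __name__ == "__main__":
    print("priority order:", [r.ref for r in rank_risks(TREX_RADIO_RISKS)])
    print("qualitative score:", qualitative_score(TREX_RADIO_RISKS), "of", MAX_QUALITATIVE)
    print("financial score:", financial_score(TREX_RADIO_VARIANCES))
    print("TIPS:", total_investment_performance_score(TREX_RADIO_RISKS, TREX_RADIO_VARIANCES))
```

With these inputs Trex Radio's qualitative score is 43 (R1 contributes 12, R2 and R3 8 each, R4 and R5 6 each, R6 3), the constructed variances give a financial score of 17, and TIPS is 60, well inside the first 80-point column of Exhibit 35.14. A company with more than ten risks on its map is scored on its ten highest-ranked ones only, which is what keeps the maximum at 160.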

As stated earlier, the investment performance dashboard (Exhibit 35.14) allows AOL to compare its portfolio of operating companies based on their value on the vertical axis and their total investment performance score on the horizontal axis. In the matrix, the higher the value of the investment, the more sensitive AOL is to its risk score. Investments of low value (bottom row) are in the green zone as long as they don’t reach the 240 TIPS point. Conversely, investments of USD 50 million or more are never in the green zone and require a regular monitoring of their risk score—from both an ERM and a financial variance point of view. Note: Since the exhibit is printed in grayscale, yellow appears as the lightest shade in the exhibit, green as the middle shade, and red as the darkest shade.

Exhibit 35.14 places the hypothetical AOL investee company, Trex Radio (investee company B1 in the chart), alongside eight others on the investment performance dashboard for comparison purposes. We can see that Trex Radio is in the green zone and that AOL would probably track more closely other subsidiaries such as B9 (TV Manila), B4 (Channel 2 HK), and B5 (IPTV Dubai).

As the legend states, the color-coding of the dashboard is based on:

• The value of AOL's investment
• The financial performance and risk management of the investee company
• The effectiveness and timeliness of key risk action plans


The green zone (the lightest shade of gray) represents investee companies where the potential impact on AOL is low due to the size of the investment and/or there are adequate controls in terms of risk management and financial performance. The yellow zone (the middle shade) indicates a medium potential impact due to the investment's size and/or deficiencies in management (e.g., not meeting targets or delays in completion of plans). The red zone (darkest shade) indicates a need for urgent attention because of a high potential impact due to the size of the investment and/or performance is far below expectations—the company cannot produce results and suffers major delays in the completion of action plans.

Of course, these are simplified guidelines that need to be filtered through sound business acumen. A large investment that performs impeccably might not require urgent attention but consistent monitoring and review, while a smaller one that performs poorly may fall in the red zone instead of the yellow one. These guidelines have proved useful over time in assisting with the management of AOL’s portfolio of investee companies.

AOL tracks its portfolio's investment performance dashboard on a quarterly basis (see Exhibit 35.15). Exhibit 35.16 displays a hypothetical variation from one quarter to the next. AOL's ERM Team is able to explain the variations in terms of either the valuation of the investment, the financial risk variance, or the investment risk score. It should be noted that a reduction in value of the investment is considered positive insofar as it is voluntary, for instance, when AOL sells a portion of its participation. If the reduction in value happens without a change in AOL's stake in the company, further investigation is required to determine the risk associated with such a negative change and to make adequate investment recommendations to the board of directors, as will be shown in the next exhibit.

HELPING THE BOARD MAKE INVESTMENT DECISIONS

Exhibit 35.17 shows how AOL's ERM Framework ultimately assists its board of directors in making key investment decisions about its portfolio of foreign investee companies.

Horizontal movements in the investment performance dashboard represent a change in the performance score. On that front, an increase in the performance score requires more attention. But a decrease in the performance score (financial or risk scores) may also call for further analysis, because, as we know from the risk/return relationship, a reduction in the risk profile may also mean a corresponding decrease in profitability that, if sustained, would mean a relative stagnation in AOL's investment value in the future. Possible strategic decisions for that axis of the dashboard range from reviewing the business model, the strategies, or the financial processes, the capital required to sustain or grow the business or to simply divest it.

Vertical movements in the investment performance dashboard represent a change in investment value. As explained earlier, a reduction in value indicates a lower risk in the matrix as long as it is a result of selling a portion of the business. Otherwise, a decrease in valuation is obviously a negative sign. The possible actions are similar to those above: review with a view to maintain or to divest.

Exhibit 35.15 (dashboard comparison figure; text recovered from the figure):

Vertical axis: Valuation @ Current Investment Value (Nov '13) (USD million): 25, 50, 100, >100. Horizontal axis: Total Investment Performance (Financial & Risk) Scores (in Points): 80, 160, 240, 320.

Legend: Current Bubble; Bubble positioning from the previous quarter.

Zone descriptions:
• The impact to the Group is Low based on the amount invested and/or the financial performance and efforts to mitigate the risks for the investment are on track against set targets. Action Plans are effective to mitigate the risks and are completed on a timely basis.
• The impact to the Group is Medium based on the amount invested and/or the financial performance and efforts to mitigate the risks for the investment are not meeting set targets. Action Plans implemented are not achieving the desired results and there are delays in completion.
• The impact to the Group is High based on the amount invested and/or the financial performance and efforts to mitigate the risks for the investment are far below the expected targets set. Action Plans implemented cannot produce the desired results and there are major delays in completion. Urgent management focus is required.

Ref / Business Unit Name:
B1 Trex Radio
B2 Radio India
B3 Channel 1 (HK)
B4 Channel 2 (HK)
B5 IPTV (Dubai)
B6 Radio Indonesia
B7 TV Indonesia
B8 TV Vietnam
B9 TV Manila

Exhibit 35.15 Investment Performance Dashboard Comparison

Movements / Description / Plausible Strategic Decisions

Increase in investment score: An indication that either the company has increased its risk exposure or is unable to achieve the budgeted financial targets.
- Review of business strategies.
- Review of budget process.
- Need for additional fund injection either via debt or equity.
- Possible divestment due to unfavorable changes in the business / regulatory environment or other factors.

Decrease in investment score: An indication that either the company has decreased its risk exposure or achieved its budgeted financial targets. However, it is important to further analyze data to determine actual performance.
- Possible increase in investment stake due to good performance.
- Review business model / practices and consider replicating success stories across other companies.
- Could arise out of poor management of strategy implementation. Exit?

Increase in investment value: Depending on the method used for valuation, this is usually a positive indication that the company is doing well.
- Possible increase in investment stake.
- Consideration for upside sale of the company.

Decrease in investment value: Depending on the method used for valuation, this usually means the company may not be able to break even.
- Possible divestment in investment stake.
- Need for additional fund injection either via debt or equity.

Exhibit 35.17 Assisting the Board in Making Key Decisions

Exhibit 35.16 (quarterly movements figure; text recovered from the figure):

Vertical axis: Valuation @ Current Investment Value (Nov '13) (USD million): 25, 50, 100, >100. Horizontal axis: Total Investment Performance (Financial & Risk) Scores (in Points): 80, 160, 240, 320. Bubbles shown for B2, B4, B5, and B9, each at its current and previous-quarter position.

Legend: XXXX Bubble positioning from the previous quarter; Current Bubble.

Annotations:
• Downward movement representing a reduction in investment value of the particular company
• Upward movement representing an increase in investment value of the particular company
• Reduction in investment score could indicate a decrease in either financial risk or investment risk or both
• Increase in investment score could indicate an increase in either financial risk or investment risk or both

Exhibit 35.16 Investment Performance Dashboard—Quarterly Movements

CONCLUSION

This case study illustrates how a structured and diligent approach to ERM implementation, monitoring, and reporting can add value not only to the investee company adopting it, but also to the parent company having to make investment decisions for its portfolio of direct foreign investments. For this case study, we showed how the investment performance dashboard could allow a company to compare investment value to total investment risk score and compare profitability to overall risk. Without being fully quantitative, this approach brings the management of a portfolio of direct investments closer to the risk/return management of a portfolio of financial investments.

QUESTIONS

1. Identify some reasons why risk management practices might not take off and/or be embedded effectively in an investee company.
2. Who should participate in the ERM process to ensure successful implementation of this on-going program?
3. What should the CEO's role be for the successful implementation and on-going performance of an ERM process?
4. How will senior management benefit from supporting ERM implementation?
5. Does ERM require reporting to executive management? If so, what types of reports are most suitable for executive management?
6. What do you think is the best approach in ensuring a successful implementation of ERM? Please provide a few different elements.

NOTES

1. BBC News Asia-Pacific, May 23, 2013. www.bbc.co.uk/news/world-asia-pacific-15367879.
2. Tourism Malaysia, November 17, 2013. www.tourism.gov.my/en/my/Web-Page/About-Malaysia.
3. National Geographic, November 18, 2013. www.travel.nationalgeographic.com/travel/countries/malaysia-facts.
4. Financial Times, November 18, 2013. www.ft.com/intl/markets/currencies.
5. Astro Malaysia Holdings Berhad's Annual Report 2013.
6. Ibid.; Corporate Governance on Asia, Asian Roundtable on Corporate Governance, OECD, 2011.
7. Malaysian Code on Corporate Governance 2012, Securities Commission Malaysia, March 2012.
8. "ASEAN Corporate Governance Scorecard, Country Reports and Assessments 2012–2013," Joint Initiative of the ASEAN Capital Markets Forum and the Asian Development Bank, Asian Development Bank, 2013.
9. Astro Malaysia Holdings Berhad's, "Go Beyond: Annual Report 2013," 48.
10. Ibid., 55.
11. Ibid., 55.
12. Ibid., 56.
13. Internet Protocol television is a system through which television services are delivered using the Internet Protocol suite over a packet-switched network such as the Internet, instead of being delivered through traditional terrestrial, satellite signal, and cable television formats.

REFERENCES

Asian Development Bank. 2013. "ASEAN Corporate Governance Scorecard, Country Reports and Assessments 2012–2013," Joint Initiative of the ASEAN Capital Markets Forum and the Asian Development Bank.

Astro Malaysia Holdings Berhad. 2013. "Go Beyond: Annual Report 2013."

Securities Commission Malaysia. 2012. Malaysian Code on Corporate Governance.

ABOUT THE CONTRIBUTORS

Patrick Adam Kanagaratnam Abdullah is the Vice President of Enterprise Risk Management (ERM) for Astro Overseas Limited (AOL). He specializes in the implementation of ERM practices across AOL's investments, which are located primarily in Asia Pacific. He has over 21 years of experience in safety and crisis management and 17 years in risk management that includes ERM and Business Continuity planning. He is also responsible for statutory compliance monitoring and reporting for AOL group of companies. He has a BSC (Hons) in Environmental Management from the Science University of Malaysia (USM). He also has an Accredited Safety Auditor Certification from Edith Cowan University, Western Australia. He represents Malaysia as a Board member of Pan-Asia Risk and Insurance Management Association (PARIMA) which has been set up to promote professionalism and a high and efficient standard of competence for risk management practices in Asia. When required, he also presents ERM and Business Continuity planning papers at conferences, and facilitates work group discussions on risk management practices.

Ghislain Giroux Dufort is President of Baldwin Risk Strategies Inc., a consulting firm advising boards of directors and management teams on risk governance and ERM. He has 25 years of experience in management, risk, international business, and consulting, including at Transcontinental, Willis, Hydro-Québec International, the Mathematical Research Center, and Export Development Canada. He headed an international business program and taught at the HEC Montreal Business School. He is a graduate of the London Financial Times Non-Executive Director Diploma, has an MBA from McGill University, and an M.Sc. in Applied Mathematics and a B.Sc. in Physics from the University of Montreal. He is a member of the Strategic Risk Council of the Conference Board of Canada, of the London-based Institute of Risk Management (including its Global Education Advisory Board and Panel of Judges for its Global Risk Awards), and of the Institute of Risk Management of South Africa. He writes on risk and participates in international risk conferences as chair and speaker.

About the Editors

John R.S. Fraser is the Senior Vice President, Internal Audit, and former Chief Risk Officer of Hydro One Networks Inc., Canada, one of North America's largest electricity transmission and distribution companies. He is a Fellow of the Institute of Chartered Accountants of Ontario, a Fellow of the Association of Chartered Certified Accountants (U.K.), a Certified Internal Auditor, and a Certified Information Systems Auditor. He has over 30 years of experience in the risk and control field, mostly in the financial services sector, including areas such as finance, fraud, derivatives, safety, environmental, computers and operations. He is a member of the Faculty at the Directors College for the Strategic Risk Oversight Program, and has developed and teaches a masters degree course entitled Enterprise Risk Management in the Masters in Financial Accountability Program at York University where he is an adjunct professor. He is a recognized authority on enterprise risk management (ERM) and has co-authored several academic papers on ERM. He is co-editor (with Betty Simkins) of a best-selling university text-book released in 2010, Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives.

Betty J. Simkins, PhD, is Williams Companies Chair of Business and Professor of Finance at Oklahoma State University. Betty received her PhD from Case Western Reserve University. She has had more than 60 publications in academic and practitioner journals. She has won awards for her teaching, research, and outreach, including the top awards at Oklahoma State University: Regents Distinguished Teaching Award, Regents Distinguished Research Award, and Outreach Excellence Award. Her primary areas of research are risk management, energy finance, and corporate governance. Betty serves on the editorial boards of nine academic journals, including the Journal of Banking and Finance; is past coeditor of the Journal of Applied Finance; and is past president of the Eastern Finance Association. She also serves on the Executive Advisory Committee of the Conference Board of Canada's Strategic Risk Council. In addition to this book, she has published two others: Energy Finance and Economics: Analysis and Valuation, Risk Management and the Future of Energy and Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives (co-edited with John Fraser). Prior to entering academia, she worked in the corporate world for ConocoPhillips and Williams Companies. She conducts executive education courses for companies globally.

Kristina Narvaez is the president and owner of ERM Strategies, LLC (www.ermstrategies.com), which offers ERM research and training to organizations on various ERM-related topics. She graduated from the University of Utah in environmental risk management and then received her MBA from Westminster College. She is a two-time Spencer Education Foundation Graduate Scholar from the Risk and Insurance Management Society and has published more than 25 articles relating to enterprise risk management and board risk governance. She has given many presentations to various risk management associations on topics of ERM. She is an adjunct professor at Brigham Young University, teaching a business strategy course for undergraduates.

Index

Abdullah, Patrick Adam Kanagaratnam, 13–14, 623, 647

Ability Housing Association, 126, 134–136
Abraham, Janice, 152, 153
Academic research, 23, 34
Accenture and Deloitte, 153
Accessahome database, 135
Access rights policy, 453
Accident avoidance, 61
Accountability, 299, 595–596
Accounting firms, 307
Accreditation agencies, 144, 174
Acquisition process, 629–636
Action plans, 637–641
Active risk and opportunity planning (AROP), 95, 99–100
Active risk oversight, 107
Activity Risk Holder (ARH), 381
Ad hoc risk management, 229
Advantage risk profiles, 503
Adverse event incidents, 80, 81
Affordable Homes program, 120
Affordable rent market, 121
Aggregation of risk, 52–54
Agricore Cooperative, 108, 111, 113, 115
Agricore United (AU), 108, 113–116
Akawini Copper, 12, 539–543
Akerson, Daniel F., 607–608
Alaska, University of, 154
Alberta Municipal Government Act, 282
Allen, Linda, 491
Allocation committees, 82
Alpaslan, M. C., 145, 151, 175
Alviniussen, Alf, 5, 69
  biography, 73
A.M. Best Company, 208, 224, 271
American Association of University Professors (AAUP), 174
American International Group (AIG), 310, 561, 569
American National Standards Institute (ANSI), 86
American Productivity & Quality Center (APQC), 2–3
American University, 143, 174
Anderson, Ann, 155, 172
Anderson, Lorin W., 20, 26, 97
Andretti, Mario, 104
Anti-Dumping regulations, 443, 444
Antikarov, V., 579
Aon, 390, 391
Aon Global Risk Management Survey, 595–596
Arbitrage traders, 466
Archer Daniels Midland (ADM), 115–116
Arena, M., 148
Armajaro Holdings, 342–343
Arnaboldi, M., 148
ASEAN Corporate Governance Scorecard, 625, 627
Asia, 13–14, 46
As low as reasonably achievable (ALARA) principle, 198
As low as reasonably practical (ALARP) principle, 198–201, 199–200
AS/NZS 4360:2004, 437, 577
Asset/Liability and Capital Committee (ALCO), 246
Asset/liability management (ALM), 261
Asset/Liability Management and Investment Committee (ALMIC), 279
Asset returns, 503
Association of Governing Boards of Universities and Colleges (AGB), 152, 153
Association of Insurance and Risk Managers in Industry and Commerce, 261
Astro
  background, 624–625
  ERM at, 625–627
  executive pay, 627
  Group Risk Management (GRM), 627
  risk culture, 627
Astro Group, 624–625
Astro Malaysia Holdings Berhad (AMH), 625, 627
Astro Overseas Limited (AOL), 13–14
  action plans, 637–641
  assistance with key decisions, 643–646
  background, 627–628
  Business Development (BD) Team, 629–631
  ERM at, 627–646
  investment performance dashboard, 641–643
  investment strategy, 629
  Joint ERM Team (JET), 632–634
  monitor and review phase, 631–635
  risk maps, 637–641
  risk profiles, 637–641
  role of ERM in acquisition process, 629–636

Atlantic Lottery Corporation, 181
Auburn University, 26
Audit Committee
  British Columbia Lottery Corporation (BCLC), 187, 188
  General Motors (GM), 608
  JAA Inc., 430
Audit function, 246
Augustana College, 153
Australia, 581
  Mars, Inc. in, 43–44, 45, 46, 56, 57
  risk management in higher education, 151
  risk management standard, 185
Australian and New Zealand Handbook HB 436, 10
Automobile industry, 364, 369, 370
Autorité des Marchés Financiers, AMF (Financial Markets Authority), 470, 481
Available financial resources (AFR), 278
Aven, Eyvind, 61, 67
Aviva, 137
Azzone, G., 148

Back-testing, 499
Baker, Ken, 8, 281, 303
Balance of power, 22
Bank capital regulation, 32–33
Banking industry, 463–464
Bank of Nova Scotia (ScotiaBank), 108, 113
Banque Nationale de Paris (BNP), 463
Barnds, Ken, 153
Basis points, 499
BCLC Annual Service Plan Report, 180
BC Ombudsman, 183–184
Bean, John C., 19, 20, 21, 26
Bear Stearns, 472, 479, 482, 570
Behavioral biases, 520–521
Bellerophon, 131
Benchmarking, 187, 232, 391–393
Bent, Andrew, 397
  biography, 425
Bergand, Emile, 428
Bergand, Frank, 428
Bergand, Robert, 428
Bhatnagar, A., 143
Bickmore, 86, 89
Bim Consultants, Inc. (fictionalized case), 11, 525–527
Birnbaum, Robert, 145–146, 147
Black, Lowell, 332
Bloom, Benjamin S., 20, 21, 26, 27
Blue Wood Chocolates (fictional organization), 9, 335–359
  background, 335–338
  business description, 338–340
  business plan, 336–337
  competitive factors, 340–341
  ERM at, 335–359
  financial performance, 335–338, 345–348
  market overview, 340–345
  production, 338–339
  statements of income and retained earnings, 348–352
Blumberg, Phyllis, 21, 22
Board level risk committees, 308
Board of Governors of the Federal Reserve, 308
Board Risk Oversight Committee, Workers Compensation Fund (WCF), 209–213, 218, 221, 224
Boards of directors (BODs)
  authorization levels defined by, 454
  communication with, 587, 588
  composition, 550
  perception of ERM by, 586–587
  risk oversight role of, 547–552
  roles and responsibilities of, 451
  term limits, 551–552
  women on, 551, 552
  Zurich Insurance Group, 259–261
Bolman, Lee G., 146, 147
Bon Boulangerie (fictional company), 12, 555–557
Bossidy, Larry, 583, 584–585
Boudoukh, Jacob, 491
Bouton, Daniel, 462, 464, 467, 470, 472, 478, 481, 486
BP, 390, 392
Bradford, Dallas, 209
Brand loyalty, 340
Brand recognition, 340
BRIC countries, 340
British Columbia, Canada, 179–180
British Columbia Lottery Corporation (BCLC), 6–7, 179–204
  Audit Committee, 187, 188
  background, 179–180
  benchmarking exercise, 187
  champions, 193–194
  chief financial officer (CFO), 188
  early ERM experience, 180–181
  enterprise risk assessment, 184, 197–202
  Enterprise Risk Management Advisory Committee (ERMAC), 183–184, 186, 187, 188, 193–194, 197
  Enterprise Risk Manager, 183–184, 192–193
  Enterprise-wide Risk & Opportunity Management (EROM), 180–181
  ERM Advisory Team, 182
  ERM maturity, 187, 203
  ERM program development, 183–184
  ERM program revitalization, 184–186
  ERM program update, 181–182
  ERM roles and responsibilities, 193–194
  external review of ERM program, 188–189
  Finance and Corporate Services division, 188
  gambling mandate, 180
  governance, risk, and compliance (GRC), 194
  impact scale evaluation exercise, 198, 199
  Internal Audit, 180–182, 184–185, 188, 193–194, 195, 198
  management effectiveness metric, 197
  organizational structure, 182
  prize payout process investigation, 183–184
  project risk assessment, 184
  residual risk assessment, 185, 197–198
  Residual Risk Rating Matrix, 197
  Risk Advisory Services, 193
  risk analysis and evaluation approach, 195–202
  risk assessment, 181, 196–197
  risk champions, 193–194
  risk criteria, 185, 188, 195
  risk descriptions, 189–192
  Risk Management Guidelines, 192
  Risk Management Planning Group, 188, 194
  risk management policy, 185–186
  risk oversight, 188
  risk profiles, 189–193
  risk registers, 185
  risk reviews, 188
  risk tolerance, 188
  risk universe, 189–193
  risk workshops, 195
  senior management, 193–194
  strengthening the ERM program, 187–189
  values, 180
  visual mapping, 198
  voting technology, 195, 197–198

British Columbia Treasury Board, 180
Budget, Hope City, 324–325, 326, 330
Budget simulation, 97–98
Bugalla, John, 6, 8, 118, 305, 311
  biography, 317–318
Bureaucratic structure, 146–148
Burns, Robert L., 33
Bush, Tony, 146, 147
Business continuity, 276, 307, 446, 453
Business Continuity Management (BCM), Zurich Insurance Group, 273
Business Development (BD) Team, Astro Overseas Limited (AOL), 629–631
Business Impact Analysis, Zurich Insurance Group, 274
Business interruption analysis, 275
Business Interruption Modeling, 272–273
Business Resilience Program, Zurich Insurance Group, 271–277
Business resilience tools, 271–277
Business risk, 2
Business Software Corporation (BSC), 535–536
Business strategies, 310–311
Business units (BUs)
  ERM program rollout and, 45
  evaluation of, 67
  needs of, 44
  risk mapping and, 64–66
  risk opportunities and, 42, 45
  suboptimal decisions and, 66
  summary reports by, 47–50

Cadbury Code, 148
California, University of, 154
California, University of, Center for Health Quality and Innovation (CHQI), 83, 85
California, University of, Health System, 5
  2013 Risk Summit, 89, 90
  Center for Health Quality and Innovation (CHQI), 85–86
  Controlled Risk Insurance Company (CRICO) Comprehensive Risk Intelligence Tool (CRIT), 83
  ERM at, 75–91
  ERM panel, 76–77
  ERM program, 75–83
  evaluation of incidents, events, and claims, 80–81, 82
  health care services, 75
  Medical and Hospital Liability Program, 83
  Office of General Counsel (OGC), 81, 82
  Office of Risk Services, 78, 80, 89–90
  premium rebate program, 83–85
  Protected Health Information Value Estimator (PHIve), 86–90
  risk-aware culture, 78
  specialized programs, 78–83
  Third Party Claims Administrator, 81
California, University of, Professional Medical and Hospital Liability Program (PL), 83
Canada
  exchange rates, 371–372
  grain business, 108–109
  power window assemblies manufacturing in, 363–364
  risk assessment workshops, 40–41
  United Grain Growers (UGG), 107–116
Canadian Wheat Board (CWB), 108–109
Capital adequacy risk, 244, 271
Capital allocation, 598–601


Capital allocation theory, 508
Capital asset pricing modeling (CAPM), 504
Capital budgeting models, 285
Capital grant funding, 127
Capital Management Policy, 244
Capital Management Program, 269–271
Capital on risk (CorR), 598–599
Captive insurance unit, Statoil, 66
Case (claim) reserving, 218, 219
Case studies, 2–3, 19, 22, 26
Casinos, 180
Cassidy, D. L., 152
Cauce, Ana Mari, 166
Cause and effect analysis, 400–402, 413, 417, 418, 420
Cause and effect diagram, 421
CBC Fifth Estate, 183
Center for Health Quality and Innovation (CHQI), 83, 85–86
Center for Health Quality and Innovation Quality Enterprise Risk Management (CHQIQERM), 85–86
Centralized Compliance Management approach, 160
CFO magazine, 107
Champions, 193–194
Chan, Sharon Pian, 158
Change, Jean, 145
Change resistance, 59
Charan, Ram, 583, 584–585
Charitable assets protection, 127
Charitable organizations, 119–141
Cherry, Elizabeth, 158–159, 175
Cheshire Foundation Housing Association, 134
Chessfield, Inc. (fictional organization), 12
  alleged corruption at, 547–552
  board of directors, 547–548
  CEO compensation, 549–550
  governance review, 548–550
  recommendations for, 551–552
  risk management, 550
Chief administrative officer (CAO), Hope City, 324–325
Chief executive officer (CEO)
  compensation issues, 549–550
  in Poland, 595–596
  risk management and, 588–589
  Zurich Group Risk Management and, 258–261
Chief financial officer (CFO)
  British Columbia Lottery Corporation (BCLC), 188
  corporate strategy and, 284
  ERM program rollout and, 45
  at Kilgore Custom Milling, 368
  in Poland, 595–596
  risk profiles and, 49
  Statoil, 61
Chief internal auditor (CIA), 427–428
Chief of Police Service Board, 325–327
Chief risk officer (CRO)
  constructive dialogue and, 567
  ERM development and, 427–428, 439
  financial crisis of 2008 and, 268–269, 567
  at General Motors (GM), 607
  insurance risk and, 244
  job description, 209–210
  learner-centered teaching (LCT) approach to, 28
  MECO, 380
  orientation/training, 614
  in Poland, 591–592, 595
  regulation and, 308
  risk oversight and, 443
  roles and responsibilities of, 309–310, 451, 613
  senior management and, 613
  at TD Bank Group, 246
  traits of, 611, 613
  at University of California Health System, 75–77, 82, 83
  at University of Washington, 171
  value at risk (VaR) calculations and, 489
  at Workers Compensation Fund (WCF), 209–214, 218
  at Zurich Insurance Group, 258–261, 260
Child sexual abuse, Penn State, 143–145, 174
China, 43, 45, 46
Ching, Ward, 11, 501
  biography, 520
Chocolate market, 340–345
Chocolate production, 341–344
Citigroup, 561, 569, 570
Citizens against Racism, Hope City, 330–331
City Auditor’s Report (Edmonton, Alberta), 282–283
City Council, Hope City, 323, 324
Clark, Edmund, 563, 568
Clearance rate, 325, 334
Clery Act, 174
Cocoa, 337, 339, 341–343
Cognitive Learning Taxonomy (Bloom), 20, 21, 27
Cognitive reasoning, 22
Collaborative Enterprise Risk Management, 156, 158, 160
Collaborative ERM Report, 155
Collaborative leadership, 107
Collateralized debt obligation (CDO) funds, 468
Collateralized mortgage obligations (CMOs), 490
Colleges and universities
  accreditation agencies, 144, 174
  business practices of, 145
  characteristics of, 146
  collegial model of, 146–148
  credit rating agencies and, 144
  emergence of ERM at, 148–152
  ERM adoption by, 152–155
  ERM implementation by, 143–177
  formal or structural model of, 146–148
  higher education environment, 144–148
  institutional culture, 145–148
  laws and regulations affecting, 145
  lawsuits against, 175
  leadership, 167
  organizational structures in, 145
  risk management in, 151–152
  risks affecting, 148, 149–151
  scrutiny of, by stakeholders, 143
  strategic planning by, 155
  Washington, University of, ERM program, 155–173
Colleges and Universities Compliance Project, 144
Collegial model, 146–148
Committee of Sponsoring Organizations (COSO), 40, 167–170, 282, 306, 627
  Internal Control—Integrated Framework, 75
Commodity Credit Corporation, 345
Common risk framework, 228
Communication
  with boards of directors, 587, 588
  infrastructure, 442
  JAA Inc., 430, 439
Community groups, 330–331
Community Police Survey of Hope City, 333–334
Compensation Committee, 432–433
Competitive factors
  in chocolate industry, 340–341
  marketing strategies, 444
  in original equipment manufacturing (OEM), 365, 367–368
  quality as, 367
Compliance, Operations, and Financial Council (COFI), 166
Compliance Council, University of Washington, 159
Compliance department, JAA Inc., 434
Compliance Group, TD Bank Group, 246
COMSTAT, 328, 334
Concentration risk, 446
Concept fans, 413–416, 417
Conditional tail expectation (CTE), 506
Conference Board of Canada, 282
Conflict of interest policy, 453
Conrad, Linda, 8, 253
  biography, 279–280
Consequence scales, 440, 441
Conservatism bias, 519
Consolidated statements of income and retained earnings, 353–356, 357–359
Consolidation of risk exposure, 98
Constructive dialogue
  benefits of, 563–564
  defined, 561
  ERM and, 561–572
  promotion of, 567
Consumer price index (CPI), 122
Continuity planning, 307
Controlled Risk Insurance Company (CRICO) Comprehensive Risk Intelligence Tool (CRIT), 83
Controlled risk-taking culture, 107
Controls, for risks, 169
Control self-assessment (CSA), 619–621, 622
Copula formulas, 507–508
Core risks, 64, 67, 71
Core values, 59, 71
Corporate and Investment Banking (CIB) division, Société Générale, 463–469
  Delta One Listed Products (DLP), 466
Corporate business goals, 305
Corporate Business Risk Planning (CBRP), 282
Corporate culture. See Organizational culture
Corporate ethics policy, 452
Corporate governance, 547–552
Corporate Leadership Team (CLT), 297, 299
Corporate planning, 393–394, 395
Corporate risk exercise, 383–394
COSO 2004 Enterprise Risk Management-Integrated Framework, 2, 59, 182, 307, 590
COSO II 2004 Enterprise Risk Management-Integrated Framework, 577, 579
Cost of risk analyses, 77, 110
Cost variability and management, 445
Countrywide, 568–570, 569, 570
Covariance matrix, 496
Creative financing, 307
Credit checks, 277
Credit derivatives, 463
Crédit du Nord, 463
Crédit Lyonnais, 463
Credit risks, 29, 98, 243, 268
Credit value at risk (CVaR), 469, 480
Crickett, Grace, 75
  biography, 90–91
Crime/crime rates
  five whys analysis, 400–402
  force field analysis, 411
  Hope City, 325, 328, 332
  influence diagrams, 412
  violent crime case study, 415–424
Criteria of Control Board of the Canadian Institute of Chartered Accountants (CICA), 457
Criticality of failure, 405, 408


Crop Production Services, United Grain Growers (UGG), 113, 114
Cross, Christian, 489, 494
Culture, organizational. See Organizational culture
Culture of compliance, 157–158
Culture of innovation, 297, 299
Culture-specific ERM programs, 160
Cunha, Paul, 7, 241
  biography, 250
Currency crisis, 44
Currency exchange. See Exchange rates
Currency futures contracts, 373
Currency hedging, 372–374
Currency options, 374
Currency swaps, 372–373
Current risk assessment, 610–611
Customer risks, 277
Customer satisfaction, 446, 452, 529–532

Daley, Bill, 564
Damison, Matt, 427, 429, 434–435
Danger outcome, 617, 622
Databases, 100
Data risks, 414
Dawson, Irene, 337
Deal, Terrence E., 146, 147
Decent Homes Program, 121, 140
Decent Homes Standard, 119, 121, 140
Decision making
  Astro Overseas Limited (AOL), 643–646
  collegial model and, 146–148
  governance and, 256
  risk-adjusted, 310
  risk taking and, 588–589
  total risk optimization and, 65–68
  uncertainty and, 588
DefCon, 618, 622
Defense Operations unit, General Motors (GM), 617
Del Bel Belluz, Diana, 12, 555
  biography, 558
Deloitte and Touche, 181, 183, 203
Delta One Equity Derivatives, 467
Delta One Listed Products (DLP), 466, 470, 473–474, 478
Denmark, 104–105
Dentiger, Boris, 429
Denver, University of, 154
Development charges, 334
Diamond, M. A., 145, 151, 175
Dimon, Jamie, 563, 571–572
Directional plans, 301–302
Dirty data, 328
Disaster preparedness planning, 307
Disclosure Committee, TD Bank Group, 246
Discounted cash flow (DCF) method, 641
Disruption understanding, 275
Dobbelstyn, Casey, 368
Dodd-Frank Wall Street Reform and Consumer Protection Act, 307, 308, 310
  Section 165, 308
Domestic market controls, 344
Dow Jones Industrial Average (DJIA), 499
Downside risk, 62, 63
Driven: Business Strategy, Human Actions, and the Creation of Wealth (Frigo and Litman), 103
Driving forces, 411
Drucker, Peter, 305
Dufort, Ghislain Giroux, 13, 623
  biography, 647
Duke University, 154
Du Plessis, Julian, 427, 458
Dynamic financial analysis (DFA), 504

Earnings before interest and taxes (EBIT), 67
Earthquake risk, 508–516
Easop, Ed, 224
East End Residents Association, Hope City, 331
Economic capital, 598, 599
Economic recession, 209
Economist, The, 6, 107, 112
Edison, Thomas, 116
Edmonton, City of, Alberta
  background, 281–282
  city government, 282
  current ERM development, 283
  early ERM development, 282–283
  ERM and strategic planning, 281–302
  ERM framework, 294–295
  lessons learned, 297–300
  recommended strategic ERM plan, 295–297
  strategic plan, 283–285, 301–302
  strategic risk management model testing, 285–293
  summary plan, 301–302
Edmonton Police Service (EPS), 294
Efficiency, 504
Efficient frontier analysis (EFA), 11
  behavioral concerns, 519–521
  benefits of, 516
  ERM and, 516–517
  insurance framework, 507–508
  modern portfolio theory (MPT) as foundation for, 503–505
  sample case study, 508–516
  strategic risk management (SRM) and, 501–521
Efficient market, 518
Efficient market hypothesis (EMH), 589
Efficient risk profiles, 504
Einhorn, David, 491
Elkington, John, 307
Eliot, T. S., 489


ELM Exchange, 83
Embracing ERM: Practical Approaches for Getting Started (Frigo and Anderson), 97
Emergency response planning, 307
Emerging risk, 53
Emerging Risk Group (ERG), Zurich Insurance Group, 260–261, 277
Emerging Risk Identification process, 247–248
Emerging Risk Management (IRM), 261
Emerging Risk Radar, Zurich Insurance Group, 260–261
Emmert, Mark, 155, 157–160, 164
Emmert, Mark A., 158
EMMI Solutions information consent program, 83, 84–85
Emory University, 154
Employee ERM survey, 213–214, 224
Employee health and safety, 96
Employee turnover, 530, 532
Edmonton, City of, Alberta, Canada, 8
Energy commodities, 495
Energy prices, 67
Enhanced Prudential Standards and Early Remediation Requirements for Covered Companies (R-1438), 308–309
Enterprise compliance management (ECM), 40, 119–141
Enterprise Reputational Risk Committee, 244
Enterprise risk assessment, 184, 197–202
Enterprise risk budgeting (ERB), 69
Enterprise Risk Framework (ERF), TD Bank Group, 242–243
Enterprise risk management (ERM)
  accountability in, 179–204
  in acquisition process, 629–636
  Astro, 625–627
  Astro Overseas Limited, 627–646
  benefits of, 59, 60–61, 516–517
  Blue Wood Chocolates, 335–359
  board perception of, 586–587
  books on, 583, 584–585
  British Columbia Lottery Corporation (BCLC), 187, 203
  California, University of, Health System, 75–91
  capital allocation and, 598–601
  case studies, 2–3
  Center for Health Quality and Innovation (CHQI) and, 85–86
  colleges and universities, 143–177
  company expectations, 224
  constructive dialogue and, 561–572
  control self-assessment (CSA) and, 619–621
  corporate business goals and, 305
  critical success factors for, 173
  culture-specific ERM programs, 160
  defined, 578–579
  design principles, 42
  early adopters of, 39
  early development, 282–283
  efficient frontier analysis (EFA) and, 516–517
  evolution of, 1–2, 8, 41, 436–437, 628–629
  experts and, 588–589
  external view of, 311
  failures of, 10
  financial crisis of 2008 and, 567–568
  frontiers of, 69–71
  General Motors Company (GM), 607–621
  ghost programs, 59
  history of, 305–306
  by housing associations, 119–141
  internal view of, 311
  Intuit, 227–239
  JAA Inc., 427–457
  Kilgore Custom Milling, 363
  learner-centered teaching examples, 26–34
  LEGO Group, 95
  literature search on, 158–159
  management buy-in for, 587–589
  Mars, Inc., 39–57
  maturity, 187, 203, 592–594
  mini-cases, 11–12
  misunderstanding of, 582–583, 586–587
  nonprofit organizations, 153
  objectives, 42, 254
  optimizing total risk, 65–68
  organizational placement of, 590
  organizational size and, 590–591, 602
  ownership and responsibility for, 228
  perceptions of, 310–312
  performance measurement and, 284–285
  planning process for, 51–52
  in Poland, 577–603, 592–594
  process, 78
  process adoption, 234–235
  program development, 4–7, 535–536
  project risk management (PRM) and, 379–380
  public safety agencies and, 397–398
  purpose of, 306–308
  regulatory requirements, 148, 152
  results-based budgeting and, 284–285
  specialized aspects of, 8–11, 335–338
  special situations, 55–56
  stages of, 579, 592–594
  Statoil, 59–72
  strategic planning and, 89–90, 119, 253–254, 281–302
  strategic risk management (SRM) and, 7–8, 93, 305–316
  success factors, 57
  sustainability and, 307–308
  TD Bank Group, 241–249
  teaching, 19–34
  technology and, 51–54, 77–78
  traditional risk management and, 80–83
  training in, 387, 614, 632
  tree model, 306–308, 318–321
  United Grain Growers (UGG), 107–116
  value at risk (VaR) and, 490
  Workers Compensation Fund, 207–225
  Zurich Insurance Group, 253–279

Enterprise Risk Management Advisory Committee (ERMAC), British Columbia Lottery Corporation (BCLC), 183–184, 186–188, 193–194, 197
Enterprise Risk Management Committee, TD Bank Group, 246
Enterprise risk management (ERM) framework
  defined, 255
  development of, 306–308
  Edmonton, City of, 294–295
  marketing of, 306–307
  in Poland, 595–596
  reexamination of purpose, 306–308
  selection, 337–338, 363–364
  Zurich Insurance Group, 255–258
Enterprise risk management information system (ERMIS)
  automated reports, 76–77
  dashboard samples, 79
  technology for, 76–77
  tools, 76–77
  University of California Health System, 76–78
Enterprise Risk Management Program Manager, Edmonton, City of, 281
Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives (Fraser and Simkins), 2, 3, 19, 26, 363
Enterprise Risk Management Toolkit, University of Washington, 170–171
Enterprise Risk Manager, British Columbia Lottery Corporation (BCLC), 183–184, 192–193
Enterprise-wide Risk & Opportunity Management (EROM), British Columbia Lottery Corporation (BCLC), 180–181
Enterprise-Wide Stress Testing, 248
Environmental protection, 382–383, 455
Environmental sensitivity, of creditors, 447
Equity Arbitrage group, Société Générale, 466
Equity options trading, 464
Erickson, Mark, 158
ERM Advisory Team, British Columbia Lottery Corporation (BCLC), 182
ERM charter, 311, 316
ERM panel, University of California Health System, 76–77
ERM tree model, 218–221, 306–308
Ernst & Young, 187, 188, 390, 392
Ethnic population, 324, 326–327, 328, 331
European Sugar, 41, 56–57
European Union (EU), 44, 261, 443
Evaluation procedures, 25
Excel tools, 51–52
Exchange rates, 347, 368, 370, 371, 372–374
Execution (Bossidy and Charan), 583, 584–585
Execution Premium, The (Kaplan and Norton), 584–585
Executive dashboards, 237
Executive Risk Committee, Zurich Insurance Group, 260
Executive Risk Oversight Committee (EROC), 432, 433, 439, 443, 446
Expatriate population, 378, 394
Expected risk, 506
Experts, 588–589
Exploitable risk profiles, 503
External auditors, 435–436
External communications policy, 454
External influence risks, 414
External risks, 189, 615–616, 618–619
External stakeholders, 261–263

Fabric production and dye technologies, 447
Facilitation skills, 45
Failure mode, effects, and criticality analysis (FMECA), 402–410, 413, 417, 418, 422–424
Failure mode and effects analysis (FMEA), 232, 413
Fair trade products, 341, 360
Fannie Mae, 472, 485, 567–570
Faris, Andrew, 158–159, 162–163, 176
Fault tree methodology, 218–221
Federal Reserve, 308, 310
Federation of European Risk Management Associations (FERMA), 261, 577, 581, 592
Feed-in tariffs (FITs), 445
Ferguson, John, Junior, 335, 338–339, 346
Ferguson, John, Senior, 338
Finance and Risk Policy Committee, General Motors Company (GM), 608
Finance risk management, 382
Financial crisis of 2008, 12–13, 209, 308, 363, 369, 561–573
  successful firms, 563–568
  unsuccessful firms, 568–572
Financial derivatives, 109, 112
“Financial Impact of Breached Protected Health Information, The” (ANSI), 86
Financial institutions, 307, 310
Financial Markets Authority (Autorité des Marchés Financiers, AMF), 470, 481
Financial performance, 448–449
  Blue Wood Chocolates, 335–338, 345–348
  Kilgore Custom Milling, 366
  London & Quadrant, 128, 129–130


Financial Reporting Council (FRS), 134, 457
Financial risks
  British Columbia Lottery Corporation (BCLC), 189
  examples, 305
  in housing associations, 122–123
  learner-centered teaching (LCT) approach to, 31–32
  sources of, 414
  strategy development, 372–374
  teaching approaches, 23
  Zurich Insurance Group, 266
Financial scandals (mid-1990s), 109
Financial Stability Oversight Council (FSOC), 310
Finkelstein, Sydney, 569–570
Fishbone analysis, 413
Five-point risk scale, 610, 612
Five whys analysis, 398–399, 417, 419
Flexible performance measures, 231
Floating Support, 135
Force field analysis, 408, 411, 413, 417, 419, 420
Forecasting errors, 519
Foreign exchange (FX) derivative policy, 66
Foreign exchange (FX) risk management, 9, 66–68
Fortune, 564
Framing, 520
Fraser, John R. S., 1, 2, 3, 4, 11, 12, 19, 22, 23, 24, 26, 124, 363, 525
  biography, 14–15, 527
Freddie Mac, 472, 485, 568–570
Freeh, Louis, 143, 174
Freeh Report, 143–144, 152
Freeh Sporkin & Sullivan, LLP, 143–144, 174
French Banking Commission (Commission Bancaire, CB), 472, 484
Frigo, Mark, 5, 103, 105
  biography, 106
Frigo, Mark L., 93, 96, 97

Gallagher Group, 153
Gambling, 180
Game theory, 316, 617–619, 622
Gaming industry, 187
Gap analysis, 40, 273–274, 277
Garnelas, Jason, 535
GE Capital, 310
General Insurance Global Underwriting Committee (ALMIC), 279
General liability insurance, 508–516
General manager (GM), 44, 45
General Motors Company (GM), 13
  Audit Committee, 608
  background, 607–608
  control self-assessment (CSA), 619–621
  corporate culture, 611–614
  Defense Operations unit, 617
  ERM approach, 608–617
  ERM implementation, 607–608
  ERM improvement, 619–621
  ERM program, 607–621
  Executive Committee, 610–611
  Finance and Risk Policy Committee, 608
  game theory, 617–619
  GM Retail Holdings, 616–617
  risk identification, 608–609, 614–617
  risk management process, 609
  risk mitigation, 614–617
General risk management policies, 452–455
Georgia State University, 154
Ghost ERM programs, 59
Gillespie, Frank, 427, 429, 436–437
Global Anti-Money Laundering (AML) group, TD Bank Group, 247
Global Chief Underwriting Officer for General Insurance, 279
Global Equities & Derivatives Solutions (GEDS), 273, 466–474, 484
Global Head of Group Insurance, 279
Global Risk Report (World Economic Forum), 261
GM Retail Holdings, 616–617
Goals, 42, 61, 287–288, 305
Goldman Sachs, 565–566
Gouillart, Francis, 96
Governance
  corporate corruption and, 547–552
  ERM framework as, 255
  JAA Inc., 430–435
  Penn State, 144–145
  risk management frameworks and, 589–590
Governance, risk, and compliance (GRC), 194, 307
Goy, Jacquetta, 6
  biography, 205
Graham, Andrew, 8–9, 321
  biography, 334
Grain industry, 108–109, 112–114
Grasgreen, Allie, 143
Green movement, 307–308
GreenSquare Academy, 137
GreenSquare Community Housing Association, 137
GreenSquare Group Limited, 126, 136–139
Group Balance Sheet Committee (GBSC), 260, 269, 278
Group Executive Committee (GEC), 260
Group Finance and Risk Committee (GFRC), 260, 278–279
Group Reinsurance Committee (GRC), 279
Group Risk Management (GRM), 256, 258–261, 627
Grow Enterprise Wales (GrEW), 131, 132, 133


Growth strategy, 94
Guldimann, Till, 490, 497
Gurevitz, Susan, 148, 153

Hadfield, Chris, 281
Hair, Dan M., 7, 207, 209, 225
Hampel Report, 148
Hargreaves, John, 6, 119, 141
Harvard University, 6, 107, 144
Hazard analysis, 265
Hazard management, 96
Hazard risks, 305, 316
HAZID (hazard identification), 417
HAZOP technique, 417
HB 436, 427–457, 437
Health and safety, 127, 446
Health Insurance Portability and Accountability Act of 1996, 214
Heat maps, 216, 234, 286, 314, 583, 610, 613
Helsloot, I., 148
Hendrix, Sally, 430, 435
Hershey Company, 345, 353–356
Higher education. See Colleges and universities
Higher Education Act, 175
Higher Education Funding Council of England, 151
Highway infrastructure, 324, 330, 331
Hodge, David, 158, 159, 160, 164
Hoffman, K., 64
Hog price risk, 114
Holistic risk management, 583
Holton, Sally, 335–338, 345–347
Homeforce, 131–133
Homelessness, 400–402, 416
Home ownership, 119, 120
Homes and Communities Agency (HCA), 120, 122, 137
Homicides, 416
Hope City (fictional community), 321–334
Hope City Chamber of Commerce, 329–330
Hope City Citizens for Responsible Government, 332
Hope City Police Service (fictional organization), 8–9
  background, 322–323
  budget and, 325, 326
  city plans affecting, 324–325
  community views on police issues, 333–334
  consultant interviews with affected groups, 323–333
  context of, 321–322
  ERM interviews with, 327–329
  evaluation of, 327–329
  hiring practices, 329
  information technology (IT), 328
  intelligence-led policing, 326
  officer turnover, 328
  Provincial Adequacy Standards, 325
  strategic risk planning for, 321–333
  succession planning, 326
  training requirements, 329
Hope City Telegraph, 330
Hostile takeovers, 116
Housing associations, 6, 119–141
  Ability Housing Association, 126, 134–136
  as charitable organizations, 122–123
  ERM and, 119–141
  examples, 124–139
  financial associations, 122–123
  functions of, 119–120
  generic strategies, 120–122
  GreenSquare Group, 126, 136–139
  London & Quadrant, 124–128
  RCT Homes Limited, 126, 128–134
  regulation of, 122–123
  risk management, 122–123
  sector issues, 120–123
Housing market, 119–122
Housing with Support, 135
How Colleges Work (Birnbaum), 145
Hoyt, R. E., 175
Huber, C., 151
Human attitudes, 600–601
Human resources, 11, 53, 414, 446, 453
Human rights complaints, 332
Humvee, 617–618, 622
Huntsman, Lee L., 158
Hurricane Katrina, 143, 174

ICE contracts, 342
IHS Global Insight, 65
Illinois Wesleyan University, 155
Impact scale evaluation exercise, 198, 199
Incident reporting, 80, 81, 82
IndyMac Bank, 472
Influence diagrams, 411–413, 417
Information processing errors, 519
Information risks, 414
Information security, 269
Information systems policy, 453
Information technology (IT), 96, 111, 328, 379–381
Infrastructure, 324, 330, 331, 442
Inherent likelihood, 195–196
Inherent risk assessment, 185, 610–611
Injury Fund, 207
Innovation strategy, 94
Input indicators, 231
In Search of Excellence (Peters and Waterman), 583, 584–585
Institute of Risk Management (IRM), 261, 387
Institutional culture, 145–148, 156–157
Institutions of higher education (IHEs), 144. See also Colleges and universities


Insurance, 505–508, 518
Insurance brokers, 307
Insurance Financial Strength Rating (IFSR), 271
Insurance policy, 455
Insurance risks, 244, 267, 508–516
Integrated Assessment and Assurance (IAA), 258
Integrated risk-financing program, 107–108, 112–113, 115
Integrated risk management, 2, 229
Integrative thinking, 321
Intelligence-led policing, 326
Intelligence Network, 619
Intercontinental Exchange (ICE), New York, 342
Interest rates, 122
Internal Audit
    British Columbia Lottery Corporation (BCLC), 180–182, 184–185, 188, 193–194, 195, 198
    ERM perspective and, 311
    JAA Inc., 427–457, 430, 431, 434–436
    MECO, 380, 387
    TD Bank Group, 246
    University of Washington, 166
    Zurich Insurance Group, 256
Internal Capital Adequacy Assessment Process (ICAAP), 248
Internal communications policy, 454
Internal Control Framework (ICF), 248, 258
Internal Control System (OR 728A), 258
Internal Revenue Service (IRS), 144, 153, 175
Internal Risk Committee (IRC), 212–214, 216, 224
Internal risks, 189, 615–616
International Advisory Council, 261
International Financial Reporting Standards (IFRS), 271
International oil companies (IOCs), 377
International Organization for Standardization (ISO), 306
Interprovincial Lottery Corporation, 180
Interview templates, 45
Intuit, 7, 227–239
    ERM at, 227–239
    ERM core principles, 228
    ERM maturity model, 229–230
    ERM program development, 227–220
    history of, 227
    performance assessment, 228, 230–238
Investment Management Advisory Council, 261
Investment performance dashboard, 641–643
Iowa, University of, 154
Iowa State University, 154
Ishikawa analysis, 413, 417. See also Cause and effect analysis
ISO 14001 (Environmental Management) standard, 295–297
ISO 31000, Risk Management, 2, 8, 10, 185, 189–193, 294–295, 295–297, 306, 369, 386, 390, 427, 456, 457, 539, 542, 578, 580, 581, 590, 591, 599, 627
ISO/TC 262 Working Group, 591
ISO TR 31004, 591

JAA Inc., 427–457
    Audit Committee, 430
    board of directors, 431–432
    business background, 428–430
    business objectives, 430
    business operations, 434–435
    communication, 430, 439–442
    Compensation Committee, 432–433
    context for, 427–428, 437–438
    employees, 429
    Executive Risk Oversight Committee (EROC), 432, 433, 439, 443
    external auditors, 435–436
    financial statements, 448–449
    general risk management policies, 452–455
    governance system, 430–435
    Internal Audit, 427–457, 430, 431, 434–436
    management of uncertainty by, 443–447
    manufacturing facility, 429
    operating segments, 428
    product imitation, 447
    Risk and Strategy Committee (RSC), 432, 433, 443
    risk criteria for, 438–439
    risk management, 430, 436–437, 450–455
    risk oversight, 443, 451
    Risk Oversight Committee (ROC), 443
    roles and responsibilities, 451
    strategic planning, 430
    strategy oversight, 443
    terminology, 450–451
Jankensgård, Håkan, 5, 64, 69, 70
    biography, 73
Japan, 46, 56, 364, 370
Johnson, Katherine, 613
Johnson, Lyndon, 175
Johnson & Wales, 154
Joint ERM Team (JET), 632–634
Jong, W., 148
Jorion, Philippe, 490, 598
J.P. Morgan, 490
JPMorgan Chase, 472, 563, 564–565, 570–572

Kahl, Kerry, 159, 162–163, 176
Kallman, James, 8, 305, 311
    biography, 318
Kaplan, Robert S., 1, 583, 584–585
Kapstad, Petter, 60–61, 67
Kedem, K., 174


Kerviel, Jérôme, 461–487, 466–487
    chronology of events, 477–486
    civil lawsuit against, 462, 472
    criminal trial of, 461–462, 472, 486–487
    interactive case study, 475–476
    joins Société Générale, 467
    media attention to, 461–462
    primary control framework of, 473
    questions raised about, 468–472
    as rogue trader, 461–462
    speculation by, 467–469
    unauthorized trading by, 467–469, 470, 472, 474–475
Key performance indicators (KPIs)
    characteristics of, 231
    defined, 76, 230
    examples of, 231
    on executive dashboards, 237
    measuring improvement with, 76
    risk mitigation and, 632
    Statoil, 67, 68
    University of California Health System, 76
    updating, 76
    Zurich Insurance Group, 274, 276
Key risk indicators (KRIs)
    defined, 230, 233
    development of, 233
    examples of, 233
    on executive dashboards, 237
    at Zurich Insurance Group, 274, 276
Kilgore Custom Milling, 363–374
    automobile manufacturing and, 365–368
    background, 365–368
    cash management system, 368–369
    financial risk management, 372–373
    financial statements, 366
    management team, 368–369
    new contract, 369–372
    profitability of, 371–372
Killer risks, 607, 608, 622
King Code of Governance (King III), 457
Klein, Robert, 336
Kloman, Felix, 1–2
Kneader, Rick, 557
Knight, Kevin W., 578
Kovacevich, Richard, 566–567
Krathwohl, David R., 20, 26
Kristiansen, Ole Kirk, 93–94
Krysiak, Zbigniew, 13, 577
    biography, 604
Kuala Lumpur, 624

Labor unions, 616
Læssøe, Hans, 5, 93, 96, 97, 100–104, 105
    biography, 106
Lagging indicators, 231
Lake, Peter, 174
Lam, James, 516–517, 578, 581
Land costs, 127
Lange, David R., 4, 19
    biography, 35
Large, complex financial institutions (LCFIs), 574
Large-scale voluntary transfers (LSVTs), 121
Larsen, Alexander, 9, 377
    biography, 393–394
Lawsuits, 347
Leadership. See also Senior management
    collaborative, 107
    colleges and universities, 167
    United Grain Growers (UGG), 107, 110–112
    University of Washington, 158–159
Leading indicators, 231
Learner-centered teaching (LCT), 3, 4, 19–34
    balance of power and, 22
    benefits of, 19, 21
    case study method and, 19, 26
    content function and, 22–23
    defined, 19–21
    ERM examples, 26–34
    evaluation procedures, 25
    responsibility in, 24–25
    steps in, 21–24
    teacher lecture (TL) and, 19, 20, 22, 23–24, 27
    workshop facilitation tips, 24
Learner Centered Teaching (Weimer), 19, 21, 26
Learning, 20, 22, 24–25. See also Learner-centered teaching (LCT)
Learning notes (LN), 26–27
Leblanc, Richard, 12, 547, 552
    biography, 554
Lee, Allissa A., 10, 489
    background, 499
Legalbill, 81
Legal departments, 11–12, 88–89, 434
Legal risk, 33–34, 446
LEGO Games System, 94
LEGO Group, 5
    active risk and opportunity planning (AROP), 95, 99–100
    corporate strategy, 94
    growth strategy, 94
    history of, 93–94
    innovation strategy, 94
    Monte Carlo simulation, 97–98
    PAPA model, 101, 102–103
    Park, Adapt, Prepare Act (PAPA), 102–103
    risk tolerance, 98–99
    strategic risk management, 93–106
Lehman Brothers, 568–570, 569
Levels of status indicators, 236
Liebenberg, A. P., 175
Lindo, Steve, 10
    biography, 488


Lines of defense model
    TD Bank Group, 245
    at Zurich Insurance Group, 256
Liquidity risks, 243–244, 268–269
Literature search, 158–159
Litman, Joel, 103
Livestock risk, 113–114
Livestock Services division, UGG/AU, 113
Local culture, 378–379
London Housing Trust, 126
London International Financial Futures and Options Exchange (LIFFE), 342
London & Quadrant, 124–130
Long Term Capital Management (LTCM), 464
Loughlin, Michael, 567
Lovell, David, 156
Low-probability risks, 610
L&Q Foundation, 128
Luchtel, Daniel, 156
Lundquist, Anne E., 6, 143
    biography, 177–178

MacLinden, Steve, 363–364, 365, 368, 372–374
Malaysia
    background, 623–624
    corporate governance in, 625
    ERM implementation in, 13–14, 623–646
    Securities Commission, 625
Management Committee, MECO, 380, 385, 387, 390–394
Management Discussion and Analysis (MD&A), 249
Management effectiveness metric, 197
Management of Risk (MoR) Framework, 590
Manufacturing industry, 363–368, 429–430
Manufacturing workers, 365
Maricopa County Community College District (MCCCD), 154
Market demand, 340
Marketing strategies, 444
Market renting, 120
Market risk, 29, 63, 243, 266–268, 278, 446, 455
Market Risk Control, 243
Markowitz, H. M., 503
Marks, Norman D., 11–12, 535
Mark-to-market accounting, 565
Mars, Inc., 5
    commitment to ERM, 39
    ERM at, 39–57
    ERM program design, 41–45
    ERM program history, 39–41
    global ERM program rollout, 45–46
    major acquisition by, 56–57
    mission statement, 42
    Operating Plan workshops, 50–51
    reporting, 46–50
    risk aggregation, 52–54
    risk assessment workshops, 40–41
    risk profiles, 46–48
    segment management teams, 45–46, 53
    senior management goals, 42
    special situations, 55–56
    technology, 51–52
    templates, 45, 54–55
Maryland, University of, 154
McCormack, Richard, 158
McPhie, Stephen, 9, 335, 363, 375
    biography, 360–361
Meadow Prospect, 131
MECO (composite oil and gas company), 377–395
    company background, 377–378
    corporate planning, 393–395
    corporate risk exercise, 383–394
    environmental protection, 383
    exploration, 378
    Internal Audit, 380, 387
    law department, 383
    local culture, 378–379
    Management Committee, 380, 385, 387, 390–394
    Operational Excellence plan, 393
    organizational culture, 378
    Risk Committee, 387, 391, 392
    Risk Framework, 385–386
    risk management approach, 386–390
    risk management background, 379–380
    risk management practices, 380–383
    risk policy, 386–390
    structure, 379
Medical and Hospital Liability Program, University of California Health Services, 83
Medical Staff Risk Management Committee, University of California Health Services, 82
Medicare and Medicaid billing practices, University of Washington, 155, 158
Menevse, Alpaslan, 10, 427, 458–459
Menorix, Michael, 429, 430, 435
Mental accounting, 520
Mergers & acquisitions (M&A) risks, 267
Merrill Lynch, 478, 480
Middle East
    oil and gas companies, 9, 377–395
    risk management in, 377–395
Mikes, Anette, 561
Milk industry, 344–346, 402–407
Millard, Elizabeth, 21
Minnesota, University of, 159, 160
Mitroff, I. I., 145, 151, 175
Modern portfolio theory (MPT)
    assumptions, 517–518
    criticism of, 505
    efficient frontier analysis (EFA) and, 503–505
    formulas, 505–508


Modern portfolio theory (MPT) (Continued)
    key assumptions of, 504–505
    limitations of, 517–519
    portfolio preference, 506–507
    questions answered by, 504
    sample case study, 508–516
Mohatarem, Mustafa, 609
Monitor and review phase, 631–635
Monte Carlo simulations, 95, 97, 104, 507, 510
Moody's Investors Service, 144, 174, 271
Mordensti, Mary, 429
Mortgage-backed securities (MBSs), 466, 490
Multidimensional risk management measure performance, 237
Mustier, Jean-Pierre, 464, 467, 472, 478, 484, 486
My Managed Risk (MMR) portal, 78, 80

Narvaez, Kristina, 1, 2, 7, 8, 241, 253
    biography, 15, 250, 280
Nasburg, Janet, 7
    biography, 239
Nason, Rick, 9, 335, 363, 375
    biography, 360–361
NatCat—Location Risk, Zurich Insurance Group, 275
National Affordable Housing Programme (NAHP), 137
National Association of College and University Attorneys (NACUA), 173
National Association of Colleges and University Business Officers (NACUBO), 152, 153
National Association of Insurance Commissioners (NAIC), 225
National Catastrophe Advisory Council, 261
National Practitioner Data Bank, 82
Natural outcome, 617, 622
Negative risks, 446
Negoi, R., 143
Negotiations, 616
Nelson, John, 144
Nerds Galore (NG), 529–532
Net earnings at risk (EaR), 99
New York ICE, 342
New York Stock Exchange, 432
New Zealand, 581
Nickel, Loren, 11, 501
    biography, 520
Nonexecutive directors (NEDs), 443
Nonfinancial industry, 579, 602
Nonprofit organizations, 151–152, 153
Nonquantifiable risks, 441
Norsk Hydro, 60
Norton, David P., 583, 584–585
Norway, 59, 68
Notre Dame, University of, 154
NYSE Euronext Exchange, London, 342

Objective-focused performance measures, 231
Office for Civil Rights (OCR), U.S. Department of Health and Human Services, 88
Office of Financial Management, University of Washington, 159
Office of General Counsel (OGC), University of California Health Services, 81, 82
Office of Risk Services, University of California Health System, 78, 80, 89–90
Office of the City Auditor (OCA), Edmonton, Alberta, 282
Ohio University, 154
Oil and gas companies
    environmental protection and, 382–383
    Middle East, 9
    risk management and, 377–395
    Statoil, 59–72
Oil City (fictional community), 415–424
Oil prices, 68
Oil spills, 382–383
One-balance-sheet approach, 278
Operating plan workshops, 50–51
Operational (bottom-up) assessment, 276
Operational control self-assessment (CSA), 619–621
Operational Excellence plan, MECO, 393
Operational planning and budgeting, 253–254
Operational repercussions of a breach, 89
Operational risk, 30–31, 63, 96, 189, 244, 254, 266, 268–269, 305, 370, 555–557
Operational Risk Oversight Committee, TD Bank Group, 246
Operational tactics review, 405–408
Optimizing total risk, 65–68
Orange Book Risk Management Principles and Concepts (Polish Ministry of Finance), 577
Organizational culture, 442, 453
    colleges and universities, 145–148
    constructive dialogue and, 563–568
    ERM credit financing and, 113
    financial crisis of 2008 and, 562–568
    MECO, 378
    risk assessment and, 611–614
    risk concerns and, 562
    University of Washington, 156–157
Organizational health risks, 189
Organizational pyramid, 110–111, 117
Organizational size, 590–591, 602
Organizational structure, 146–148, 379
Orientation/training, 614
Original equipment manufacturing (OEM), 9, 365, 367–368
ORSA model legislation, 225
Outcome performance measures, 231
Output indicators, 231
Outsourcing and contract management policy, 444, 453


Overall risk ratings, 237
Overconfidence, 519
Ownership policy, 452–453
Oxbode, 126, 137
Oxford Citizens Housing Association, 126, 137

Pairwise comparisons, 610, 622
Pane, Ray, 555–556
Pareto analysis, 232, 413
Park, Adapt, Prepare, Act (PAPA) model, 101, 102–103
Participatory management, 110–111, 116, 117
Patents, trademarks, and copyrights policy, 454–455
Paulson, Karl, 321–322, 323, 325–327, 328, 329
Pennsylvania, University of, 159, 160
Pennsylvania State University, 143–145, 152, 174
Pension funds, 337, 339–340
People risks, 266, 269
Performance assessment, 228
Performance measurement
    benefits of, 230–233, 237–238
    defined, 230
    Intuit, 233–238, 235–236
    results-based budgeting and, 284–285
    strategic planning and, 284
Performance measures, 67, 232–238
Personal health information (PHI), 86
Perstay, Michael, 429
Peters, Tom, 583, 584–585
Pickup, Ray, 209
Pijanowski, Sławomir, 13, 577, 578, 589
    biography, 604–605
Planning process, 51–52, 51–522, 632
Player First Program, 184
PlayNow, 180
Plessis, Julian du, 10
Pm2Consulting. See also Risk Scorecard model
    framework, 294–295
    model success factors, 297–300
    risk scorecard methodology, 285–294
PN-ISO 31000:2012, Risk Management, Principles, and Guidelines, 581
Poland
    chief risk officer (CRO) in, 591–592
    ERM expertise in, 581
    ERM implementation in, 13, 577–603
    ERM issues, 579–585
    ERM stages in, 579, 592–594
    perception of ERM by boards of directors, 586–587
    risk assessment in, 599–601
    risk management, 595–596
    risk maturity levels and, 580
    risk profiles in, 599
    top risks in, 600
Police forces, 8–9, 417–424. See also Hope City Police Service (fictional organization)
Policy Governance Framework, 248
Polish Committee for Standardization, 578, 581
Polish Ministry of Finance, 577
Political risk, 108
POLRISK Risk Management Association, 577, 578, 581, 583, 587–588, 591–592, 602, 603
Pontiggia, Laura, 21
Portfolio performance, 505, 623–646
Portfolio volatility, 491, 505
Porthcwlis, 131
Postacquisition process, 631
Potential repercussions of a breach, 87
Power of Co-Creation, The (Ramaswamy and Gouillart), 96
Power window assemblies, 363–364, 367–368
Preacquisition process, 630–631
Precautionary capital, 114
Premium Rebate Program, 83–85
President's Advisory Committee on ERM (PACERM), 156, 163, 166–167, 171
Pressure testing, 68
Price supports, 344
PricewaterhouseCoopers (PwC), 2, 152, 472, 474, 484
Prince, Charles, 569
Private equity funds, 339
Probability scales, 442
Process indicators, 231
Producer Price Index, 371–372
Product imitation, 447
Professional Liability Prescription Program (PLPP), 83, 84–85
Professional liability (PL) program, 82–83
Professional Medical and Hospital Liability Program (PL), University of California, 83
Professional risk management organizations, 261
Profitability, 591
Profit Risk Exposure, 275
Project management office (PMO), 55
Project risk assessment, 184
Project risk management, 379–383
Project risk management (PRM), 379–380
Property prices, 127–128
Prospect theory, 520
Protected Health Information Value Estimator (PHIve), 86–90
Provincial Adequacy Standards, 325
Provincial Ministry of Public Safety, 333
Prudential Financial, Inc., 310
Public Company Accounting Reform and Investor Protection Act, 148
Public Finance Group, Moody's Investors Service, 144


Public safety agencies, 9–10, 397–398, 405, 409–412
Purdy, Grant, 12, 427, 539, 545, 579

Quadrant Construction Services, 128
Quadrant Housing Association, 126
Quadrant Housing Finance, 126
Quail, Rob, 11, 529
    biography, 532–533
Qualitative risks, 230, 454, 641
Quality, 341, 367
Quantifiable effects, 440
Quantitative risks, 29, 70, 112, 114, 230, 454, 641, 642

Rahmat, D., 64
Ramaswamy, Venkat, 96
Rate of return (ROR), 494
Rating agencies
    colleges and universities and, 144
    ERM and, 224, 261
    Workers Compensation Fund (WCF) and, 208
    Zurich Insurance Group and, 271
RCT Homes Group Board, 132
RCT Homes Limited, 126, 128–134
Registered social landlord (RSL), 134
Regression analysis, 232
Regret avoidance, 520
Regulations
    chocolate making and, 341
    ERM, 308–310
    of milk market, 345
    oil spills, 382–383
    working with external shareholders, 261
Rennie, David, 337
Rents, 127, 132
Reporting standards, 255
Reporting templates, 49
Reputational repercussions of a breach, 87–88
Reputational Risk Committee, TD Bank Group, 246
Reputational Risk Policy, 244
Reputation risks, 244, 269, 565–566
Reserve failures, 218
Resident Scrutiny Panel, 137
Residual risk assessment, 185, 197–198, 610–611
Residual Risk Rating Matrix, 197
Restraining forces, 408, 411, 419–420, 424
Results-based budgeting (RBB) model, 284–285, 290, 299
Return on capital employed (ROCE), 70
Rhea, Maureen, 158–159
Richardson International, 116
Ring-fencing, 135, 140
Risk
    correlations between, 313
    defined, 490
    defining levels of, 442
    emerging, 53
    external, 615–616, 618–619
    internal, 615–616
    low-probability, 610
    measuring, 490
    as opportunity, 42–43, 45, 72, 308, 313
    optimizing total risk, 65–68
    subcauses of, 401–402
    time duration of, 313
Risk-adjusted decision making, 310
Risk-adjusted performance, 623–646
Risk-adverse culture, 299
Risk Advisory Services, British Columbia Lottery Corporation (BCLC), 193
Risk aggregation, 52–54, 68–69
Risk analysis, 124, 195–202
Risk Analysis: Standard for Natural and Man-Made Hazards to Higher Education Institutions (American Society of Mechanical Engineers—Innovative Technologies Institute), 143
Risk analysis worksheet, 223
Risk and Control Self-Assessment (RCSA), 247–248
Risk and Insurance Management Society (RIMS), 261, 501
Risk and Strategy Committee (RSC), 432, 433, 443
Risk appetite, 70, 123–124, 221, 242, 246, 277, 382, 502, 544–545, 589
Risk Appetite Governance Framework, 242
Risk Appetite Statement, 242, 245–246
Risk assessment
    British Columbia Lottery Corporation (BCLC), 181, 196–197
    corporate culture and, 611–614
    Edmonton, City of, 286
    financial performance and, 596–598
    five-point scale, 610, 612
    inherent, 185
    Intuit, 228, 234
    methodology, 124
    PHIve, 87
    residual, 185
    responsibility for, 610–611
    three-tiered approach, 610–611
    Washington, University of (UW), 169, 170
    Workers Compensation Fund (WCF), 208, 221–223
    Zurich Insurance Group, 275, 276
Risk assessment workshops, 40–50, 47–50, 53–55, 55–56
Risk attitude, 446, 454, 544–545
Risk avoidance, 588
Risk-awareness, 78, 299
Risk awareness, 563


Risk-based capital (RBC), 254, 271, 277–279
Risk categories, 168, 266–269
Risk champions, 193–194
Risk Committee, 259–260
    MECO, 387, 391, 392
    regulation and, 308–310
    Statoil, 61, 67–68, 71
    Zurich Insurance Group, 259–260
Risk Committee of the Board (RCoB), 242, 245–246
Risk consolidation, 384–385
Risk control, 248–249
Risk criteria
    British Columbia Lottery Corporation (BCLC), 185, 188, 195
    context for, 438
    defined, 438–439, 545
    development of, 439
    establishment of, 454
Risk culture
    Astro, 627
    TD Bank Group, 242, 243–244
    Zurich Insurance Group, 255
Risk descriptions, 189–192, 384, 591
Risk dictionary, 189–191
Risk discovery, 502
Risk dysfunction, 570
Risk evolution, 315
Risk exposure, 98, 236
Risk financing, 382
Risk Framework, MECO, 385–386
Risk-free rate, 506
Risk governance approach, 256–257
Risk governance structure, 245–247
Risk identification, 221, 243, 312, 313
    General Motors (GM), 608–609, 614–617
    senior management and, 609–611
    United Grain Growers (UGG), 111
    violent crime case study, 418
    Washington, University of (UW), 169
Risk indicators, 28. See also Key risk indicators (KRIs)
Risk intelligence, 230
Risk inventory, 243–244
Risk leadership, 230
Risk levels, 442
Risk likelihood, 195–196, 234–235, 289, 442, 445
    inherent, 195–196
Risk management
    challenges of, 589–591
    Chessfield, Inc., 550
    in colleges and universities, 151–152
    as a control function, 311
    defined, 2
    evolution of, 316, 436–437
    financial risk, 372–374
    frameworks, 542–543, 589–590
    General Motors (GM) process, 609
    history of, 27
    by housing associations, 122–123
    human attitudes and, 600–601
    information gathering exercise, 383–394
    information technology (IT) and, 379–381
    integrating into ERM, 80–83
    integrative thinking about, 321
    JAA Inc., 430, 434
    at Kilgore Custom Milling, 363–364
    major activities, 579
    measuring effectiveness of, 231
    MECO, 379–383, 380–383, 386–390
    Middle Eastern oil and gas companies, 377–395
    oversight of, 308
    process, 591
    public safety agencies and, 397–398
    quality of, 596
    regulatory requirements for, 148, 152
    responsibility for, 78, 83
    socialist economic systems and, 582
    strategic planning and, 153
    as a strategic support function, 311
    at TD Bank Group, 247–248
    terminology, 583–584, 589
    transformation process, 539–543
    United Grain Growers (UGG), 109–110
    Zurich Insurance Group, 259–260
Risk Management: An Accountability Guide for University and College Boards (Abraham), 152
Risk Management and Own Risk and Solvency Assessment (ORSA) model legislation, 225
Risk Management Committee, United Grain Growers (UGG), 109
Risk Management Councils, 261
Risk Management Framework tool, 282
Risk Management Group, 260
Risk management information system (RMIS), 394
Risk management methodology, 452
Risk Management Planning Group, British Columbia Lottery Corporation (BCLC), 188, 194
Risk management policy
    British Columbia Lottery Corporation (BCLC), 185–186
    JAA Inc., 438–439
    MECO, 386–390
    objectives, 450
    in Poland, 589
    purpose, 450
    risk oversight principles, 451
    scope, 450
    terminology, 450–451
Risk management workshops, 24, 34


Risk maps, 196, 445
    Astro Overseas Limited (AOL), 637–641
    benefits and limitations of, 68–69, 312, 313
    defined, 312
    downside risk, 62
    optimizing total risk, 65–66
    process, 64–65
    risk aggregation and, 68–69
    Statoil, 61–65
    upside potential, 62
Risk matrix, 196, 216, 386, 583
Risk maturity, 229–230, 387, 388–389, 390, 391, 580, 592–594
Risk maturity matrix, 390
Risk measurement, 248, 505–508
Risk mitigation, 588, 614–617
    Edmonton, City of, 393
    Intuit, 235–236
    in Poland, 581
    Workers Compensation Fund (WCF), 214, 218, 221
Risk modification, 581
Risk monitoring, 274
Risk numbers, 384
Risk/opportunity assessment tools, 221
Risk oversight, 188, 209, 443, 451
Risk ownership, 235, 590
Risk Planning and Mitigation manager, 184–185
Risk portfolio, 70–71, 305–306
Risk profiles
    Astro Overseas Limited (AOL), 637–641
    British Columbia Lottery Corporation (BCLC), 189–193
    categorizing, 46–47
    defined, 544
    learner-centered teaching (LCT) approach to, 28–29
    management of uncertainty and, 443–444
    MECO, 384
    in Poland, 599
    summary reports, 45–50
    Zurich Insurance Group, 278
Risk quantification, 248
Risk registers, 68–69, 384, 591
    benefits and limitations of, 313
    British Columbia Lottery Corporation (BCLC), 185
    defined, 311
    development of, 305
    Edmonton, City of, 286, 297, 298
    purpose of, 312
    Workers Compensation Fund (WCF), 214–216, 218
Risk register templates, 384
Risk retention, 504
Risk reviews, 188
Risk Room methodology, 265–266, 275
Risk Scorecard model, 285–286
    determining indicators and mitigation measures, 293
    effectiveness of, 290
    initial planning, 286–287
    key risk elements identification, 289
    linking programs, initiatives, and risks, 289–293
    model power and user-friendliness of, 297
    phasing in, 300
    process diagram, 287
    risk elements scoring, 289
    steps in, 286–297
    strategy identification, 287–289
    success factors, 297–300
Risk Scorecard workshop, 286
Risk sensing, 502
Risk Services, University of California Health Services, 81, 82–83, 86
Risk setting, 508
Risk statements, 189–192
Risk templates, 614, 615
Risk tolerance, 264, 386, 502
    at LEGO Group, 98–99
    Zurich Insurance Group, 254–255, 276–277, 278
Risk training material, 387
Risk transfer, 504
Risk treatments, 43, 54–55, 581, 598–601
Risk types, 31, 149–151, 168
Risk-weighted assets (RWA), 469
Risk workshops, 195–196, 198, 428, 442
Robinson, Marc S., 13, 607
    biography, 622
Rocky Mountain Chocolate Factory, Inc., 345, 357–359
Rogue equities, 463
Rogue trading, 461–487
Rohn, Jim, 489
Rollout step, 631–632
Root cause analysis (RCA), 232, 397–425
    cause and effect analysis, 400–402
    common tools, 398
    concept fans, 413–415
    failure mode, effects, and criticality analysis (FMECA), 402–408, 422–424
    five whys analysis, 398–399
    force field analysis, 409–411
    influence diagrams, 411–413
    public safety and, 397–398
    tool comparisons, 413
    uses of, 397–398
    violent crime case study, 415–422
Rosenblum, Jack, 562
Rossi, Clifford, 570
Russell Sage Foundation, 207
Russia, 44, 45


Saga Petroleum, 60
Sample size bias, 520
Sandusky, Gerald A., 174
Sarbanes-Oxley (SOX), 33–34, 148, 182, 619
Saskatchewan Wheat Pool (SWP), 113, 115–116
Saunders, Anthony, 491
Scenario analysis, 232
Scenario planning, 618
Schanfield, Arnold, 427, 458
Schneider Truck Yard Tornado Damage, 29
Schoening-Thiessen, Karen, 2
ScotiaBank (Bank of Nova Scotia), 108, 113
Scott, James P., 21, 27
Seasonal demand, 340
Securities and Exchange Commission (SEC), 148, 153, 308
Securities Commission, Malaysia, 625
Securities Exchange Act, 432
Security readiness score, 87
Segal, Sim, 218
Segment management teams, 45–46, 53
Segregation of duties policy, 454
Senior management. See also Leadership
    British Columbia Lottery Corporation (BCLC), 193–194
    buy-in to Risk Scorecard model, 297
    Edmonton, City of, and, 299, 300
    ERM framework selection and, 363–364
    Kilgore Custom Milling, 368–369
    perceptions about risk and risk management, 311
    risk identification and, 609–611
    risk management transformation and, 542–544
    risk officers and, 613
Sense checks, 610, 622
Service-level agreements (SLA), 444
Sexual abuse, Penn State, 143–145, 174
Shareholders, 253, 579, 599–600
Sharif, Mohammed, 557
Sheen, Fulton, 229
Shell, 390, 393
Sheltered Housing Remodeling Programme, 132
Shibley, Ivan A., Jr., 19, 20, 21, 27
Short-term forward contracts, 373
Silkwood, Joe, 557
Silo-based approach, 590, 602
Simkins, Betty J., 1, 2, 3, 4, 10, 12, 19, 22, 23, 24, 26, 124, 363, 489, 500
    biography, 15, 35–36
Six-Stage Business Continuity Management Life Cycle, Zurich Insurance Group, 273–274
Slot machines, 179
Smart, Karl L., 21, 27
Smith, Lisa M., 13, 607
    biography, 622
Social Assistance Agency Funding Model, 422
Social housing, 119–120
Socialist economic systems, 582
Société Générale, 10, 461–487
    chronology of events, 477–486
    control environment, 473
    Corporate and Investment Banking (CIB) division, 463–469
    damage control by, 469–472
    financial performance, 464–469
    financial profile, 465, 476–477
    growth of, 463–464
    interactive case study, 475–476
    losses of, 470, 472–475
    managerial supervision, 472–473
    outcome, 476–487
    questions raised by, 468–472
    remedial action plan, 473
    summary income statement, 476–477
    trading, 462–463
Society of Actuaries, 189
Solvency II, European Union, 261
Solvency management, 269–271
Southern Association of Colleges and Schools Commission on Colleges (SACS COC) Standard 2.10.4, 174
Southern California, University of (USC), 145
Sparks, Dan, 563, 565
Specific Risk Impact/Likelihood Evaluation exercise, 198, 200
Spiral, The: Memoirs of a Trader (Kerviel), 475, 486
Stakeholders, 599–600
Standardized performance measures, 231
Standard & Poor's, 261, 271, 499
Stanford University, 159
Stanton, Thomas H., 12–13, 561
    biography, 574–575
State Insurance Fund, 207
State legislations, 617
Statement of Context, 591
Statements of income and retained earnings, 348–352
Statoil
    core risks, 64
    ERM frontiers, 69–71
    ERM history, 60–61
    ERM implementation, 5, 59–72
    ERM philosophy, 61–64, 69
    ERM processes, 64–65
    geographical regions, 60
    goals of, 61
    risk aggregation, 68–69
    Risk Committee, 61, 67–68
    risk mapping, 61–64
    total risk optimization, 65–68
    upstream activities, 60
    value chain, 62
    value creation, 61, 63


STDEVP function, Excel, 492, 494
Steinberg, Esther R., 26
Stobes, Jeeves, 529, 531
Strategic dialogue, 501–502
Strategic management (SM), 583
Strategic paths, 70–71
Strategic planning
    colleges and universities, 155
    embedding ERM into, City of Edmonton, 281–302
    ERM and, British Columbia Lottery Corporation (BCLC), 189
    ERM strategy links to, 283–284
    learner-centered teaching (LCT) approach to, 27–28
    replacement of, 430
    risk management and, 153
    weighting goals and objectives, 287–288
    Zurich Insurance Group, 253–279
Strategic risk, 243, 305
Strategic Risk Initiative Review Committee (SRIRC), 159, 165
Strategic risk management (SRM)
    defined, 501, 502–503
    diagram, 502
    efficient frontier analysis (EFA) and, 501–521
    elements of, 95
    ERM and, 7–8, 93
    framework, 502–503
    lab commentary, 95–96, 97, 99, 100
    LEGO Group, 93–106
    leveraging ERM to practice, 305–316, 310–312
    models, 285–293
    return on investment, 103–104
    Zurich Insurance Group, 263–266
Strategic Risk Management Lab, DePaul University, 93
Strategic risk planning
    community views and, 333–334
    consultant interviews on, 322–333
    context of, 321–322
    for Hope City Police Service, 321–333
    integrative thinking about, 321
Strategic risks
    British Columbia Lottery Corporation (BCLC), 189
    at LEGO Group, 96
    Zurich Insurance Group, 266, 267
Strategic (top down) scenarios, 276
Strategy, 310
Strategy choice, 124
Strategy execution, 583, 584–585
Stress testing, 276
Stripling, Jack, 144, 152
Structural model, 146–148
Stumpf, John, 567
Suboptimal decisions, 65–66
Subprime mortgage market, 33–34, 467, 479, 480, 482, 565
Sugar markets, 341, 343–344
Sullivan, Rory, 368, 373, 374
Summary reports, 47–50, 49, 54–55
Summerhay, Layne, 208
Supplier contract management, 444
Supply Chain Risk Assessment, Zurich Insurance Group, 273
Supporting People program, 134, 135, 141
Sustainability, 307–308, 455, 632, 633, 634
Sweet, Janice, 556–557
Swiss Financial Market Supervisory Authority (FINMA), 271
Swiss Re, 112
Swiss Solvency Test (SST), 261, 271, 277–278
Systemically important financial institutions (SIFIs), 310

Tail conditional expectation (TCE), 506, 510
Tail value at risk (TVaR), 506–508
Taleb, Nassim, 491
Tangible performance measures, 231
Tanserki, Francine, 429
Target customers, 447
Targeted hoc risk management, 229
Target outcome, 617, 622
Tariff rate quotes, 344
TD Bank Group
    background, 241–242
    business lines, 241
    ERM at, 7, 241–249
    Internal Audit, 246
    lines of defense model, 245
    risk control, 248–249
    risk culture, 243–244
    risk governance structure, 245–247
    risk management, 247–248
    risk measurement, 248
Teacher lecture (TL), 19–23, 27
Teachers, 23–25
Technology, 51–54, 77–78
Technology Risk Management and Information Security Program, 248–249
Technology risks, 189
Templates
    evolution of, 54–55
    interview, 45
    reporting, 49
    risk, 614, 615
    risk register, 384
    risk treatments, 54–55
Terminology, 450–451, 583–584, 589, 590
Terms of reference, 186
Terrorism Risk and Insurance Act (TRIA), 307
Tertiary Education Quality Standards Agency (TEQSA), 151


Texas, University of, system, 159, 160
Texas A&M University System, 154
Thelen, Brian D., 13, 607
    biography, 622
Third Party Claims Administrator, University of California Health System, 81
Thornton, Grant, 153
Threat analysis, 232–233
Threat/opportunity matrix, 217
Tornado charts, 216
Toronto Dominion (TD) Bank, 567–568
Toronto Stock Exchange (TSX), 109, 111
Total investment performance score (TIPS), 641
Total risk optimization, 65–68
Total Risk Profiling (TRP), Zurich Insurance Group, 254, 263–264, 274, 275, 276
Toxic assets, 562
Traffic, Hope City, 330, 331
Training policy, 453
Transforming Edmonton Committee (TEC), 299
Transportation, 108–109, 287
Trend reports, 80
Trex Radio, 639–640
Triangle Shirtwaist Factory fire, 207
Tribalism, 379
Troubled Asset Relief Program (TARP), 485
Tufano, Peter, 151, 155
Turnbull Report, 148

UBS, 569
UC Action, 82, 83
UGG/AU, 113–114
UGG Financial, 108, 113, 115
UK Charities Act of 2006, 122–123
UK Corporate Governance Code, 457
Uncertainty
    decision making and, 588
    management of, 443–444
    preparing for, 95, 100–102
United Educators, 152, 153
United Educators Insurance, 152
United Grain Growers (UGG), 5–6, 107, 316
    Annual Report (1994), 110–111
    creative financing, 307
    Crop Production Services, 113, 114
    ERM at, 107–116
    ERM credit financing outcomes, 113–115
    hostile takeover attempt, 111
    integrated risk-financing program, 107–108, 112, 115
    integrated risk outcomes, 112–113
    leadership, 110–112
    merger with Agricore Cooperative, 113, 115
    operating environment, 108–109
    participatory management, 110–111, 116, 117
    risk identification, 111
    Risk Management Committee, 109
    risk management program, 109–110
United Kingdom
    housing associations, 119–141
    housing market, 119–120
United Minerals, 539–540
University of California Health System
    chief risk officer (CRO), 75–77, 82
    cost of risk study, 77
    enterprise risk management information system (ERMIS), 76–78
    Medical Staff Risk Management Committee, 82
    My Managed Risk (MMR) portal, 78, 80
    Risk Services, 81, 82–83, 86
University Risk Management and Insurance Association (URMIA), 148, 152–153
Upside potential, 62
U.S. Army, 617, 622
U.S. Defense Department, 618
U.S. Department of Agriculture, 344
U.S. Department of Education, 174
U.S. Department of Health and Human Services Office for Civil Rights (OCR), 88
U.S. Energy Information Administration, 495–497
U.S.–European Union Free Trade Agreement, 446
U.S. Financial Crisis Inquiry Commission (FCIC), 561–562, 569
U.S. Food and Drug Administration (FDA), 341
U.S. Petcare, 46
U.S. Securities and Exchange Commission (SEC), 536
U.S. subprime mortgage market, 463, 467–468, 472, 479, 480, 482
Utah, 208
Utah Department of Insurance, 208, 225
Utah Labor Commission, 208
Utah State University, 175
Utah Supreme Court, 207, 208
Utah Workers' Compensation Act, 207

Value-added tax (VAT), 133, 140
Value at risk (VaR), 10, 489–497
    advantages and criticisms of, 491–492
    assumptions of, 491
    calculating, 491–497
    examples, 492–493
    history of, 490
    misuses of, 491–492
    parametric method for calculating, 499
    portfolio examples, 494–497
    purpose of, 490
    Zurich Insurance Group, 277
Value-based management (VBM), 583
Value chain, 62, 63–64


Value chain risks, 63
Value creation, 61, 63, 274–277, 312, 579
Value maps, 8, 313–315
Vanderbilt Patient Advocacy Reporting System (PARS), 83
Vane Mallory Investment Bank, 10, 489–497
VARP function, Excel, 492, 494
Verdiger, Jillian, 429
Vermont, University of, 154
Viniar, David, 565
Violent crime case study, 415–424
Virginia, University of, 143, 174
Virginia Tech, 143, 174
Visual mapping, 198
Volatility
  calculating, 494
  value at risk (VaR) and, 491, 499
Volatility traders, 466
Von Moultke, Helmuth, 312
Vonnegut, Kurt, 365
Voting technology, 195–196, 198
Walker, Paul, 1, 2
Walker, Russell, 565
Ward, Anthony, 343
War gaming, 618
Warner, Larry, 5
  biography, 58
Warren, V’Ella, 158, 159, 160, 164, 166
Warsaw Stock Exchange (WSA), 592
Washington, University of (UW), 6, 154, 155–173
  Advisory Committee recommendations, 160
  background, 155–173
  Board of Regents, 158
  Committee of Sponsoring Organizations (COSO), 167–170
  Compliance, Operations, and Financial Council (COFI), 166
  Compliance Council, 159
  critical success factors for ERM at, 173
  culture of compliance and, 157–158
  ERM Annual Report, 155, 171–172
  ERM evolution, 162–164
  ERM future, 172–173
  ERM implementation, 148
  ERM implementation timeline, 164
  ERM integrated framework, 167–170
  ERM model, 167–171
  ERM outcomes and lessons learned, 171–172
  ERM process, 168–170
  ERM program objectives, 156
  ERM program philosophy, 161–162
  ERM structure, 165–171
  ERM tools and techniques, 170–171
  institutional culture, 156–157
  institutional profile, 156
  Internal Audit, 166
  leadership, 158–159
  Medicare and Medicaid billing practices, 155, 158
  Office of Financial Management, 159
  organizational structure, 161, 168
  president and provost, 167
  President’s Advisory Committee on ERM (PACERM), 166–167
  program staff, 165–166
  risk categories, 168
  scope of the risk framework, 160
  sentinel event, 155, 158
  student enrollment, 157
  units, 165
Washington Mutual (WaMu), 568–570
Waterman, R. H., Jr., 583, 584–585
Way Ahead, The (Edmonton strategic plan), 281, 283, 284, 301–302, 387–394
Ways reports (Edmonton strategic plan), 283, 284, 302
Way We Live, The (Community Services), 285, 286, 294–295
Way We Move, The (Transportation Plan), 285, 286, 287, 294–295
Weather, 108–109, 112, 114
Web-based clinical incident reporting, 80
Weimer, Maryellen, 19, 20–26, 27
Welch, Jack, 583, 584–585
Welfare benefits, 121
Welfare reform, 127, 128, 132
Wells Fargo, 566–567
Welsh Housing Quality Standard, 131
Western Canada Lottery Corporation, 179
Westlea Housing Association, 136–137, 1265
Whistle-blowers, 33–34, 548
Whitfield, R. N., 152
Why Some Firms Thrive While Others Fail: Governance and Management Lessons from the Crisis (Stanton), 562
Williams, Cathy, 363–364, 368, 369, 371, 372–374
Willson, C., 143
Wilson, Richard F., 155
Wilson, Timothy D., 19, 20, 21, 27
Winning (Welch), 583, 584–585
Witt, Christine, 21, 27
Wohlfarth, DeDe, 21
Women, on boards of directors, 551, 552
Workers Compensation Act, Utah, 207
Workers’ compensation claims, 218
Workers Compensation Fund (WCF), 7, 207–225
  all-employee ERM survey, 213–214, 224
  Board Risk Oversight Committee, 209–213, 218, 221, 224
  chief risk officer (CRO), 209–214, 218
  credit rating, 208
  current operation of, 207–208
  economic recession and, 209


  ERM program initiation, 208–209
  ERM program maturity, 214–223
  ERM risk management matrix values, 211–212
  history of, 207–208
  initial ERM actions, 209–214
  Internal Risk Committee (IRC), 212–214, 216, 224
  management style, 209
  risk analysis worksheet, 223
  risk appetite, 221
  risk assessment, 208
  risk assessment framework, 221–223
  risk matrix, 216
  risk mitigation, 214, 218
  risk policy, 211–212
  risk registers, 214–216, 218
  state regulation of, 208
Workers’ compensation insurance, 207, 208, 508–516
Working Smarter initiative, 89
World Economic Forum, 261
World Trade Organization (WTO), 443
Wright, Gloria Brown, 21, 27
Wyman, Oliver, 570
Yale University, 154
Yang, Xiaomei, 21
Youth crime, 331

Zarinovic, Jelena, 557
Zurich Economic Capital Market (Z-ECM), 270–271
Zurich Economic Capital Market Available Financial Resources (Z-ECM AFR), 271
Zurich Economic Capital Market Economic Solvency Ratio (Z-ECM ratio), 271
Zurich Hazard Analysis methodology, 264–265
Zurich Insurance Group, 8
  Business Resilience Program, 271–277
  business resilience tools, 271–274
  capital management, 269–271
  chief risk officer (CRO), 258–261
  creating new value with ERM tools, 274–277
  credit ratings, 271
  ERM at, 253–255
  ERM framework, 255–258
  ERM methodologies and tools, 263–266
  ERM objectives, 254
  external stakeholders and, 261–263
  proprietary tools, 263–266
  Risk-Based Capital (RBC) model, 277–279
  risk categorization at, 266–269
  strategic approach to ERM, 253–279
Zurich Risk Governance Overview, 257
Zurich Risk Policy, 256–261, 278–279
Zurich Risk Radar, 262
Zurich Risk Room, 265–266, 274


WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.


  • IMPLEMENTING ENTERPRISE RISK MANAGEMENT
    • Contents
    • Foreword
  • 1 Enterprise Risk Management Case Studies: An Introduction and Overview
    • The Evolution of Enterprise Risk Management
    • Why the Need for a Book with ERM Case Studies?
    • Summary of the Book Chapters
    • Part I: Overview and Insights for Teaching ERM
    • Part II: ERM Implementation at Leading Organizations
    • Part III: Linking ERM to Strategy and Strategic Risk Management
    • Part IV: Specialized Aspects of Risk Management
    • Part V: Mini-Cases on ERM and Risk
    • Part VI: Other Case Studies
    • Conclusion
    • Notes
    • References
    • About the Editors
  • PART 1 Overview and Insights for Teaching ERM
    • 2 An Innovative Method to Teaching Enterprise Risk Management: A Learner-Centered Teaching Approach
      • Learner-Centered Teaching: The WHY
        • Learner-Centered Teaching
        • Why LCT?
      • Five Key Changes to Practice the WHAT
        • The Balance of Power
        • The Function of Content
        • The Role of the Teacher
        • The Responsibility for Learning
        • Evaluation Purpose and Process
      • Conclusion
      • Questions
      • Appendix: LCT ERM Examples from the HOW
        • Example #1. Chapter : A Brief History of Risk Management
        • Example #2. Chapter : ERM and Its Role in Strategic Planning and Strategy Execution
        • Example #3. Chapter : Becoming the Lamp Bearer—The Emerging Roles of the Chief Risk Officer
        • Example #4. Chapter : Identifying and Communicating Key Risk Indicators
        • Example #5. Chapter : How to Prepare a Risk Profile
        • Example #6. Chapter : Quantitative Risk Assessment in ERM
        • Example #7. Chapter : Market Risk Management/Credit Risk Management
        • Example #8. Chapter : Operational Risk Management
        • Example #9. Chapter : Types of Risk
        • Example #10. Chapter : Managing Financial Risk
        • Example #11. Chapter : Bank Capital Regulation and Enterprise Risk Management
        • Example #12. Chapter : Legal Risk Post-SOX and the Subprime Fiasco
        • Example #13. Chapter : Academic Research on Enterprise Risk Management
        • Example #14. Chapter : How to Plan and Run a Risk Management Workshop; Chapter: Who Reads What Most Often?
      • References
      • About the Contributors
  • PART 2 ERM Implementation at Leading Organizations
    • 3 ERM at Mars, Incorporated: ERM for Strategy and Operations
      • Mars ERM History
        • Failure and Retrenchment
      • Phase 2—Success
      • Global Rollout
      • Reporting
      • 2007 Operating Plan Workshops
      • Technology
      • Aggregation
      • Template Evolution
      • Special Situations
      • Major Acquisition
      • Conclusion
      • Questions
      • Note
      • About the Contributor
    • 4 Value and Risk: Enterprise Risk Management at Statoil
      • ERM at Statoil: A Brief History
      • ERM Foundations
      • ERM Processes in Statoil Today
      • Optimizing Total Risk
      • Total Risk Optimization: Lessons Learned
      • Risk Aggregation
      • The Frontiers
      • Conclusion
      • Questions
      • Notes
      • References
      • About the Contributors
    • 5 ERM in Practice at the University of California Health System:
      • The Enterprise Risk Management Program
        • Leveraging Technology to Support ERM
        • Creating a Risk-Aware Culture
        • Health System Specialized Programs
      • Premium Rebate Program
      • ERM and the Center for Health Quality and Innovation
      • Protected Health Information Value Estimator (PHIve)
        • Reputational Repercussions
        • Financial Repercussions
        • Legal and Regulatory Repercussions
        • Operational Repercussions
        • Clinical Repercussions
        • Total the Impacts
        • ERM and Strategy
      • Questions
      • Notes
      • About the Contributor
    • 6 Strategic Risk Management at the LEGO Group: Integrating Strategy and Risk Management
      • About the LEGO Group
      • The LEGO Group Strategy
      • LEGO Strategic Risk Management
        • Strategic Risk Management Lab Commentary
      • Enterprise Risk Management (Step 1)
        • Strategic Risk Management Lab Commentary
      • Monte Carlo Simulation (Step 2)
        • Risk Tolerance
        • Strategic Risk Management Lab Commentary
      • AROP: Active Risk Assessment of Business Projects (Step 3)
        • Common Language and Common Framework
        • Strategic Risk Management Lab Commentary
      • Preparing for Uncertainty: Defining and Testing Strategies (Step 4)
        • Four Strategic Scenarios
      • The PAPA Model
        • Strategic Risk Management Lab Commentary
      • Strategic Risk Management Return on Investment
        • Strategic Risk Management Lab Commentary
      • Conclusion
      • Questions
      • Notes
      • References
      • About the Contributors
    • 7 Turning the Organizational Pyramid Upside Down: Ten Years of Evolution in Enterprise Risk Management at United Grain Growers
      • Background—Operating Environment
      • Governance
        • Leadership
        • ERM/Integrated Risk Outcomes
      • ERM Credit Financing Outcomes
      • Agricore United
      • Harvesting Value
      • Conclusion
      • Questions
      • Acknowledgments
      • Notes
      • About the Contributor
    • 8 Housing Association Case Study of ERM in a Changing Marketplace
      • Background
      • Sector Issues
      • Charitable Status
        • Sector Risks
      • Some Useful Methodology
        • Risk Appetite Determination
        • Risk Assessment Methodology
      • Four Associations
      • Association A: London & Quadrant
        • Mission Statement
        • Perceived Risks
        • Choices Made in 2012/2013
      • Association B: RCT Homes
        • The RCT Subsidiaries
        • Perceived Risks
      • Association C: Ability Housing Association
        • Perceived Risks
      • Association D: GreenSquare
        • Objectives and Strategy
      • Questions
      • Notes
      • References
      • About the Contributor
    • 9 Lessons from the Academy: ERM Implementation in the University Setting
      • The Higher Education Environment
        • Organizational Type Impacts Institutional Culture
        • Risks Affecting Higher Education
      • Emergence of ERM in Higher Education
      • Adopting and Implementing ERM in Colleges and Universities
      • The University of Washington: A Journey of Discovery
        • Institutional Profile
        • Culture at UW
        • Implementation History at UW
        • Leadership from the Top: President Outlines the Charge
        • Advisory Committee Recommendations: Create a Culture-Specific ERM Program
        • Scope of the Risk Framework
        • Organizational Structure
        • Philosophy of the Program
      • Evolution of ERM at UW
      • ERM Structure at UW
        • UW Units
        • ERM Program Staff
        • Compliance, Operations, and Finance Council (COFi)
        • President’s Advisory Committee on ERM (PACERM)
        • Internal Audit
        • UW President and Provost
      • UW’s ERM Model
        • Adopting and Adapting the COSO Model
        • Tools and Techniques
      • Outcomes and Lessons Learned
      • What Next?: Current Priorities and Future Direction
      • Conclusion
      • Questions
      • Notes
      • References
      • About the Contributor
    • 10 Developing Accountability in Risk Management: The British Columbia Lottery Corporation Case Study
      • Background
      • The Beginnings of the Risk Management Journey
      • Learning from the First ERM Initiative
      • Restarting the Program–2006–2008
      • Key Steps in the Development of the ERM Program
      • Revitalizing the ERM Program—2009–2010
      • Strengthening the Program—2010–2013
      • Building the Risk Profile
      • The Role of Risk Managers, Champions, and Committees
      • Developing a More Sophisticated Approach to Risk Analysis and Evaluation
      • Conclusion
      • Questions
      • Notes
      • References
      • About the Contributor
    • 11 Starting from Scratch: The Evolution of ERM at the Workers’ Compensation Fund
      • Toward ERM Program Initiation
      • Initial Actions
      • Maturing: Years 1 and 2
      • The Future
      • Questions
      • Notes
      • About the Contributor
    • 12 Measuring Performance at Intuit: A Value-Added Component in ERM Programs
      • Intuit’s ERM Journey
      • ERM Maturity Model
      • Benefits of Measuring Performance in ERM Programs
        • Using Key Performance Indicators to Measure Risk Management Effectiveness
        • Analyzing Performance Data
        • Using Key Risk Indicators to Understand Potential New Risks or Changing Risks
      • ERM Performance Measurement and Reporting at Intuit
        • First Evolution: ERM Process Adoption
        • Second Evolution: Risk Mitigation Progress Measurement
        • Third Evolution: Multidimensional Risk Management Performance Measurement
      • Conclusion
      • Questions
      • About the Contributor
    • 13 TD Bank's Approach to an Enterprise Risk Management Program
      • Background
        • ERM at TD Bank
        • Understanding an Organization’s Risks Helps Reinforce the Risk Culture
        • Risk Governance Structure
        • Risk Identification, Assessment, and Reporting
        • Risk Measurement
        • Risk Control
        • Risk Monitoring and Reporting
      • Conclusion
      • Questions
      • References
      • About the Contributors
  • PART 3 Linking ERM to Strategy and Strategic Risk Management
    • 14 A Strategic Approach to Enterprise Risk Management at Zurich Insurance Group
      • Enterprise Risk Management at Zurich
        • Tangible Results
        • Optimizing the Risk and Reward Balance at Zurich
        • Risk Culture at Zurich
      • Zurich Group’s Enterprise Risk Management Framework
        • Risk Governance Approach at Zurich with Three Lines of Defense
        • Integrated Assessment and Assurance
        • Internal Control Framework
      • Role of the Chief Risk Officer and Group Risk Management at Zurich
        • Board-Level Risk Committee and Executive Risk Committee Responsibilities
        • Emerging Risk Group
      • Working with External Stakeholders
      • Zurich’s Proprietary Tools Used in ERM Framework
        • Total Risk Profiling Tool
        • Zurich Hazard Analysis Tool
        • Zurich’s Risk Room
      • Categorizing Various Risks at Zurich
        • Strategic Risks
        • Insurance Risks
        • Market Risks
        • Credit Risks
        • Liquidity Risks
        • Operational Risks
        • Reputation Risks
      • Capital Management
        • Zurich Economic Capital Model
        • Analysis of Capital Adequacy
      • Zurich’s Business Resilience Tools
      • How Zurich Uses Its ERM Tools to Create New Value
      • Conclusion
      • Appendix
      • Questions
      • References
      • About the Contributors
    • 15 Embedding ERM into Strategic Planning at the City of Edmonton
      • Context—City of Edmonton
        • City Government
      • ERM Development in the Past
        • City Auditor’s Report
      • Current Overall ERM Development
      • Links to Strategic Plan and to Other Strategic Tools
        • Results-Based Budgeting
        • Capital Budgeting Models
      • Selecting and Testing a Strategic Risk Management Model
        • Pilot pm2 Risk Scorecard Methodology
        • Initial Planning
        • Step 1: Identify Strategy
        • Step 2: Identify Key Risk Elements
        • Step 3: Score Risk Elements
        • Step 4: Link Programs, Initiatives, and Risks
        • Step 5: Determine Indicators and Mitigation Actions
      • Selecting an ERM Framework
        • Comparison of pm2 and ISO 31000 Frameworks
      • Recommended Strategic ERM Model
      • Lessons Learned
        • Key Success Factors
        • Findings on the Process of Selecting and Implementing a Framework
      • Conclusion
      • Appendix: Summary of THE WAY AHEAD, Edmonton’s Strategic Plan
      • Questions
      • Notes
      • About the Contributor
    • 16 Leveraging ERM to Practice Strategic Risk Management
      • ERM: A Reexamination of Purpose
      • Regulatory Environment
      • Leveraging ERM to Practice Strategic Risk Management
      • Managing and Measuring Value Creation
      • Risk Management Fault Line
      • Value Maps
      • Additional Tools and Techniques
      • Conclusion
      • Questions
      • Notes
      • About the Contributors
  • PART 4 Specialized Aspects of Risk Management
    • 17 Developing a Strategic Risk Plan for the Hope City Police Service
      • The Context
      • Some Background on the Hope City Police Service
      • What the Consultant Heard
        • Chief Administrative Officer of the City
        • Chair of Police Service Board
        • Interviews within the Police Service
        • President of the Police Association
        • Chair of Hope City Chamber of Commerce
        • Editor of the Hope City Telegraph
        • Citizens against Racism Community Group
        • East End Residents Association
        • Hope City Citizens for Responsible Government
        • Other Input
      • Community Views on Police Issues
      • Questions
      • Notes
      • About the Contributor
    • 18 Blue Wood Chocolates
      • Background
      • The Company
      • Market Overview
        • Major Competitive Factors
        • Cocoa Markets Overview
        • Sugar Markets Overview
        • Milk Markets Overview
      • Blue Wood Financial Performance
      • Conclusion
      • Appendix I: Blue Wood Chocolates
      • Appendix II: The Hershey Company
      • Appendix III: Rocky Mountain Chocolate Factory, Inc.
      • Questions
      • Notes
      • About the Contributors
    • 19 Kilgore Custom Milling
      • Background
      • Kilgore Custom Milling
      • The Management Team
      • The Company
      • The New Contract
      • The Financial Risk Management Meeting
      • Questions
      • About the Contributors
    • 20 Implementing Risk Management within Middle Eastern Oil and Gas Companies
      • Company Background
      • Organization Culture
      • Local Culture
      • MECO Structure
      • MECO Risk Management Background
      • Risk Management Practices within MECO
        • Information Technology
        • Project Management
        • Finance
        • Environmental Protection Department
        • Law
      • Corporate Risk Exercise
        • Risk Management Information Gathering Exercise (January 2010 to June 2011)
        • Consolidation
        • Risk Framework
        • Risk Management Approach
        • Management Committee Meeting, December 2011
        • Operational Excellence, June 2012 to December 2012
        • Risk Management Move to Corporate Planning, December 2012 to Present
      • Conclusion
      • Questions
      • Notes
      • About the Contributor
    • 21 The Role of Root Cause Analysis in Public Safety ERM Programs
      • Policing and Risk
        • Getting to the Root of the Problem
      • Five Whys Analysis
      • Cause and Effect Analysis
        • Example: Cause and Effect Analysis on Homelessness and the Criminal Justice System
      • Failure Mode, Effects, and Criticality Analysis
        • FMECA Example 1: Engineering Process
        • FMECA Example 2: Operational Tactics Review Process
      • Force Field Analysis
      • Influence Diagrams
        • Comparing RCA Tools
      • Concept Fans
      • Case Study Example: Tackling Violent Crime
        • Case Facts: General Background
        • Specific Issue
        • Developing the Approach
        • Understanding the Issues
      • The FMECA Process
        • Bringing It All Together
      • Conclusion
      • Questions
      • Notes
      • References
      • About the Contributor
    • 22 JAA Inc.—A Case Study in Creating Value from Uncertainty: Best Practices in Managing Risk
      • Setting the Context
        • Business Background
        • Initial Steps: Strategic Planning and Business Objectives
        • Establishing the Governance System
        • Business Operations
        • External Auditors
        • Evolution of Risk Management
      • Introduction of ISO 31000 and HB 436 to the Company
        • Defining the Context of JAA
        • Defining Risk Criteria
        • Bringing Everything Together
        • Moving Forward: Overseeing Strategy and Risks
        • Looking to the Future: JAA’s Management of Uncertainty
      • Appendix A: JAA Inc. Financial Statements
      • Appendix B: Risk Management Policy
        • Purpose
        • Scope
        • Objectives of Risk Management
        • Terminology
        • Risk Oversight Principles
        • Roles and Responsibilities
        • Risk Management Methodology
        • General Risk Management Policies
      • Part A – Questions
      • Part B – Questions
      • Notes
      • References
      • About the Contributors
    • 23 Control Complacency: Rogue Trading at Société Générale
      • Part One: Kerviel’s Trial—A Media Circus
        • Société Générale—The Rise of Trading
        • From Business to Retail to Investment Banking, from Private to Public to State Ownership
        • CIB Gets a Boost from Trading Talent
        • Société Générale Group Snapshot, December 2006
        • Jérôme Kerviel, an Ambitious Outsider
        • At First a Few Side Bets, Then Massive Speculation
        • Discovery, Damage Control, and Retribution
        • Postmortem
        • Managerial Supervision
        • Control Environment
        • System Reliability
        • Risk-Sensitive Culture
        • Who Was to Blame?
        • Exercise
      • Part Two: Outcome and Lessons Learned
        • What Actually Happened
      • Questions
      • References
      • About the Contributor
    • 24 The Role of VaR in Enterprise Risk Management: Calculating Value at Risk for Portfolios Held by the Vane Mallory Investment Bank
      • Risk and Value at Risk Overview
        • Value at Risk
        • History, Characteristics, and Assumptions of VaR
        • Advantages and Criticisms of VaR
        • Calculating Value at Risk
      • Your Task: Calculating Portfolio VaR for Vane Mallory
        • Portfolio 1: Energy Commodities
        • Portfolio 2: Equities
      • Conclusion
      • Questions
      • Notes
      • References
      • About the Contributors
    • 25 Uses of Efficient Frontier Analysis in Strategic Risk Management: A Technical Examination
      • Strategic Risk Management Framework Examined
      • Modern Portfolio Theory as a Foundation for Efficient Frontier Analysis
      • Practical Applications of Risk Measurement for Insurance
        • Modern Portfolio Theory (MPT)
        • Efficient Frontier Insurance Framework
      • Sample Case Study
        • Case Study General Findings
      • Intended Uses for Our Approach
      • Modern Portfolio Concerns Contained in the Framework
      • Consideration of Behavioral Concerns in Structure
      • Questions
      • Acknowledgments
      • Notes
      • References
      • About the Contributors
  • PART 5 Mini-Cases on ERM and Risk
    • 26 Bim Consultants Inc.
      • Questions
      • About the Contributor
    • 27 Nerds Galore
      • Questions
      • About the Contributor
    • 28 The Reluctant General Counsel
      • Questions
      • About the Contributor
    • 29 Transforming Risk Management at Akawini Copper
      • The Acquisition and Due Diligence
      • The Transformation Process
      • Gaining Senior Management Ownership for Transformation
      • The Transformation Plan
      • Questions
      • Notes
      • Reference
      • About the Contributor
    • 30 Alleged Corruption at Chessfield: Corporate Governance and the Risk Oversight Role of the Board of Directors
      • Chessfield Inc. and Its Board of Directors
      • Whistle-Blower Complaint
      • Message from the CEO Requesting to Meet the Author
      • Governance Documents, Interviews, and On-Site Observation Requested by the Author
        • Document Review
        • Interview Data
      • CEO Compensation Issue
      • Risk Management
      • Self-Dealing Issue
        • Board Composition
        • Preparation of the Author’s Report and Communication with the Regulator
      • Chessfield Board Meeting to Discuss the Author’s Recommendations
      • Two Contentious Recommendations
        • Recommending a Woman to Serve on the Board
      • Conclusion
      • Questions
      • Notes
      • References
      • About the Contributor
    • 31 Operational Risk Management Case Study: Bon Boulangerie
      • Question
      • About the Contributor
  • PART 6 Other Case Studies
    • 32 Constructive Dialogue and ERM: Lessons from the Financial Crisis
      • Constructive Dialogue: The Essential Difference between Firms That Navigated the Crisis and Those That Failed
      • Successful Firms: JPMorgan Chase, Goldman Sachs, Wells Fargo, and TD Bank
        • JPMorgan Chase
        • Goldman Sachs
        • Wells Fargo
        • Toronto Dominion Bank (TD Bank)
      • Firms That Failed to Navigate the Crisis
      • JPMorgan Chase after the Crisis: The Perils of Hubris
      • Conclusion
      • Questions
      • Notes
      • About the Contributor
    • 33 Challenges and Obstacles of ERM Implementation in Poland
      • Methodology to Diagnose the Status of ERM Implementation
      • Main Issues in Poland’s ERM Implementation
      • Board Perception of ERM: “We Have to Change the Way We Run the Business, Because Lack of ERM Creates Inefficient Management”
      • Who Is Getting Management Buy-In for ERM?
      • Specific Challenges and Obstacles Observed in Risk Management
        • Terminology
        • Principles
        • Risk Management Frameworks
        • Risk Owners
        • Organizational Placement of ERM
        • The Influence of the Size of Organizations
        • Risk Management Process
      • We Have to Build the Chief Risk Officer Risk Manager Profession from Scratch
      • What Numbers Say about ERM Maturity
      • Risk Management Framework—Accountability
      • Impact of the Risk Assessment Tools on the Performance of the Companies
      • Capital Allocation: A Frequently Missed Part of the ERM Framework and Risk Treatment
      • Conclusion
      • Questions
      • Notes
      • References
      • About the Contributors
    • 34 Turning Crisis into Opportunity: Building an ERM Program at General Motors
      • Background and Implementation
      • General Motors' Approach to Enterprise Risk Management
        • Lessons Learned: Identifying Risks
        • Lessons Learned: Developing Top Risks Lists and Reporting to Senior Management
        • Lessons Learned: Understanding Corporate Culture
        • Lessons Learned: Strategic Risk Mitigation and Decision Support
      • Game Theory
        • War Gaming and Scenario Planning
      • Looking Forward
      • Conclusion
      • Questions
      • Notes
      • About the Contributors
    • 35 ERM at Malaysia's Media Company Astro: Quickly Implementing ERM and Using It to Assess the Risk-Adjusted Performance of a Portfolio of Acquired Foreign Companies
      • Malaysia
        • The Astro Group
      • Corporate Governance in Malaysia
      • Enterprise Risk Management at Astro
      • Astro Overseas Limited
      • Evolution of ERM at AOL
      • Role of ERM in the Acquisition Process
        • The Monitor and Review Step—Focus of AOL’s ERM
      • Risk Profile: Risk Map and Action Plans
      • The Investment Performance Dashboard
      • Helping the Board Make Investment Decisions
      • Conclusion
      • Questions
      • Notes
      • References
      • About the Contributors
  • About the Editors
  • Index
  • EULA