erm excellence: pushing past barriers€¦ · erm excellence: pushing past barriers randy nornes...

ERM Excellence:

Pushing Past Barriers

Randy Nornes

Executive Vice President

Aon Risk Services

ERM Roundtable – NC State University

Raleigh, NC

February 23, 2007

1

Risk Consulting

This information is confidential and proprietary to Aon and should not be released to third parties without Aon’s written consent.

q Current state of ERM

q Defining value

q Implementation ideas

q Risk Management Excellence

q Case studies

q The Path Forward

Agenda

Current State of ERM

3

Risk Consulting


Balance Diverse Interests of Internal and External Stakeholders

RISK MANAGEMENT

Business Units Pressure to grow revenue Focus on business opportunities Upside of risk

Internal Requirements External Requirements Shareholders / Investors

Pressure to maximize value creation Focus on stock price performance Expect attractive returns on capital

Debtholders / Policyholders / Rating Agencies / Regulators

Emphasis on capital structure Minimize risk of default Sound Risk Management practices

Control and Compliance Emphasis on control of earnings volatility and

business performance consistency Compliance regulatory and internal requirements

Growth

Capital Governance

Returns

Organizational

Goals & Objectives

Value Creation Performance Productivity

Risk vs. Reward

Financial Strength Conformance Adequacy

Risk vs. Capital

4

Risk Consulting


Elements of ERM as outlined in the framework:

q Is a process q Is effected by people q Is applied in strategy setting q Is applied across the enterprise q Is designed to identify potential events q Manages risks within risk appetite q Provides “reasonable assurance” q Supports achievement of key objectives

Source: COSO ERM Framework

ERM Framework

5

Risk Consulting


Critical Components of an ERM Framework

Develop Strategies, Implement Solutions, Optimize Cost of Risk

Design an ERM Structure for Value Creation

Assess and Measure Risks

Monitor and Report what Matters,

Continuously Improve

Business Objectives

and Strategies

6

Risk Consulting


• Risk Assessment and Mapping

• Risk Bearing Capacity/ Appetite

• Risk Quantification • Benchmarking • Gap Analysis

Baseline & Gap Analysis

Implem

entation Plan

RM Strategies &

Solutions Design

IT security

Crisis Management & Recovery

Business / Revenue Continuity

Employee Selection & Retention

RM Practices and Controls

Hedging, Forward Contracts

Riskbased Capital Allocation

Lobbying, Regulatory Monitoring

Assess Design Execute Value capture

Safety & Security Programs

Organizational • Riskbased Decision Making

• Accountability & Discipline

• Ethics & Integrity

• Compliance

Economic • Net Income Lift • Balance Sheet Protection

• Earnings Volatility Benefit

• Recovery Benefit

Risk Evaluation

Measurement, Reporting, Continuous Improvement Data / IT Support

Risk Financing, Insurance Program

Have we made this too complex?

7

Risk Consulting


Current State Assessment q Risk management is becoming more complex q Most companies have a widerange of risk management

activities underway ü ERM ü SarbanesOxley ü Compliance ü Operations ü Risk committees

q Unfortunately, many companies lack a coherent vision for risk management

q Senior management and board members often have differing views of what information they would like to see from risk management

q Rating agencies are assessing risk management quality as part of their overall rating process

8

Risk Consulting


ERM: Are we there yet?

q ERM has emerged as a major force

q Companies are pouring significant human and financial resources into ERM efforts

q Results have been mixed

q Some companies have experienced significant, measurable results

q Other companies have seen promising ERM efforts fade due to lack of resources, lukewarm support or lack of focus

q Many companies find it difficult to build sustainable value after completing the framework phase

Defining Value

10

Risk Consulting


Defining Value

ERM Value Propositions

Improved resource allocation

Increased operational efficiency

Greater transparency of risk Possible reduction in earnings volatility

Optimized capital allocation

Improved regulatory standing

Consistent framework for risk

Enhanced risk reporting

Improved compliance

Enhanced risk corporate governance Keeping resources focused on those activities that matter most to the organization

Common and deep knowledge of critical business and organizational risks Structured process to allocate

capital based on those businesses that are the most risky to the organization

Everyone in the organization has the ability to define, treat, and manage risk in a homogeneous fashion

Provide confidence that risks are being identified and managed in a constructive fashion

11

Risk Consulting


ERM Potential Benefits q Integrate with business planning and value management processes

q Avoid missing key risks and losing vital opportunities

q Optimize balance between capital preservation and growth/profitgeneration

Establish Sustainable Competitive Advantage

q Support more informed/proactive risk management decisions aligned with business objectives/strategies

q Link to enterprise performance, measurement and monitoring

q Reduce volatility and prevent surprises

Improve Business Performance

q Minimize risk averse behavior q Develop costeffective risk strategies and solutions

q Eliminate redundant or unnecessary risk controls

Manage Risk at a Lower Cost

Implementation Ideas

13

Risk Consulting


q Changing culture to be more risk assumptive through better risk adjusted decision making

q Proactive engagement on and awareness of all key risks

q More effective postloss response through improved risk event readiness

q Consistent and actionable risk metrics

q Value added management and governance reporting

q Analytical and data supported risk assessments

q Communication clarity through common risk vocabulary

ERM Strategic Objectives

14

Risk Consulting


Defining Risk Assessment Objectives

Measures and metrics will be driven by an organization’s objectives as well as the intended audience: q Board reporting

q External reporting

q Internal management

q Capital allocation

q Regulatory compliance

15

Risk Consulting


Critical Success Factors

q Senior management support

q Clearly defined vision

q Regular and open communication among the team

q Realistic expectations regarding timelines and deliverables

q Sufficient resource allocation for implementation and followthrough

q Linkage to organizational success factors, strategies and processes

16

Risk Consulting


Common Obstacles

q Inability to demonstrate immediate, quantifiable return on investment

q Internal competition among business units

q Easy to get lost in the “framework” or “run out of gas”

q Cultural incompatibility

q Limited technology / tools

q Inadequate or conflicting executive support

q Fail to grow beyond project phase into a sustainable process

17

Risk Consulting


ERM Process Outcomes

q Improved competitive position

q Improved strategic planning process

q Optimize capital allocation

q Continued rating agency confidence

q Effective critical event response

q Acceptable approach for measuring intangible or “soft” risks

q Better decision making relative to risks assumed

q Satisfy governance need for risk information

18

Risk Consulting


Defining Risk Appetite

Defining an organization’s risk appetite creates a focal point for relevant measures and metrics

q Measurements may focus on:

ü Financial terms

ü Operational parameters

– Business disruption

– Quality

– Customer satisfaction

ü Reputation impact

19

Risk Consulting


Creating a Dynamic Process

q What role will technology play in the process?

ü Risk assessment tools

ü Risk modeling

ü Risk dashboard

q How will information be updated?

q How will risk owners, risk management, internal audit share information?

Risk Management Excellence

21

Risk Consulting



q Risk management excellence transcends the various projects and activities that comprise risk management within an organization

q In order to define risk management excellence, the company must resolve a series of key questions: ü What are the goals of the company’s risk management efforts?

ü How does the company define risk management excellence?

ü What is the current state of risk management?

ü Where are the gaps?

ü What are the priorities?

ü How will success be measured?

q In the end, risk management must deliver measurable impact on the company’s operating performance

22

Risk Consulting


Risk Management Excellence Process

Phase I Information Gathering

• Conduct interview / gather information

• Identify risk universe

• Define and develop cost of risk data

• Conduct gap analysis

Phase II Setting the Stage

• Develop overall risk management vision

• Create risk management scorecard / Gap analysis

• Identify key risk projects / activities needed to achieve risk management excellence

• Understand cost / benefit of potential risk management strategies

Phase III Executive Support

• Obtain support of risk management leaders

• Present overall objectives and plan to senior management

• Develop teams and tools

• Get moving

• Deliver defined projects

• Update progress toward overall vision

• Measure performance

• Create linkage to next steps

• Build feedback loop to ensure continued progress toward goals

Phase IV Implementation

23

Risk Consulting


Using Scorecards to Identify Gaps

24

Risk Consulting


Avoid

Determine Risk Strategies § Avoid § Retain § Reduce § Transfer § Leverage

Taking Action

Retain

Reduce

Transfer

Leverage

§ Divest § Prohibit § Stop § Target § Screen § Eliminate • Accept

• Reprice • Self insure • Offset • Plan

• Disperse • Control • Reorganize • Reengineer

• Insure • Reinsure • Hedge • Securitize • Share • Outsource • Indemnify

• Allocate • Diversify • Expand • Create • Redesign • Arbitrage • Renegotiate • Influence

25

Risk Consulting



Defined Risk Objectives

Cost of Risk Model

Data Strategy • Exposure • Losses • Reporting •Technology

Riskbearing Capacity

Risk Assessment • Internal • External

Benchmarking

Risk Mapping • Prioritization • Impact / Likelihood

Risk Quantification • Gross vs. Net • Portfolio Analysis

Risk Mitigation • Process change • Loss control

Risk Transfer • Limits • Retentions • Captive structures

Alternative Risk Transfer • Captives • Capital Markets • Finite Risk

Management / Board Reporting Tools

Dynamic Cost of Risk Tracking

Risk Dashboard

Enterprise Risk Structure • Risk committee • Chief Risk Officer • Crossfunctional risk group

Core Components Analysis Strategy

Execution /

Monitoring

Case Studies

27

Risk Consulting


Case Study #1: Fast Growing Company

q Highly successful, profitable company

q Recent patent litigation surprise created temporary cash and credit crunch

q Audit committee wanted an overview of key risks facing the company

q Risk committee was formed to coordinate the effort

q Team conducted interviews with over 50 executives, supplemented by over 80 surveys

28

Risk Consulting


Project Objectives

q Has the company identified all its critical risks ?

q Does the company have effective controls for managing its critical risks?

q Are the risks greater now than they were 12 24 months ago (earnings pressure, continued acquisitions and internal strategic initiatives)?

q Are these risks within acceptable limits?

q Is the right level of information reported to Senior Management and the Board?

29

Risk Consulting


Project Results

q Provided information to senior management and the Audit Committee

q Developed models for key risks based on potential impact on:

ü Revenue

ü EPS

ü Cash

ü Reputation

q Examined current and potential risk mitigation opportunities, including risk transfer and selffunding

q Created a framework for more effective decisionmaking regarding supply chain management, site selection and inventory management

30

Risk Consulting


Case Study # 2: Manufacturing Company

q Company had a welldeveloped risk management process

q Top risks for each of the business were routinely assessed and evaluated

q Due to lack of internal data, limited effort had been made to quantify the potential impact of events

q Recent supply chain problems had highlighted previous unmeasured vulnerabilities

q Project team developed customized risk models for the top five risks of each business unit

31

Risk Consulting


Project Results q Delivered working risk models to each business unit

q Risk models were used to develop “underwriting models” for potential risk transfer / mitigation solutions

q Company expanded the use of existing captive insurance company and finite risk insurance arrangements to address key issues

q Event risk maps helped uncover critical decision points that could substantially alter the overall risk exposure

q Changes were made in supply contracts, inventory levels and contingent business interruption coverage as a result of the analysis

32

Risk Consulting


Case Study #3: Consumer Products Company

q Fortune 100 consumer products company

q Treasurer and Risk Manager had identified 17 key risks under their charge

q Company wanted to develop a quantitative approach to better evaluate risk decisions

q Solution: Risk modeling project to help evaluate the optimal risk strategy

33

Risk Consulting


Project Results

q Project focused on the analysis of internal and external risk data

q Creation of individual and portfolio risk models

q Risk mitigation and transfer alternatives were tested using the models, resulting in significant changes

q Company was able to demonstrate the value of additional risk retention and the use of internal funding (via a captive insurance subsidiary)

q Risk finance and mitigation resources were reallocated to optimize the company’s risk management efforts

34

Risk Consulting


Case Study #4: Hospital

q Mediumsized hospital looking to achieve excellence in health care by surpassing standards set in “The New American Hospital” and the Malcolm Baldrige National Quality Award

q Key objective: conduct a comprehensive risk assessment

q Project involved:

ü Interviews with key personnel (management, physicians and nurses)

ü Creation of a risk inventory

ü Benchmarking of current risk management approaches and quality of care against industry standards and best practices

ü Evaluation of current risk mitigation methods

35

Risk Consulting


Hospital ERM Project Results

q Identified and prioritized key enterprise risks

q Recommended improved approaches for risk management

q Opportunities for improvement included:

ü Implementation of clinical best practices and rapid response teams to reduce cardiac complication rates

ü Diversification of services to counteract the impact of Medicare reform

ü Contingency planning around key physicians and sole source service providers

ü Improvement of the contract oversight and document retention process to minimize legal liabilities

36

Risk Consulting


Case Study #5: Capital One

Capital One's stock plummeted by 39%, falling from a $50.60 per share close on July 16 to $30.48 per share by the close of July 17; a drop of roughly $4B in market value.

Capital One signed an "informal memorandum of understanding" with bank regulators. More than a dozen class actions were filed charging the credit card issuer with securities fraud for misleading shareholders about its financial health and its compliance with bank regulations.

July 2002, 8K filing: the company publicly commits to enhance its enterprise risk management and internal control environment.

Risk management capabilities designed and implemented across the organization.

The Path Forward

38

Risk Consulting


Policies, processes

and practices defined and formalized across the organization

Risks measured,

managed and aggregated

on an enterprise wide basis

Organization focused

on RM as a source of competitive advantage

and continuous improvement

Initial Established Uniform Managed Optimizing

Capabilities are

characteristic of individuals, not of the

organization

Process established

and repeating: reliance on people is reduced

OPPORTUNITY RISK

Systematically Build and Improve Risk Management Capabilities

The Path Forward Building Risk Capabilities

39

Risk Consulting


Questions to Consider

q Is ERM adding value for your organization?

q Is the ERM effort stalled or is progress being made?

q Are there parallel risk management efforts that fall outside of the ERM process?

q What can be done to automate the ERM process?

q Are there high impact “drilldown” projects that will deliver ERM value?

q Is ERM sustainable after the project team has moved on to other assignments?

40

Risk Consulting


Randy Nornes Aon Risk Services

Enterprise Risk Management

312.381.4539 [email protected]

41

Risk Consulting


We recognize that our clients’ industries are extremely competitive and maintaining confidentiality is of the utmost importance. Accordingly, Aon takes seriously its obligation to protect the confidentiality of client information.

Similarly, we view our approaches and insights as proprietary and therefore look to our clients to protect Aon interests in our presentations, methodologies, and analytical techniques. Under no circumstances should the material in this report be shared with any third party without the written consent of Aon.

Copyright © 2007 Aon

Confidentiality

erm excellence: pushing past barriers€¦ · erm excellence: pushing past barriers randy nornes...

Documents