ERM Excellence:
Pushing Past Barriers
Randy Nornes
Executive Vice President
Aon Risk Services
ERM Roundtable – NC State University
Raleigh, NC
February 23, 2007
Risk Consulting
This information is confidential and proprietary to Aon and should not be released to third parties without Aon’s written consent.
Agenda
• Current state of ERM
• Defining value
• Implementation ideas
• Risk Management Excellence
• Case studies
• The Path Forward
Current State of ERM
Balance Diverse Interests of Internal and External Stakeholders
RISK MANAGEMENT
Internal Requirements / External Requirements
Business Units
• Pressure to grow revenue
• Focus on business opportunities
• Upside of risk
Shareholders / Investors
• Pressure to maximize value creation
• Focus on stock price performance
• Expect attractive returns on capital
Debtholders / Policyholders / Rating Agencies / Regulators
• Emphasis on capital structure
• Minimize risk of default
• Sound Risk Management practices
Control and Compliance
• Emphasis on control of earnings volatility and business performance consistency
• Compliance regulatory and internal requirements
[Diagram labels: Growth; Capital; Governance; Returns; Organizational Goals & Objectives; Value Creation, Performance, Productivity; Risk vs. Reward; Financial Strength, Conformance, Adequacy; Risk vs. Capital]
ERM Framework
Elements of ERM as outlined in the framework:
• Is a process
• Is effected by people
• Is applied in strategy setting
• Is applied across the enterprise
• Is designed to identify potential events
• Manages risks within risk appetite
• Provides “reasonable assurance”
• Supports achievement of key objectives
Source: COSO ERM Framework
Critical Components of an ERM Framework
• Develop Strategies, Implement Solutions, Optimize Cost of Risk
• Design an ERM Structure for Value Creation
• Assess and Measure Risks
• Monitor and Report what Matters, Continuously Improve
• Business Objectives and Strategies
Have we made this too complex?
Assess / Design / Execute / Value capture
Baseline & Gap Analysis
• Risk Assessment and Mapping
• Risk Bearing Capacity / Appetite
• Risk Quantification
• Benchmarking
• Gap Analysis
Implementation Plan
RM Strategies & Solutions Design
IT security
Crisis Management & Recovery
Business / Revenue Continuity
Employee Selection & Retention
RM Practices and Controls
Hedging, Forward Contracts
Risk-based Capital Allocation
Lobbying, Regulatory Monitoring
Safety & Security Programs
Organizational
• Risk-based Decision Making
• Accountability & Discipline
• Ethics & Integrity
• Compliance
Economic
• Net Income Lift
• Balance Sheet Protection
• Earnings Volatility Benefit
• Recovery Benefit
Risk Evaluation
Measurement, Reporting, Continuous Improvement
Data / IT Support
Risk Financing, Insurance Program
Current State Assessment
• Risk management is becoming more complex
• Most companies have a wide range of risk management activities underway
  – ERM
  – Sarbanes-Oxley
  – Compliance
  – Operations
  – Risk committees
• Unfortunately, many companies lack a coherent vision for risk management
• Senior management and board members often have differing views of what information they would like to see from risk management
• Rating agencies are assessing risk management quality as part of their overall rating process
ERM: Are we there yet?
• ERM has emerged as a major force
• Companies are pouring significant human and financial resources into ERM efforts
• Results have been mixed
• Some companies have experienced significant, measurable results
• Other companies have seen promising ERM efforts fade due to lack of resources, lukewarm support or lack of focus
• Many companies find it difficult to build sustainable value after completing the framework phase
Defining Value
Defining Value
ERM Value Propositions
• Improved resource allocation
• Increased operational efficiency
• Greater transparency of risk
• Possible reduction in earnings volatility
• Optimized capital allocation
• Improved regulatory standing
• Consistent framework for risk
• Enhanced risk reporting
• Improved compliance
• Enhanced risk corporate governance
Keeping resources focused on those activities that matter most to the organization
Common and deep knowledge of critical business and organizational risks
Structured process to allocate capital based on those businesses that are the most risky to the organization
Everyone in the organization has the ability to define, treat, and manage risk in a homogeneous fashion
Provide confidence that risks are being identified and managed in a constructive fashion
ERM Potential Benefits
Establish Sustainable Competitive Advantage
• Integrate with business planning and value management processes
• Avoid missing key risks and losing vital opportunities
• Optimize balance between capital preservation and growth/profit generation
Improve Business Performance
• Support more informed/proactive risk management decisions aligned with business objectives/strategies
• Link to enterprise performance, measurement and monitoring
• Reduce volatility and prevent surprises
Manage Risk at a Lower Cost
• Minimize risk averse behavior
• Develop cost-effective risk strategies and solutions
• Eliminate redundant or unnecessary risk controls
Implementation Ideas
ERM Strategic Objectives
• Changing culture to be more risk assumptive through better risk-adjusted decision making
• Proactive engagement on and awareness of all key risks
• More effective post-loss response through improved risk event readiness
• Consistent and actionable risk metrics
• Value added management and governance reporting
• Analytical and data supported risk assessments
• Communication clarity through common risk vocabulary
Defining Risk Assessment Objectives
Measures and metrics will be driven by an organization’s objectives as well as the intended audience:
• Board reporting
• External reporting
• Internal management
• Capital allocation
• Regulatory compliance
Critical Success Factors
• Senior management support
• Clearly defined vision
• Regular and open communication among the team
• Realistic expectations regarding timelines and deliverables
• Sufficient resource allocation for implementation and follow-through
• Linkage to organizational success factors, strategies and processes
Common Obstacles
• Inability to demonstrate immediate, quantifiable return on investment
• Internal competition among business units
• Easy to get lost in the “framework” or “run out of gas”
• Cultural incompatibility
• Limited technology / tools
• Inadequate or conflicting executive support
• Fail to grow beyond project phase into a sustainable process
ERM Process Outcomes
• Improved competitive position
• Improved strategic planning process
• Optimize capital allocation
• Continued rating agency confidence
• Effective critical event response
• Acceptable approach for measuring intangible or “soft” risks
• Better decision making relative to risks assumed
• Satisfy governance need for risk information
Defining Risk Appetite
Defining an organization’s risk appetite creates a focal point for relevant measures and metrics
• Measurements may focus on:
  – Financial terms
  – Operational parameters
    – Business disruption
    – Quality
    – Customer satisfaction
  – Reputation impact
Creating a Dynamic Process
• What role will technology play in the process?
  – Risk assessment tools
  – Risk modeling
  – Risk dashboard
• How will information be updated?
• How will risk owners, risk management, internal audit share information?
Risk Management Excellence
Risk Management Excellence
• Risk management excellence transcends the various projects and activities that comprise risk management within an organization
• In order to define risk management excellence, the company must resolve a series of key questions:
  – What are the goals of the company’s risk management efforts?
  – How does the company define risk management excellence?
  – What is the current state of risk management?
  – Where are the gaps?
  – What are the priorities?
  – How will success be measured?
• In the end, risk management must deliver measurable impact on the company’s operating performance
Risk Management Excellence Process
Phase I Information Gathering
• Conduct interview / gather information
• Identify risk universe
• Define and develop cost of risk data
• Conduct gap analysis
Phase II Setting the Stage
• Develop overall risk management vision
• Create risk management scorecard / Gap analysis
• Identify key risk projects / activities needed to achieve risk management excellence
• Understand cost / benefit of potential risk management strategies
Phase III Executive Support
• Obtain support of risk management leaders
• Present overall objectives and plan to senior management
• Develop teams and tools
• Get moving
• Deliver defined projects
• Update progress toward overall vision
• Measure performance
• Create linkage to next steps
• Build feedback loop to ensure continued progress toward goals
Phase IV Implementation
Using Scorecards to Identify Gaps
Taking Action
Determine Risk Strategies: Avoid, Retain, Reduce, Transfer, Leverage
Avoid: Divest, Prohibit, Stop, Target, Screen, Eliminate
Retain: Accept, Reprice, Self insure, Offset, Plan
Reduce: Disperse, Control, Reorganize, Reengineer
Transfer: Insure, Reinsure, Hedge, Securitize, Share, Outsource, Indemnify
Leverage: Allocate, Diversify, Expand, Create, Redesign, Arbitrage, Renegotiate, Influence
Risk Management Excellence
Core Components | Analysis | Strategy | Execution / Monitoring
Defined Risk Objectives
Cost of Risk Model
Data Strategy
• Exposure
• Losses
• Reporting
• Technology
Risk-bearing Capacity
Risk Assessment
• Internal
• External
Benchmarking
Risk Mapping
• Prioritization
• Impact / Likelihood
Risk Quantification
• Gross vs. Net
• Portfolio Analysis
Risk Mitigation
• Process change
• Loss control
Risk Transfer
• Limits
• Retentions
• Captive structures
Alternative Risk Transfer
• Captives
• Capital Markets
• Finite Risk
Management / Board Reporting Tools
Dynamic Cost of Risk Tracking
Risk Dashboard
Enterprise Risk Structure
• Risk committee
• Chief Risk Officer
• Cross-functional risk group
Case Studies
Case Study #1: Fast Growing Company
• Highly successful, profitable company
• Recent patent litigation surprise created temporary cash and credit crunch
• Audit committee wanted an overview of key risks facing the company
• Risk committee was formed to coordinate the effort
• Team conducted interviews with over 50 executives, supplemented by over 80 surveys
Project Objectives
• Has the company identified all its critical risks?
• Does the company have effective controls for managing its critical risks?
• Are the risks greater now than they were 12-24 months ago (earnings pressure, continued acquisitions and internal strategic initiatives)?
• Are these risks within acceptable limits?
• Is the right level of information reported to Senior Management and the Board?
Project Results
• Provided information to senior management and the Audit Committee
• Developed models for key risks based on potential impact on:
  – Revenue
  – EPS
  – Cash
  – Reputation
• Examined current and potential risk mitigation opportunities, including risk transfer and self-funding
• Created a framework for more effective decision-making regarding supply chain management, site selection and inventory management
Case Study #2: Manufacturing Company
• Company had a well-developed risk management process
• Top risks for each of the businesses were routinely assessed and evaluated
• Due to lack of internal data, limited effort had been made to quantify the potential impact of events
• Recent supply chain problems had highlighted previously unmeasured vulnerabilities
• Project team developed customized risk models for the top five risks of each business unit
Project Results
• Delivered working risk models to each business unit
• Risk models were used to develop “underwriting models” for potential risk transfer / mitigation solutions
• Company expanded the use of existing captive insurance company and finite risk insurance arrangements to address key issues
• Event risk maps helped uncover critical decision points that could substantially alter the overall risk exposure
• Changes were made in supply contracts, inventory levels and contingent business interruption coverage as a result of the analysis
Case Study #3: Consumer Products Company
• Fortune 100 consumer products company
• Treasurer and Risk Manager had identified 17 key risks under their charge
• Company wanted to develop a quantitative approach to better evaluate risk decisions
• Solution: Risk modeling project to help evaluate the optimal risk strategy
Project Results
• Project focused on the analysis of internal and external risk data
• Creation of individual and portfolio risk models
• Risk mitigation and transfer alternatives were tested using the models, resulting in significant changes
• Company was able to demonstrate the value of additional risk retention and the use of internal funding (via a captive insurance subsidiary)
• Risk finance and mitigation resources were reallocated to optimize the company’s risk management efforts
Case Study #4: Hospital
• Medium-sized hospital looking to achieve excellence in health care by surpassing standards set in “The New American Hospital” and the Malcolm Baldrige National Quality Award
• Key objective: conduct a comprehensive risk assessment
• Project involved:
  – Interviews with key personnel (management, physicians and nurses)
  – Creation of a risk inventory
  – Benchmarking of current risk management approaches and quality of care against industry standards and best practices
  – Evaluation of current risk mitigation methods
Hospital ERM Project Results
• Identified and prioritized key enterprise risks
• Recommended improved approaches for risk management
• Opportunities for improvement included:
  – Implementation of clinical best practices and rapid response teams to reduce cardiac complication rates
  – Diversification of services to counteract the impact of Medicare reform
  – Contingency planning around key physicians and sole source service providers
  – Improvement of the contract oversight and document retention process to minimize legal liabilities
Case Study #5: Capital One
Capital One's stock plummeted by 39%, falling from a $50.60 per share close on July 16 to $30.48 per share by the close of July 17; a drop of roughly $4B in market value.
Capital One signed an "informal memorandum of understanding" with bank regulators. More than a dozen class actions were filed charging the credit card issuer with securities fraud for misleading shareholders about its financial health and its compliance with bank regulations.
July 2002, 8-K filing: the company publicly commits to enhance its enterprise risk management and internal control environment.
Risk management capabilities designed and implemented across the organization.
The Path Forward
The Path Forward: Building Risk Capabilities
Systematically Build and Improve Risk Management Capabilities
• Initial: Capabilities are characteristic of individuals, not of the organization
• Established: Process established and repeating: reliance on people is reduced
• Uniform: Policies, processes and practices defined and formalized across the organization
• Managed: Risks measured, managed and aggregated on an enterprise wide basis
• Optimizing: Organization focused on RM as a source of competitive advantage and continuous improvement
[Diagram labels: OPPORTUNITY; RISK]
Questions to Consider
• Is ERM adding value for your organization?
• Is the ERM effort stalled or is progress being made?
• Are there parallel risk management efforts that fall outside of the ERM process?
• What can be done to automate the ERM process?
• Are there high impact “drill-down” projects that will deliver ERM value?
• Is ERM sustainable after the project team has moved on to other assignments?
Randy Nornes Aon Risk Services
Enterprise Risk Management
312.381.4539 [email protected]
We recognize that our clients’ industries are extremely competitive and maintaining confidentiality is of the utmost importance. Accordingly, Aon takes seriously its obligation to protect the confidentiality of client information.
Similarly, we view our approaches and insights as proprietary and therefore look to our clients to protect Aon interests in our presentations, methodologies, and analytical techniques. Under no circumstances should the material in this report be shared with any third party without the written consent of Aon.
Copyright © 2007 Aon
Confidentiality