Implementing an Enterprise Risk Management program Robert Serena April 2015

Post on 10-Aug-2015


Page 1: Robert Serena - Implementing an Enterprise Risk Management program

Implementing an Enterprise Risk Management program

Robert Serena

April 2015

Page 2

About the author

Mr. Serena is a Risk Management and Actuarial executive with more than 25 years of experience across the energy, insurance, banking, professional services, and manufacturing industries.

He is an accomplished architect of business frameworks which optimize commercial results, control risk exposure, prevent financial loss, and ensure compliance with regulatory requirements, and has a proven ability to develop and implement strategies, processes, and tools to best identify, assess, and mitigate risks, with strong experience across all risk factors - Strategic, Enterprise, Operational, Market, Credit, Insurable, and Regulatory Compliance.

Areas of technical expertise:

• Insurance: Legal, contractual structure, and pricing considerations of Commercial insurance coverage lines (Property, Commercial General Liability, Workers Compensation, Business Interruption, Professional Liability, Excess Liability, and Reinsurance), and Personal Insurance coverage lines (Life, Annuities, Disability Income, and Health).

• Enterprise Risk Management Frameworks: COSO, ISO 31000, Sarbanes Oxley.

• Financial/Quantitative Analytics: Discounted Cash Flow valuation, Insurance Product pricing, Asset Adequacy testing, Derivative valuation, Financial Planning & Analysis.

• Regulatory Compliance: Insider Trading legislation (Securities & Exchange Act of 1934 (US), Financial Services and Markets Act 2000 (UK)), Anti-Bribery & Corruption legislation (Foreign Corrupt Practices Act (US), UK Bribery Act 2010), Gramm–Leach–Bliley Act (US), and Dodd-Frank.

• Information Risk Management: Medium and large-scale system implementations, Information Security frameworks, Software Development, Records Management, Data Privacy.

• Learning & Development: Developing robust and cost-effective suites of training materials across a range of topical areas, including Health, Safety and Environment concepts, legal and regulatory changes, risk management methodologies, and project management techniques.

Robert Serena, FSA, CPCU, CFA, FRM

Page 3

What is the definition of Enterprise Risk Management?

• Committee of Sponsoring Organizations (COSO) - Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

• International Organization for Standardization (ISO 31000) - A strategic organizational approach that supports the achievement of the institution’s objectives by addressing the full spectrum (reputational, strategic, financial, operational and compliance) of its risks and managing the combined impact as an interrelated set of risks.

• Society of Actuaries - Enterprise risk management (ERM) is the process of coordinated risk management that places a greater emphasis on cooperation among departments to manage the organization’s full range of risks as a whole. ERM offers a framework for effectively managing uncertainty, responding to risk and harnessing opportunities as they arise. Unlike previous risk management practices, the concept of ERM embodies the notion that risk analysis cuts across the entire organization. The goal of ERM is to better understand the shock resistance of the enterprise to its key risks and to better manage enterprise risk exposure to the level desired by senior management.

Page 4

What are the different risk types that impact the “enterprise”?

• Strategic Risk - The risk associated with future business plans and strategies, including plans for entering new business lines, expanding existing services through mergers and acquisitions, enhancing infrastructure, etc.

• Operational Risk - The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

• Regulatory Risk - The risk that a change in laws and regulations will materially impact a security, business, sector or market. A change in laws or regulations made by the government or a regulatory body can increase the costs of operating a business, reduce the attractiveness of investment and/or change the competitive landscape.

• Insurable Risk - A risk that meets the ideal criteria for efficient insurance. The concept underlies nearly all insurance decisions. To be insurable, several things must be true:

  • The insurer must be able to charge a premium high enough to cover not only claims expenses, but also to cover the insurer's expenses. In other words, the risk cannot be catastrophic, or so large that no insurer could hope to pay for the loss.

  • The nature of the loss must be definite and financially measurable. That is, there should not be room for argument as to whether or not payment is due, nor as to what amount the payment should be.

  • The loss should be random in nature, else the insured may engage in adverse selection (anti-selection).

• Financial (Market) - The risk that the value of a portfolio, either an investment portfolio or a trading portfolio, will decrease due to the change in value of the market risk factors. The four standard market risk factors are stock prices, interest rates, foreign exchange rates, and commodity prices.

• Financial (Credit) - The risk of loss when a counterparty fails to meet a payment obligation, or the risk associated with any single exposure or group of exposures with the potential to produce large enough losses to threaten the firm’s operations, or the risk of loss arising when a sovereign state freezes foreign currency payments (transfer/conversion risk), or when it defaults on its obligations (sovereign risk).

Page 5

What are the benefits of a robust ERM program?

• Strong and scalable platform to identify and pursue strategically important opportunities.

• Integrated and holistic view of all risks that impact the organization.

• Significantly improved reputation with internal and external stakeholders.

• Improved credit ratings and reduced cost of debt and equity capital.

• Effective identification of commercial opportunities and capital deployment.

• Aligns risk appetite and strategy through risk quantification and risk mapping.

• Effectively deal with uncertainty and associated risks and opportunities.

• Increased resiliency in the face of catastrophic events.

• Leverages collaborative “knowledge” to enhance risk response decisions.

• Reduces operational surprises and losses.

Page 6

How would an ERM program operate in practice?

Board of Directors/Audit Committee

Senior Management of the firm

1st Line of Defense - Business Units and functional staff: “Own” the risks associated with their activities and execute risk management processes on an operational basis.

2nd Line of Defense - Risk Management: Designs & coordinates the implementation of the ERM program:
• ERM & Project Risk
• Compliance Risk
• Information Risk
• Insurance Risk
• Operational Excellence
• HSSE & Business Continuity/Disaster Recovery

3rd Line of Defense - Internal Audit: Validates the effectiveness of the ERM program.

External Audit

Regulatory Agencies

Page 7

What determines the maturity of an ERM program?

Source: The Institute of Risk Management

Page 8

How has Risk Management evolved over the past 20 years?

Traditional Risk Management
• Purchase insurance to cover risks
• Hazard-based risk identification and controls
• Compliance issues addressed separately
• Safety & emergency mgmt handled separately
• “Silo” approach – risk mgmt is not integrated across the organization
• Risk Manager is the insurance buyer
Risk is bad – focus is on transferring risk

Advanced Risk Management
• Greater use of alternative risk financing techniques
• More proactive about preventing and reducing risks
• Integrates claims mgmt, contracts review, special event RM, insurance and risk transfer techniques
• Cost allocation used for education and accountability
• More collaboration – as departments are willing
• Risk Manager may be the risk owner
Risk is an expense – focus is on reducing cost-of-risk

Enterprise-wide Risk Management
• A wide range of risks are discussed and reviewed, including reputational, human capital, strategic and operational
• Aligns RM process with strategy and mission
• May include “upside risks” (opportunities)
• Helps manage growth, allocate capital & resources
• Risks are owned by all & mitigated at the department level
• Many risk mitigation & analytical tools available
• Risk Manager is the risk facilitator and leader
Risk is uncertainty – focus is on optimizing risk to achieve goals

Page 9

What are the steps in the Risk Management Process?

Identify

Develop (or revise) the firm’s set of strategic objectives.

Facilitate interviews and/or workshops with front-line personnel to identify risks to these objectives. Use feedback from interviews/workshops to populate the corporate risk register.

Assess/Measure

Capture the following attributes in the risk register for each risk event: Risk Description, Risk Type, Risk Owner, Likelihood, Impact, current Controls/Mitigations, Risk Tolerance, Residual Risk.

Respond

For all risk events where the residual risk remains greater than the risk tolerance, develop remediation action plans to bring the risk back within limits.

Once all remediation plans have been completed, there are 4 potential courses of action for each risk event:

1) Avoid (get out of the activity)

2) Accept/Retain (Monitor)

3) Reduce (add additional controls)

4) Transfer (Partner or buy insurance)

Monitor & Report

Develop management reporting that provides for timely monitoring and reporting of the firm’s risk profile.

Page 10

Risk Estimation – Consider the effect of scale

Corporate level
Business Unit
Department
Functional group
Individual job role
Individual process

Level of risk increases the further up in the organization one travels – a risk that occurs at the individual process level is undoubtedly less material than a risk event that occurs at the business unit or corporate level.

Page 11

How do we get started? (1 of 2)

With ERM programs, there is definitively not a “one size fits all” strategy. The optimal strategy depends on the industry, competitive pressures, regulatory framework, information technology infrastructure, workforce demographics, and a host of other factors. Having said that, it’s always better to view an ERM program implementation in phases – Phase I should be modest in scope, requiring limited resources (time, money, people) and focus on assessing the organization’s most material risk factors. Complexity and greater analytical rigor can be added in later phases.

STEP 1 – Procure buy-in from senior management

Develop simple and clear training materials to deliver to the executive team. Where possible, articulate the value proposition for ERM in clear economic terms – increased revenue, reduced expenses, contingent losses avoided, etc.

Once the buy-in is achieved, it’s critical that there be at least one project sponsor for the initiative, and additionally each risk event has a named owner in the organization.

Develop a multi-channel communication plan (e.g. email blasts, town hall meetings, organizational newsletters) through which the program and its intent will be communicated to employees. Provide employees with a feedback mechanism should they have follow-up questions.

STEP 2 – Assemble a small project team

Resource the project team with current employees from other internal groups with a Risk Management focus – Internal Audit, Regulatory Compliance, Finance, Environmental Health & Safety, HR, etc.

Nominate a project director to lead the initiative. The individual doesn’t have to be a CRO, but must have a broad knowledge of the organization’s business model, product lines, and competitive environment. And he/she must have strong leadership skills and credibility with the executive team.

Page 12

How do we get started? (2 of 2)

STEP 3 – Compile and review any recent internal risk assessment materials performed by other groups (within the last year)

There is seldom a need to build an ERM program from scratch – it’s always more efficient to leverage existing work performed by other groups.

Aggregate all of the data and findings from these risk assessments into a normalized risk register format – risk definition, risk category, likelihood assessment, severity assessment, current state controls and mitigations, risk owner, etc.

Once this data is normalized and tabulated, identify the top 5 existing risks (as measured by residual exposure) and pick a target business segment in which to run the Phase I ERM “pilot”.

STEP 4 – Perform a risk assessment in the target business segment

Distribute an online questionnaire to selected individuals in the target business segment – functional leads and their direct reports. The questionnaire doesn’t need to be long or complex – there are just a few simple questions:

• What are the key strategic objectives of the business segment? (Look for consistency with the executive team)

• What are the top 7 to 10 mission critical operational processes that are required to realize these goals?

• What are the top 5 risks that could adversely impact these processes?

• What controls are currently in place (the “as-is” state) to help mitigate these risks?

As a follow-on to the questionnaires and to reinforce the findings, chair multiple F2F sessions to gather additional information. Invite the same individuals that were on the distribution list for the questionnaire.

STEP 5 - Identify gaps and formulate a remediation plan

Tabulate all of the feedback gathered from the questionnaires and facilitated F2F sessions, combine with findings from existing risk assessments, and develop a detailed gap analysis on the top 5 key risks.

Present the findings to senior management with budget and time estimates for the remediation plan.

Page 13

What elements go into the Total Cost of Risk (TCOR)?

Compensation and ancillary benefits for Risk Management staff members
• Direct cash and incentive compensation.
• Employee benefits.
• Retirement plan costs – Defined Benefit/Defined Contribution.

Corporate-Level Hedging Programs
• Commercial insurance premiums.
• Financial transaction costs – hedging Forex and Interest Rate exposures.
• Retained (within the policy deductible) or self-insured claims.
• Risk Control costs – Health & Safety inspections, risk-reduction techniques, etc.
• Development and implementation of training programs.

Legal and Regulatory Compliance
• Financial penalties due to failure to perform on a contract.
• Unanticipated legal expenses – Responding to subpoenas, regulatory inquiries, non-standard advice, guidance on emerging regulation, etc.
• Explicit Regulatory fines.

Miscellaneous Costs
• Cost of 3rd-party service providers – insurance brokers, consultants on a project, external audit firms, Information Security assessments, etc.
• Infrastructure development costs – Risk databases, Management Information Reporting, etc.

Page 14

By the numbers – What does ERM mean in economic terms?

Step 1 – The Financials + Step 2 – The Risk factors + Step 3 – Black Box = Profitability Distribution

Page 15

By the numbers – What does ERM mean in economic terms?

This is commonly referred to as the “median” of the normal distribution. In the context of a corporation’s financial health, this could also be interpreted as the “expected case” or P50 (50th percentile) in a forward-looking financial plan.

The economic results/outcomes in this part of the distribution arise from catastrophic risk events that are commonly referred to as “tail events” or “black swan events”. These events, by their very nature, are often unexpected and can have dramatic impacts on the affected parties…organizations, communities, and individual citizens.

(Chart: Projected change in economic position – histogram of Net worth at end of 5-year horizon; x-axis from -200,000,000 to 200,000,000, y-axis from 0 to 2000; bar labels 11, 118, 681, 1713, 1664, 686, 120.)

Page 16

What are the critical success factors in building a successful ERM program?

“Tone from the Top” - must be present and strongly communicated throughout the organization.

Gain buy-in from stakeholders – Both internal and external. Transparency is key!

No “one size fits all” ERM program - The optimal design of a program is tightly linked with the unique attributes of each firm – corporate culture, strategic objectives, industry, operational complexity, competitive landscape, etc.

An ERM program is a dynamic, ongoing exercise – Not a simple project with a defined beginning and end date.

Product Development/M&A activities – Involving the ERM group in the early stages will serve to dramatically increase the probability of success of any new product rollouts or prospective M&A targets.

Staffing Considerations - Several of the key drivers of ERM program success – deep understanding of the firm’s business model and competitive landscape, familiarity with the firm’s culture, etc. – are most likely to be found among existing staff in other functional groups.

Embed Risk Management objectives into incentive schemes.

Risk Appetite and Risk Tolerance - Must be clearly defined and measurable.

Page 17

APPENDICES

Page 18

Appendix 1 – One possible structure for an ERM group (graphic)

Appendix 1 - ERM – Organizational model

Board of Directors
  CEO/CFO/COO
    Chief Risk Officer
      Head of ERM and Project Risk – Senior Analyst, Senior Analyst, Junior Analyst, Junior Analyst
      Head of Compliance Risk – Senior Analyst, Senior Analyst, Junior Analyst, Junior Analyst
      Head of Information Risk – Senior Analyst, Senior Analyst, Junior Analyst, Junior Analyst
      Head of Insurance Risk Management – Senior Analyst, Senior Analyst, Junior Analyst, Junior Analyst
      Head of Operational Excellence – Senior Analyst, Senior Analyst, Junior Analyst, Junior Analyst
      Head of HSSE and BC/DR – Senior Analyst, Senior Analyst, Junior Analyst, Junior Analyst

Page 19

Appendix 1 – One possible structure for an ERM group

• CHIEF RISK OFFICER
  • Head of Transaction risk
    • Market Risk
    • Credit Risk
    • Trade Control
    • Quantitative analytics
  • Head of Compliance Risk
    • Policy development – Develops corporate governance policies
    • Compliance Monitoring – Monitors employees and vendors against corporate policies and SLAs
    • Regulatory Affairs – monitors emerging regulation.
    • Legal risk – monitors contractual agreements and related risks
    • Investigations
  • Head of Information Risk
    • Risk oversight of s/w development projects
    • Technology asset management
    • Risk assessments
    • Awareness training
    • Records management
  • Head of Insurance Risk Management
    • Commercial insurance procurement
    • Broker relationship management
    • Claims management
    • Coordinates with HSSE group on site visits and implementation of risk control techniques
  • Head of Operational Excellence
    • SOX-related operational risks
    • Manage Delegated Authorities framework
    • Non-Sox, general operational risks
    • Integration and risk assessment of new commercial activities
    • Quality assurance/Quality management
    • All risks around large CAPEX projects/acquisitions
  • Head of HSSE and Business Continuity/Disaster Recovery
    • Employee health & wellness
    • Adherence to environmental regulation
    • Management of backup and contingency sites
    • Asset decommissioning

Page 20

Appendix 2 – What are the key personal attributes/requirements for a Chief Risk Officer (CRO)?

• Overall Mission - At a macro level, the role of a Risk Management group, and particularly the CRO, is to simultaneously sit outside of the business and be independent and objective, but also be “of the business” – understand at an intimate level how the firm generates revenue, the strategic & competitive landscape that confronts the firm, the culture of the firm, the regulatory landscape, etc.

• Strong Educational Background - Highly analytical and quantitative discipline – mathematics, statistics, engineering, quantitative finance, hard sciences, etc.

• Broad functional experience - Human Resources, Technology/IT, Environmental Health & Safety (HSSE), Accounting & Finance, Sales & Marketing, Procurement, Operations, Ethics & Compliance, Legal, Public Relations, Regulatory Affairs, Product Development, etc.

• Intellectual Curiosity - Ability to scale from the high-level, “macro” view to the very detailed, “micro” view and back again with great agility.

• High levels of self-confidence, decisiveness, and assertiveness - Must be very comfortable in making tough decisions, often in the absence of complete information.

• Strong communication skills – Must possess a strong ability to distill complex and technical information and topics into simple to understand concepts and actionable guidance.

• Strong leadership skills - Tough and demanding, but also fair and invested in the success of direct reports, with an unyielding moral compass.

• Visionary and diplomat - Risk Management must be more than simply a paycheck. All RM roles are very challenging and demanding even on the best of days. The CRO should strongly believe that there is a broader social and fiduciary purpose to their role, well beyond the stated requirements of their specific job.

Page 21

Appendix 3 – Risk Management Taxonomy (1 of 3)

• Risk-Adjusted Return on Capital (RAROC) - A financial measurement that allows analysts to take into account the effect of risk when comparing profitability and performance across various businesses. It is calculated by dividing the risk adjusted return (net income - expected loss from risk + income from capital) by the economic capital. Higher risk projects tend to bring higher rewards.

• Risk Control – The activity of applying a range of Administrative, Technical, and Physical controls to reduce the risks to an organization’s assets.

• Risk Culture - The system of values and behaviors present in an organization that shapes risk decisions of management and employees. One element of risk culture is a common understanding of an organization and its business purpose. Employees must also understand that risk and compliance rules apply to everyone as they work towards business goals. This understanding can ensure a company “does the right thing” and is a fundamental part of good ERM practices.

• Risk Capacity - A firm’s ability to identify their financial resources, expertise, and operating mandate to determine how much risk they are able to take.

• Risk Owner - A person or entity that has been given the authority to manage a particular risk and is accountable for doing so.

• Key Risk Indicators (KRI) - A measure used in management to indicate how risky an activity is. It differs from a Key Performance Indicator (KPI) in that the latter is meant as a measure of how well something is being done while the former is an indicator of the possibility of future adverse impact.

• Risk Criteria - The terms of reference against which the significance of a risk is evaluated. Risk criteria are based on organizational objectives and external and internal context. Risk criteria can be derived from standards, laws, policies and other requirements.

Page 22

Appendix 3 – Risk Management Taxonomy (2 of 3)

• Security Controls - The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

• Confidentiality - Assurance that information is shared only among authorized persons or organizations. Breaches of Confidentiality can occur when data is not handled in a manner adequate to safeguard the confidentiality of the information concerned. Such disclosure can take place by word of mouth, by printing, copying, e-mailing or creating documents and other data etc. The classification of the information should determine its confidentiality and hence the appropriate safeguards.

• Integrity - Assurance that the information is authentic and complete. Ensuring that information can be relied upon to be sufficiently accurate for its purpose. The term Integrity is used frequently when considering Information Security as it represents one of the primary indicators of security (or lack of it). The integrity of data is not only whether the data is 'correct', but whether it can be trusted and relied upon. For example, making copies (say by e-mailing a file) of a sensitive document threatens both confidentiality and the integrity of the information.

• Availability - Assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them.

• Pure risk – A Risk event that only allows for losses with no chance of a gain.

• Speculative risk – A Risk Event that allows for either a gain or loss.

• Black Swan Events – An event that lies outside the realm of regular expectations, because nothing in the past can convincingly point to its possibility. Events of this type often result in catastrophic impacts, whether they be economic, environmental, or reputational.

Page 23

Appendix 3 – Risk Management Taxonomy (3 of 3)

• Risk Assessment - The identification, evaluation, and estimation of the levels of risks involved in a situation, their comparison against benchmarks or standards, and determination of an acceptable level of risk.

• Risk Appetite – The amount of risk that an organization is willing to seek or accept in the pursuit of its long-term objectives.

• Risk Tolerance – The boundaries of risk beyond which a given organization is not prepared to venture in pursuit of its long-term objectives.

• Qualitative Risk Assessment - A collaborative process of assigning relative values to assets, assessing their risk exposure, and estimating the cost of controlling the risk. Differs from quantitative risk analysis in that it utilizes relative measures and approximate costs rather than precise valuation and cost determination.

• Quantitative Risk Assessment - A process for assigning a numeric value to the probability of loss based on known risks and available, objective data. Used to determine potential direct and indirect costs to the company based on values assigned to company assets and their exposure to risk. For example, the cost of replacing an asset, the cost of lost productivity, or the cost of diminished brand reputation.

• Diversifiable risks - Risks whose adverse consequences can be mitigated simply by having a diversified portfolio of risk exposures.

• Non-diversifiable risks - Risks, shared by all persons or organizations, that cannot be mitigated by adding exposures to the portfolio.

Page 24

Appendix 4 – Sample Risk Estimation Scales – Probability of event/Likelihood

Level | Descriptor | Description | Indicative Frequency
1 | Very Rare | Heard of something like this occurring elsewhere. | Once every 30 years.
2 | Unlikely | Low likelihood of the event happening. The event does occur somewhere from time to time. | Once every 3 to 10 years.
3 | Possible | Medium likelihood of the event happening. The event has occurred at least once in your career. | Once every 3 years.
4 | Likely | The event has occurred several times or more in your career. | Once every year or less.
5 | Almost Certain | High likelihood of the event happening. The event has occurred in the last 6 months. | More than once per year.

Page 25

Appendix 4 – Sample Risk Estimation Scales – Economic Impact of Event

Level | Descriptor | Definition
1 | Very Low | < $100 million
2 | Low | >= $100 million and <= $250 million
3 | Moderate | >= $250 million and <= $1 billion
4 | High | >= $1 billion and <= $5 billion
5 | Very high | > $5 billion

Page 26

Appendix 4 – Sample Risk Register (with linkage to strategic objectives)

Page 27

Appendix 4 – Sample Risk Heatmap (after the application of controls)

Severity scale (columns): 1 - Very Low, 2 - Low, 3 - Moderate, 4 - High, 5 - Very high

Likelihood scale (rows): 1 - Very rare, 2 - Unlikely, 3 - Possible, 4 - Likely, 5 - Almost Certain

Heatmap cell ratings: MINOR, MODERATE, SIGNIFICANT, CATASTROPHIC
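The page 9 rule (a risk event whose residual risk is still above its risk tolerance gets a remediation action plan) combined with the Appendix 4 scales and the heatmap above, as an added Python example that is not part of the deck. The likelihood and economic-impact levels are the deck's; everything else is an assumption made for the example: the deck's impact bands share their boundary values, so a loss exactly on a boundary is assigned to the higher level; the heatmap graphic is not reproduced, so the score-to-band thresholds in HEATMAP_BANDS are illustrative; residual risk is re-scored from post-control likelihood and impact; and SAMPLE_REGISTER is constructed data.

```python
"""Added example (not the deck's own code): scoring a risk register against
the Appendix 4 scales and applying the page-9 residual-risk-vs-tolerance test."""
from __future__ import annotations

from dataclasses import dataclass

# Appendix 4 likelihood scale (from the deck): level -> descriptor.
LIKELIHOOD = {1: "Very rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}

# Appendix 4 economic-impact scale (from the deck): level -> descriptor.
IMPACT = {1: "Very low", 2: "Low", 3: "Moderate", 4: "High", 5: "Very high"}

# Lower bound in USD at which each impact level starts. ASSUMPTION: the deck's
# bands overlap at their boundaries ($250 million is both "<= $250m" and
# ">= $250m"), so a boundary loss is assigned to the higher level here.
_IMPACT_LOWER_BOUNDS = ((5_000_000_000, 5), (1_000_000_000, 4), (250_000_000, 3), (100_000_000, 2))


def impact_level(loss_usd: float) -> int:
    """Map an estimated economic loss to the 1..5 impact level of Appendix 4."""
    if loss_usd < 0:
        raise ValueError("loss estimate must be non-negative")
    for lower, level in _IMPACT_LOWER_BOUNDS:
        if loss_usd >= lower:
            return level
    return 1  # < $100 million


# ASSUMPTION: the deck's heatmap graphic is not reproduced, so this mapping of
# the likelihood x impact score to the four cell ratings is an illustrative choice.
HEATMAP_BANDS = ((4, "MINOR"), (9, "MODERATE"), (15, "SIGNIFICANT"), (25, "CATASTROPHIC"))
BAND_RANK = {band: rank for rank, (_, band) in enumerate(HEATMAP_BANDS)}


def heatmap_band(likelihood: int, impact: int) -> str:
    """Place one (likelihood, impact) cell of the 5x5 heatmap in a rating band."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact levels must be 1..5")
    score = likelihood * impact
    return next(band for upper, band in HEATMAP_BANDS if score <= upper)


@dataclass
class RiskEvent:
    """One row of the risk register, carrying the attributes listed on page 9."""
    description: str
    risk_type: str
    owner: str
    likelihood: int             # inherent likelihood level, 1..5
    impact_usd: float           # inherent economic impact estimate
    controls: list[str]         # current controls/mitigations
    tolerance: str              # highest residual band the owner will accept
    residual_likelihood: int    # likelihood after current controls (assumption: residual is re-scored)
    residual_impact_usd: float  # impact after current controls

    def inherent_band(self) -> str:
        return heatmap_band(self.likelihood, impact_level(self.impact_usd))

    def residual_score(self) -> int:
        return self.residual_likelihood * impact_level(self.residual_impact_usd)

    def residual_band(self) -> str:
        return heatmap_band(self.residual_likelihood, impact_level(self.residual_impact_usd))

    def exceeds_tolerance(self) -> bool:
        """Page-9 test: residual risk remains greater than the risk tolerance."""
        return BAND_RANK[self.residual_band()] > BAND_RANK[self.tolerance]


# Page 9's four courses of action; recorded by the risk owner, not chosen by code.
RESPONSES = ("Avoid", "Accept/Retain", "Reduce", "Transfer")


def remediation_queue(register: list[RiskEvent]) -> list[RiskEvent]:
    """Events that need a remediation action plan, worst residual exposure first."""
    breaches = [ev for ev in register if ev.exceeds_tolerance()]
    return sorted(breaches, key=lambda ev: (BAND_RANK[ev.residual_band()], ev.residual_score()), reverse=True)


def register_report(register: list[RiskEvent]) -> list[str]:
    """One line per event: inherent band -> residual band against tolerance."""
    lines = []
    for ev in register:
        flag = "REMEDIATE" if ev.exceeds_tolerance() else "within tolerance"
        lines.append(f"{ev.description} [{ev.owner}]: {ev.inherent_band()} -> "
                     f"{ev.residual_band()} (tolerance {ev.tolerance}) {flag}")
    return lines


# Constructed sample register; the events, owners and figures are not from the deck.
SAMPLE_REGISTER = [
    RiskEvent("Ransomware outage of the order-management platform", "Operational", "COO",
              4, 300_000_000, ["Offline backups", "Tested DR runbook"], "MODERATE", 2, 150_000_000),
    RiskEvent("Loss of sole-source component supplier", "Strategic", "Head of Procurement",
              3, 1_200_000_000, ["Six-month safety stock"], "MODERATE", 3, 800_000_000),
    RiskEvent("Fine under new data-privacy regulation", "Regulatory", "Chief Compliance Officer",
              3, 250_000_000, ["Annual privacy training"], "MINOR", 2, 250_000_000),
    RiskEvent("FX exposure on EUR-denominated receivables", "Financial (Market)", "CFO",
              5, 60_000_000, [], "MINOR", 5, 20_000_000),
]

if __name__ == "__main__":
    print("\n".join(register_report(SAMPLE_REGISTER)))
```

Running the block lists the two constructed events whose residual band is still above the owner's stated tolerance (the privacy fine and the FX exposure); the first two sit at or below their tolerance and are only monitored. The queue is ordered by residual band and then by score so that the remediation plans are presented worst-first, which is the ordering a risk committee would expect.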

Page 28

Appendix 5 (1 of 2) – Sample Objective set with linkage to risk appetite/tolerance

Page 29

Appendix 5 (2 of 2) – Sample Objective set with linkage to risk appetite/tolerance