Guiding Principles for Implementing Enterprise Risk Management (ERM)
SEAC Conference, New Orleans, November 15-17, 2006
Hubert Mueller, (860) 843-7079
© Towers Perrin

IMPLEMENTING ERM

ERM raises many implementation challenges for senior executives

Stakeholders have challenged senior executives to ask questions with regard to integrated, enterprise-level risk analysis and their decision-making:

- How can we identify the key and emerging risks that deserve senior management attention?
- How do we measure and manage operational risks to the same degree as financial risks?
- How much capital do we need and what return should we get on it?
- How should we deploy capital to business segments and evaluate their performance?
- How do we select our growth strategies, given our risk environment?
- How can we maximize our return on capital, given our risk appetite?
- How do we best invest our assets, given the structure of our exposures?
- How much, and on what terms, should we insure and hedge?
- How should we report our risk management results and communicate with external audiences about our risk management programs?
- How do we build a risk culture within the organization?
- How do we coordinate all of this?
- And how do we get started?

© 2006 Towers Perrin, Friday, October 20, 2006

Enterprise Risk Management should address key management issues at each stage of the journey from compliance to value creation

[Figure: Companies Need to Manage Risks from Many Interrelated Areas. Axes: Internal/External Dimension, Financial/Operational Dimension. Areas: Marketing, Economy, Legal/social, Regulatory/political, Competition, Insurance, People, Processes, Hazards, Other.]

| ERM Stages | Management Issues |
| Compliance and Governance | What are my risks? |
| Diagnostics and Analytics | What is their impact? |
| Solution Options | What can we do about them? |
| Execution | How do I take action? |

Guiding Principles: ERM as a means to add value to an organization

1. ERM serves strategic purpose — not for audit
   ERM is more than an audit. Risk management optimizes the risk/return relationship, not only the avoidance of risk.
2. ERM generates economic value
   Create value by reducing the cost of capital and by increasing profits through better risk-based decision making.
3. ERM is focused on managing risks in an integrated manner, as a portfolio of risks
   Analyze risks in combination to reveal systemic risks and interactions, and explicitly consider the interrelationships and correlations between risks.
4. ERM considers both “downside” risks and “upside” opportunities
   Optimize the risk/return profile of the enterprise.
5. ERM is best operationalized by making it part of the normal business process
   Coordinate with corporate planning and the allocation of capital and resources to fully integrate into the mainstream of business decision-making.

1. ERM serves strategic purpose — not for audit

- All businesses must take risks to earn returns. Risk management should therefore be the optimization of the risk/return relationship and not only the avoidance of risk.
- Audit examines whether specified procedures and processes are being followed. It reduces risk, but does not consider the risk/return tradeoff.
- Audit strategically mitigates risk; however, what to audit and how much time and effort to invest in audit is determined through a risk management process.

| Audit Approach | ERM Approach |
| Starts with a checklist of risks | Articulates strategy and identifies risks to achieving strategic objectives |
| Defensive: Focuses only on downside risks | Considers unexpected upside scenarios; identifies opportunities for risk taking based on relative ability to manage risks vs. competition |
| Analyzes risks in silos | Considers interaction of risks to expose areas of concentration and diversification |
| Supports monitoring and reporting | Supports decision making |

“Risk Triage” process filters strategic risks from tactical risks

[Figure: risks pass upward from Organizational Units through Business Units to Corporate via Risk Filters, separating Tactical Risks from Strategic Risks.]

2. ERM generates value: Risk-Capital-Value Framework

Maximize value by relating a firm’s decisions on the risks it takes to the decisions on the capital it uses to finance its business.

[Figure: Risk-Capital-Value Framework. Labels: Value Creation, Return on Risk, Portfolio of Enterprise Risks, Risk Structure, Capital Costs, Value Management, Capital Adequacy, Portfolio of Capital Resources, Risk and Capital Management, Capital Structure, Economic Capital. Questions shown: How much capital do I need? What type of capital do I need?]

3. ERM is focused on managing risks in an integrated manner, as a portfolio of risks

Why manage risks in an integrated manner?

- Systemic risks
  - Risks which in isolation are small within each organization, but because of common causes can in the aggregate across the enterprise pose a significant risk
- Concentration of risk
  - Separate risk events that have common consequences
- Correlation of risks
  - When companies fail, often it is because several related risks occur simultaneously. Important to understand the interactions among risks
  - The lack of perfect correlation of risks means that the aggregate financial risk is less than the sum of each individual risk — may be overspending on risk management if managing risks independently
- Exposure of risk
  - Understand relative exposure across all risks to optimally allocate resources (financial and human) to mitigate risks
- Use risk analysis to develop risk-adjusted performance of business units — a best practice in the financial services sector

Risk identification should capture the “Anatomy of Risk”

Benefits of recognizing the anatomy of risk: Illustrates interactions among causal factors and consequences across risks to identify systemic risks and risk concentration.

[Figure: Causes 1-4 linked to Risk Events 1-3 and Consequences 1-6, with "Systemic Risk" and "Concentration of Risk" marked.]

4. ERM considers both downside risks and “upside” opportunities

- A fundamental objective of ERM is to optimize the risk/return trade-offs
  - The “downside” of each business activity is the risk of financial loss, the “upside” is higher profitability
  - When evaluating options to mitigate the “downside” of risks, need to also consider whether it reduces the “upside”
- Identify and embrace risks that the company can manage better than competitors
  - An insurance company that believes it can better price auto risk pursues riskier (and more profitable) drivers and even identifies competitors who are offering lower prices
  - Better management of political, foreign exchange and supply chain risks creates a competitive advantage in considering strategy to enter developing countries
  - These are generally core business risks, such as risks directly related to the manufacturing and distribution of core products

5. ERM is best operationalized by making it part of the normal business process, fully integrated into the decision-making activities

[Figure: "ERM Analysis" linked to "Business Plan" through "Impact of Risk Management Decisions". ERM Analysis labels: Insurable risks, Mortality, Property/Casualty, Human Resources, Market risks, Interest rate, Equity markets, Foreign exchange, Credit risks, Operational Risks, Business Risks, Business interruption, Corporate image, brands, Economic cycles, Other. Business Plan labels: Assets, Liabilities, Current Assets, Current Liabilities, Long-Term Liabilities, Fixed Assets, Equity, Revenues, Costs, Expenses, Operating Income, Other Income, Taxes, Net Income, Cash Flow (Begin, End), Operation, Investment, Financing.]

Use assessment method that reflects true nature of risks

This is what risks look like...

[Figure: loss distribution. Axes: Probability vs. $, with Expected loss marked.]

...but the traditional method of assessing risks distorts the picture

[Figure: Likelihood/Impact grid. Likelihood: High > y%, Med x% - y%, Low < x%. Impact: Low < $x, Med $x - $y, High > $y.]

- Simplifies distribution of loss scenarios into a single scenario — which scenario?
- Underemphasizes real risks: low likelihood of large losses
- Likelihood x Impact represents expected loss — not risk

Implementing ERM: A 4-stage process at any level of the firm

| Stage | Questions |
| Identify | What are my risks? Who is watching them? |
| Quantify | How much do they weigh? What is their impact? |
| Solve | What can we do about them? How do we decide? |
| Execute | How do I take action? What value does it create? |

The ERM Framework links strategy to the organization and processes that drive risk-based decision-making

[Figure: ERM Framework. Labels: Strategy, Organization, Process, Tools; Governance; Accountability: Roles and Responsibilities; Risk definition; Goals and objectives; Risk tolerance levels and guidelines; Identify, Quantify, Solve, Execute; Monitoring and Reporting.]
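
An added worked example (not part of the original slides) for two of the deck's quantitative claims: that Likelihood x Impact gives expected loss rather than risk, and that imperfectly correlated risks aggregate to less than the sum of the individual risks. The scenario figures, the 99.9th-percentile tail measure and all function names are assumptions chosen for illustration.

```python
from fractions import Fraction as F
from itertools import product

# A risk is a list of (probability, loss) scenarios whose probabilities sum to 1.
# Every figure below is constructed for illustration; none comes from the slides.
FREQUENT_SMALL = [(F(9, 10), 0), (F(1, 10), 1_000_000)]
RARE_LARGE = [(F(995, 1000), 0), (F(5, 1000), 20_000_000)]
OUTAGE = [(F(99, 100), 0), (F(1, 100), 10_000_000)]
LEVEL = F(999, 1000)  # assumed tail percentile (99.9th)

def expected_loss(risk):
    """Likelihood x impact summed over scenarios: the number a heat map ranks by."""
    return sum(p * loss for p, loss in risk)

def tail_loss(risk, level=LEVEL):
    """Smallest loss L such that P(loss <= L) >= level."""
    cumulative = F(0)
    for p, loss in sorted(risk, key=lambda s: s[1]):
        cumulative += p
        if cumulative >= level:
            return loss
    raise ValueError("scenario probabilities do not sum to 1")

def combine_independent(a, b):
    """Distribution of the summed loss when the two risks are independent."""
    total = {}
    for (pa, la), (pb, lb) in product(a, b):
        total[la + lb] = total.get(la + lb, F(0)) + pa * pb
    return [(p, loss) for loss, p in total.items()]

def combine_common_cause(a, b):
    """Summed loss when one cause drives both risks (scenario i of a occurs with i of b)."""
    return [(pa, la + lb) for (pa, la), (_, lb) in zip(a, b)]

def compare():
    return {
        "expected": (expected_loss(FREQUENT_SMALL), expected_loss(RARE_LARGE)),
        "tail": (tail_loss(FREQUENT_SMALL), tail_loss(RARE_LARGE)),
        "sum_of_standalone": 2 * tail_loss(OUTAGE),
        "independent": tail_loss(combine_independent(OUTAGE, OUTAGE)),
        "common_cause": tail_loss(combine_common_cause(OUTAGE, OUTAGE)),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(name, value)
```

The two sample risks score identically on expected loss while their tail losses differ by a factor of twenty, and two independent copies of the outage risk have a smaller tail than the sum of their standalone tails, whereas a common cause removes that benefit.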