Date posted: 12-Jan-2016 | Uploaded by: ariel-mathews
Enterprise Risk Management Definition
Enterprise Risk Management (ERM) is the capability to protect enterprise value by managing risk:
– With a coordinated and systematic approach,
– Organization-wide, and
– Across all types of risk.
Business Risk Profiling: Risk Drivers
• Strategic – Macro Trends, Competitor, Economic, Resource Allocation, Program/Project, Organization Structure, Strategic Planning, Governance, Brand/Reputation, Ethics, Crisis, Partnerships/JVs
• Operational – Processes, Physical Assets, Technology Infrastructure, Business Interruption, Legal, Human Resources, Environmental, Hazard
• Stakeholder – Customers, Line Employees, Management, Suppliers, Government, Partners, Community
• Financial – Market, Accounting, Credit, Cash Management, Taxes, Regulatory Compliance
• Intangible – Knowledge, Intellectual Property, Information Systems, Databases, Information for Decision Making
Business Impact Assessment
• Management challenges the numbers
– Make it “real” for senior management
– Typical approaches and measures often do not line up with how the CEO, CFO and CIO evaluate their business and make decisions
Shareholder Value Levers and Risks That Matter
Growth
• Accelerate growth in current businesses
• Drive adoption of next generation appliances, e-services and infrastructure in high growth markets
Cost and Efficiency
• Value Web and Organizational Efficiency
• Streamline decentralized operating model
• Total Customer experience approach
Capital
• Take advantage of strong balance sheet
Market Variables
• Create e-services ecosystems - place HP at the center
Risk Management Culture and Infrastructure
RISK MANAGEMENT CULTURE AND INFRASTRUCTURE
• Risk Strategy
• Risk Management Processes
• Technology
• Functions
• Culture and Capability
• Governance
IMPROVEMENT INITIATIVES
• Senior Management Validation and Support
• eRisk Rapid Response (eR3) Process
• Risk Coverage Mapping
• Risk Management Workbench
• Detailed Risk Analysis
• eBusiness Risk Management Benchmark
• Customer Facing Business Models
• Virtual Supply Chain
• Partnerships and Alliances
• e-Business Infrastructure
• Venture Capital Investments
• Human Resource
• Organizational Change/Allocation of Resources
• Intellectual Property
Practical Application: Hewlett-Packard ERM Transformation
[Figure: separate risk functions (EHS, Internal Audit, Insurance, IT Security, Physical Security, Legal, BCP, GRM) each handling their own risks, transformed into a single Risk Management Process (Assess Risk, Treat Risk, Monitor & Report) with Metrics and Reporting across Risks 1–6. Knowledge Sources: RiskWeb, Risk Management Tools, Risk Strategy and Framework. Axis labels: Traditional → World-Class Transformation; Cost, Assurance, Revenue.]
• Coordination among risk functions to increase risk coverage and decrease cost
• Enable business initiatives to address risk issues quickly to decrease time to market
• Alignment with business strategies and objectives
• Consistent and organization-wide processes
• World-class risk management tools
• Focus on risks that impact stakeholder value
Source: Hewlett-Packard – Used with permission
eBusiness: So What?
• “The ‘telephone’ has too many shortcomings to be seriously considered a means of communication.” – Western Union Internal Memo, 1876
• “This wireless music box has no imaginable commercial value. Who would pay for a message sent to nobody in particular?” – David Sarnoff’s associates in response to his urgings for investment in Radio in the 1920’s
• “Who the hell wants to hear actors talk?” – Harry M. Warner, Warner Bros, 1927
• “There is no reason for any individuals to have a computer in their home.” – Ken Olsen, President, Chairman and Founder of DEC, 1977
• “Heavier-than-air flying machines are impossible.” – Lord Kelvin, President, Royal Society, 1895
• “Airplanes are interesting toys but of no military value.” – Marshal Ferdinand Foch, Professor of Strategy, École Supérieure de Guerre
eBusiness Trends
• Real Time Enterprise
• Low Tech, High Impact
• High Tech, Low Cost
• Cyber-Activism
“Real Time” Enterprise
• “Ciscoize” and “Dellize” Every Business
• Adaptive architecture, evolvable applications
• Federation NOT integration
• Architecture to connect architectures
• Rapid, incremental implementation
• Instantaneous “financials”, metrics, supply chain, customer support…
“Spontaneous transaction flow and information transparency throughout the extended enterprise”
Customized from presentation “TECH WRECK or TECH TREND: Perspectives on Technology Investing”, Vinod Khosla, Kleiner Perkins Caufield & Byers, September 2001
Low Tech, High Impact
• Terrorists have employed low tech weapons to inflict massive physical or psychological damage
– Box cutters
– Envelopes
• Infrastructure is vulnerable to unsophisticated attacks
• Identify assets at risk
– Strategic Initiatives
– People
– Process
– Information Systems
– Physical Infrastructure
– Geography
– Organization
– Products
– Flows (supplies, information, electricity, cash, etc.)
• Focus risk assessment on how the asset may be impacted
High Tech, Low Cost
• Sophisticated technologies/tools that may be employed as weapons of Mass Destruction/Interruption
– Biological and chemical weapons
– Technology
• Technologies/tools that have the ability to inflict massive damage are getting cheaper every day
• Sophisticated tools are increasingly affordable and are being used by competitors, customers, employees, litigation teams, etc.
Cyber Activism
• The Internet: “a powerful tool for communicating and coordinating action.”
– Collection
– Publication
– Dialogue
– Coordination of action
– Direct lobbying of decision makers
eRisks… Just a Few
• Cyber terrorism
• Hacktivism
• Data Privacy
• Critical Infrastructure Failure
• Intangible Property
• Third Parties
Cyber terrorism
• “The convergence of terrorism and cyberspace”
• Definition
– “Unlawful attacks and threats of attack against computers, networks, and information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives” – FBI Definition
• Tamil guerrillas send 800 emails a day to Sri Lankan embassies to “disrupt communications”
• NATO computers hit with e-mail bombs and denial-of-service attacks during the 1999 Kosovo conflict
• Pro-Palestinian and pro-Israeli groups deface Israeli and Palestinian sites over a one-month period in October 2000
Hacktivism
• Definition
– Operations that exploit computers in ways that are unusual and often illegal to further social causes.
• Methods
– Virtual Sit-Ins and Blockades
– E-Mail Bombs
– Web Hacks and Computer Break-Ins
– Computer Viruses and Worms
Data Privacy
• Credit card information
• Identity theft
• Biometrics
• Differences in Regulations
– United States
– Canada
– European Union
– Other
Critical Infrastructure Failure
• Today’s business system
– Complex
– Tightly coupled
– Heavily dependent on infrastructure
• Interconnectivity of infrastructure
– Telecommunications
– Power generation and distribution
– Transportation
– Medical care
– National defense
– Other critical government services
• Ripple effects of infrastructure failure
Intangible Property
• Mismanagement
– Loss or theft by competitors
– Inability to profit
– Sharing without compensation
• Poor use of risk management techniques
– Insurance
– Continuity planning
– Business Controls
• Complicated by the increase in the number of third parties and the “virtual” supply chain
Third Parties
• Risk appetite, strategy and sophistication variances
• Brand/reputation inequity
• Regulatory compliance complications
• Intangible property
• Contingency planning
eBusiness Risk Management
• Risk Strategy
• Risk Committees
• Risk, Incident and Crisis Management
• Risk Management Intranet Portals
• Enterprise Risk Management
Risk Strategy
• Accept Risk: Management decides to continue operations as is, with a consensus to accept the inherent risks
• Transfer Risk: Management decides to transfer the risk, for example from one business unit to another or from one business area to a third party (e.g., an insurer)
• Eliminate Risk: Management decides to eliminate the risk through the dissolution of a key business unit or operating area
• Acquire Risk: Management decides that the organization has a core competency in managing this risk, and seeks to acquire additional risk of this type
• Reduce Risk: Management decides to reduce current risks through improvements in controls and processes
• Share Risk: Management attempts to share risk through partnerships, outsourcing, or other risk-sharing approaches
Silos
• Silos exist in:
– Functions and Business Units:
• Corporate and operations
• Foreign and domestic
– Information Systems and Databases
– Processes:
• Risk management
• Strategic planning
• Legal
• Create processes, systems and tools to reach across silos to provide the “big picture”
• Focus corporate risk management resources on what matters the most
• Leverage the “silo” expertise through better coordination for complex risks
Risk Committees
• Informal Groups
• Enterprise Risk Council
• Board of Directors
– Audit Committee
– Risk Committee
Roles and Responsibilities
• Provide risk management program leadership, strategy and implementation direction
• Develop risk classification and measurement systems
• Develop and implement escalation metrics and triggers
• Develop and monitor early warning systems, based on escalation metrics and triggers
• Develop and deliver organization-wide risk management training
• Coordinate risk management activities – some functions may report to the CRO, while others will be coordinated
What is Incident and Crisis Management?
Event - An internal or external action or occurrence that may or may not impact the organization’s stakeholders, processes, technology, infrastructure, brand or intangible property
Incident - An unexpected, negative event involving potential damage to the organization’s stakeholders, processes, technology, infrastructure, brand, or intangible property
Crisis - An unexpected, negative event that threatens the lives of stakeholders or could materially impair the organization and its ability to operate
Example: Objectives of an Incident & Crisis Management Program
The incident and crisis management process is designed to enhance our interactions with our customers. The following areas will be addressed:
– Identify clear roles and responsibilities
– Develop a consistent and coordinated approach
– Improve communication to all stakeholders and media
– Reduce incident reporting, verification and response time
– Enable timely and efficient management of incidents
– Leverage learnings and ensure process improvement
Risk, Incident and Crisis Management
[Figure: Risk Management and Business Controls, three tiers ordered by Impact]
• Events – Assess potential impact of events and implement appropriate risk management & business controls
• Incidents – Monitor & resolve quickly at the most appropriate level using existing structure and processes (Incident Management Process)
• Crises – Monitor & resolve the “critical few” with the crisis management team (Crisis Management Process)
RiskWeb screenshots (Source: Hewlett-Packard – Used with permission):
• RiskWeb: Risk Function Collaboration
• RiskWeb: Knowledge Base
• RiskWeb: Resource Center
• RiskWeb: Discussion Forums
ERM Framework
[Figure: framework linking Business Objectives, Risk Drivers, Strategy and Capability]
Business Objectives
• Allocation of Capital
• Control Cost
• Drive Innovation
• Manage Growth
Risk Drivers (Risks)
• Strategic
• Operational
• Stakeholder
• Financial
• Intangible
Strategy
• Risk Strategy & Appetite: Appetite, Prioritize, Treatment Approach
• Program Strategy: Develop, Deploy, Continuously Improve
Capability
• Functions: Risk Functions – Internal Audit, Risk Mgmt, IT Security, ERM, BCP, Legal, EH&S
• Process: Risk Management Process – Assess Risk, Treat Risk, Monitor & Report
• Organization: Enterprise Risk Committee, CRO or ERM Manager
• Culture: Knowledge Mgmt, Metrics, Training, Communication
• Tools: RiskWeb, Early Warning System, Assessment and Quantification tools
• Enterprise-wide Integration: Strategic Planning, Programs/PMO, Processes, Functions
• Risk Attributes: Lifecycle, Individual, Portfolio, Qualitative, Quantitative