IIA / ISACA Joint Meeting, December 11, 2012

University of Michigan Dearborn

Enterprise Risk Management: Building the Foundation

Jay R. Taylor, CIA


Topics

• Foundation building blocks

• What we do

• How you can add value to your organization


WHAT IS RISK MANAGEMENT?

First, let’s ask… What is risk?

Risks are the things that, if they occur, can keep a company from achieving its objectives.


FOCUS OF RISK MANAGEMENT

Rather than ask “what keeps you up at night?” …

You should ask, “What must go right for you to achieve your objectives?”


RISK IS ALSO ABOUT OPPORTUNITY

• Create a competitive advantage with a great product launch!

• Be well positioned if external events such as fuel prices do increase … or decrease

Or …

ESSENTIAL BUILDING BLOCKS

1. Senior leadership support

2. Framework

3. Risks

4. Scales to evaluate risk


First – Determine What Senior Management and the Board Wants

The answers will be different for every organization. Examples:

• “What are the things that could put us out of business?”

• “Help me see around the corner and identify what I don’t know about already”

• “Do we really do a good job protecting our reputation and how we are perceived in the market?”

Senior leadership support for the program is critical!

Second – Adopt a Framework

COSO ERM Definition

A process, effected by all of the entity’s personnel including the board of directors and management, applied across the enterprise and in strategy-setting, designed to identify potential events that may affect the entity, and manage risk, to provide reasonable assurance regarding the achievement of entity objectives.

AS/NZS Standard ERM Definition

The culture, processes and structures that are directed toward realizing potential opportunities whilst managing adverse effects.

ISO 31000 Risk Management Definition

Risk management is conceived as integral with the organization’s structures, roles and responsibilities and objectives. It is not an afterthought to be done when all the real work is finished. It is part and parcel of regular objective- and result-driven decision making. Risk management is also subjected to the same performance measurements, monitoring, assurance, review and other management techniques used to track how well objectives are met by results.


Third – Determine What Types of Risk to Include in the ERM Program

• Internal / Preventable

• External

• Strategic

Different strategies are needed to address these.


Types of Risk

• Category I: Internal / Preventable

Examples:

• Breakdowns in routine operations

• Unauthorized, illegal, unethical, incorrect or inappropriate actions by managers

• Rogue trader

How to manage them:

• Active prevention

• Guiding people’s behaviors through communicating values, company policy and compliance checking

• Monitoring operational processes

• CSA (control self-assessment)

• Internal audit


Types of Risk

• Category II: External

• Arise through outside events

• Often beyond our influence or control

Examples:

• Natural and political disasters

• Major macroeconomic shifts

How to manage them:

• Active identification

• Focus on mitigation of the impact

• Techniques include:

• DRP (disaster recovery planning)

• Scenario Planning & Analysis

• Stress Testing

• War Gaming


Types of Risk

• Category III: Strategic

Organizations voluntarily accept some risk in order to generate superior returns for their strategy.

Examples:

• Taking on credit risk to finance a customer

• Drilling in deep water in the Gulf of Mexico to extract oil

• Risk vs. Opportunity – Design a product portfolio aligned with competitors and trends

How to manage them:

• Cannot be managed through rule-based models

• Need to reduce the probability that the assumed risks actually materialize, and

• Improve the company’s ability to manage or contain the risk events, should they occur

WHAT WE DO

1. ERM program defined

2. What we consider a “key” risk

3. Program objectives

4. Risk measurement tools and sample templates

5. Role of the risk officer

6. How we support their management of risk


Defining Enterprise Risk Management

Enterprise Risk Management (ERM) is about facilitating discussions about risk:

A process applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within our risk appetite, to provide reasonable assurance regarding the achievement of our business objectives.

So ERM must:

• Take an entity-level portfolio view of risk

• Identify potential events affecting us in either direction (positive or negative)

• Be able to identify when too much risk is being taken

Ultimately, the program is designed to provide assurance to senior management and the board of directors.


Defining Key Risks

• A key risk is a risk that could keep GM from achieving its objectives of designing, building and selling the world’s best vehicles at a profit.

• Generally speaking, these risks usually have high or very high potential impact to the company ($1B or more), and can range in likelihood of occurrence from low to very high.

Risk Management Vision and Objectives

Key Objectives:

• Develop a program that is “part of doing business” – integrated with existing management processes

• Key Company Risks are identified, properly assessed and addressed in a timely manner

• Provide objectivity and transparency in assessing risks and mitigation plans

• Develop clear accountability for risk

• Build confidence of key stakeholders

Create a Competitive Advantage

Prepared, Agile and Fast


Risk Officer Team

Monthly Risk Officer Meeting: the Risk Management Team and the risk officers from the following functions and regions:

• Treasury

• Corp Strategy & Bus Dev

• Tax

• Insurance Risk Management

• GM Asset Management

• Controller’s

• GM Financial

• Product Development

• Communications

• Human Resources

• Planning & Portfolio

• Public Policy

• GPSC

• Research & Development

• Global Connected Consumer

• Legal

• Information Technology

• Audit Services

• North America

• South America

• IO

• Europe

Objective: Ensure the organization has the right structure and tools to systematically identify, assess, and effectively manage key company risks in a continuously changing environment.

Risk Officer Duties: Will be discussed in a later presentation


Tools for Risk Management

We will discuss:

• Tools to identify and capture risk

• Templates to summarize risk definition, inherent and residual risk, ownership and action plan

• Resources to assist management in dealing with their risk


Risk Identification

• Survey of risk officers

– Identify new and emerging risks

– Obtain perceptions of changes in significance (e.g. Top Risks versus others)

– Focus on risk description and inherent risk level

• Tools

– Email

– Excel

– PowerPoint

– Other


Risk Assessment

• Workshop with all risk officers

– Software:

• Individual risk owner determination

– Action plan and timing

– Residual risk

• Critical – CRO and Board “sense check” the ratings

Inherent Risk – Assessing the Level of Risk

Inherent Risk Definition

• Inherent Risk: the level of business risk in the absence of any actions management might take to alter either the risk’s likelihood of occurring, or its impact.

• While there are many types of business risks, typically inherent financial risk measures the potential impact on earnings, cash flow or liquidity.

• Inherent risk levels may change with changes in the economy and other non-controllable factors. The rating considers the impact, persistence (time period), velocity (speed of impact if the event is realized), and our response readiness.

Inherent Risk Scale

Rating: Definition

1 – Minimal: Minimal level of business risk.

2 – Low: The inherent risk could at most result in an impact under USD $500 million or produce a relatively minor impact on the company’s ability to meet strategic goals or execute its priority initiatives.

3 – Moderate: The inherent risk could at most allow financial exposure up to USD $1 billion, or have a moderate negative impact on the company’s ability to meet strategic goals or execute priority initiatives.

4 – Significant: The inherent risk could result in significant negative consequences as measured by either: financial impact of USD $1–5 billion; important impediments to achieving strategic business initiatives; corporate, brand or reputational risk. Senior management attention is required to support risk mitigation plans as well as reduce impediments.

5 – Critical: Potential for catastrophic, negative impact to the company if financial, strategic or reputational risk is not properly managed. Financial exposure could exceed USD $5 billion. Senior management and Board attention to these risks is needed.

Note that the level of inherent risk implies the risk strategies to be employed and the controls and monitoring procedures to be used (e.g., riskier approaches need more monitoring and more control).

Residual Risk – Assessing What Remains


Residual Risk Definition

• Residual Risk: the risk that remains after management implements risk mitigation plans.

• The level of residual risk is determined after applying one or more risk management techniques: Avoid, Accept, Reduce, Share or Transfer.

• Risk is a part of doing business. Risk mitigation involves reducing, not eliminating, the likelihood or impact of risks. The goal for any risk is to ensure that the residual risk is at a level acceptable to senior management, and within any defined tolerance level for that risk.

Residual Risk Scale

Rating: Definition

1 – Acceptable: The implemented mitigation plans provide assurance that the amount of residual risk is minimal and within the company’s risk tolerance (if defined).

2 – Low: The residual risk could at most result in an impact under USD $500 million or produce a relatively minor impact on the company’s ability to meet strategic goals or execute its priority initiatives.

3 – Moderate: The residual risk that remains once mitigation plans have been implemented could at most allow exposure up to USD $1 billion, or have a moderate impact on the company’s ability to meet strategic goals or execute priority initiatives.

4 – Significant: While mitigation plans are in place, the level of residual risk could still result in significant negative consequences as follows: financial impact of USD $1–5 billion; important impediments to achieving strategic business initiatives still exist; or significant corporate, brand or reputational risk still exists. Senior management attention is required to support risk mitigation plans as well as reduce impediments.

5 – Critical: Mitigation plans are either not yet in place or cannot reduce the amount of residual risk to a reasonable level. Potential for catastrophic, negative impact to General Motors if financial, strategic or reputational risk is not properly managed. Financial exposure could exceed USD $5 billion. Senior management and Board attention to these risks is needed.

Things to Consider when Prioritizing Risks

• Impact

– Important to consider:

• Financial loss

• Strategic impact

• Revenue targets

• Reputation

• Likelihood

– Also consider the time horizon that an event could arise to trigger the risk

• Persistence

– The time period over which the event is dealt with after an occurrence

• Example: The lingering reputational impact of a major recall

• Velocity

– Speed with which the full impact of the event is realized (i.e. required reaction time)

• Example: Sudden change in exchange rates vs. a chronic warranty issue causing customer dissatisfaction

• Response Readiness

– Preparedness to manage/respond to an event or a series of events (including contingency plans)


Risk Management Template Example

Risk Title / Executive Owner:

Inherent Risk (before any actions): 4 – Significant

Current Level of Residual Risk: 2 – Managed

Residual Risk (after mitigation actions complete): 3 – Moderate

Risk Definition: [Insert approved risk scenario]

Assessment: • Financial: • Strategic: • Reputation: • Other:

Key Events that Trigger Risk Exposure: 1. Insert Event 2. Insert Event 3. Insert Event 4. Insert Event 5. Insert Event

Description of Residual Risk:

Risk Mitigation Actions Completed: 1. Insert Improvement Opportunity 2. Insert Improvement Opportunity 3. Insert Improvement Opportunity 4. Insert Improvement Opportunity 5. Insert Improvement Opportunity

Responsibility / Due Date (one per action): Name, Date

Key Risk Indicators: Insert Key Risk Indicators

Related Risks / Additional Comments: Insert Related Risks / Additional Comments

Once implemented, will risk mitigation actions reduce exposure to an acceptable level? YES / NO

Tools for identifying what is most important

Risk Prioritization

Likelihood (vertical axis, low to high) vs. Impact (horizontal axis, low to high):

Likelihood high: Risk – Moderate to High | Risk – High | Risk – Very High

Likelihood medium: Risk – Moderate | Risk – Moderate to High | Risk – High

Likelihood low: Risk – Low | Risk – Low to Moderate | Risk – Moderate

Legend (risks plotted on the matrix)

A Liquidity

B Capital Availability

C Reputation

D Competitor

E Equipment Reliability

F Environment

G Regulatory/Compliance

H Knowledge Capital – Training

I Health & Safety

J Raw Material Sourcing
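The 1–5 inherent/residual scale and the likelihood vs. impact matrix on these slides can be turned into a small register evaluator that rates each risk, places it on the matrix, orders the register, and applies the consistency checks a CRO “sense check” would apply (residual never above inherent, residual within tolerance, Critical ratings escalated). The following Python is an added example and is not GM’s tooling or anything from the presentation. The sample register is constructed; the mapping of ratings to the matrix’s impact columns (1–2 low, 3 moderate, 4–5 high), the use of rating 1 only for zero measurable exposure, and the default tolerance of 3 are assumptions made for illustration.

```python
"""Risk register scoring built from the slides' rating scale and matrix.
Added example (not GM tooling); register entries are constructed data."""
from dataclasses import dataclass

RATING_NAMES = {1: "Minimal", 2: "Low", 3: "Moderate", 4: "Significant", 5: "Critical"}


def rate_financial_exposure(exposure_usd: float) -> int:
    """Map worst-case financial exposure to the scale's 1-5 rating.
    Thresholds are the USD figures from the slides. Rating 1 has no dollar
    bound on the slide; using it only for zero exposure is an assumption."""
    if exposure_usd <= 0:
        return 1
    if exposure_usd < 500e6:
        return 2
    if exposure_usd <= 1e9:
        return 3
    if exposure_usd <= 5e9:
        return 4
    return 5


# Likelihood x impact matrix from the prioritization slide:
# rows are likelihood, columns are impact (low, moderate, high).
MATRIX = {
    "low":    ["Low", "Low to Moderate", "Moderate"],
    "medium": ["Moderate", "Moderate to High", "High"],
    "high":   ["Moderate to High", "High", "Very High"],
}
# Matrix levels in ascending order, used to sort the register.
LEVELS = ["Low", "Low to Moderate", "Moderate", "Moderate to High", "High", "Very High"]


def impact_bucket(rating: int) -> int:
    """Assumption: ratings 1-2 are the low column, 3 moderate, 4-5 high."""
    return 0 if rating <= 2 else 1 if rating == 3 else 2


@dataclass
class Risk:
    title: str
    owner: str
    likelihood: str        # "low" | "medium" | "high"
    exposure_usd: float    # worst-case financial exposure before any action
    strategic_rating: int  # owner's 1-5 view of strategic/reputational impact
    residual_rating: int   # 1-5 rating after the mitigation plan completes
    tolerance: int = 3     # highest acceptable residual rating (assumption)

    @property
    def inherent_rating(self) -> int:
        # The scale rates on either financial or strategic/reputational
        # grounds, so the inherent rating is the worse of the two views.
        return max(rate_financial_exposure(self.exposure_usd), self.strategic_rating)

    @property
    def priority(self) -> str:
        return MATRIX[self.likelihood][impact_bucket(self.inherent_rating)]


def validate(risk: Risk) -> list[str]:
    """Consistency checks on a filled-in template."""
    problems = []
    if risk.residual_rating > risk.inherent_rating:
        problems.append("residual rating exceeds inherent rating")
    if risk.residual_rating > risk.tolerance:
        problems.append("residual above tolerance: mitigation plan needed")
    if risk.inherent_rating == 5 or risk.residual_rating == 5:
        problems.append("Critical: senior management and Board attention")
    return problems


def prioritize(register: list[Risk]) -> list[Risk]:
    """Order the register by matrix level, then by inherent rating."""
    return sorted(register,
                  key=lambda r: (LEVELS.index(r.priority), r.inherent_rating),
                  reverse=True)


# Constructed sample register, not actual data; titles reuse the legend.
SAMPLE_REGISTER = [
    Risk("Liquidity", "Treasury", "medium", 6e9, 4, 3),
    Risk("Equipment Reliability", "Manufacturing", "high", 300e6, 2, 2),
    Risk("Reputation", "Communications", "low", 2e9, 4, 4),
    Risk("Raw Material Sourcing", "GPSC", "medium", 800e6, 3, 2),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.priority:17} inherent {r.inherent_rating} "
              f"({RATING_NAMES[r.inherent_rating]}) residual {r.residual_rating}  "
              f"{r.title}: {validate(r) or 'ok'}")
```

Running the block lists Liquidity first (High on the matrix, Critical inherent rating, flagged for Board attention), then Raw Material Sourcing and Equipment Reliability (both Moderate to High), and Reputation last by matrix position even though its residual rating of 4 is above tolerance and is flagged as needing a mitigation plan.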


How We Support the Risk Owners’ Management of Risk

• For risk officers:

– Provide orientation and training

– Facilitate discussions in monthly meetings

– Questions at any time

• Provide a range of services, on a “pull” basis:

• Stress Testing

• Scenario Planning & Analysis

• War Gaming

• Other services

“Risk management” tools are helping to improve a wide range of GM decisions on major risks and opportunities

• Game Theory: Analyze issues/negotiations with partners/suppliers/unions/governments/dealers where GM actions can affect others’

• War Gaming: Predict market, competitive, and regulatory environment and draw implications for GM on product or strategy

• Contingency/Scenario Planning: Assess implications of potential events for current GM decisions and preparations

• Economic Analysis: Improve decisions with better estimates of marginal revenue and cost

• Lessons Learned: Improve or cement policies and procedures with “after-action” review and analysis

Example Tool: Risk Management Techniques

Avoid – Eliminate risk by preventing exposure to future possible events from occurring:

• Divest

• Prohibit

• Stop

• Target

• Screen

• Eliminate

Accept – Maintain the risk at its current level:

• Retain

• Re-price

• Self Insure

• Offset

Reduce – Implement policies and procedures to lower the risk to an acceptable level:

• Disperse

• Control

• Respond

• Diminish

• Isolate

• Test

• Improve

• Relocate

• Redesign

• Diversify

Transfer – Shift the risk to a financially capable, independent counterparty:

• Outsource

• Securitize

• Indemnify

• Insure

• Reinsure

• Hedge

• Transfer


HOW YOU CAN ADD VALUE IN YOUR ORGANIZATION

1. Improve the process

2. Help identify and capture risk information

3. Share risk information to get action


1 – Can You Help to Improve the Process?

IPPF Standards (2013), 2100 – Nature of Work: The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.


2 – Assisting in Risk Identification

Continually scan various sources to help identify risk in your organization, from existing / known risks to emerging and unknown risks:

• Internal: Audit finding trends; Meetings with company leaders; Changes in the business

• Strategic: CEO speeches; Company announcements; Outside analyst reports; Industry press; Google keyword flagging

• External: Monitoring services; Industry groups; Newspapers and other media; Blogs; Friends


CASE STUDY: BRITISH PETROLEUM

Before the oil spill, there were 761 egregious and willful safety citations issued to U.S. oil facilities.

Question: How many were issued to BP?

760!

Why were the signs ignored?

Are you monitoring the signs in your organization?


Risk Capture

So now that you’ve identified a potential risk …

• Record the existence of a potential risk – Avoid the tendency to forget

• Facilitates the ability to watch the risk change over time

Example: Emerging Risk Database in SharePoint (example for illustration only – not actual data)


3 – Take Action on Risk Identified

• Suggestions:

• Audit managers and directors discuss newly-identified risks with leadership during periodic update or service line meetings.

• Consider whether data analytics or other research should be performed to further quantify or understand the risk.

• Risks captured in the database are reviewed when preparing Audit Committee presentations.

• After elevating a risk – update the database about the discussion and results.

Getting Action on Emerging Risks Identified by Internal Audit

Below is an example of how potential risks are communicated while we are in the process of gathering information and evaluating to determine whether further action may be needed.

Columns: Emerging Risk | Potential Impact Area (Design, Manufacture, Sell, Support) | Remarks

Newly Identified Risks Since Last Meeting

• Collaboration Tool Risk – Risk of sensitive, confidential, or personally-identifiable information being stored within collaborative or shared work sites such as xxxxx without appropriate access security controls.

Potential Impact Area: all four (Design, Manufacture, Sell, Support).

Remarks: This issue was identified xxxxx and a comprehensive xxxxxx to address xxxxxx was begun in xxxx. A GMAS audit ixxx ss had xxxx to ixxxx appropriate corrective actions.

• XYX Risk – Risk of xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.

Potential Impact Area: two of the four areas marked.

Remarks: New Issue – several GMAS audits since 2008 have identified weaknesses in the way xxxxxxxxx xxxxxxx xxxxxxxxxxx. GMAS in process of working with management to identify next steps.

Updates on or Closure of Previously Identified Risks

• ABC Risk: Risk of someone accessing, corrupting or taking xxxxx ssssssco.

Potential Impact Area: two of the four areas marked.

Remarks: Discussed with management. Initiatives are in process to address the risk. GMAS began an audit in February 2011.


Internal audit should also be asking … What is not on the list?

And finally …


QUESTIONS?


Appendix: Defining Risk Appetite


What is Risk Appetite?

A scale to help determine if we are taking on too much risk when making business decisions. Without this – how would we know?

(Figure: business decisions weighed against our appetite for risk.)


Defining the Risk Appetite

Risk Appetite is the amount of risk we are willing to accept in order to meet our business objectives.

Defining our risk appetite draws on:

• What is our risk profile?

• What is our risk capacity? (Maximum potential impact the company can withstand)

• Risk tolerance

• What is the risk / return equation?


Different Levels of Risk Appetite

The level of risk appetite often varies with the types of risk involved…

Zero Appetite: Health & Safety matters; Regulations; Laws; Insider trading

Low to Moderate Appetite: Capital expenditures; Product launches; Political contributions; Acceptance of gifts; Hedging; Write-offs. These types of risks are typically covered by existing policies and procedures defining risk tolerance (e.g., DOA).

High Appetite: Generally limited to strategic opportunities / risks at the senior management / Board level.
