The Board’s Role in Enterprise Risk Oversight
Spence Hoole
Priya Cherian Huskins
Jim Deloach
Doug Solomon
Overview
SEC Risk Disclosure Requirements – new rules adopted in December ’09
Renewed Focus on Enterprise Risk Management (ERM)
Board’s Role in ERM Oversight?
What is ERM?
Current State of Risk Oversight Process
Practical Implementation of ERM and Risk Oversight
Case Study: Mid-size, international, SaaS company
Risk Oversight and D&O Insurance
Goals and Takeaways
Role of Directors & Officers
Practical Implementation
Q&A
Where Are You in the ERM Landscape?
Public or private company?
Highly regulated industry?
Your Role
1. Outside Director
2. Officer - CEO, CFO, COO, CIO
3. General Counsel, Treasurer, Risk Manager, HR
Status of risk management in your organization
1. Not yet developed
2. New and not mature
3. Defined but still developing
4. Formalized and mature
5. Optimized, leading edge, best practice
Board’s Role in Enterprise Risk Oversight
Priya Cherian Huskins
Senior Vice-President and Partner
Woodruff-Sawyer & Co.
Renewed Focus on ERM due to enhanced disclosure rules
July 2009: SEC releases proposed rules
December 2010: New rule finalized
Problem to be solved: SEC’s perspective
Problem created: “Disclosure friendly” process
Process analysis
Timing
Disclosure Rule
In addition, disclose the extent of the board’s role in the risk oversight of the registrant, such as how the board administers its oversight function, and the effect that this has on the board’s leadership structure.*
*Regulation S-K Item 407(h)
Disclosure Samples
The Board oversees the management of risk through the complementary functioning of the Finance and Risk Management Committee and the Audit Committee. –AIG (5/2010)
One of the Board’s functions is oversight of risk management at Intel. “Risk” is inherent in business, and the Board seeks to understand and advise on risk in conjunction with the activities of the Board and the Board’s committees. –Intel (4/2010)
Our Board of Directors has overall responsibility for risk oversight with a focus on the more significant risks facing us. During the year, management and the Board of Directors jointly discuss major risks that they feel face our business. Throughout the year, the Board of Directors, and the committees to which it has delegated responsibility, dedicate a portion of their meetings to review and discuss specific risk topics in greater detail. –Realty Income (3/2010)
Board’s Role in ERM Oversight
Facilitate v. Lead
Intersection between Management ERM effort & Board priorities
Role of Senior Management
Top down buy-in
Implementation
Annual
Current State of Risk Oversight Process and ERM
Finding the Keys to Making It Work
Jim DeLoach
Managing Director
Protiviti Inc.
Board Risk Oversight – Directors Survey
• Given the intensive regulatory environment in the United States and other countries as well, risk oversight has become a high priority on the agenda of most board directors
• Boards are taking a fresh look at the qualifications of their members, how they operate and their expertise to understand and manage the enterprise’s risks
• The Committee of Sponsoring Organizations of the Treadway Commission (COSO) commissioned Protiviti to conduct a survey to develop a deeper knowledge of the current state of the risk oversight process and the desired future state
• 201 directors responded
• The results of the survey provide valuable insights into how boards are fulfilling their risk oversight obligations, the maturity of their processes and the key areas offering opportunities for improvement of the risk oversight process
Board Risk Oversight – Six General Themes
(1) There exists an opportunity to improve the robustness of the risk oversight process
• A strong majority of respondents agree that boards are not formally executing mature and robust risk oversight processes
• There is an overall dissatisfaction in the way risk is considered in the context of the organization’s strategy and there are one or more obstacles inhibiting the risk oversight process
(2) Organizations need to consider the benefits of enhancing risk reporting to the board
(3) There are opportunities to improve the risk appetite dialogue and action plans to address deviations from risk tolerance parameters
(4) Monitoring of the risk management process can be improved
(5) Organizations should consider doing more to enlighten the board of the most significant risk matters
(6) Boards’ self-evaluation of the risk oversight process should be improved
These Results Coincide with the Current State of ERM
A recent survey noted:*
76% communicate key risks on an ad hoc basis
Almost 70% don’t routinely report the entity’s top risks to the board
63% see change in volume and complexity of risks over the last five years
48% must improve KRI reporting to senior executives
Risk management processes are relatively immature and ad hoc
* SOURCE: “2010 Report on the Current State of Enterprise Risk Oversight: 2nd Edition”, North Carolina State University, 2010
The Banking Industry’s Idea of Risk?
Did Anyone See It Coming?
What was known before this catastrophe?
From March 2007:* “Subprime lenders are already getting crushed.”
* Dean Baker, co-director of the Center for Economic and Policy Research: “…inventory is 20 percent higher than last year, vacancy rates have soared…”
* Center for Responsible Lending: “about 1 in 5 subprime loans written in the past two years will go into default, costing 1.1 million their homes and unleashing a flood of foreclosed homes on the market.”
* Mortgage Bankers Association: In 2006, 13.5 % of mortgages were subprime, compared to 2.6 % in 2000.
At that time, California home prices had risen 209% in the prior 10 years while west coast inflation had risen about 30% (www.fhfa.gov).
* CNNMoney.com, March 1 & 13, 2007
Was Risk Management to Blame?
Risk management isn’t blameless, but someone pushes the accelerator – the car doesn’t go on its own….
Risk Management Can:
• Review
• Inform
• Advise
• Monitor / Measure
• Control
• Resign (!)
Risk Management Can’t:
• Initiate
• Decide
The Oil Industry’s Idea of Risk?
Did Anyone See It Coming?
What was known before this catastrophe?*
* From June 2007 – Feb. 2010, OSHA issued 761 “Egregious Willful Citations” for refineries.
* A Dec. 2007 internal BP presentation regarding Gulf of Mexico incidents found that a common theme was a failure to follow BP’s own procedures and an unwillingness to stop work when something was wrong.
Prior to the Deepwater Horizon Catastrophe, BP had the two biggest fines ever issued by OSHA and had $67 million in fines in 2009 alone, the highest BP fine level in at least the last five years.
* Wall Street Journal, June 30, 2009 pp. A1, A18
Integration with What Matters is Key – Think About Four Elements
Diagram: Enterprise Risk Management Framework – four elements: Infrastructure, Integration, Process, Culture
Become part of the Company’s DNA
Policies, Processes, Organization, Reporting, Methodology, Systems & Data
Key Planning Processes
Identify risks, Assess risks, Prioritize risks, Develop action plans, Integrate results, Test and monitor risks
Business goals, objectives, and strategies
Culture
Doug Solomon
Senior Vice President,
General Counsel & Secretary
NetSuite Inc.
Practical Implementation of ERM and Risk Oversight
Enterprise Risk Management Process Example
Case Study: Mid-size, International, SaaS Company
Board Role-Up
How NetSuite got there
Lessons Learned
NetSuite: Quick Take
Background
Founded 1998
Publicly traded on NYSE: “N”
Offices in 7 countries
$180M+ revenue
1000+ employees
Performance
6,600+ customers, 750+ software companies
Top 10 highest growth ERP solution according to Gartner and IDC
NetSuite runs NetSuite
Top 10 Cloud Companies to Watch
Fastest Growing Top 10 FMS Vendor
5 Star Rating
#1 Cloud Business Suite Recognition
Risk Assessment Background
Background: The Gov. Committee Chair requested management to review and report to the Board on the Company’s risk management process. Aligns with new SEC disclosure rule oversight.
GC and CFO led a management effort to inventory, organize, and report on the Company’s risk management processes.
Effort included a review and discussion of risks with a cross-functional team of senior functional area managers PLUS advisory services from Protiviti, a leading risk consulting company.
The following individuals representing key functional areas participated in this risk assessment process:
Name(s)                                                         Functional Area
SVP, Development                                                Development
Director, Operations (Delivery of Company’s Service/Product)    Operations
SVP, Sales                                                      Sales/Sales Ops
CFO                                                             Finance / ERM Report Lead
Chief Customer Officer (Services) / Senior Director Services    Services (Professional Services, Support)
Director, Legal                                                 Legal
SOX Compliance Director                                         SOX/Internal Audit
VP, Information Technology                                      Information Technology
SVP and General Counsel                                         Legal / ERM Report Lead
Director, Systems & Compliance                                  SAS-70/Internal Audit
Risk Assessment Approach
NetSuite’s enterprise risk assessment approach is summarized below:
Management to:
Review prior identified risks (10-K)
Review generic ERM checklist
Review Company’s strategic plan and assess execution risks
Inventory existing risks from the following sources:
10-K, SOX, SAS 70
Internal Audit
Operations Contingency Planning
Security planning
Compensation risk & disclosure process
Review and analyze focus areas (highest level risks)
Prepare summary dashboard
Management discussion
Review with Board of Directors
Benchmark against peers
Gap analysis: Compare current practices with best practices
Prioritize gaps and recommend short term actions
Define long term road map
Phases shown in the diagram:
Identify Company’s High Level Risks
Inventory & Document Existing ERM Processes
Assess & Prepare Summary of ERM Risks and Mitigation Activity
Recommendations for Future
Summary of Management’s Enterprise Risk Analysis
Management discussed and analyzed the enterprise’s risk management activities, capabilities, and responsibilities related to business risks in four different categories.
Categorization of NetSuite’s Business Risks:
Operational Risk – Operations may be inefficient and ineffective in satisfying customers and achieving the company's quality, cost and time objectives.
Financial Risk – Financial risk may include a broad spectrum of risks including: financial reporting errors, inadequate liquidity management, poor product pricing, customer credit risk, foreign currency management, and financial transactional risks.
Compliance Risk – Company’s processes may not comply with company policies, procedures, or government regulations. Nonconformance can result in quality issues, higher costs, lost revenues, financial penalties, and loss of reputation.
Strategic Risk – The organization may not be utilizing the appropriate organizational strategies in order to compete effectively in the marketplace.
Company Specific Enterprise Risks
Management identified the following high level business risks to the organization as a result of the risk assessment process and evaluated their overall impact to the organization based on significance to the organization and likelihood of occurrence:
1. Economic Conditions (Macro and Industry)
2. Material Software Defects
3. Changes in Effective Tax Rates
4. Key Employees
5. Security Breach
6. Changes in Accounting Standards……
7. Customer Contractual Terms/Liability
8. Fast Paced Technological Changes
9. Business Interruption – Temporary Loss of Service
10. Intellectual Property Protection
11. Intellectual Property Infringement Claims
16. Disaster Recovery
17. Failure to maintain proper internal controls
18. Government regulation & compliance
19. Employee or Insider Fraud (IT and Product Security)
20. Ethical Issues/ Side Agreements / Corruption
21. Foreign Currency Exchange Risk
22. Reputation Risk – Public Relations
23. International sales & operations risk
27. Slow Market Growth
28. Customer price sensitivity
29. Reliance on third party technology
30. New sales have a delayed impact on our financial results (i.e. revenue)
Additional Risks To Consider
Note: Protiviti compared the risk assessment results to a standard list of risks for a software company and identified the additional risks stated below.
Please note that the risks listed below are examples and do not reflect NetSuite specific risks
• Performance Incentives
• Organizational Performance Measures
• Organizational Culture
• Succession Planning
• Budget & Planning
• Technological Innovation
Risk Map Categorization
LEGEND: High Impact, Med Impact, Low Impact
Diagram: risks grouped under the category labels Strategic, Financial, Operations, Compliance and Board & Committees. Risks shown:
1. Economic Conditions
11. Customer Contracts Terms/Liability
13. Business Interruption
8. Key Employees
14. IP Protection
15. IP Infringement Claims
17. Maintenance of Internal Controls
18. Govt Regulations & Compliance
10. Changes in Accounting Standards
22. Foreign Currency Risks
19. Employee or Insider Fraud
12. Fast Paced Technological Changes
4. Material Product Defects
7. Changes in effective tax rate
9. Security Breach
20. Ethical Issues/ Side Agreements / Corruption
16. Disaster Recovery
Top Business Risks – Example
A number of business risks were identified based upon our discussions and analysis. Management prioritized these risks based on their significance and likelihood. In management’s view, the top business risks are as follows:
Risk Name: Economic Conditions (Macro & Industry)
Risk Description: Uncertain and sometimes volatile economic environment may continue to impact our business, operating results, and financial condition. Economic conditions impact the general willingness of current and potential customers to make capital commitments to their IT systems.
Risk Mitigation Activities: The Company operates on a base plan and the finance team and management actively monitor financial performance and trends. The Company can adjust spending or strategy when necessary, as the Company did during the 2008-09 recession.
Risk Name: Material Product Defects
Risk Description: Any material defects in new versions or enhancements of our software could cause disruption of service, loss of customer data, and significant harm to our reputation. Miscalculation bugs or viruses. Could have widespread impact and affect customers in a material way.
Risk Mitigation Activities: Company has a number of policies and procedures in place to help ensure that any upgrades/enhancements work properly and do not result in any customer down-time. Phased release of new versions to customers.
Potential Next Steps: Analyze how NetSuite can mitigate risks related to …..
Risk Map – Example: Consideration of Potential Impact vs. Likelihood/Frequency
Diagram: Significance of Risk (LOW to HIGH) plotted against Likelihood of Risk (LOW to HIGH); risks grouped as Operational Risk, Financial Risk, Strategic Risk and Compliance Risk; legend distinguishes Top Risks, Med Risks and Low Risks.
Significant Business Risks: 1. Risk 1 through 15. Risk 15 (placeholder names in the original slide)
Suggested Next Steps Following Initial ERM Process
Board Level: Discuss the board oversight process and determine the role of committees in overseeing the risk management process going forward.
Management Level: Consider the appropriate management approach and organizational structure for enterprise risk management. Management recommendation: Establish a Risk Council
Determine appropriate membership (senior company leaders that will be responsible for managing the ERM process)
Develop charter
Determine meeting frequency
Consider use of internal audit resources for documentation and process management
Continual Periodic Review: continue to periodically review, discuss, and evaluate enterprise risks and communicate the results of the analysis to the Board.
Review board charters and determine if revisions are required based on changes in responsibilities
Eventually, compare with peers and best practices for similar companies
Risk Oversight and D&O Insurance
Priya Cherian Huskins
Senior Vice-President and Partner
Woodruff-Sawyer & Co.
Spence Hoole
Managing Partner
Diversified Insurance Group
The Financial Landscape and D&O Market
Economic Landscape – continued fallout of financial meltdowns, stock options backdating, subprime debacles
Litigation Environment – economic turmoil generally leads to increased D&O claims; however, overall number of securities class action claims has declined in 2010
Risk Currency - Market Security / Carrier Solvency
Importance of DIC A-side Coverage
D&O Market and Renewal Outlook – 2011
Will the really soft D&O market become even softer?
Insurance Carrier stability and solvency concerns
Trends in SEC enforcement activity
M&A case law development
What should the board’s focus be in relation to:
Program Structure
Limits
Coverage Terms and Conditions
Q&A