© 2003 DelCreo, Inc. All rights reserved. | U.S. Toll-free 866.DELCREO | International 001/801.756.4180 [email protected] | @delcreo.com.

1© 2003 DelCreo, Inc. All rights reserved. | U.S. Toll-free 866.DELCREO | International 001/801.756.4180 [email protected] | www.delcreo.com

Changed World, New Risks

Mark Carey, CPA, CISA

2

© 2003 DelCreo, Inc. All rights reserved. U.S. Toll-free 866.DELCREO | International 001/[email protected] | www.delcreo.com

ERM Definition

An consistent and organization-wide approach to develop and implement a comprehensive risk strategy and program in order to:– Provide a baseline level of protection of value creating assets, or

– Use risk management strategies and tools to assure success of strategic objectives and improve organizational returns (as defined by key stakeholders)

3


Office of Homeland Security

Government LessonUS faces many new, non-conventional threats:

– Terrorism– Proliferation of weapons of mass destruction– Attacks on critical infrastructure– International drug trade– etc.

No single department, agency, state, local or private sector entity can handle alone, up to 46 different federal agencies are responsible for addressing the non-conventional threats

The Office of Homeland Security was created to “coordinate the executive branch's efforts to detect, prepare for, prevent, protect against, respond to, and recover from terrorist attacks within the United States.”

Business ApplicationBusinesses also face new, non-conventional and complex conventional threats

that require coordinated risk management through an enterprise-wide risk management organization/function

4


Homeland Security Council

Government Lesson

The Homeland Security Council was established to:

– Advise and assist the President with respect to all aspects of homeland security

– Ensure coordination of homeland security-related activities of executive departments and agencies

– Effective development and implementation of homeland security policies

Business Application

Consider establishing an enterprise risk council to:

– Provide relevant risk information to CXO’s and BOD

– Coordinate risk management activities of various functions and business units

– Develop and implement corporate risk management policies

5


Silos

Government Lesson

Silos exist in:– departments and agencies,

• Federal, state and local• Foreign and domestic• US, allies and other

– Information Systems and Databases– Processes

• Intelligence gathering and dissemination activities


Create processes, systems and tools to reach across silos to provide the “big picture”

Focus corporate risk management resources on what matters the most

Leverage the “silo” expertise through better coordination for complex risks

6


Low Cost, High Tech

Government Lesson

Sophisticated technologies that may be employed as weapons of Mass Destruction

– Biological and chemical weapons

– Technology

Tools that have the ability to inflict massive damage are getting cheaper


Sophisticated tools are increasingly affordable and are being used by competitors, customers, employees, litigation teams, etc. Understand impact there tools may have on your organization

7


Low Tech, High ImpactGovernment Lesson

Terrorist have employed low tech weapons to inflict massive physical or psychological damage

– Box cutters

– Envelopes


Identify assets at risk

– Strategic Initiatives

– People

– Process

– Information Systems

– Physical Infrastructure

– Geography

– Organization

– Products

– Flows (supplies, information, electricity, cash, etc.)

Focus risk assessment on how the asset may be impacted

Consider best and worst case scenarios (to ensure preparation for best and worst times)

8


Incident Management

Government Lesson

The Executive Branch lacked a formal terrorist incident management process, coordinator and team

The Homeland Security Director will be the individual primarily responsible for coordinating the domestic response in the event of an imminent threat, and during and in the immediate aftermath of a terrorist attack


Define a formal incident management process with pre-incident planning activities, escalation triggers, defined responsibilities and response pathways

9


Early Warning System

Government Lesson

Silos prevented effective aggregation of early warning signals

Local decisions to disregard significant information

Lack of appropriate escalation metrics and thresholds

Many early warning signals were not deemed credible


Develop and constantly enhance quality of information collected and of early warning tools

10


ERM Definition

An consistent and organization-wide approach to develop and implement a comprehensive risk strategy and program in order to:

– Provide a baseline level of protection of value creating assets, or

– Use risk management strategies and tools to assure success of strategic objectives and improve organizational returns (as defined by key stakeholders)

11


Business Case: Improve Total Cost of Risk

Gaps in Risk Coverage and Information– Emerging risk areas– Strategic Planning and Decision Making Processes do not receive

complete, reliable and timely risk information– Programs/Projects with multiple vulnerabilities– Vulnerabilities that require multiple skills, aggregation of data, etc

to mitigate

Cost of Managing Risks– Poor use of process enabling technology– Knowledge management– Modeling/Data aggregation tools– Coordination and communication between risk functions,

business organizations, and management

12


Case Studies: Fortune 50 Company Emerging Risk Areas

GrowthCost and EfficiencyAllocation of Capital

Value Drivers

StrategicProcessIntangibleInformation SystemInfrastructurePeopleSuppliersCustomersCompetitors

Rapid Risk Assessment ProcessRisk Management PortalToolkit DevelopmentRisk CouncilERM Strategic Plan

Key Risks Risk Management Program

13


Strategic Planning and Risk Analysis

Decision MakingProcess

1 2 3 4 5

Filters

Information

Action or Decision

1. People’s cognitive limitations

2. Operating goals, rewards and incentives

3. Information, measurement, and communication systems

4. Organizational and geographical structure

5. Tradition, culture, folklore and leadership

14


Strategic Planning and Risk Analysis

Maps

WordsDiagramsFriendly Algebra

Simulation

Qualitative ModelsGaming SimulatorsQuantitative Models

Concepts & Theory

Facilitation

Changing Business Environment

Recognized Strategic Issue(Opportunity or Threat)

Executive Debate and Dialogue

Action Plans and Change

15


Risk Profiling Process

Coverage– Strategic Initiatives– People– Process– Information Systems– Physical Infrastructure– Geography– Organization– Products– Flows (supplies, information, electricity, cash, etc.)

Risks

Approach– Stakeholder Value Based– Focus on Risks that Impact Stakeholder Value

Use of Technology

16


Value Driver/Risk Analysis Road Map

Industry Analysis

CompetitiveAdvantage

Strategy and Execution

Market & Segment Analysis

Value Drivers

Risk Drivers

Determine Scope and

Effort

Validate and Refine

Define Baseline

Protection

17


Some Key Elements of a Successful ERM Program

Strategy

• Program Strategy• Go to Market• 30-60-90 Day Plan

People

• Sponsor• Program Manager• Technical Expertise• Workers

Processes

• Program Management• Organizational Change • Internal Marketing• Knowledge Management• Performance Measurement and Reporting• Risk Management

Technology

• Intranet Risk Portal• Automated and Integrated Risk Tool• Quantitative Analysis• Scenario and Simulation Tools• Program Management Tools

18


You Probably Have a Business Case When….

Baseline protection of assets is not in place

Rising cost of risk events

High cost of risks compared to peers

Returns are less than required for a given risk profile

Projected or unanticipated change(s) impact the items above

19


Why ENTERPRISE Risk Management is Necessary

Continually provides necessary and consistent risk information and measures to decision makers

Risk measures are a key factor in most, if not all decision making and valuation approaches

Risks may hedge, aggregate with, magnify or be uncorrelated with other risks

• All of the above scenarios present opportunities and challenges

The real impact of risk is often separated by time and space from the occurrence

One really big risk, or a swarm of small risks can put you out of business

20


Really Why ENTERPRISE Risk is Necessary

Speak the language of business executives;

Align your function with the value drivers and strategies of the organization;

Enhance your professional success by making yourself, your job and your function more relevant to the value creating activities of your organization;

While creating value for your organization!

21


Enterprise Risk Management: Getting Started

Develop Risk Framework

– Determine Value Drivers for Your Stakeholders

– Identify Risk Drivers

Risk Management Profiling

– Identify and Qualify/Quantify Risks

– Identify and assess current risk management capabilities, processes and practices

Build Business Case

– Identify Gaps and Overlaps in Risk Management Coverage

– Identify risk management inefficiencies

Create Future Vision

– Design future vision of risk management

– Create strategic plan

22


Enterprise Risk Management: Getting Started

Pilot

– Pilot implementation of future vision on limited scale

– Adjust strategy

– Plan for full implementation

Full Implementation

Ongoing Operations and Improvement

23


FREE Risk Resources

DelCreo is committed to the continual improvement of the risk community.

DelCreo offers a FREE monthly eZine with up-to-date information concerning risk issues and risk professionals. In addition, we have a FREE workbook Strategy Planning Workbook for Risk Professionals.

DelCreo also offers a number of free presentations, articles and other pieces of valuable information for download on our website. www.delcreo.com/delcreo/free.cfm

© 2003 DelCreo, Inc. All rights reserved. | U.S. Toll-free 866.DELCREO | International 001/801.756.4180 [email protected] | @delcreo.com.

Documents

delcreo international

coordinated risk management

aspects of homeland

enterprise risk council

use risk management

relevant risk information

comprehensive risk strategy

cisa slide