1 © 2003 DelCreo, Inc. All rights reserved. | U.S. Toll-free 866.DELCREO | International 001/801.756.4180 [email protected] | www.delcreo.com Changed World, New Risks Mark Carey, CPA, CISA
Dec 18, 2015
Changed World, New Risks
Mark Carey, CPA, CISA
ERM Definition
A consistent and organization-wide approach to develop and implement a comprehensive risk strategy and program in order to:
– Provide a baseline level of protection of value creating assets, or
– Use risk management strategies and tools to assure success of strategic objectives and improve organizational returns (as defined by key stakeholders)
Office of Homeland Security
Government Lesson
US faces many new, non-conventional threats:
– Terrorism
– Proliferation of weapons of mass destruction
– Attacks on critical infrastructure
– International drug trade
– etc.
No single department, agency, state, local or private sector entity can handle these alone; up to 46 different federal agencies are responsible for addressing the non-conventional threats
The Office of Homeland Security was created to “coordinate the executive branch's efforts to detect, prepare for, prevent, protect against, respond to, and recover from terrorist attacks within the United States.”
Business Application
Businesses also face new, non-conventional and complex conventional threats that require coordinated risk management through an enterprise-wide risk management organization/function
Homeland Security Council
Government Lesson
The Homeland Security Council was established to:
– Advise and assist the President with respect to all aspects of homeland security
– Ensure coordination of homeland security-related activities of executive departments and agencies
– Effective development and implementation of homeland security policies
Business Application
Consider establishing an enterprise risk council to:
– Provide relevant risk information to CXO’s and BOD
– Coordinate risk management activities of various functions and business units
– Develop and implement corporate risk management policies
Silos
Government Lesson
Silos exist in:
– Departments and agencies
• Federal, state and local
• Foreign and domestic
• US, allies and other
– Information Systems and Databases
– Processes
• Intelligence gathering and dissemination activities
Business Application
Create processes, systems and tools to reach across silos to provide the “big picture”
Focus corporate risk management resources on what matters the most
Leverage the “silo” expertise through better coordination for complex risks
Low Cost, High Tech
Government Lesson
Sophisticated technologies that may be employed as weapons of mass destruction
– Biological and chemical weapons
– Technology
Tools that have the ability to inflict massive damage are getting cheaper
Business Application
Sophisticated tools are increasingly affordable and are being used by competitors, customers, employees, litigation teams, etc. Understand the impact these tools may have on your organization
Low Tech, High Impact
Government Lesson
Terrorists have employed low tech weapons to inflict massive physical or psychological damage
– Box cutters
– Envelopes
Business Application
Identify assets at risk
– Strategic Initiatives
– People
– Process
– Information Systems
– Physical Infrastructure
– Geography
– Organization
– Products
– Flows (supplies, information, electricity, cash, etc.)
Focus risk assessment on how the asset may be impacted
Consider best and worst case scenarios (to ensure preparation for best and worst times)
Incident Management
Government Lesson
The Executive Branch lacked a formal terrorist incident management process, coordinator and team
The Homeland Security Director will be the individual primarily responsible for coordinating the domestic response in the event of an imminent threat, and during and in the immediate aftermath of a terrorist attack
Business Application
Define a formal incident management process with pre-incident planning activities, escalation triggers, defined responsibilities and response pathways
Early Warning System
Government Lesson
Silos prevented effective aggregation of early warning signals
Local decisions to disregard significant information
Lack of appropriate escalation metrics and thresholds
Many early warning signals were not deemed credible
Business Application
Develop and constantly enhance quality of information collected and of early warning tools
ERM Definition
A consistent and organization-wide approach to develop and implement a comprehensive risk strategy and program in order to:
– Provide a baseline level of protection of value creating assets, or
– Use risk management strategies and tools to assure success of strategic objectives and improve organizational returns (as defined by key stakeholders)
Business Case: Improve Total Cost of Risk
Gaps in Risk Coverage and Information
– Emerging risk areas
– Strategic Planning and Decision Making Processes do not receive complete, reliable and timely risk information
– Programs/Projects with multiple vulnerabilities
– Vulnerabilities that require multiple skills, aggregation of data, etc. to mitigate
Cost of Managing Risks
– Poor use of process enabling technology
– Knowledge management
– Modeling/Data aggregation tools
– Coordination and communication between risk functions, business organizations, and management
Case Studies: Fortune 50 Company Emerging Risk Areas
Value Drivers
– Growth
– Cost and Efficiency
– Allocation of Capital
Key Risks
– Strategic
– Process
– Intangible
– Information System
– Infrastructure
– People
– Suppliers
– Customers
– Competitors
Risk Management Program
– Rapid Risk Assessment Process
– Risk Management Portal
– Toolkit Development
– Risk Council
– ERM Strategic Plan
Strategic Planning and Risk Analysis
[Diagram: Decision Making Process; labels: Information, Filters (1 2 3 4 5), Action or Decision]
Filters
1. People’s cognitive limitations
2. Operating goals, rewards and incentives
3. Information, measurement, and communication systems
4. Organizational and geographical structure
5. Tradition, culture, folklore and leadership
Strategic Planning and Risk Analysis
[Diagram labels:]
Maps
– Words
– Diagrams
– Friendly Algebra
Simulation
– Qualitative Models
– Gaming Simulators
– Quantitative Models
Concepts & Theory
Facilitation
Changing Business Environment
Recognized Strategic Issue (Opportunity or Threat)
Executive Debate and Dialogue
Action Plans and Change
Risk Profiling Process
Coverage
– Strategic Initiatives
– People
– Process
– Information Systems
– Physical Infrastructure
– Geography
– Organization
– Products
– Flows (supplies, information, electricity, cash, etc.)
Risks
Approach
– Stakeholder Value Based
– Focus on Risks that Impact Stakeholder Value
Use of Technology
Value Driver/Risk Analysis Road Map
[Diagram labels:]
Industry Analysis
Competitive Advantage
Strategy and Execution
Market & Segment Analysis
Value Drivers
Risk Drivers
Determine Scope and Effort
Validate and Refine
Define Baseline Protection
Some Key Elements of a Successful ERM Program
Strategy
• Program Strategy
• Go to Market
• 30-60-90 Day Plan
People
• Sponsor
• Program Manager
• Technical Expertise
• Workers
Processes
• Program Management
• Organizational Change
• Internal Marketing
• Knowledge Management
• Performance Measurement and Reporting
• Risk Management
Technology
• Intranet Risk Portal
• Automated and Integrated Risk Tool
• Quantitative Analysis
• Scenario and Simulation Tools
• Program Management Tools
You Probably Have a Business Case When….
Baseline protection of assets is not in place
Rising cost of risk events
High cost of risks compared to peers
Returns are less than required for a given risk profile
Projected or unanticipated change(s) impact the items above
Why ENTERPRISE Risk Management is Necessary
Continually provides necessary and consistent risk information and measures to decision makers
Risk measures are a key factor in most, if not all, decision making and valuation approaches
Risks may hedge, aggregate with, magnify or be uncorrelated with other risks
• All of the above scenarios present opportunities and challenges
The real impact of risk is often separated by time and space from the occurrence
One really big risk, or a swarm of small risks can put you out of business
Really Why ENTERPRISE Risk is Necessary
Speak the language of business executives;
Align your function with the value drivers and strategies of the organization;
Enhance your professional success by making yourself, your job and your function more relevant to the value creating activities of your organization;
While creating value for your organization!
Enterprise Risk Management: Getting Started
Develop Risk Framework
– Determine Value Drivers for Your Stakeholders
– Identify Risk Drivers
Risk Management Profiling
– Identify and Qualify/Quantify Risks
– Identify and assess current risk management capabilities, processes and practices
Build Business Case
– Identify Gaps and Overlaps in Risk Management Coverage
– Identify risk management inefficiencies
Create Future Vision
– Design future vision of risk management
– Create strategic plan
Enterprise Risk Management: Getting Started
Pilot
– Pilot implementation of future vision on limited scale
– Adjust strategy
– Plan for full implementation
Full Implementation
Ongoing Operations and Improvement
FREE Risk Resources
DelCreo is committed to the continual improvement of the risk community.
DelCreo offers a FREE monthly eZine with up-to-date information concerning risk issues and risk professionals. In addition, we have a FREE workbook, Strategy Planning Workbook for Risk Professionals.
DelCreo also offers a number of free presentations, articles and other pieces of valuable information for download on our website. www.delcreo.com/delcreo/free.cfm