ERM Enterprise Risk Management CIE Course. Enterprise Risk Management “Are you on board with enterprise risk management? You had better be. It’s the future.

Jan 15, 2016

Transcript
Page 1: ERM Enterprise Risk Management CIE Course. Enterprise Risk Management “Are you on board with enterprise risk management? You had better be. It’s the future.

ERM

Enterprise Risk Management

CIE Course

Page 2:

Enterprise Risk Management

“Are you on board with enterprise risk management? You had better be. It’s the future of how businesses will be run.”

Scott Berinato, “Risk’s Rewards,” CIO Magazine, http://www.cio.com.au/index.php?id=1998213643&eid=-154

Page 3:

For Example:

What would you do if, two months after your company went public, one of the two major markets you sell products to simply vanished? If, in the span of seven days, $500 million in sales just disappeared?

Page 4:

Possible Response:

Would you throw your hands up and say, "No one could have foreseen the events of 9/11," and then just stand by as the company tore off a half-dozen bad quarters? Would you just absorb the discomfiting cuts to your budget and your staff, and eschew any strategic plans you had set up to help the business grow, because, well, no one could have been prepared for such a catastrophe?

Page 5:

The Rockwell Collins Response:

Or, would you be like Rockwell Collins, the supplier of military and commercial aircraft parts, which suffered the precise fate described above and yet had a contingency plan in place within 10 days? Despite the fact that Rockwell's commercial market - 20 percent of its business - vanished after 9/11, IT still contributed to the business's growth.

The company has turned a profit every single quarter after 9/11. And in January 2004, Forbes called Rockwell Collins the best-managed aerospace firm in America.

Page 6:

Rockwell Collins' Secret?

Rockwell Collins executive management attribute their unusual resiliency to the fact that they had, prior to 9/11, cultivated a corporate mindset of “risk management.”

Page 7:

Rockwell Collins ERM History

For Rockwell Collins, ERM's value has been proven time and again. Several years ago, a project manager named John-Paul Besong implemented a bet-the-company SAP system using ERM principles. "Every decision became a risk decision," he says.

The project went so smoothly that Besong was named Rockwell Collins's CIO shortly thereafter.

Page 8:

Advantages of ERM

• Helps companies prepare for events on the scale of a 9/11.
• It improves the way a company handles the more predictable risks that businesses face every day.
• Allows a company to avoid bad investments.
• Allows companies to make good investments that might intuitively seem too risky.
• ERM makes IT governance better.

Page 9:

ERM is Hard

Make no mistake, ERM is hard. It changes how everyone does their jobs. It took Rockwell Collins the better part of a decade to become an organization governed by risk.

It shouldn't take you that long, because much of the trail has been blazed for you, but it won't be a six-month job either.

But you’ll be seeing positive results in six months.

Page 10:

What is ERM?

ERM: "The integrated management of:
• business risk,
• financial risk,
• operational risk and
• risk transfer
to maximize a firm's shareholder value".

That is, making a company more profitable by creating a single view of all risks, internal and external, and an executive-level management strategy to deal with those risks.

Page 11:

5 Principles of ERM:

1. An integrated view of risk.
2. A pan-corporate view of risk.
3. A bottom-line view of risk.
4. A risk officer’s view of risk.
5. A longitudinal view of risk.

Page 12:

Principle #1: An Integrated View of Risk

IT, HR, Finance, Operations, Sales, and every other silo already has some language, metrics and tools to help manage risk.

You must find/develop a standardized language, metrics and tools to integrate all silos into one overall risk management picture.

Page 13:

Principle #2: A Pan-Corporate View of Risk

ERM is not collecting each silo’s risks into its own silo.

ERM is connecting each silo’s risks to each other and to the company as a whole.

Page 14:

Principle #3: A Bottom-Line View of Risk

Risks always get expressed in terms of their potential impact on the business as a whole, not in terms of their impact on any given silo.

When FBI CIO Sherry Higgins decided she needed to hire professional project managers for the Trilogy project, she had to sell FBI Director Robert Mueller on that. She didn't focus on the potential for the project to fail. She sold him by explaining that the FBI ran the risk of being unable to do its job.

Page 15:

Principle #4: A Risk Officer’s View of Risk

Yep, you’re gonna need a CRO (or at least a “Risk Officer”).

In a growing number of companies, ERM is facilitated by an executive-level risk office that provides the expertise and resources you don't have the time or money to acquire.

Many risk experts argue that if you don't have a risk office, you're not really doing ERM.

Page 16:

Principle #5: A Longitudinal View of Risk

Risk is:
• an ongoing behavior,
• a corporate mindset,
• not a regularly scheduled process.

Risk management isn’t new, but the breadth of the vision of ERM is new.

Page 17:

ERM? Are you kidding?

ERM's idealistic goal - to unify risk management across an entire company - makes it a daunting undertaking (and so far, a rare one).

George Westerman, a research scientist who is studying ERM in relation to information technology at MIT, says that in its current state, ERM reminds him of what someone once said about e-commerce in the 90s.

"The topic is so big and scary," Westerman says, that people decide not to try. However, he adds, "It's so important to just get started."

Page 18:

So Why Now?

Macro trends have accrued to expose operational risks from IT that were previously ignored:
• Y2K—realization that IT systems were vulnerable
• 9/11 exposed many IT-based risks to business
• Computer security has reached a fever pitch with sometimes dire consequences in the form of business interruption and bad P.R.
• ID thefts
• Realization that in some environments, one bad IT decision could put the business at risk

Page 19:

More “So Why Now?”

The regulatory environment:
• Basel II accord by the Group of 10 countries dictates that by 2007, some form of ERM must be used to assess impact of IT systems on financial systems
• COSO is an effort to jumpstart ERM in corporations
• Sarbox (Sarbanes-Oxley)

Page 20:

More “So Why Now?”

Growing body of evidence that it really works:
• Westerman at MIT has identified correlations between business-IT alignment and risk confidence. That is, the more confident a CIO was in his ability to manage his operational risk, the more aligned he said he was with the business.
• J. Davidson Frame, academic dean of the University of Management and Technology, worked with a company that introduced risk management and then made business unit vice presidents sign off, Sarbanes-Oxley style, on the risks that IT projects presented to the business. Project success rates increased immediately. Perhaps more important, the number of project initiatives taken on by this company decreased by 25 percent in three months.

Page 21:

Bottom Line on ERM:

ERM improves decision making by
• helping companies avoid costly failures from operations that prove too risky, and
• facilitating successes for good decisions.

Page 22:

But I Don’t Have Time For This!

“The experts expect you to be hard-line resisters to enterprise risk management because you don't understand it. So we posed some of your potential reservations and let them counter those reservations with reasons why you need to get on board.”

Page 23:

Reservation: I've got a full load already, and now you're asking me to start this massive new project.

Rebuttal: Yes, some groundwork needs to be laid. But, for the most part, becoming part of an ERM-driven company doesn't mean more work or some additional bureaucratic system to administer; rather it's a new way to approach your job. If you're doing ERM right, you're not really aware that you're doing it. Besong calls it "the new normal for us". Weymouth says: "I manage through risk."

Page 24:

Reservation: I don't have the expertise to do this or the staff with the expertise to do this. And I don't have time to take a bunch of courses or read five books.

Rebuttal: This is precisely why risk officers are here. It's the job of a corporate risk expert, such as a chief risk officer, to provide whatever tools and education IT needs to get started, says Lam.

Page 25:

Reservation: I'm already instituting governance mechanisms.

Rebuttal: Peter Weill, director of the Centre for Information Systems Research at MIT, has shown that good IT governance leads to more successful companies. ERM is a framework for better IT governance. "What IT and CIOs need to realize is ERM is an opportunity," says Larry Ponemon, chairman and founder of The Ponemon Institute. "It makes you more competitive. It helps you make better decisions. It makes you smarter."

Page 26:

Reservation: Statistics!

Rebuttal: Don't be scared. Yes, companies fully immersed in risk will use a statistical approach to assessing it; probability and economic concepts, such as annual loss expectancy, are commonly applied tools. But the risk experts know enough about the numbers, and anyway, the numbers aren't as important as the qualitative analysis.

More than any other reservation, risk experts say CIOs will cite this one. It could be because IT is a profession that rewards precision, so the natural inclination of CIOs is to want to get their probability and impact statistics exactly right.

But risk - especially on the enterprise level - is not about precision. It's about accuracy.

Page 27:

OK, Fine. How Do I Start?

This is a three-step process:

1. Risk identification
2. Risk assessment
3. Risk mitigation

Page 28:

Risk Identification

This is, basically, brainstorming. "It's almost too simple," says Higgins. "All it is is 'What if?'" McCann's Sharon, in a previous job as a risk officer, says he handed out questionnaires asking IT staff and business end users to rate risk in five categories. You'll have meetings with the leaders of HR, IT, legal, finance and so on to brainstorm risks to the company. IT will be asked to talk about, say, the environmental risks IT poses to the company. Then, the discussion moves to the enterprise: If the systems go down, what does that mean to our business? Loss of revenue? Reputational damage from call centres being unable to help customers? And so forth.

The point is to talk, and in talking, to find the risks that otherwise might have slipped through the cracks.

Page 29:

Risk Assessment

You've identified your enterprise risks. Now you need to categorize them. The easiest way to start this is to map them on a probability-impact chart. A simple chart with "low, medium, high" on each axis will allow you to map the probability and impact of each risk.

Once again, the key here is not precision but accuracy.

Page 30:

Risk Mitigation

Eventually, you'll have a map of your enterprise risks. From there, you'll look at how you are controlling risks, see how effective those controls are and decide what else you need to do. While you play a supporting role to the risk office in identifying risks, when it comes to mitigation, you'll be counted on to lead. The risk office can arbitrate the identification of risks, such as that of using unlicensed software. But only you can assess the countermeasures you have in place, such as routine software inventories or controls on desktop configurations, which will offset those risks.
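The three steps on pages 28 to 30 (identify, place on a low/medium/high probability-impact chart, then weigh the existing controls) as a small risk register in Python. This is an added example, not part of the course slides; the sample risks are constructed, and the rule that each level of control effectiveness lowers probability by one level is an assumption of this example, not something the slides state.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The "low, medium, high" axes from the Risk Assessment slide.
LEVELS = ("low", "medium", "high")
SCORE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    """One enterprise risk captured in the brainstorming (identification) step."""
    name: str
    silo: str                  # function that raised it: IT, HR, Legal, Sales ...
    business_impact: str       # bottom-line view: what it means to the whole company
    probability: str           # low / medium / high
    impact: str                # low / medium / high
    controls: List[str] = field(default_factory=list)
    control_effectiveness: str = "low"   # how well the existing controls work

    def __post_init__(self) -> None:
        for level in (self.probability, self.impact, self.control_effectiveness):
            if level not in LEVELS:
                raise ValueError(f"expected one of {LEVELS}, got {level!r}")


def inherent_score(risk: Risk) -> int:
    """Step 2: the risk's cell on the probability-impact chart, as one number (1..9)."""
    return SCORE[risk.probability] * SCORE[risk.impact]


def residual_probability(risk: Risk) -> str:
    """Assumed rule (not from the slides): each level of control effectiveness
    above 'low' lowers the probability by one level, never below 'low'."""
    steps_down = SCORE[risk.control_effectiveness] - 1
    idx = max(0, SCORE[risk.probability] - 1 - steps_down)
    return LEVELS[idx]


def residual_score(risk: Risk) -> int:
    """Step 3: the exposure that remains once the countermeasures are counted."""
    return SCORE[residual_probability(risk)] * SCORE[risk.impact]


def probability_impact_chart(risks: List[Risk]) -> Dict[Tuple[str, str], List[str]]:
    """Group risk names by (probability, impact) cell; every cell is present."""
    chart: Dict[Tuple[str, str], List[str]] = {(p, i): [] for p in LEVELS for i in LEVELS}
    for risk in risks:
        chart[(risk.probability, risk.impact)].append(risk.name)
    return chart


def ranked(risks: List[Risk]) -> List[str]:
    """Mitigation priority: highest residual first, ties broken by inherent score."""
    return [r.name for r in sorted(
        risks, key=lambda r: (-residual_score(r), -inherent_score(r), r.name))]


def annual_loss_expectancy(single_loss: float, annual_rate: float) -> float:
    """ALE = single loss expectancy x annualised rate of occurrence, the kind of
    economic figure the 'Statistics!' slide says risk experts apply."""
    return single_loss * annual_rate


# Constructed sample register; the names echo risks the slides mention.
SAMPLE_RISKS = [
    Risk("Core ERP outage", "IT", "Revenue loss, shipments stop",
         "medium", "high", ["Failover site", "Tested DR plan"], "high"),
    Risk("Unlicensed software in use", "IT", "Fines, forced desktop shutdowns",
         "high", "medium", ["Routine software inventory", "Desktop configuration controls"], "medium"),
    Risk("Major market vanishes", "Sales", "Large share of revenue disappears",
         "low", "high", ["Contingency plan"], "low"),
    Risk("Call centre cannot help customers", "Operations", "Reputational damage",
         "medium", "medium", [], "low"),
]

if __name__ == "__main__":
    chart = probability_impact_chart(SAMPLE_RISKS)
    for impact in reversed(LEVELS):            # high impact on the top row
        cells = [", ".join(chart[(p, impact)]) or "-" for p in LEVELS]
        print(f"impact={impact:<6} | " + " | ".join(f"{c:<32}" for c in cells))
    print("probability:   " + " | ".join(f"{p:<32}" for p in LEVELS))
    for name in ranked(SAMPLE_RISKS):
        r = next(x for x in SAMPLE_RISKS if x.name == name)
        print(f"{name}: inherent={inherent_score(r)} residual={residual_score(r)}")
```

The ranking shows the point of page 30: the ERP outage sits in a worse cell than the call-centre risk on the inherent chart, but after the tested failover controls are counted it drops below it.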

Page 31:

Final Thought

Once ERM starts, it doesn't stop. The real value of enterprise risk management comes when it becomes a continuous part of everyday business. Running a huge risk assessment once every six months will help you manage enterprise risk the same way looking at your cupboard once every six months will help you manage your grocery shopping.