Managing Enterprise Risks in a Global Airline
IAAIA Conference, 11 October 2010, Istanbul, Turkey
Discussion Agenda
• Enterprise risk management (ERM) in the context of an enterprise governance, risk, and compliance (GRC) program
• Developing a risk taxonomy/vocabulary
• Airline risk register
• "A day in the life…": managing enterprise risks and compliance in a global airline (demonstration leveraging NeoGRC)
© 2010 Neohapsis, Inc. – Proprietary & Confidential
Defining Risk
Risk defined – anything that has the potential to keep you from achieving your business objectives
Risks are measurable:
– Magnitude of impact
– Likelihood of occurrence
– Velocity of onset
Hallmarks of an Effective ERM Program
• ERM activities and the GRC approach are driven by the organization's strategy.
• An executive-level individual is given the responsibility for driving the ERM process.
• A common risk and process vocabulary is used to assess, communicate, and respond to risks.
• Risk management is an ongoing management process.
• High-value information useful for management and stakeholders is generated.
• A culture of sound business practices and ethics is deep-rooted throughout the entity.
• Management has a strong understanding of its goals and approach to managing risk.
• Efficient processes are implemented to monitor and manage risks.
• Allows for distributed, cross-departmental, "bottom up" accumulation of key data elements and input.
• Leverages a centralized platform that provides efficiency, scalability, and timeliness to relevant ERM information.
ERM Journey
| From | To |
| Informal risk management activities | Formal risk management process |
| Risk loosely understood | Formal risks are understood by management |
| Risks considered within function / BU | Risk considered in the context of business strategy |
| Risk universe not defined | Formal risk universe is established and prioritized |
| Risks are locally addressed | Risks are addressed universally |
| Reporting is inconsistent and focused on easy-to-quantify historical data | Qualitative and quantitative data (financial, operational, attitudes, etc.) is analyzed to provide insight for decision making |
| Reporting is local and fragmented | Reporting is structured within the ERM process |
| No defined ownership of risks | Clearly defined ownership of risks |
| Informal monitoring | Formal monitoring |
Evolving GRC Expectations
• Strong corporate governance includes effective and ongoing risk management
• Integrating risk management functions at an enterprise level improves organizational performance and reduces costs
• Managing risks across the enterprise requires common methods and processes

[Figure: value delivered plotted against time (axes: Value, Time). Maturity stages labeled Reactive, Financial Loss Avoidance; Financial Risk Management; Compliance Risk Management; Operational Risk Management; Strategic Risk Management; Enterprise GRC. Value labels: Decision Support, Business Integration, Innovation, Competitive Advantage.]
How do we communicate risk?
Consequence Classes
a. Class I - Catastrophic. A condition that may cause death or permanently disabling injury, facility destruction on the ground, or loss of crew, major systems, or vehicle during the mission; schedule slippage causing launch window to be missed; cost overrun greater than 50 percent of planned cost.
b. Class II - Critical. A condition that may cause severe injury or occupational illness, or major property damage to facilities, systems, equipment, or flight hardware; schedule slippage causing launch date to be missed; cost overrun between 15 percent and not exceeding 50 percent of planned cost.
c. Class III - Moderate. A condition that may cause minor injury or occupational illness, or minor property damage to facilities, systems, equipment, or flight hardware; internal schedule slip that does not impact launch date; cost overrun between 2 percent and not exceeding 15 percent of planned cost.
d. Class IV - Negligible. A condition that could cause the need for minor first aid treatment but would not adversely affect personal safety or health; damage to facilities, equipment, or flight hardware more than normal wear and tear level; internal schedule slip that does not impact internal development milestones; cost overrun less than 2 percent of planned cost.
NASA Risk Model
Source: www.nasa.gov
Severity
| Category | Definition |
| Insignificant (1-2) | The risk may have almost no financial implications. |
| Minor (3-4) | The risk may have a minimal impact on financial performance. |
| Moderate (5-6) | The risk may have a significant impact on financial performance. |
| Major (7-8) | The risk may have a substantial impact on financial performance requiring a multi-year recovery period. |
| Extreme (9-10) | The risk may have a significant impact on corporate solvency. |

Likelihood
| Category | Definition |
| Rare (1-2) | The risk has a negligible probability of impact in the next 12-24 months. |
| Unlikely (3-4) | The risk has a low probability of impact in the next 12-24 months. |
| Possible (5-6) | The risk has a medium probability of impact in the next 12-24 months. |
| Likely (7-8) | The risk has a high probability of impact in the next 12-24 months. |
| Almost Certain (9-10) | The risk is affecting the organization right now or almost certainly will in the next 12-24 months. |
MasterCard Worldwide – Spencer Schwartz 11/2/07
MasterCard Risk Model
Example Airline Risk Model
Exposure (E) - How often are we exposed to the opportunity for the event sequence to occur?
– 0 — No Exposure
– 1 — Seldom Exposed – Seldom exposed to the opportunity for the event sequence to occur.
– 2 — Occasionally Exposed – Occasionally exposed to the opportunity for the event sequence to occur.
– 3 — Frequently Exposed – Frequently exposed to the opportunity for the event sequence to occur.
– 4 — Constantly or Continuously Exposed – Constantly exposed to the opportunity for the event sequence to occur.
Probability (P) - What is the probability of that sequence of events happening, including the consequence?
– 0 — Extremely Improbable; Mishap impossible; 10^-9 or rarer
– 1 — Extremely Remote; Postulated event (has been planned for, and may be possible, but not known to have occurred); 10^-7 to 10^-9
– 2 — Remote; Has occurred rarely (known to have happened, but a statistically credible frequency cannot be determined); 10^-5 to 10^-7
– 3 — Reasonably Probable; Has occurred infrequently (occurs on the order of less than once per exposure interval and is likely to recur within this interval); 10^-3 to 10^-5
– 4 — Frequent; Has occurred frequently (occurs on the order of one or more per exposure interval and is very likely to recur within this interval); 10^-3 and above
Risk Index (P x E x S = Risk)
| Risk Index | Risk Level | Action |
| 0 – 10 | Level One | Minimum Risk. Proceed after considering all elements of risk. |
| 11 – 30 | Level Two | Moderate Risk. Continue after taking action to manage overall level of risk. |
| > 30 | Level Three | High Risk. STOP |
Example Airline Risk Model (cont.)
Severity (S)
| Dimension | 0 — Negligible | 1 — Minor | 2 — Moderate | 3 — Major | 4 — Catastrophic |
| Personnel | No injuries. | First aid injury, no disability or lost time. | Lost time injury or passenger injuries (i.e. broken bone), no disability. Difficult for crew to cope with adverse conditions. | Disability or severe injuries. Crew extended because of workload or environmental conditions. | Fatal injuries to personnel or passengers. Public exposed to life threatening hazard. |
| Operations | Minor operational delay with no immediate costs. | May result in operating limitations, or emergency procedures. Operational delay requiring airline to incur relatively minimal costs. | Operational delay requiring grounding of an aircraft and causing the operator substantial costs. May result in significant reduction in safety margins. | Operational delay grounding air operator's fleet. May result in a large reduction in safety margins. | Operational delay grounding all operating certificates for the subject aircraft/engine/major component. Removal of the operating certificate for subject aircraft/engine/major component or airline. |
| Equipment | No damage or minor technical delay with no immediate costs. | Technical delay requiring grounding of aircraft and causing the operator to incur relatively minimal costs. | Technical delay requiring grounding of an aircraft and causing the operator relatively substantial costs. | Technical delay grounding aircraft fleet causing substantial costs and long delays to return the aircraft to service. | Loss of aircraft. |
| Environment | No environmental impact. | Contained release. | Small uncontained release. | Moderate uncontained release. | Large uncontained release. |
| Media | No media attention. | Media attention that requires Briefing and Question Period notes and executive attention. | Media attention that elevates occurrence to high profile status requiring executive response. | Media attention that initiates legal action. | Media attention that requires resignations of the key executives. |
| Public Confidence | No loss of public confidence. | May be lowered, but public still find situation acceptable. | Significantly lowered with high profile media coverage and numerous requests. | Shaken to the point where significant numbers do not fly on a particular aircraft type, or airline. | Public demonstrations organized. |
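The scoring on the two preceding slides, carried through in code. This is an added illustration, not code from the original deck or from NeoGRC: it encodes the 0-4 Exposure, Probability and Severity scales, computes Risk Index = P x E x S and maps the index to Level One, Two or Three. The rule that S is the worst-rated severity dimension, the helper names (risk_index, risk_level, assess, best_single_step) and the three scenario ratings are assumptions made for this example, not ratings from the deck.

```python
"""Worked scoring of the airline risk model (P x E x S).

Added example, not code from the original deck or from NeoGRC. The 0-4 scales
and the action levels (0-10 Level One, 11-30 Level Two, >30 Level Three) are
taken from the slides. Taking S as the worst-rated severity dimension is an
assumption the slides do not state; the scenario ratings below are constructed.
"""
from dataclasses import dataclass, field

EXPOSURE = {0: "No Exposure", 1: "Seldom Exposed", 2: "Occasionally Exposed",
            3: "Frequently Exposed", 4: "Constantly or Continuously Exposed"}
PROBABILITY = {0: "Extremely Improbable", 1: "Extremely Remote", 2: "Remote",
               3: "Reasonably Probable", 4: "Frequent"}
SEVERITY = {0: "Negligible", 1: "Minor", 2: "Moderate", 3: "Major", 4: "Catastrophic"}
# Severity dimensions from the "Example Airline Risk Model (cont.)" slide.
SEVERITY_DIMENSIONS = ("Personnel", "Operations", "Equipment",
                       "Environment", "Media", "Public Confidence")


def _check_rating(name: str, value: int) -> int:
    """Every factor is an integer rating 0-4; anything else is a data-entry error."""
    if not isinstance(value, int) or value not in range(5):
        raise ValueError(f"{name} must be an integer rating 0-4, got {value!r}")
    return value


def risk_index(p: int, e: int, s: int) -> int:
    """Risk Index = P x E x S, each factor rated 0-4 (so the index ranges 0-64)."""
    return _check_rating("P", p) * _check_rating("E", e) * _check_rating("S", s)


def risk_level(index: int) -> tuple[str, str]:
    """Map a risk index to the slides' three action levels."""
    if index <= 10:
        return "Level One", "Minimum Risk. Proceed after considering all elements of risk."
    if index <= 30:
        return "Level Two", "Moderate Risk. Continue after taking action to manage overall level of risk."
    return "Level Three", "High Risk. STOP"


def overall_severity(dimensions: dict[str, int]) -> int:
    """Worst-case rule (assumption): S is the highest rating across the dimensions scored."""
    if not dimensions:
        raise ValueError("at least one severity dimension must be rated")
    unknown = set(dimensions) - set(SEVERITY_DIMENSIONS)
    if unknown:
        raise ValueError(f"unknown severity dimension(s): {sorted(unknown)}")
    return max(_check_rating(d, r) for d, r in dimensions.items())


@dataclass
class Scenario:
    name: str
    exposure: int
    probability: int
    severity: dict[str, int] = field(default_factory=dict)


def assess(sc: Scenario) -> dict:
    """Score one scenario: derive S, compute the index and look up the action level."""
    s = overall_severity(sc.severity)
    idx = risk_index(sc.probability, sc.exposure, s)
    level, action = risk_level(idx)
    return {"name": sc.name, "P": sc.probability, "E": sc.exposure, "S": s,
            "index": idx, "level": level, "action": action}


def best_single_step(p: int, e: int, s: int) -> tuple[str, int]:
    """Which factor gives the largest index drop if lowered by one notch?

    Because the index is a product, lowering factor X by one removes the product
    of the other two, so the smallest factor is the most effective single lever.
    Returns the factor name and the resulting index."""
    options = {"P": (max(p - 1, 0), e, s),
               "E": (p, max(e - 1, 0), s),
               "S": (p, e, max(s - 1, 0))}
    factor, triple = min(options.items(), key=lambda kv: risk_index(*kv[1]))
    return factor, risk_index(*triple)


# Constructed scenarios with illustrative ratings (not Neohapsis data).
SCENARIOS = [
    Scenario("Unauthorised access to crew scheduling system", exposure=4, probability=3,
             severity={"Operations": 2, "Media": 1, "Public Confidence": 1}),
    Scenario("Fuel contamination at an outstation", exposure=2, probability=2,
             severity={"Equipment": 3, "Operations": 3, "Personnel": 4}),
    Scenario("Lost-time ramp injury", exposure=4, probability=4,
             severity={"Personnel": 2}),
]

if __name__ == "__main__":
    for sc in SCENARIOS:
        r = assess(sc)
        lever, new_idx = best_single_step(r["P"], r["E"], r["S"])
        print(f'{r["name"]}: P={r["P"]} E={r["E"]} S={r["S"]} index={r["index"]} '
              f'-> {r["level"]}; lowering {lever} one notch gives {new_idx} '
              f'({risk_level(new_idx)[0]})')
```

Two things the table alone does not make obvious: a frequent, moderate-severity event (the ramp injury, 4 x 4 x 2 = 32) lands in Level Three ahead of a rarer catastrophic one (2 x 2 x 4 = 16), and because the index is a product, the cheapest way down is usually to lower the smallest of the three factors, which best_single_step makes explicit when choosing treatments for the Level Two and Level Three rows.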
Risk Model Example - #2
Risk Likelihood Descriptors
Risk = Likelihood * Consequences
| Rating | Description | Likelihood of Occurrence |
| 1 | Rare | Highly unlikely, but it may occur in exceptional circumstances. It could happen, but probably never will. |
| 2 | Unlikely | Not expected, but there's a slight possibility it may occur at some time. |
| 3 | Possible | The event might occur at some time as there is a history of casual occurrence at similar organizations. |
| 4 | Likely | There is a strong possibility the event will occur as there is a history of frequent occurrence at this or similar organizations. |
| 5 | Almost Certain | Very likely. The event is expected to occur in most circumstances as there is a history of regular occurrence at this and similar organizations. |
Risk Model Example - #2 (cont.)
Risk Consequence Descriptors
| Rating | Description | Financial Impact | Clients & Staff Health & Safety | Business Interruption | Reputation & Image | Corporate Objectives |
| 1 | Insignificant | Minimal financial loss; less than $300,000 | No or only minor personal injury; first aid needed but no days lost | Negligible; critical systems unavailable for less than one hour | Negligible impact | Resolved in day-to-day management |
| 2 | Minor | $300,000 to $2M; not covered by insurance | Minor injury; medical treatment & some days lost | Inconvenient; critical systems unavailable for several hours | Adverse local media coverage only | Minor impact |
| 3 | Moderate | $2M to $5M; not covered by insurance | Injury; possible hospitalization & numerous days lost | Client dissatisfaction; critical systems unavailable for less than 1 day | Adverse capital city media coverage | Significant impact |
| 4 | Major | $5M to $10M; not covered by insurance | Single death and/or long-term illness or multiple serious injuries | Critical systems unavailable for 1 day or a series of prolonged outages | Adverse and extended national media coverage | Major impact |
| 5 | Catastrophic | Above $10M; not covered by insurance | Fatality(ies) or permanent disability or ill-health | Critical systems unavailable for more than a day (at a crucial time) | Demand for government inquiry | Disastrous impact |
Airline Industry Risk Register
Airline Industry Risk Register Background
Researched 25 leading airlines to identify relevant industry risks and prevailing trends. Sample included:
– Global and regional
– Premium and discount
– Largely focused on publicly owned airlines or airlines that published annual reports
– Annual revenues ranged from approx. €300 million ($390 million USD) to €22 billion ($28 billion USD)
Analysis focused on the airlines' disclosed risks.
Airline Risk Register Trends and Data Points
Two most notable expense categories:
– Fuel costs
• Ranged from €1.35 to €1.65 per gallon, €1.51 per gallon average over the sample set
• Ranged from 18% to 34% of total revenue, 26.4% average over the data set
– Employment costs
• Ranged from 20% to 34% of total revenue, 25.3% average over the data set
Declared risks (from annual reports):
– 5 to 28 declared risks per airline
– Risk register totaled 45 declared airline industry risks
– The most common risk was declared by 96% of the airlines
– Each of the top 10 risks was declared by at least 50% of the airlines
Most Common Airline Industry Risks
| Rank | Risk Category | Declared Risk | % Declared |
| 1 | Operational | Fuel Availability / Fuel Cost & Hedging | 95.83% |
| 2 | Credit | Adequate Liquidity / Downgrade of Credit Rating | 75.00% |
| 3 | Credit | Availability of Credit | 66.67% |
| 4 | Financial | Foreign Exchange Rate Changes / Devaluation | 62.50% |
| 5 | Financial | Interest Rate Fluctuations | 58.33% |
| 5 | Strategic | Low Cost Competition / Price Discounting | 58.33% |
| 7 | Legal / Regulatory | Government Intervention / Laws | 50.00% |
| 7 | Operational | Supply Chain Risks / Key Supplier / Counterparty | 50.00% |
| 7 | Operational | Employee / Labor Relations / Retention of Key Personnel | 50.00% |
| 7 | Strategic | Global Economic Uncertainty | 50.00% |
| 11 | Geopolitical | Terrorism / International Hostilities / Military Escalation | 45.83% |
| 11 | IT | IT Failures - Technology and e-Commerce | 45.83% |
| 13 | Financial | Fixed Obligations / Debt, Other Financial Commitments | 41.67% |
| 13 | Operational | Volatile or Seasonal Demand / Tourism | 41.67% |
Source: Neohapsis airline industry research based on publicly disclosed risks.
Managing Enterprise Risks in a Global Airline
A day in the life…
Demo Scenario
NeoGRC
The Business Case for NeoGRC
Primary drivers for implementing a GRC solution are the need to achieve regulatory compliance and manage risk. NeoGRC not only addresses these needs but also delivers positive business value. As a comprehensive, enterprise-wide GRC platform, NeoGRC helps organizations:
• Improve efficiency of compliance and risk management activities.
– NeoGRC enables you to automate, consolidate, analyze, and manage complex compliance and risk management processes and controls for better results using the same or fewer resources.
• Reduce organizational risk.
– In addition to reducing the risk of non-compliance, NeoGRC provides the ability to measure risk, monitor losses, and facilitate remediation to reduce overall organizational risk.
• Improve business strategy and performance.
– NeoGRC enables you to integrate risk and compliance factors in corporate strategy and decision making, which leads to better decisions and improved performance.
Thank you!
Kevin, [email protected], +1 773.269.6350
George, [email protected], +44.0.20.8481.3883
Mark, [email protected], +1 603.598.8586
About Neohapsis
Neohapsis provides GRC products and services to address the risk management, regulatory, and information protection needs of global enterprises and government agencies.
Through advanced GRC products and proven consulting services, Neohapsis delivers trusted infrastructures and fully integrated GRC products. Neohapsis solutions provide unprecedented visibility into the complex interrelationships between business objectives, people, information, risks, controls, and the state of compliance. Neohapsis leverages the power of the security and GRC relationship to enable sustainable governance frameworks that improve operational integrity and business performance.
To learn more about Neohapsis, visit www.neohapsis.com
The Power of Security & GRC
Cambridge, Massachusetts: 215 First Street, Suite 005, Cambridge, MA 02142 USA
Chicago, Illinois: 217 North Jefferson Street, Suite 200, Chicago, IL 60661 USA
San Jose, California: 2665 North First Street, Suite 202, San Jose, CA 95134 USA
London, England: 12B Talisman Business Center, Bicester Road, OXON OX25 5HR, United Kingdom
Chennai, India: Sreyas, Chamiers Towers, 8th Floor, East Wing, New No 37, Old No 23 & 24, Chamiers Road, Teynampet, Chennai - 600018, Tamil Nadu, India