Texas Roadhouse Enterprise Risk Mapping Executive Session


Enterprise Risk: Overview and a Start-Up Experience
NC State ERM Roundtable Series
October 2005
Chris Duncan
404.995.3600
Overview

• Increasingly, companies are expanding ERM efforts
  – 91% planning to, or in process of, expanding ERM efforts (Conference Board)
  – Driven by desire to impact shareholder value, improve governance, communications
• Delta Air Lines initiated ERM effort after 9/11, established CRO position
• Chose to focus (initially) on subjective risk evaluation process rather than “quant” emphasis
• Focused on building process, interaction with risk leaders rather than “centralized” CRO role
• Management’s Role in Managing Risk
  – Resources/Infrastructure, Mitigation, Communication/Governance
Key to ERM is delivering value that is understood and makes a difference to bottom line, brand, survivability
Changing Risk Requires New Approach
“Here is Edward Bear, coming downstairs now, bump, bump, bump, on the back of his head, behind Christopher Robin. It is, as far as he knows, the only way of coming downstairs, but sometimes he feels that there really is another way, if only he could stop bumping for a moment and think of it.”
Opening lines of “Winnie-The-Pooh” by A. A. Milne
Risk Drivers on Value
From ‘93 - ‘98, 10% of Fortune 1000 lost > 25% stockholder value in one month… strategic and operating risk led the way, but many “big” risks effectively hedged
[Bar chart, vertical axis 0 to 30, one bar per risk driver: Customer Demand Shortfall, Competition, Cost Overruns, M&A Problems, Products, Pricing, Loss of Customer, Accounting Irregularities, Management Ineffectiveness, Supply Chain Issues, Macroeconomics, Commodity Prices, Interest Rates, Lawsuit, Natural Disasters, Regulatory, R&D Delays, Supplier; drivers grouped into Strategic, Operational, Financial and Hazard]
Source: Marsh/Mercer; used with permission
Sidebar: Board vs. Management Roles

• Sarbox and NYSE rules require Boards to have oversight on the effectiveness of the risk management processes
  – Does not mean the Board manages risk
  – Increasingly, rating agencies, institutional investors are asking questions on risk, and ERM
• Ultimately, management is challenged to prioritize risk, and figure out the risk infrastructure, resources, process and communication/governance to ensure the right risks are managed appropriately
  – Does not mean management must eliminate all risks
  – Does mean that appropriate levels of management understand risks, roles and responsibilities
“One doesn't discover new lands without consenting to lose sight of the shore for a very long time.” André Gide
Various Levels of Risk Management
Risk Management occurs on many different levels, each adding value in different ways, and the “sweet spot” varies by company, culture
[Pyramid, three levels from top to bottom: Shareholder Value Enhancement; Operating Performance; Compliance & Prevention. Practices listed alongside, from the highest level down:]
• Societal focus
• Brand/reputation risk focus
• Risk competence as competitive tool
• Integration into corporate governance
• Risk planning in business strategy
• Achieving traditional risk best practice status
• Integrating risk approach across functional silos
• Protect P&L, balance sheet from surprises
• Prevent accidents, crisis
• Meet compliance/fiduciary responsibility
Risk Management Environments
Cross Functional & Emerging View of Risks
[Diagram: six functional risk environments (Safety/Security, Financial, Business/Strategic, Operational, Legal, Audit), each with example risks. Risks shown: civil, criminal, regulatory, contractual, fuel, interest, foreign exchange, insurance/financing, brand, reputation, alliances, expansion, e-business, technology, service, info security, continuity, revenue, flight safety, employee safety, security, environment, financial controls, process risks, disclosure, fraud]
Most companies (and Delta) have deep functional risk identification and management; challenge is addressing (cross functional) and forward-looking “horizon” risks
Not All Risks Are Created Equal
Management’s challenge is figuring out what to focus on, and when…
[Diagram, three tiers from top to bottom, with value sign:]
• Reputation Management: Company Killers, Customer Impact, Loss of Brand (+)
• Risk Financing, Insurance, Projects and Initiatives: Safety Net for P&L, Balance Sheet (+)
• Safety, Claims, Compliance, Administration: Cost (-)
Risk Management is the allocation of finite resources to infinite risks
Hazard risks

• Hazard & Operational Risks are the “meat and potatoes” of risk management
  – Work comp
  – Property
  – Liability
  – Auto
  – Construction
  – Life & Health
• Historical risk manager focus, insurance “sweet spot”
• Incremental improvement in underlying risk profile via safety, claims
• Not typically considered in strategic decisions
• Insurance focused
• Focus: optimize as “cost of doing business”
Reputation risk

• Reputation Risk…
  – How brand, company perception, future business potential is impacted by internal and external events and decisions
  – Focuses on internal and external stakeholders
  – Response model driven by perceptions, not facts
  – Globalization of brands
• “Risk” is defined by external parties, stakeholder reactions, expectations (perceptions), rather than science (facts)
• Media/internet, cultures, corporate governance, regulation, non-gov’t organizations play a major role
• Limited role by insurance
• Focus: Pre-emptive strategies, crisis response
Examples: “Mad Cow”, Privacy Breach, Cell Radiation, Exec Comp, Animal Testing, Crisis Management Failures, Fat (“Oreo & McD”)
Societal Risk Issues Blur with Reputation
Societal risk…

• Tend to cross cultures & companies
• Similar to reputation risks in exponential growth potential
• Externally driven risk factors
• Targets of societal, self-appointed “representatives”
  – UN, Worldbank, WHO, etc.
  – Subject to government intervention/regulation
  – Institutional investors?
  – Cross cultural “NGOs”
• Responses establish boundaries of corporate, gov’t behavior via legislation/law, international opinion
• Borderless society generates new risks and issues for all
  – Ex. Avian Flu/SARS, AIDS, terrorism, internet attacks, internet special interest groups, int’l labor migration, IP rights theft, food safety confidence, natural disaster refugees
• Sarbanes-Oxley classic response to new “risk” to “boundary” corporate behavior
  – Others: demands for security in air travel, cross border testing for mad cow, halts on genetically modified foods, acrylamide, “Katrina”?
• No material insurance role
• Focus: Pre-emptive strategies, crisis response
Limited Window to Influence Brand/Societal Risk
[Chart: Media/Public Impact (vertical axis) against Time (horizontal axis)*. Stages from left to right: Emerging Risk Awareness (“UR HERE”); Explore/Plan; Warning: Action/Options (Influence & Lead); Rapid Escalation (Tipping Events): Plan; Ride the Outcome/No Options! Annotations: will have short time period (days) to restore confidence before media/public perception overwhelms response; no ability to influence outcomes, response driven by media, government regulatory, legislative intervention; risk perception embedded irrespective of facts, response. Ex. Avian Flu (emerging); Ex. Mad Cow, 9/11 Security, SarBox… (embedded)]
* Adapted from Risk issue lifecycle, Strategic Reputation Risk, Larkin
So Where to From Here?

• Choose ERM organizational framework
  – COSO, New Zealand, Turnbull, company specific
• Address governance and communication infrastructure needs
  – Choices based on culture, politics, leadership endorsement
• Get started somewhere… it’s about progress, not perfection
  – Drive the process first through a limited number of critical issues… then build off the initial value generated
“The ability to define what may happen in the future and to choose among alternatives lies at the heart of contemporary societies.” - Peter L. Bernstein, Against the Gods
Example…Mercer Oliver Wyman ERM Framework
[Diagram, reconstructed as lists:]
ERM Infrastructure: Vision/Goals; Governance; Oversight Structure; Common Language; Policies; Technology; Tools; Techniques; Tolerance/Appetite; Competency Models
ERM Process (a cycle around Business Goals, Objectives & Strategies): Identify, Assess, and Prioritize Business Risks → Analyze Risks and Current Capabilities → Determine Strategies and Design Capabilities → Develop and Execute Action Plans/Establish Metrics → Measure, Monitor and Report → Aggregate Results with Decision Making Processes
ERM Integration: Operational Processes; Strategic Planning; Quality Process; Six Sigma; SOX; Product Development; Capital Projects; Merger/Post-Merger; Capital Allocation; Performance Management
ERM Culture: Organizational Change Management; Communication; Awareness/Training; Information Sharing; Continuous Improvement
Copyright Mercer Oliver Wyman 2005
COSO ERM Framework
[COSO ERM cube figure not reproduced]
• ERM is a process to help achieve entity objectives across these categories
• Eight interrelated components
• Applies to activities at all levels of the organization
Source: Enterprise Risk Management – Integrated Framework. Committee of Sponsoring Organizations of the Treadway Commission, 2004
COSO & MOW Alignment
COSO components, with their elements:
– Internal Environment: Risk Management Philosophy – Risk Appetite – Board of Directors – Integrity and Ethical Values – Commitment to Competence – Organizational Structure – Assignment of Authority and Responsibility – HR Standards
– Objective Setting: Strategic Objectives – Related Objectives – Selected Objectives – Risk Appetite – Risk Tolerances
– Event Identification: Events – Influencing Factors – Methodologies and Techniques – Event Interdependencies – Event Categories – Risks and Opportunities
– Risk Assessment: Inherent and Residual Risk – Likelihood and Impact – Methodologies and Techniques – Correlation
– Risk Response: Identify Risk Responses – Evaluate Possible Risk Responses – Select Responses – Portfolio View
– Control Activities: Integration with Risk Response – Types of Control Activities – General Controls – Application Controls – Entity Specific
– Information and Communication: Information – Strategic and Integrated Systems – Communication
– Monitoring: Separate Evaluations – Ongoing Evaluations
Mercer Oliver Wyman (MOW) elements aligned against them:
– ERM Infrastructure & Culture: Vision/Goals – Governance – Policies – Tolerances and Appetite – Language
– Process: Objectives & Strategies; Identify, assess, and prioritize enterprise risks; Analyze key risks and current capabilities; Determine strategies and design capabilities; Develop and execute action plans/establish metrics; Measure, monitor and report; Aggregate results/integrate with decision-making process
– ERM Integration: Strategic Planning – Resource allocation – Scorecards – Quality Processes
– ERM Culture and Enabling Activities: Communication – Information – Awareness/Training – Change Management
Copyright Mercer Oliver Wyman 2005
Delta: Created Enterprise Risk Council
[Organization chart:]
• ERC, chaired by the CRO, with members from Safety, Security, Legal, Corp. Audit, Treasury, Controller and Info Security: general/cross functional risks; enterprise wide view, coordination and early identification
• Standing councils for specific risks (deeper dive into specific areas of risk):
  – Safety Security Standing Council: Operational
  – Corp Ethics & Compliance: Compliance/Reg
  – 404 Steering Committee: 404 Compliance
  – Hotline Reporting, Others
Initiated Risk Mapping

• Helpful to put risk into buckets to assess “what’s at risk, where?”
  – Useful in communicating risk priorities and response to Board, others
• Categories vary, but often include:
  – Financial
  – Operational
  – Human Capital
  – Legal
  – Technology
  – Security
  – Political
  – Ethics/Compliance
  – Others?
Developed Risk Matrix, Common Language

• Challenge is finding a common means of evaluating various risks in terms of frequency, severity
• While all risks may eventually be quantified and correlated, did not have the time or resources to do so
  – Idea was subjective process first, quantitative discipline as ERM evolved
• Agreed on Frequency/Likelihood and Severity Matrix for rating risk
  – Severity Matrix blended financial measurements, reputation risk and compliance risk
• Built the language bridge across diverse functions like legal, marketing, human resources, technology, finance
  – Low, Medium, High, “Survival Bet” = Severity
Risk Mapping
Risks are captured by category…
1. Financial
2. Operational
3. Compliance
4. Legal
5. Security
6. Human Capital
7. Technology
8. Political
9. Reputation
And evaluated for overall risk, resulting in a Risk Map (Example/Not Actual):

 #  | Name                                                        | Consequence  | Likelihood  | Severity
 1  | Cargo risk / terrorism                                      | Survival Bet | Medium      | Extreme
 2  | Terrorist/bad guy on plane                                  | Survival Bet | Medium      | Extreme
 3  | Missile attack (terrorism)                                  | Survival Bet | Medium      | Extreme
 4  | Biological release in major airport / contamination         | Survival Bet | Low         | Extreme
 5  | Baggage risk / terrorism                                    | Survival Bet | Low         | Extreme
 6  | Disease outbreak impact air travel confidence               | Survival Bet | Low         | Extreme
 7  | Business Inter/EE from System Failure > 4 hours             | see note     | see note    | see note
 8  | Implementation of and migration to new technologies         | see note     | see note    | see note
 9  | Security of major IT platforms                              | see note     | see note    | see note
 10 | Failure of reservation system                               | High         | Low         | High
 11 | Loss of confidence in management integrity                  | High         | Low         | High
 12 | Multi catastrophic aviation accident - close time proximity | High         | The Lottery | High
 13 | Class action passenger claim                                | Medium/Low   | Medium      | Moderate
 14 | Shareholder litigation                                      | Medium/Low   | Medium      | Moderate
 15 | Contractual breaches                                        | Medium/Low   | Medium      | Moderate
 16 | Internet security breach                                    | Medium/Low   | Medium      | Moderate

Note: the ratings for rows 7 to 9 survive in the extracted slide only as the run “Medium, Medium, High, Medium, High, Medium, Medium, High”; their assignment to individual cells is not recoverable.
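As an added illustration (not part of the presentation, and not Delta's or Mercer's tooling), the following Python script takes the unambiguous rows of the sample register above, orders them worst-first on the slide's own rating scale, and lays them out on a likelihood × consequence grid of the kind a risk map shows. The ordinal ordering of the scales (for instance that “The Lottery” sits below “Low”, and “Survival Bet” above “High”) and the grid layout are assumptions; the slide does not state how the overall Severity is derived from the other two ratings, so the script only ranks and places the ratings it is given.

```python
"""Rank a risk register and lay it out as a likelihood x consequence map.

Added example, not from the presentation. The register below reproduces the
unambiguous rows of the slide's "Example/Not Actual" risk map; the ordinal
scales and the grid layout are assumptions made for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Ordinal scales (assumed): index 0 is the least bad / least likely value.
CONSEQUENCE_SCALE = ["Medium/Low", "Medium", "High", "Survival Bet"]
LIKELIHOOD_SCALE = ["The Lottery", "Low", "Medium", "High"]
SEVERITY_SCALE = ["Moderate", "Medium", "High", "Extreme"]

Entry = Tuple[int, str, str, str, str]  # (id, name, consequence, likelihood, severity)

# Constructed from the slide's sample rows; rows 7-9 are omitted because their
# ratings did not survive extraction intact.
REGISTER: List[Entry] = [
    (1, "Cargo risk / terrorism", "Survival Bet", "Medium", "Extreme"),
    (2, "Terrorist/bad guy on plane", "Survival Bet", "Medium", "Extreme"),
    (3, "Missile attack (terrorism)", "Survival Bet", "Medium", "Extreme"),
    (4, "Biological release in major airport / contamination", "Survival Bet", "Low", "Extreme"),
    (5, "Baggage risk / terrorism", "Survival Bet", "Low", "Extreme"),
    (6, "Disease outbreak impact air travel confidence", "Survival Bet", "Low", "Extreme"),
    (10, "Failure of reservation system", "High", "Low", "High"),
    (11, "Loss of confidence in management integrity", "High", "Low", "High"),
    (12, "Multi catastrophic aviation accident - close time proximity", "High", "The Lottery", "High"),
    (13, "Class action passenger claim", "Medium/Low", "Medium", "Moderate"),
    (14, "Shareholder litigation", "Medium/Low", "Medium", "Moderate"),
    (15, "Contractual breaches", "Medium/Low", "Medium", "Moderate"),
    (16, "Internet security breach", "Medium/Low", "Medium", "Moderate"),
]


def validate(entry: Entry) -> None:
    """Reject ratings that are not on the agreed scales (the 'common language')."""
    _, name, consequence, likelihood, severity = entry
    for value, scale, label in (
        (consequence, CONSEQUENCE_SCALE, "consequence"),
        (likelihood, LIKELIHOOD_SCALE, "likelihood"),
        (severity, SEVERITY_SCALE, "severity"),
    ):
        if value not in scale:
            raise ValueError(f"{name!r}: {label} {value!r} not in {scale}")


def rank_key(entry: Entry) -> Tuple[int, int, int]:
    """Sort key: overall severity first, then consequence, then likelihood."""
    _, _, consequence, likelihood, severity = entry
    return (
        SEVERITY_SCALE.index(severity),
        CONSEQUENCE_SCALE.index(consequence),
        LIKELIHOOD_SCALE.index(likelihood),
    )


def prioritize(register: List[Entry]) -> List[Entry]:
    """Return the register ordered worst-first; ties keep register order."""
    for entry in register:
        validate(entry)
    return sorted(register, key=rank_key, reverse=True)


def survival_bets(register: List[Entry]) -> List[int]:
    """Ids of the risks whose consequence is rated a potential company killer."""
    return [e[0] for e in register if e[2] == "Survival Bet"]


def heat_map(register: List[Entry]) -> Dict[Tuple[str, str], List[int]]:
    """Group risk ids by (likelihood, consequence) cell of the map."""
    grid: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for entry in register:
        validate(entry)
        grid[(entry[3], entry[2])].append(entry[0])
    return dict(grid)


def render(grid: Dict[Tuple[str, str], List[int]]) -> str:
    """ASCII map: rows = likelihood (highest first), columns = consequence (worst right)."""
    width = 14
    header = "likelihood \\ consequence".ljust(24) + "".join(c.ljust(width) for c in CONSEQUENCE_SCALE)
    lines = [header]
    for likelihood in reversed(LIKELIHOOD_SCALE):
        cells = [",".join(str(i) for i in grid.get((likelihood, c), [])) or "-" for c in CONSEQUENCE_SCALE]
        lines.append(likelihood.ljust(24) + "".join(cell.ljust(width) for cell in cells))
    return "\n".join(lines)


if __name__ == "__main__":
    for entry in prioritize(REGISTER):
        print(f"{entry[0]:>2} {entry[4]:<8} {entry[1]}")
    print()
    print(render(heat_map(REGISTER)))
```

Running the script prints the register worst-first (the six Survival Bet items lead, the Moderate items trail) and then the grid, where the upper-right cells are the ones that warrant executive attention and the lower-left ones are the “cost of doing business” hazard risks. `validate` is what enforces the common language the slide describes: a rating that is not on the agreed scale is rejected rather than silently misplaced.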
The Result

• Improved communication and awareness on emerging risk issues
  – Formalized process to get out of day to day risk management trap
• Platform for discussing risk issues and investments with executive leadership and board, and resource allocation
• Identified growing risk areas company was not addressing aggressively (ex. Delta shifting technology dependence, SARS/pandemic, others)
• Combined influence of “risk heads” via ERC moved risk agenda forward faster than they could individually
Net result: Better decision making/resource allocation, fewer surprises
“However beautiful the strategy, you should occasionally look at the results.” Winston Churchill
Key Learnings

• Focus on initial success to seed company for future progress
• Critical success factors in any ERM effort:
  – Clear ownership and accountability of risk
  – Realistic expectations of success of risk control plans
  – Conservative estimates of what risk is left over
  – Priorities on closing the gaps
  – Integrating into financial planning, human capital processes
  – Ongoing communications, “governance” processes to continually re-rank risks, and identify new ones
• Culture, process and relationships matter in execution
ERM is ultimately about changing culture and behavior, driving decision making and measurable results
In Closing

• ERM is a matter of future survival in an increasingly complex world
• Implementation will vary company by company depending on culture, leadership support, internal and external risk profile
• Getting started and making headway is more important than getting it perfect
• ERM won’t make all problems go away… the world is full of surprises… but it will help you prepare and respond more effectively, and it will help every company take more intelligent risks.
“A ship in the harbor is safe, but that is not what ships are for…” Admiral Grace Hopper