Enterprise Risk Management Definition Enterprise Risk Management (ERM) is the capability to protect enterprise value by managing risk: –With a coordinated and systematic approach, –Organization-wide, and –Across all types of risk.
ERM Inflection Point 9/11, Anthrax, Terrorism near misses Corporate Governance Crisis –Enron –Arthur Andersen –WorldCom –Adelphia –GE Reveal and amplify underlying trends impacting need for “enterprise” approach to risk management
Trend: Interconnectivity and Infrastructure Today’s business system –Complex –Tightly coupled –Heavily dependent on infrastructure Interconnectivity of infrastructure –Telecommunications –power generation and distribution –Transportation –Medical care –National defense –Other critical government services Ripple effects of infrastructure failure Terrorist employed low tech weapons to inflict massive physical or psychological damage –Box cutters –Envelopes
Trend: Low Cost of Tools Technologies/tools that have the ability to inflict massive damage are getting cheaper and easier to obtain every day Being used by competitors, customers, employees, litigation teams, etc. Examples: –Recent wave of viruses and worms –Cyber Activism: The Electronic Disturbance Theater and Floodnet –CyberTerrorism: NATO computers hit with e-mail bombs and denial-of-service attacks during 1999 Kosovo conflict
Trend: New Laws, Regulations and Agencies Largest, most aggressive expansion HIPAA –Privacy –Information Security –Physical Security –Business Continuity C-TPAT (Customs-Trade Partnership Against Terrorism) –Process Control –Physical Security –Personnel Security Sarbanes-Oxley Act –Accounting –Internal Control Review –Executive Verification –Ethics and Whistleblower Protection Department of Homeland Security –Consolidation of Agencies with various “risk” responsibilities
Response: Be Strategic Be Strategic - Your issues matter more now than ever Position your program as more than “insurance” Speak Language of Senior Management – “Value”
Response: Be Strategic Are we in alignment with organizational value drivers and strategies Can we implement our strategy effectively? Do we have the right –Organizational structure –Tools –Metrics –“Go to market” approach?
Response: Value Drivers Customer Satisfaction –Impact on external customers –# of customers impacted –Duration of impact People –Loss/ access to private employee information –Workforce endangerment –Access to executive information, systems, etc Financial –Cost Increase –Revenue loss Intangible –Proprietary information –Damage to brand Computer Systems –Number of systems impacted –Number of internet facing systems impacted/vulnerable
Response: Update or Create Risk Profile Focus on risks that matter to value drivers Determine response triggers and thresholds Consider Interconnectivity of risks Present to management in their terms (Value Drivers) Drive your strategic planning
Response: Develop Strategic Plan Strategic Plan Implementation Framework Metrics Organizational Change Program Management
Tools RiskWeb Early Warning System Assessment and Quantification tools Culture Knowledge Mgmt Metrics Training Communication Assess Risk Treat Risk Monitor & Report Enterprise-wide Integration Strategic Planning Programs/PMO Processes Functions Risk Management Process Allocation of Capital Control Cost Drive Innovation Manage Growth Risk Attributes Lifecycle Individual Portfolio Qualitative Quantitative Organization Enterprise Risk Committee CRO or ERM Manager Risk Strategy & Appetite Internal Audit Risk Mgmt IT Security ERM BCP Legal EH&S Risk Strategy Appetite Prioritize Treatment Approach Program Strategy Develop Deploy Continuously Improve Risk Functions Business Objectives Risk Drivers Strategy Capability Capability Functions Process Organization Culture Tools Enterprise- Wide Integration Risk Attributes Risks Strategic Operational Stakeholder Financial Intangible ERM Framework