Managing Uncertainty, Creating Opportunity Enterprise Risk Management J. Brown, CEO

Basic Model of Value Creation 1. Idea 2. Develop 3. Execute 4. Monetize  How the Information Technology firm creates value  Absent uncertainty, the process simply repeats over time  Not a realistic view

Simplistic Model of Value Creation: Adding Uncertainty 1. Idea 2. Develop 3. Execute 4. Monetize Uncertainly exists and affects all processes, therefore adaptation is required The comprehensive and incisive approach to manage uncertainty is Enterprise Risk Management (ERM): Prevent or minimize disruptions to the value creation chain Improve ability of IT firms to achievestrategic objectives Help ensure survival of IT firm Adapt External Factors

What in this distinguishes IT firms from other services? 1. Idea 2. Develop 3. Execute 4. Monetize Successful execution of steps 1 through 3 gives rise to an “Intellectual asset” (in step 4) that must be protected ERN within the IT firm is different from ERM within other service firms because of substantial, inherent differences in the nature of Intellectual Property assets

What is Enterprise Risk Management (ERM)? Enterprise Risk Management (ERM) is a strategic business discipline that supports the achievement of an organization's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.

Principles of Enterprise Risk Management  Aligning risk appetite and strategy – Management considers the entity’s risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.  Enhancing risk response decisions – Enterprise risk management provides the rigor to identify and select among alternative risk responses – risk avoidance, reduction, sharing, and acceptance.  Reducing operational surprises and losses – Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.  Identifying and managing multiple and cross-enterprise risks – Every enterprise faces a myriad of risks affecting different parts of the organization, and enterprise risk management facilitates effective response to the interrelated impacts, and integrated responses to multiple risks.  Seizing opportunities – By considering a full range of potential events, management is positioned to identify and proactively realize opportunities.  Improving deployment of capital – Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.

Two types of Risk Insurable Risk Operational Risk

Components of ERM Define the risk criteria (e.g., any event that could impact profit by more than 1%) Risk identification (list of possible events, see our Excel chart, IT Risk Assessment) Risk analysis (essentially, impact X probability) Risk treatment, prioritize and: - Avoidance (eliminate, withdraw from or not become involved - Reduction (optimize – mitigate) - Sharing (transfer – outsource or insure) - Retention (accept and budget) Monitoring and review (continually improve the ERM process)

Risk Identification The entity as a while, and each department, faces risk. Each worker is responsible for the risks that affect his/her role and activities. Identify risks on two levels: 1.Corporate Risks: impact the whole organisation and high-level goals and objectives 2.Unit Risks: impact department goals and objectives Categorise risks based on type: Physical Technological Political Financial Operational (HR, IT, Process) Strategic Executive

Integration of ERM Embedded in all practices and processes in a way that it is relevant Should become part of, and not separate from, those organisational processes Embed into the policy development, business and strategic planning and change management process

Operational HRProcessIT FraudCapacityData Integrity Health & SafetyDesignSystem Availability Evacuation PlansExecutionDevelopment Attract/retainProduct QualityMaintenance top talentSupplierSecurity IP Rights Data breach Compliance EXECUTIVE Ethics Board E&O Kidnap, ransom Compliance Regulatory PHYSICAL Catastrophic loss (e.g., fire) Environmental Incidents Weather Asbestos TECHNOLOGICAL Obsolescence Opportunity Emerging STRATEGIC Financial viability Competition M&A Legal disputes Emerging technologies Commodity pricing/volatility Alliances Black Swan Macroeconomic FINANCIAL Tax Access to capital Interest rates Foreign exchange Repatriation of funds Cash Management POLITICAL Policy changes Regulations Enforcement Compliance Foreign government actions

Cross Functional & Emerging View of Risks LegalFinancialBusiness/Strategic CivilOverheadBrand CriminalInterestReputation RegulatoryForeign ExchangeService ContractualInsuranceAlliance FinancingExpansion OperationalSafety/SecurityAudit TechnologySafetyFinancial Controls Info SecurityEnvironmentProcess Risks E-businessEmployee SafetyDisclosure ContinuitySafetyFraud Functional Risk View The challenge is to address cross functional and forward looking “horizon” risks

Risk Register Risks identified and assessed should be documented in a risk register for the organization. We use Microsoft Excel to build out the Information Technology firms’ risks registers (e.g., risk maps). We provide a risk register: Executive Owner –Leader of function (e.g., CFO, Director ) Risk Owner – Person(s) who are responsible for mitigating the risk. The risk owner(s) are usually people whose responsibilities are directly related or impacted by the risk. However, risks may have multiple risk owners. Risk Owner Department – Department that risk and risk owner are assigned to. Risk Description – A sentence or two describing the risk event. Expected/Residual/Current Likelihood Expected/Residual/Current Impact Risk Tolerance Risk Velocity Management Preparedness Please see “Risk Analysis section” for definition

Risk Analysis Following risk identification, stakeholders have to assess the risk using predetermined metrics. The Enterprise Risk Management function created criteria and a scoring system to prioritize the risks. The criteria established are: Likelihood – How likely is the risk to occur? Impact – If the risk were to occur, how much impact would it have on the organization? Tolerance – How much risk is the organization willing to tolerate (e.g., impact and/or likelihood of risk occurring)? Velocity – If the risk were to occur, how long would it be before the organization was impacted? Management Preparedness – How prepared or aware is management of the risk? History has shown that organizations tend to falter when risks were not identified or addressed properly.

Risk Appetite The amount of risk that an organisation is willing to accept in pursuit of corporate objectives Willingness to accept risk LowMediumHigh X X X X X X X Physical Technological Political Financial Operations Strategic Executive

Risk Mitigation Plan Following risk identification, stakeholders have to assess the risk using predetermined metrics Risk Monitoring Timeline Mitigation plan 6 Month check-up: Documentation 12 Month Check- up: Re-score & Documentation Integration

Street Edmonton, AB T6B 3J