IT Risk Management, Planning and Mitigation TCOM 5253 / MSIS 4253 Enterprise Risk Management (ERM) 23 August 2007 Charles G. Gray

The material in this presentation is adapted from “Enterprise Risk Management – Integrated Framework” published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, copyright 2004. Used by permission. (The name is derived from the name of the first chairman of the 1985 National Commission on Fraudulent Financial Reporting, James C. Treadway, EVP and General Counsel, Paine Webber, Inc., and former Commissioner of the SEC.)

ERM Defined “A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Why is ERM Important? Every entity, whether for-profit or not, exists to realize value for its stakeholders Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.

ERM and Value Creation ERM enables management to: Deal effectively with potential future events that create uncertainty Respond in a manner that reduces the likelihood of downside (negative) outcomes and increases the upside (positive).

The ERM Framework View objectives in the context of Strategy Operations Reporting Compliance Consider activities at all levels Enterprise-level Division or subsidiary Business unit processes

Portfolio View of Risk Management must consider how individual risks interrelate Develop a “portfolio view” from the perspective of Business unit level Entity level A “holistic” view of how various risk factors impinge on the enterprise

Components of the ERM Framework Internal environment Setting objectives Event identification Risk assessment Risk response Control activities Information and communication Monitoring

Internal Environment Establishes a philosophy regarding risk management Recognizes that unexpected as well as expected events may occur Establishes the enterprise “risk culture” Consider all other aspects of how the organization’s actions may affect its risk culture

Setting Objectives Applies when management considers risk strategy in the setting of objectives Forms the “risk appetite” – a high level view of how much risk management is willing to tolerate in pursuit of objectives Risk tolerance – acceptable level of variation around objectives aligned with risk appetite

Event Identification Differentiates risks and opportunities Events with negative impact are risks Events that may be positive represent offsets (opportunities), which management channels back to strategy setting Identify internal or external incidents that could affect achievement of objectives Addresses how internal and external factors interact to influence the risk profile

Risk Assessment Evaluate the extent to which potential events might impact objectives Assesses risk as to likelihood and impact Assess risk related to objectives Combination of both qualitative and quantitative assessment methodologies Relates time horizons to objective horizons Assesses risk on both inherent and residual basis

Risk Response Identify and evaluate possible responses to risk Evaluates options vis-à-vis risk appetite Cost vs. benefit Degree to which a response will reduce impact and/or likelihood Selects and executes response based on evaluation of the portfolio of risks and responses

Control Activities A strong system of internal control is essential to effective risk management Policies and procedures that help ensure that the risk responses, as well as other directives, are carried out Should occur throughout the organization, at all levels and in all functions Include application and general information technology controls

ERM Roles and Responsibilities Board of directors Senior management CEO, CIO, CFO, COO, other? Unambiguous and enthusiastic support Risk officers VP, chief risk officer, chief security officer Risk/security steering committee Internal auditors

Key Implementation Factors Organization design of the enterprise Establishing an ERM organization Performing risk assessments Determining the overall risk appetite Identifying risk responses Communication of risk evaluation results Monitoring Management oversight and periodic review

Risk Appetite What risks will the organization not accept? E.g., Damage to corporate image What risks will the organization take on new initiatives? E. g., New products What risks will the organization accept for competing objectives? Sacrifice profit for environmental issues (PR)

Risk Appetite - Definitions The amount of risk exposure or potential adverse impact from an event that the organization is willing to accept The level of risk an organization is prepared to be exposed to before it decides that action is necessary The level of risk you’re willing to live with before you do something about it The amount of risk you’re prepared to take in order to achieve objectives