April 18, 2005
Excellence in Risk Management II
A Qualitative Survey of Enterprise Risk Management Programs
What Is ERM?
Respondents shared these definitions with us:
“Assessing and addressing risk from all sources.”
“A process to manage all risks of the enterprise.”
“Managing your business with a more deliberate and systematic focus on risk.”
“Implementing the infrastructure and culture within the organization to make good decisions on risk.”
Marsh
“Excellence in Risk Management” Studies
“Excellence in Risk Management I” studied the risk management practices of 30 top-performing risk managers in North America. Findings presented at the 2004 RIMS conference included the following:
– The events of the past 10 years have resulted in a dramatic shift in the importance of risk management and its practices.
– There is an opportunity for risk managers to play a more strategic role in their organizations.
– Companies can recognize a significant financial impact by controlling risk and recognizing profit from risk-related strategies.
– Successful risk management relies on a robust hierarchy of information and integrated information systems.
Using “Excellence I” as a foundation of understanding, “Excellence II” examines the characteristics and practices of organizations that are implementing an enterprise-wide risk management program.
Excellence in Risk Management II— Research Parameters and Methodology
Methodology:
Qualitative versus quantitative approach
• In-depth interviews within five large organizations that are implementing an ERM program
• Industries represented:
– Information services (2)
– Financial services (2)
– Commodity services (1)
• Interviews with 25 individuals at these organizations, including risk management at each company
• Interviews were administered by phone to obtain insights on practices, perceptions, organizational dynamics, and relationships
• Interviews were supplemented by a short closed-end questionnaire covering basic topics
• Interviews were conducted by Greenwich Associates
Who We Interviewed
• Risk Management (7)
• Operations (8)
• Audit (5)
• Compliance and Legal (3)
• Business-Unit Head (1)
• Safety (1)
Key Takeaways
Recognize the fundamental benefits of ERM
Understand how to implement ERM
Understand how to sustain ERM in your company
Enterprise Risk Management—Applying Risk Management Discipline More Broadly
Objective Setting
Monitoring
Risk Identification
• All Types of Risk
• Broad Focus
• Continuous
Communication
Risk Assessment
Control Activities
Risk Mitigation
Source: The Committee of Sponsoring Organizations of the Treadway Commission
Survey Results Overview
Why ERM?
Getting Senior-Management Support
Creating a Process to Support ERM
Building ERM Into the Corporate Culture
Key Takeaways
Why ERM?
ERM Benefits
“I’m liberating people in our company about risk and uncertainty so that they can better achieve the objectives that they made to the board.” -Risk Manager
As Organizations Adopt ERM, the Role of Risk Manager Becomes More Strategic
Strategic Risk Management
Impact On Organization’s Bottom Line and Culture
Progressive Risk Management
Organizational Buy-In
Traditional Risk Management
Technical Management
As Companies Develop an ERM Approach, Potential Benefits Multiply
ERM Approach: Optimizing Risk
• Support Objectives
• Improve Earnings and Cash Flow
• Manage Growth
• Capture Opportunities
Advanced Risk Management: Managing Risk
• Reduce Losses
• Lower Insurance Costs
Defensive Risk Management: Transferring Risk
• Purchase Insurance and Cover Risks
The Role of Risk Management in the Firm
Agree/Strongly Agree (Risk Manager: n=5; Other: n=15)
• The role of the risk manager has become much more strategic with implementation of ERM: Risk Manager 80%, Other 80%
• The firm views risk management as a key strategic function: Risk Manager 80%, Other 73%
Benefits of ERM Implementation in Major Risk Areas
Highly Significant Benefits (4 & 5) (Risk Manager: n=5; Other: n=16)
• Strategic: Risk Manager 80%, Other 75%
• Financial: Risk Manager 60%, Other 88%
• Operational: Risk Manager 100%, Other 81%
• Hazard: Risk Manager 20%, Other 31%
Q21. With the implementation of an integrated approach to risk management across the firm in all of the risk areas (ERM), how would you rate the benefits accruing—or expected to accrue—in each of the major types of risk? Please rate on a scale of 1 to 5, where 1 is “None” and 5 is “Highly Significant.”
Present and Future Benefits of ERM
Agree/Strongly Agree (Risk Manager: n=5; Other: n=15)
• There are tremendous future potential benefits in ERM that have not yet been realized: Risk Manager 100%, Other 80%
• The firm is recognizing substantial benefits from ERM today: Risk Manager 80%, Other 40%
Perceived Benefits of ERM
Highly Significant Benefits (4 & 5) (Risk Manager: n=5; Other: n=16)
• Improved communications on risk taking to shareholders/board: Risk Manager 100%, Other 100%
• Better-informed decisions: Risk Manager 100%, Other 94%
• Better allocation of capital and resources to address risk: Risk Manager 100%, Other 88%
• Improved corporate governance practices: Risk Manager 80%, Other 94%
Examples of ERM Benefits
• Multimillion-dollar project undertaken once risk profile understood
• Offshore outsourcing program cancelled once high risk was assessed
• Natural hedge discovered
• Facilitated M&A process
• Reduced insurance rates
• Decided not to discontinue product once risk was understood
ERM—Driving Forces
External Forces
• Sarbanes-Oxley
• Six Sigma
• Corporate Scandals
• Regulatory Initiatives
• September 11
• Natural Disasters
Internal Forces
• Managing Earnings and Cash Flows
• Stakeholder Accountability
• Meeting Objectives
• Regulatory Compliance
Company Risk Management Focus
• Understanding Risk
• Controlling Risk
• Optimizing Risk
Getting Senior-Management Support
Consensus That Board and Senior-Management Buy-In of ERM Is Essential to Acceptance by the Organization
• Alignment with board objectives
• Senior-level champion
• Continued involvement
• Sets the tone
• Link to investors
Board
Senior Management
Functional Management
Business Units and Operations
Continued Support From Senior Management Requires Direct Communication By ERM Team
• Risk committees
• Senior-management risk committee
• Board level: audit committee / separate risk committee
• Internal audit
• Continuous communications
• “Don’t shoot the messenger” attitude
• Help from brokers and consultants
• Can jump-start process
Creating a Process to Support ERM
Accountability and Reporting at All Levels Is Required to Support the ERM Process
Risk Committee
Board
Risk Committee
Senior Management
Cross-Functional ERM Team
CEO CFO CRO COO CTO
Risk Management, Audit, Compliance/Legal
Business Units
Functional Management
Operations
Organization to Support ERM—Key Takeaways
• Separate risk committees to board and senior management
• Risk management representation in senior management
• Cross-functional ERM team—risk management, internal audit, legal, and compliance form core team
• Representation from operations/business units and functional management
• Human resources conspicuous in its absence
Link to Strategic Objectives and Integrate ERM Thinking Into Regular Business Activities
Decisions
Objectives
Financial Strategy
Corporate Strategy
Enterprise Risk Management
Policies and Procedures
Plans and Budgets
Reinforce the ERM Process With a Common Language and Training
• Establish a common language about risk
• Simple
• In conformity with culture
• Take a consultative approach to training by using workshops
• Use available technology
• Keep it simple
Building ERM Into the Corporate Culture
ERM in the Corporate Culture
“Risk management is everybody’s job. Everybody who does anything in the company is a risk manager to some extent.” -Senior Manager
“The most important thing is to get buy-in from the most senior levels of the organization first. Until you do that, you’re going to have great ideas, but they’ll never see the light of day.” -Risk Manager
Embedding ERM in Corporate Culture
Agree/Strongly Agree (Risk Manager: n=5; Other: n=15)
• Implementation of ERM requires and results in a cultural change in the organization: Risk Manager 100%, Other 93%
How to Influence Thinking to Include ERM
Communications
“Grooming” Internally
Compensation
Learning & Development
Performance Measurement
All Company Employees
“Lifetime” Mentality to ERM
Key Takeaways
ERM Risk Analysis Involves Five Fundamental Steps—Applied to All Areas of Risk
1. Identify Risks
2. Assess Impact
3. Assess Likelihood
4. Quantify & Prioritize
5. Optimize
ERM Demands a Strategic Role for Risk Managers
Strategic Risk Management
ERM Approach
Progressive Risk Management
VALUE
Advanced Risk Management
Traditional Risk Management
Defensive Risk Management
For Low-Frequency Risks, ERM Can Reveal Hidden Risks Requiring Action and Help in Prioritizing Resources
High Impact
High Impact Low Likelihood
High Impact High Likelihood
Low Impact
Low Impact Low Likelihood
Low Impact High Likelihood
Low Likelihood
High Likelihood
Cautions
• Don’t treat ERM as a one-time project
• Overkill can create backlash
• Need tangible accomplishments to keep momentum
Recommendations
• “Just do it!”
• Get started
• Identify a champion
• Get senior-management buy-in
• Start prioritizing risks using “Top 10” approach
• Perform business practice reviews
• Hold risk workshops
• Maintain sensitivity to seismic events in the company
• Employ team approach to the task of implementing ERM
• Formalize it:
– Structured approach to organizing processes / lines of reporting
• Keep ERM technology simple and understandable
• Embed ERM in existing business processes
• Treat ERM as a process, not a project
• Leverage existing initiatives
– Sarbanes-Oxley
– Six Sigma
– Audit and compliance initiatives
– Strategic planning
Final Thought
“The key to high-performance risk management is aligning risk strategy among key risk stakeholders, obtaining and sustaining senior management engagement, and achieving effective integration with strategic planning.”
-Risk Manager
Thank You
RIMS and Marsh are proud to have sponsored the Excellence in Risk Management II survey
Marsh is part of the family of MMC companies, including Kroll, Guy Carpenter, Putnam Investments, Mercer Human Resource Consulting (including Mercer Health & Benefits, Mercer HR Services, Mercer Investment Consulting, and Mercer Global Investments), and Mercer specialty consulting businesses (including Mercer Management Consulting, Mercer Oliver Wyman, Mercer Delta Organizational Consulting, NERA Economic Consulting, and Lippincott Mercer).
The Risk and Insurance Management Society, Inc. (RIMS) is a not-for-profit organization dedicated to advancing the practice of risk management, a professional discipline that protects physical, financial and human resources. Founded in 1950, RIMS represents nearly 4,000 industrial, service, nonprofit, charitable, and governmental entities. The Society serves over 9,600 risk management professionals around the world.
Copyright 2005 Marsh Inc. All rights reserved.
Compliance # MA6-10480