Excellence in Risk Management

Excellence in Risk Management IIA Qualitative Survey of Enterprise Risk Management ProgramsApril 18, 2005Marsh2What Is ERM?―Assessing and addressing risk from all sources.‖―A process to manage all risks of the enterprise.‖―Managing your business with a more deliberate and systematic focus on risk.‖―Implementing the infrastructure and culture within the organization to make good decisions on risk.‖Respondents shared these definitions with us:Marsh3“Excellence in Risk Management” Studies ―Excellence in Risk Management I‖ studied the risk management practices of 30 top-performing risk managers in North America. Findings presented at the 2004 RIMS conference included the following:–The events of the past 10 years have resulted in a dramatic shift in the the importance of risk management and its practices. –There is an opportunity for risk managers to play a more strategic role in their organizations.–Companies can recognize a significant financial impact by controlling risk and recognizing profit from risk-related strategies.–Successful risk management relies on a robust hierarchy of information and integrated information systems. Using ―Excellence I‖ as a foundation of understanding, ―Excellence II‖ examines the characteristics and practices of organizations that are implementing an enterprise-wide risk management program. Marsh4Excellence in Risk Management II—Research Parameters and Methodology Methodology:Qualitative versus quantitative approachIn-depth interviews within five large organizations that are implementing an ERM programIndustries represented:Information services (2)Financial services (2)Commodity services (1)Interviews with 25 individuals at these organizations, including risk management at each companyInterviews were administered by phone to obtain insights on practices, perceptions, organizational dynamics, and relationshipsInterviews were supplemented by a short closed-end questionnaire covering basic topicsInterviews were conducted by Greenwich AssociatesMarsh5Who We Interviewed Risk Management (7)Operations (8)Audit (5)Compliance and Legal (3)Business-Unit Head (1)Safety (1)Marsh6Key TakeawaysRecognize the fundamental benefits of ERMUnderstand how to implement ERMUnderstand how to sustain ERM in your companyMarsh7Enterprise Risk Management—Applying Risk Management Discipline More BroadlyObjectiveSettingRiskIdentificationRisk AssessmentRisk MitigationControl ActivitiesMonitoring•All Types of Risk•Broad Focus•ContinuousCommunicationSource: The Committee of Sponsoring Organizations of the Treadway CommissionMarsh8Survey Results OverviewWhy ERM?Getting Senior-Management SupportCreating a Process to Support ERMBuilding ERM Into the Corporate CultureKey TakeawaysWhy ERM? Marsh10ERM Benefits“I’m liberating people in our company about risk and uncertainty so that they can better achieve the objectives that they made to the board.”-Risk ManagerMarsh11As Organizations Adopt ERM, the Role of Risk Manager Becomes More StrategicStrategic Risk ManagementProgressive Risk ManagementTraditional Risk ManagementImpact On Organization’s Bottom Line and CultureOrganizational Buy-InTechnical ManagementMarsh12As Companies Develop an ERM Approach, Potential Benefits Multiply. Support Objectives. Improve Earnings and Cash Flow. Manage Growth. Capture Opportunities. Reduce Losses . Lower Insurance CostsManaging RiskTransferringRiskOptimizingRiskAdvanced Risk ManagementDefensive Risk ManagementERM Approach. Purchase Insurance and Cover RisksMarsh1373%80%80%80%Risk ManagerOtherAgree/Strongly AgreeThe Role of Risk Management in the FirmThe firm views risk management as a keystrategic functionThe role of the risk manager has becomemuch more strategicwith implementationof ERMRisk ManagerOther(Risk Manager: n=5; Other: n=15)Marsh1431%81%20%100%60%88%75%80%StrategicOperationalHighly Significant Benefits (4 & 5)FinancialHazardQ21. With the implementation of an integrated approach to risk management across the firm in all of the risk areas (ERM), how would you rate the benefits accruing—or expected to accrue—in each of the major types of risk? Please rate on a scale of 1 to 5, where 1 is ―None‖ and 5 is ―Highly Significant.‖Benefits of ERM Implementation inMajor Risk AreasRisk ManagerOtherRisk ManagerOtherRisk ManagerOtherRisk ManagerOther(Risk Manager: n=5; Other: n=16)Marsh1540%80%80%100%.Risk ManagerOtherPresent and Future Benefits of ERMAgree/Strongly AgreeThere are tremendousfuture potential benefits in ERM that have not yet been realizedThe firm is recognizing substantial benefits from ERM todayRisk ManagerOther(Risk Manager: n=5; Other: n=15)Marsh1694%88%80%100%100%94%100%100%Highly Significant Benefits (4 & 5)Risk ManagerOtherRisk ManagerOtherRisk ManagerOtherRisk ManagerOtherImproved communications on risk taking to shareholders/boardBetter-informed decisionsBetter allocation of capital and resources to address riskImproved corporate governance practices(Risk Manager: n=5; Other: n=16)Perceived Benefits of ERMMarsh17Examples of ERM BenefitsMultimillion-dollar project undertaken once risk profile understoodOffshore outsourcing program cancelled once high risk was assessedNatural hedge discoveredFacilitated M&A processReduced insurance ratesDecided not to discontinue product once risk was understoodMarsh18ERM—Driving ForcesCompany Risk Management FocusUnderstanding RiskControlling RiskOptimizing RiskExternal ForcesSarbanes-OxleySix SigmaCorporate ScandalsRegulatory InitiativesSeptember 11Natural DisastersInternal ForcesManaging Earnings and Cash FlowsStakeholder AccountabilityMeeting ObjectivesRegulatory Compliance Getting Senior-Management Support Marsh20Consensus That Board and Senior-Management Buy-In of ERM Is Essential to Acceptance by the OrganizationBoardSenior ManagementFunctional ManagementBusiness Units and Operations•Alignment with board objectives•Senior-level champion•Continued involvement•Sets the tone•Link to investorsMarsh21Continued Support From Senior Management Requires Direct Communication By ERM Team•Risk committees•Senior-management risk committee•Board level: audit committee /separate risk committee•Internal audit•Continuous communications•―Don’t shoot the messenger‖ attitude•Help from brokers and consultants•Can jump-start processCreating a Process to Support ERMMarsh23Accountability and Reporting at All Levels Is Required to Support the ERM ProcessBoardSenior ManagementCEO CFOCROCOO CTOOperationsBusiness UnitsFunctionalManagementCross-Functional ERM TeamRisk Management, Audit, Compliance/LegalRisk CommitteeRisk CommitteeMarsh24Organization to Support ERM—Key Takeaways•Separate risk committees to board and senior management•Risk management representation in senior management •Cross-functional ERM team—risk management, internal audit, legal, and compliance form core team•Representation from operations/business units and functional management •Human resources conspicuous in its absenceMarsh25ObjectivesPolicies and ProceduresDecisionsPlans and BudgetsFinancial StrategyEnterprise Risk ManagementCorporate StrategyLink to Strategic Objectives and Integrate ERM Thinking Into Regular Business ActivitiesMarsh26Reinforce the ERM Process With a CommonLanguage and Training•Establish a common language about risk•Simple•In conformity with culture•Take a consultative approach to training by using workshops•Use available technology•Keep it simpleBuilding ERM Into the Corporate Culture Marsh28“Risk management is everybody’s job. Everybody who does anything in the company is a risk manager to some extent.”-Senior ManagerERM in the Corporate Culture“The most important thing is to get buy-in from the most senior levels of the organization first. Until you do that, you’re going to have great ideas, but they’ll never see the light of day.”-Risk ManagerMarsh2993%100%Risk ManagerOtherAgree/Strongly AgreeEmbedding ERM in Corporate CultureImplementation of ERM requires and results in a cultural change in the organization(Risk Manager: n=5; Other: n=15)Marsh30How to Influence Thinking to Include ERMCommunicationsCompensationPerformanceMeasurementLearning &Development“Grooming”InternallyAll CompanyEmployees“Lifetime” Mentality to ERMKey Takeaways Marsh32ERM Risk Analysis Involves Five Fundamental Steps—Applied to All Areas of Risk1. IdentifyRisks2. AssessImpact3. AssessLikelihood4. Quantify & Prioritize5. OptimizeMarsh33ERM Demands a Strategic Role for Risk Managers ERM ApproachAdvanced RiskManagementDefensive Risk ManagementStrategic Risk ManagementProgressive RiskManagementTraditional Risk ManagementCompany ERM EvolutionRisk Manager EvolutionVALUEMarsh34For Low-Frequency Risks, ERM Can RevealHidden Risks Requiring Action and Help in Prioritizing Resources High ImpactHigh Impact Low Likelihood Low Impact Low LikelihoodHigh Impact High Likelihood Low Impact High Likelihood Low ImpactLow LikelihoodHigh LikelihoodMarsh35Cautions•Don’t treat ERM as one-time project •Overkill can create backlash•Need tangible accomplishments to keep momentumMarsh36Recommendations―Just do it! ‖Get started Identify a champion Get senior-management buy-in Start prioritizing risks using ―Top10‖ approach Perform business practice reviews Hold risk workshops Leverage existing initiatives–Sarbanes-Oxley–Six Sigma–Audit and compliance initiatives–Strategic planningMaintain sensitivity to seismic events in the companyEmploy team approach to the task of implementing ERM Formalize it: –Structured approach to organizing processes /lines of reporting Keep ERM technology simple and understandable Embed ERM in existing business processes Treat ERM as a process, not a project Marsh37Final Thought“The key to high-performance risk management is aligning risk strategy among key risk stakeholders, obtaining and sustaining senior management engagement, and achieving effective integration with strategic planning.”-Risk ManagerThank YouRIMS and Marsh are proud to have sponsored the Excellence in Risk Management II surveyMarsh is part of the family of MMC companies, including Kroll, Guy Carpenter, Putnam Investments, Mercer Human Resource Consulting (including Mercer Health & Benefits, Mercer HR Services, Mercer Investment Consulting, and Mercer Global Investments), and Mercer specialty consulting businesses (including Mercer Management Consulting, Mercer Oliver Wyman, Mercer Delta Organizational Consulting, NERA Economic Consulting, and Lippincott Mercer).The Risk and Insurance Management Society, Inc. (RIMS) is a not-for-profit organization dedicated to advancing the practice of risk management, a professional discipline that protects physical, financial and human resources. Founded in 1950, RIMS represents nearly 4,000 industrial, service, nonprofit, charitable, and governmental entities. The Society serves over 9,600 risk management professionals around theworld.Copyright 2005 Marsh Inc. All rights reserved. Compliance # MA6-10480