Escolar Documentos
Profissional Documentos
Cultura Documentos
Underwritten by:
ctc guide to
Contents
Introduction
Page 1
Page 3
Page 3
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Page 11
Page 12
Case Studies
Page 14
Page 14
Page 16
Page 19
Page 22
Page 27
According to Peter Frank, Partner at PricewaterhouseCoopers (PwC), whether or not theres a formal
ERM program is a separate question than whether or
not a company is successfully managing its risks. Some
companies have very sophisticated risk cultures and do
not necessarily overlay those cultures with an explicit
ERM process. The companies that do [ERM] well have
to combine a cultural appreciation for risk with rigor of
process, noted Frank. Certainly companies in industries
such as chemicals, oil and banking have a history of
developing sophisticated risk awareness programs. Yet,
some of the most spectacular risk failings in recent history have occurred within such organizations. A forensic
review typically indicates a failure in risk management,
said Frank. For ERM to work, he said, There needs to
be a culture and a process, and general sophistication of
risk. Without all three theres not going to be success.
What success looks like
Each of the companies in this guide is in a very different phase of what they all call a journey, from the earliest
stages of ERM to the most mature programs, based on
the rigor of the program and how embedded ERM
already is into their strategic planning process.
At a very large industrial equipment dealer (see
Case Study 1: The ERM Pivot on page 14), a recent
enterprise resource planning (ERP) implementation
gone bad spurred a rethinking of risk management
in the company. That led to the hiring of a VP-level
risk executive, a former consultant. According to
this ERM practitioner, there are various ways ERM
can add value. From our perspective, he said, the
emphasis is going to be on being more proactive
www.AFPonline.org
RISK
as Downside
and Upside
Quantify
RISK
RISK
Capacity
www.AFPonline.org
>
www.AFPonline.org
North
Europe
America
38%
40%
Revenues Revenues
Under
At Least
$1 Billion $1 Billion
39%
34%
Publicly
Traded
Privately
Owned
35%
38%
28 38 23 38 33 24
26 8 24 19 26 19
Other
2 3 1 3 4 0
11
14
19
Association for Financial Professionals (AFP) in collaboration with Zanders Treasury and Finance Solutions.
The survey shows that companies are in the midst of a
mindset transformation, and are increasingly aware of
the value-added potential of a risk management function
that examines risk as a two-sided coin. More than half
the survey respondents indicate their companies are considering making or have recently made a shift to viewing
risk on an integrated basis and 87 percent see business
improvement as a key objective of risk management
(see Figures 1 and 2). According to the survey analysis,
this realization supports the transformation of the risk
management function to a more strategic one that exists
to enable and support business goal realization.
Whats more, a majority of organizations say ERM is
the most promising development for risk management.
A 2012 study of 200 companies by Deloitte &
Touche LLC confirms these findings. It found that
79 percent of respondents were significantly reworking their risk management process, activities, strategy
www.AFPonline.org
North
All
America Europe
Revenues Revenues
Under
At Least
$1 Billion $1 Billion
Publicly
Traded
Privately
Owned
34%
33% 30% 36% 33% 37% 30%
2
4 3 1 4 3 3
www.AFPonline.org
>
RISK
as Downside
and Upside
RISK
Capacity
Quantify
RISK
14%
13%
7%
4%
5%
4%
2%
2%
2%
6%
4%
4%
3%
3%
4%
3%
1%
2%
s
s
s
s
e
n
g
g
ts
et
re
ar
er
ud
ge
isk
ion
nce urce
ent
ent
gin
clin gratio onflic
ack astin
ark
fra
pr
ssu
ew
nov
and rat
era
de
fide
so
etb
shi n pre nt tur
c
hed statem
tlem cial
ec
e m e pric
lev
te
em integ
r
r
e
d
o
i
ial
con enue
set finan
al s d for
n
ial
rice IT in atory
c
e
t
e
v
c
g
f
n
ct rger
i
c
r
r
p
r
n
t
n
o
n
m
l
o
u
n
a
r
n
l
c
r
e
s
p
o
tio
a
ity
ev
ati
Ma
gu
rod /Me
fina ancia
nt o estru
fina
Po
ga and/o
od
ed
nag tor los tive r /oper r dem
Re
or
n
ep
me
/liti
ive
D
a
ma
rsifi
mm
Fin
Po
o
cor uisitio ringe
uits rities
ess
ves ltern
ive
Co
ior
ring
Po
s
n
c
i
n
f
d
n
u
I
x
w
t
a
q
a
n
n
l
e
e
i
E
c
c
S
U
gu
il la
or
nd
tru
ra
clin
Civ g irre
etit
De Poo
xpa te res
mp
tin
to e
ra
n
Co
o
u
e
r
p
r
co
lu
Co
Ac
Fai
Strategic
Risks
65%
Operational
Risks
13%
Legal and
Compliance
Risks
7%
Financial
Risk
15%
www.AFPonline.org
RISK
as Downside
and Upside
Quantify
RISK
RISK
Capacity
www.AFPonline.org
>
www.AFPonline.org
RISK
as Downside
and Upside
Quantify
RISK
RISK
Capacity
www.AFPonline.org
>
10
www.AFPonline.org
RISK
as Downside
and Upside
Quantify
RISK
RISK
Capacity
www.AFPonline.org
11
12
www.AFPonline.org
www.AFPonline.org
13
Case Studies
>
14
www.AFPonline.org
www.AFPonline.org
15
>
16
www.AFPonline.org
Board and management level buy-in is critical to the running of the ERM program.
Youre setting the tone at the top, said one IAMGOLD executive.
3. Risk policy. Document the risk policy and
processes, including reporting and communications, and how ERM is integrated into the business
planning process.
4. Risk infrastructure. Document the companys
appetite for risk and implement technology tools
to track the risks that impact the business and strategic plan. The company is currently at this stage.
The ERM framework was initially designed by
Internal Audit/Risk Management (IARM). IARM supports management in reporting to the board and Audit
Committee [about] how we are doing versus our risk
framework, the executives said. We sit down with the
Executive Leadership Team and review risks in terms of
both a short- and long-term horizon and in relation to
our business and strategic plans. That overview is then
captured within key areas including compliance, financial, strategic and operational risks.
We get input from all functional and site leadership, reported one executive. We do functional, site
management and executive level reviews, and based on
the collective input we come up with the most significant risks to us.
The IAMGOLD team noted that ERM is an important,
comprehensive and proactive undertaking that is used to
assess and manage the companys key risks. Its an evolving
program. Wherever there is a potential risk, we identify it,
address it and update our risk universe, they said, adding
that while the key risks will get the most attention, all risks
are continuously on the radar screen.
IARM is the ERM process owner in terms of developing, monitoring and reporting protocols and their
respective action items. Execution is handled by the
functional and business unit executives. Specific risks
are assigned to specific individuals. IARM pulls that
together and reports to the board through the oversight
of the Audit Committee on a quarterly basis and more
frequently if necessary.
Such board and management level buy-in is critical
to the running of the program. The engagement from
www.AFPonline.org
17
18
Evolving program
This year, IARM is working to create a more robust,
detailed risk policy and document the companys risk
appetite and tolerance level. That does not mean there
is not one now. The work the team did defining the
process already gave rise to a substantial amount of
documentation. There is a common definition and
clarity around how things are defined, explained one
executive. It is important to ensure that we define risks
in a consistent way so there is a constructive conversation. There is a lot of work that has already been done
in standardizing the nomenclature. The team added:
We have a lot of information and insight about the
process, risk impact and the policy. As we discuss it, we
continue to refine it.
Advice for others
The IAMGOLD executives offered this collective advice to their peers, in terms of key ERM success factors:
1. Buy-in from the top. This is the key item for
success that [we] would suggest for any ERM
program. Without it, it is going to be a much
less effective process. It is important to
understand how this can add value to the
business, from an investment, compliance and
operational perspective.
2. A robust process. Next in line is having a
rigorous process. According to these ERM pros,
the companys four-phase approach lends structure
to the process.
3. Keep it fresh. Dont do it once and put it away,
they advised. It needs to be a living, breathing
process as your business develops.
4. Get the right people in the room. Finally, according to these ERM veterans, it is important to get
the right people to assess the right set of risk areas.
www.AFPonline.org
>
HCA Holdings, Inc. is a $33 billion hospital and healthcare provider, with 162 hospitals and 113 freestanding
surgery centers in 20 states and England. The company
was founded in 1968 and has since grown considerably
into one of the nations leading healthcare providers with
over 200,000 employees.
According to David Hughes, HCAs Assistant Vice
President, Enterprise Risk Management and Business
Continuity Planning, theres no single way to do ERM.
What Ive seen is that there are few people who are doing it the same way, Hughes said. Companies that are
successful have figured what works best in their environment and their company and have had great success
and their programs are growing. Some things work for
others and not us, he said. Ultimately, its got a lot to
do with management vision and the companys culture.
Taking incremental steps
Hughes believes HCAs program has been successful because it started small and grew over time. While
some new ERM technologies and tools are coming on
line, Hughes is not sure such systems would necessarily add value. Most are too detailed. Many have tried
to take SOX tools and make them into ERM tools,
and drill down really deep into risks related to certain
processes, he offered. Thats not what ERM is about.
Too many people try to do that out of the gate, he
added. They try to look at risk at too granular a level.
You can always drill down later. Start at the top level
and work on communication.
In our company, ERM is a tool for executive management, Hughes explained. If its too detailed and
drills down too deeply, you can lose that connection
and it doesnt really translate into executive management
decision-making, he said. You can always get more
detailed later. Its easier to start at a high level and get
some early successes. Thats how we started.
www.AFPonline.org
19
20
www.AFPonline.org
www.AFPonline.org
21
>
22
www.AFPonline.org
www.AFPonline.org
and the plans are communicated to the broader organization in October. And thats where the entire process
begins again.
In addition to the annual reporting, the top risks are
also organized into one-page dashboards that describe
the risk/problem statement, the mitigation plans including whos responsible and what metrics are used. Those
dashboards are updated twice a year and shared with
senior leadership and the board. (This is only a small
part of the full scale risk communication touch points
for the board; see below.)
To make the risk map a useful tool, we wanted a
visual map with color schemes and shapes, but a four
dimensional tool, proved problematic, remembered Sibson. People were focusing on the top right quadrant.
Management was concerned it was creating blind spots.
For example, risks of lesser impact that are much more
likely but not residing in the upper right quadrant were
being overlooked.
To ensure such risks are properly monitored, Sibson
created a straightforward formula that takes the average
of the risks likelihood and impact, minus the current
effectiveness score plus the velocity to arrive at a total
risk score. The formula required some tweaking because
low probability and low impact risks with a high velocity
would get pushed to the forefront. And just because a
risk is moving fast doesnt mean its very material. The
resulting score is used to rank the risks and chart them
on a map. Another potential blind spot is created by
the effectiveness score: To ensure effectively managed
risks are still being tracked, ERM highlights the highest
scoring ones and suggests that Internal Audit devote a
small percentage of their audit activity to verifying actual
performance vs. leadership perception.
Identifying risk ownership
Of course, 106 risks are too many for any single
person to manage. In fact, Sibson stressed, there are no
dedicated risk professionals at JCI (not counting insurance). ERM is managed by strategic planning and select
other members of the Risk Committee. In each business unit, responsibility for monitoring the entire risk
universe is divided among the business unit presidents
direct reports and, for corporate, among the functional
staff reporting to the CEO. The business unit head
23
24
www.AFPonline.org
Risk Taking
Philosophy
Tolerance for
Uncertainty
Choice
Trade-Off
5-Open
Will take
justified risks
Fully anticipated
Willing
4-Flexible
Expect some
Willing under
certain conditions
3-Cautious
Preference for
safe delivery
Limited
Prefer to avoid
2-Minimalist
Extremely
conservative
Low
With extreme
reluctance
1-Averse
Sacred risk
avoidance is a
core objective
Extremely Low
Never
Rating
www.AFPonline.org
25
technological breakthrough as one of its risks. Sibson referred to Michael Porters Five Forces model which posits
that companies typically do a good job understanding
their current customers, suppliers and current competitors. When they fail, its often because they didnt see a
new competitor or substitute product coming to market.
(Think of Kodak vs. Sony or Netflix vs. Blockbuster).
Its often the new entrants and the substitutes, Sibson
said that kill companies. The key to success is anticipating those forces.
To this end, JCI developed a disciplined process by
which it monitors the market for potential competition, new technologies, new players as well as potential
technology acquisitions. It has increased its work with
universities and national labs and came up with a clear
action plan to mitigate risk in this critical area mitigation. It expanded its focus and activities to more external
forces to better prepare for emerging technologies. That
involved a better understanding of developing technologies and in a couple of cases even investing in venture
capital funds.
Step 3: Improved communication to the board
Finally, JCI increased its level of communication with
its board. The board receives the Risk Committees
detailed minutes every quarter. In January, the company
provides a dedicated Risk presentation to the board that
highlights key risk topics. In addition, in July, Sibson
provides a 50-page narrative about the ERM program
which identifies the process, the top risks from the annual mapping output, progress on management and
mitigation plans in the business units (dashboard updates) and other significant areas of risk discussion. That
document goes to the board but is also distributed to
senior management and team leaders who are involved
in ERM activities. In addition, Internal Audit creates its
own narrative every January, including their activities,
audit plan and risk areas. Were touching the board in
more places, Sibson said. In fact, on average, so aspect
of ERM is before the board 10 times a year.
The reception across all these communication lines has
been very positive. Emerging during the second week
26
www.AFPonline.org
>
While financial institutions are often perceived as being at the forefront of ERM, thats not necessarily the
case with every single one. A lot of companies havent
quiet mastered it yet, said Barry Franklin, CRO of
Zurich in North America. Even within the insurance
context, theres still a wide array of ERM practices
and companies at different points along the maturity
curve, he said. However, at the ones that are fairly
mature and have been doing it for a very long time,
ERM is well established and has worked its way into
the culture. At Zurich, when you talk about ERM,
people have a pretty good idea what youre referring
to, he said. Many of the risk management practices
that Zurich has implemented may not be identified
as ERM because they have become so much a part
of what we do. Risk management is embedded into
normal processes, he said.
The three pillars of ERM
When I look at the foundation for a company such
as us, you have to have a mature program that rests on
the companys entire financial management and capital
management discipline, Franklin explained. At Zurich,
ERM is first and foremost about effectively managing
capital. Second, its about encouraging and supporting
risk based-decision making. And third, its about supporting and encouraging a risk-aware culture.
www.AFPonline.org
Capital management
ERM within the capital management context is about
protecting the companys capital base, so you are financially capable of delivering on your promises to stakeholders, customers and investors. To do this, Zurich
employs an economic capital discipline, and establishes
risk tolerance levels for business areas. The process is
very objective and analytical but incorporates some qualitative considerations as well, Franklin said.
At the group level, Zurich operates in about 170
countries and multiple lines of business across many legal
entities. Capital management for the Zurich Group
relates primarily to a target debt-rating equivalent, which
is a common approach. For Zurich that means maintaining a target capital level thats consistent with an AA
rating, which in turn implies a 99.95 percent likelihood
of remaining financially solvent over a one year horizon,
a type of VaR measure. Based on capital model output
and analysis, Zurich establishes target monetary tolerance
levels, which also take into account correlations among
different risk types, geographies and lines of business.
Reflecting correlations and dependencies brings complexity to the model, but its important because a large
diversified insurance company needs less risk capital on
proportional basis for the same level of perceived security,
than does a similarly sized company operating in a single
line or geography, Franklin explained. This broad
diversification is a key aspect of Zurichs strategy, and our
approach to capital modeling helps us ensure our capital
management practices remain aligned with that strategy.
Theres a process to reconcile the model and analysis to
make sure were allocating that diversification effect appropriately, to take into consideration the overall group
desired risk tolerance level as well as quantify the diversification. When we discuss the model, diversification and
capital allocation its important to remember were talking
about economic capital, which represents a theoretical
number or the level you should have, Franklin said.
27
Theoretical capital should reflect your forwardlooking business strategy, which suggests a certain level
of capital to support future business activity. Then
theres real capital, or what an insurer must hold for
regulatory purposes. Theres not necessarily a mathematical connection between the two, he said. One
is based on economics. The other varies by regulator
and jurisdiction. While the economic capital (should)
drive their business decisions insurers have to comply
with regulatory capital requirements.
Franklin acknowledges that financial organizations
have the advantage of being able to more easily quantify
risk in terms of quantitative models. Financial managers
in non-financial organizations still need to have a way to
analyze and allocate capital and to ensure everybody is
looking at Return on Capital at some level. But its more
challenging. Its not quite as apparent to those outside of
the Finance area why that type of capital focus is necessary, and the underlying data might not be as readily
available, he said.
28
www.AFPonline.org
www.AFPonline.org
29
30
www.AFPonline.org
The Corporate Treasurers Council is the executive-level membership of AFP. The CTC
features tailor-made products, events and exclusive networking opportunities all year
long for treasury and finance executives that address the latest industry insights, trends
and best practices and will provide guidance, practical tools and the validation needed to
move forward in making critical decisions.
When you join AFP and have the title of corporate treasurer, assistant treasurer,
chief financial officer, vice president of finance or controller, you are automatically enrolled
in the Corporate Treasurers Council (CTC) and have access to CTC products and events.
For more information go to www.corporatetreasurers.org
AFP@AFPonline.org
www.AFPonline.org
301.907.2862
The bricks
to build
something
of value
Quality, honesty, integrity and trust are critical to every
successful business. With these important elements as
your foundation, you can begin to build real value.
Through our global network of firms with more
than 180,000 people in 158 countries we provide
quality advisory, assurance and tax services to many
of the worlds most successful companies. For more
information about how we can support your strategic
risk management needs, contact:
Eric Cohen
Principal
(646) 471 8476
Peter Frank
Principal
(646) 471 2787
2013 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity.
Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for
consultation with professional advisors.