
Enterprise Risk Management

Where next for ERM? September 12, 2007

Alex Hindson & Steven Harmer Aon Global Risk Consulting

SOLUTIONS
FOR COMPLEX RISK

Agenda
Context of Aon's research
Aon's Research Study
Research Findings
Conclusions & Discussion

Aon Global Risk Consulting


Global risk consulting practice with centres of excellence in London, Paris, Amsterdam, Chicago, New York, and Sydney
Specialised in Enterprise Risk and Business Continuity Management
Experienced in practical implementation of Enterprise Risk Management solutions
ERM practice founded in 1999
Over 50 practising consultants globally
Committed to Thought-leadership and leading thinking on how to successfully implement ERM in global organisations

Integrated Risk Consulting Process

Integrated Service offering


Partners in the identification, assessment and management of risk
Identify & Assess, Quantify, Solution Design, Implement, Outsource

Enterprise Risk Management

Actuarial & Analytical

Risk Finance

Risk Transfer, Captives, Alternative Risk Financing

Captive Management

Aon's Value-Driven ERM Approach

Aon's approach is founded on understanding current processes and organisation culture

Evaluate Risk Process

Risk Identification & Prioritization

Risk Management Implementation

Growth

Profitability

Continuity

Risk Quantification

Risk Response Solution

Enterprise Risk Management Defined


Enterprise risk management deals with risks and opportunities affecting value creation or preservation. Aon defines Enterprise Risk Management (ERM) as:

The proactive execution of a senior management sponsored, entity-wide strategic process of assessing and responding to the collective risks that impact an organization's ability to maximize stakeholder value.

Issue 1: How do I extract value from risk spend while balancing the diverse interests of internal and external stakeholders?

Objectives of managers: Performance vs. Conformance

Growth
Bus. Units Managers

Value Creation Performance

Returns
Shareholders Investors Partners

External

Internal

ERM Governance
Controls Compliance

Enterprise Goals & Objectives

ERM Capital

Financial Strength Conformance

Debtholders Agencies Regulators

Issue 2: How do I manage the increasing complexity and interdependencies of risk?


Good services, reliable products Strong governance Steady growth Community investment Stable returns Privacy

Risk management

Shareholders & Investment Community

Consumers & Clients

Fair practices and terms

Transparency

Compliance with laws, regulations, contracts, policies

Firm Value
Strong, visionary

Clear disclosure Solvency Managed risk Opportunities

Regulators & Legislators


Community reinvestment

Associates & Employees

Honest communication Fair treatment

Issue 3: In the face of increasing regulation and the cost associated with conformance, how do I make my investment perform?

ERM Depth
Setup: Framework / Risk Governance
Risk Identification
Risk Measurement - Qualitative
Risk Measurement - Quantitative
Risk Measurement - Quantify Enterprise Risk Exposure & Facilitate Determination of Risk Appetite
Risk Response - Mitigating Risk
Risk Response - Taking More Risk for Suitable Rewards
Risk Response - Managing Risk Exposure to within Risk Appetite
Risk Response - Integrating ERM into business decision-making processes
Risk Monitoring - Proactive and Retrospective
Risk Learnings
Enhancing communications with external stakeholders
Benchmark risk against peers
No No Difficult Not in scope No No Basic No No

Sarbanes-Oxley / COSO

Aon's ERM Approach

100s/1000s of risks

Focus on key risks

Conformance

Performance

Issue 4: How does my company align with best practices in enterprise risk management?

Systematically Build and Improve Risk Management Capabilities

Initial: Capabilities characteristic of individuals vs. the organization

Established: Process established and repeating: reliance on people is reduced

Uniform: Policies, processes and practices defined and formalized across the organization

Managed: Risks measured, managed and aggregated on an enterprise-wide basis

Optimizing: Organization focused on RM as a source of competitive advantage and continuous improvement

Risk Opportunity

Source: Adapted from the Software Engineering Institute's (SEI's) Capability Maturity Model (CMM)


Research Project - Topic


Specifically researched how ERM was being implemented in global organisations
The role given to ERM in organisations
What strategic objectives had been set for ERM?
What resources were deployed to implement ERM?
What approach was selected to implementing ERM?
How cultural issues were being addressed
Successes and challenges in embedding ERM

Analysed according to
Organisation's location, scale and sector
Organisation's ERM maturity (self assessed)
Organisational culture type (self assessed)


Research Project - Methodology


Approached 1,149 Executives, CROs and risk managers in G1500 client and contact database using on-line survey
Obtained 103 quantitative responses to survey from EMEA and Americas
Undertook 12 structured qualitative interviews to develop case studies from leading companies
Study completed between June and August 2007 by Aon's ERM practice with support from David Burton Associated
Results to be published October 2007


ERM Survey - Demographics
Industry sector


Aon's PADI Culture Model

P Performance
Be responsive: Develop faster, less bureaucratic and more direct ways of accomplishing results

A Administration
Be consistent: Develop more accurate, precise and systematic methods to do things

D Development
Surprise me: Find totally new ways of doing things and accomplishing results

I Intimacy
Understand me: Develop more cohesion, participation and cooperation amongst the people doing things


Who is typically championing ERM?
Prime champion or sponsor of ERM?


Are remits clearly defined?
Is ERM function's remit clearly defined?


How developed is ERM?
Stage of Development within Maturity Model


Drivers for ERM implementation - Maturity
Prime drivers for ERM implementation


Drivers for ERM implementation - Regional
Prime drivers for ERM implementation


Impact of Maturity on ERM Activities
Key activities of ERM function


Impact of Culture on ERM Activities
Key activities of ERM function


Culturally aware ERM implementation?


Extent to which ERM takes account of the prevalent culture


Impact of Culture on ERM Development
Stage of development of ERM strategy & framework


Ability to drive ERM culture change
Extent to which organisation's culture has changed as a result of ERM programme


Embedding ERM - level of understanding?
Understanding of and support for ERM Objectives
(saying entirely or significantly)


Embedding ERM - Cultural differences
Understanding of and support for ERM Objectives
(saying entirely or significantly)


Approaches to communicating ERM
Techniques used to create Risk Management Culture


Embedding ERM - Performance scorecard
Rating the success of ERM programme


Conclusions of Research
ERM implementation is a communication and engagement process
Making ERM happen is primarily about communication and management of change
Organisations have so far primarily focused on the tangible process aspects of ERM rather than culture and communication
Communication beyond management levels is proving challenging
Culture plays a key part in how ERM needs to be implemented
Working with an organisation's culture maximizes the chances of success
Organisations with the most mature ERM programmes have specifically addressed the issues of stakeholder engagement & communication

Case Study - Communication challenges

Telenor - Changing attitudes about ERM

Telenor, one of the fastest growing providers of mobile communications services in Europe and Asia, recognized that risk management must be regarded as a core competency within the organization. However, an initial barrier to implementing ERM at Telenor was that it was established in parallel to a compliance project. This created the perception that ERM was a compliance-based project. Identifying the appropriate resources to enable the global rollout of the ERM initiative was a major challenge. Different approaches for different internal stakeholder groups were considered, and a variety of ERM-related messaging strategies were discussed. Training and awareness programmes were key to success.


Case Study - Communication challenges

Telenor - Changing attitudes about ERM

Director of Risk Per Pundsnes has given a wide range of internal presentations. Typically audiences can be initially skeptical of a concept perceived as theoretical and woolly. "In the end they said that the process had value as a pragmatic management decision tool and they would implement it," he says. Time will tell how they actually buy in to ERM. Change takes time.

Results:
The creation of an entirely new area in which theory can create value
A new understanding of the risk levels the company is taking
Potential additional value from an insurance point of view


Action points for organisations


How well equipped is your organisation to communicate the benefits and drivers for ERM?
Have you considered what type of culture your organisation has and what implications this might have for implementing ERM?
Have you any success stories that demonstrate how your ERM programme has influenced your organisation's risk culture?
Do you understand who your key stakeholders for ERM are, both internally and externally?
Have you evaluated what their needs are with respect to ERM?
Do you have a communication and engagement plan to influence their perceptions of ERM and its benefits?


Discussion - Interactive Questions


1. What industry is your organisation primarily engaged in?
2. In which region is your company headquartered?
3. Which of the following do you feel best describes the culture of your organisation?
4. Which of the following would you say best describes the current stage of development of your organisation's ERM strategy and framework?
5. Which of the following would you say have been the prime drivers for the implementation of ERM in your organisation?
6. Which of the following would you say have created barriers to the implementation of ERM in your organisation?


Discussion - Interactive Questions


7. To what extent has the Enterprise Risk Management function taken the organisation's prevalent culture into account in designing and adapting its approach to the implementation of ERM?
8. To what extent has the culture of the organisation changed as a result of your ERM programme?
9. How would you rate the ERM function in terms of?
Effectiveness
Value for Money
Internal Relationship Management
Communication


Discussion on Way Forward for ERM


Any further questions?


Contact Information

Register for a copy of Aon report: www.aon.com/erminsight2007

Alex Hindson
Associate Director
Aon, Enterprise Risk Management
+44.1932.837403
Alex.Hindson@aon.co.uk

Steven Harmer
Consultant
Aon, Enterprise Risk Management
+44.1932.837420
Steven.Harmer@aon.co.uk
