Prepare: Why Enterprise Resilience Matters

7/29/2019 Prepare: Why Enterprise Resilience Matters


    Why Enterprise Resilience Matters

EDITED BY Debbie van Opstal, Senior Vice President, Policy and Programs, Council on Competitiveness

This publication may not be reproduced, in whole or in part, in any form beyond copying permitted by sections 107 and 108 of the U.S. copyright law and excerpts by reviewers for the public press, without written permission from the publishers.

The Council on Competitiveness is a nonprofit, 501(c)(3) organization as recognized by the U.S. Internal Revenue Service. The Council's activities are funded by contributions from its members, foundations, and project contributions. To learn more about the Council on Competitiveness, visit us at www.compete.org.

COPYRIGHT 2010 Council on Competitiveness

Design: Soulellis Studio


Contents

Foreword by Deborah L. Wince-Smith 4
Agenda 6
Workshop Summary 10
Words Matter: Defining a Common Vocabulary 12
Numbers Matter: Metrics for Resilience 24
Actions Matter: Incentives for Resilience 34

Briefing Materials
Warning: Turbulence Ahead 45
Capturing Value from Risk Intelligence and Resilience 49
Implementing Risk Intelligence 54
Reaching for Resilience 64
Roles for Governance 76
Recommendations for Risk Intelligence and Resilience 84
About the Council on Competitiveness 100

Foreword

These first years of the 21st century are best described by three Ts: transition, turbulence and transformation. Rapid globalization is altering our world in fundamental ways, and we are more connected and more interdependent than ever before. Risks are magnified in an environment in which disruptions cascade across networks and borders. What happens anywhere can have profound effects everywhere.

Countries, communities and companies face what professor Anthony Giddens called "the new riskiness to risk." The impact of point failures, whether triggered by attack or accident, can reverberate quickly across networks, and failure to anticipate and adapt to turbulence can cascade into a "bet the company" mistake. An Economist Intelligence Unit survey found that one in five companies suffered significant damage from risk failures. Yet, only 25 percent of companies set regular risk targets for managers, and less than one-third provide risk management training. Some companies remain in the dark about the risks they face. Nearly half of the respondents to a Deloitte survey stated that their company's non-financial reporting measures were ineffective or highly ineffective in shaping the decision-making process.

Prepare represents the thought leadership of a group of C-suite executives and resilience experts who met for a day and a half at a Risk Intelligence and Resilience Workshop in Wilmington, Delaware. It was initially developed as a briefing book for workshop participants on seminal research and recommendations in the fields. It now includes the summary of their discussions, representing the insights of those participants, who collectively represent over a millennium of risk management experience.

A key conclusion: The next new revolution in business will be in risk management and resilience. Just as we built integrated quality and safety management systems, so we must now build integrated risk management systems. Enterprise resilience is an approach to risk management that anticipates disruptions, better ensures recovery and protects business profitability. Risk-intelligent organizations elevate resiliency to a board-level concern and bake it into the DNA of their enterprise with powerful processes, well-trained people and robust systems. Their goal is to be proactive and adaptive in response to disruptions, whatever form they take. Resiliency goes beyond minimizing losses to include preserving shareholder value, finding competitive advantage in the ability to manage risk well and growing the top line.

For countries, resilience has replaced the three Gs (guards, gates and guns) as the national strategy. Our work has inspired the government to focus on resilience instead of protection, with the creation of a Resilience Directorate in the National Security Council. We see the need for continuing dialogue between the public and private sectors that leverages resilience to meet multiple goals of national security, homeland security, energy security and economic competitiveness.

I would like to thank James H. Quigley, CEO of Deloitte, and John Swainson, former CEO of CA Inc., for their sponsorship of this opportunity to understand how different risk functions link to each other and to strategic planning, and what CEOs and boards need to know about risk management. Mark Layton, vice chairman of Deloitte; Vikram Mahidhar, director of operations of Deloitte Research; and Margaret Brooks, vice president at CA Inc., provided advice and insights on an ongoing basis. At the Council, senior vice president Debra van Opstal ably led the Council team, with the help of David Padgham, Mildred Porter and Michael Ruthenberg-Marshall.

    Deborah L. Wince-Smith

President and CEO, Council on Competitiveness

Agenda

October 30, 2009

12:00 Welcome and Introductions
Lunch

12:30 Setting the Global Stage
Warning! Turbulence Ahead: Strategic Risks
Erik Peterson, Director, Global Strategy Institute, Center for Strategic and International Studies

1:30 The Risk-Intelligent Enterprise
Rick Funston, Principal and National Practice Leader for Governance and Risk Oversight, Deloitte & Touche, LLP

2:15 What Risk Executives Think: Survey Results
Vikram Mahidhar, Senior Manager, Deloitte Research, Deloitte & Touche, LLP

2:45 Session 1
Words Matter: Defining Risk Intelligence and Resilience
Creating a Common Lingo. The terms risk intelligence and resilience actually mean different things to different people, spanning a spectrum from disaster management preparations to fences and firewalls; from business continuity to competitive advantage. Words matter, and we need to create a common language of risk.
Goal: The overall goal is not so much to achieve perfect definitions of resilience and risk intelligence as it is to get insights from the participants on how they operationalize these objectives in their own organizations.
Paper Presentation: Erica Seville, University of Canterbury, New Zealand
Commentators:
Mary Herbst, Director of Business Resiliency, Carlson Hotels
Anne Larsen, Advisor, Corporate Responsibility, Novo Nordisk A/S
Darren Mulholland, Senior Vice President, Operations and Technology, NASDAQ

3:45 Breakout Sessions: Defining the Desired State

5:00 Reports from the Breakouts: Defining Risk Intelligence & Resilience
Co-Chairs for Breakout and Reports:

Breakout 1
Bob Moore, Vice President, Global Security Group, HP
Carl Gibson, Director, Risk Management Unit, Latrobe University, Australia

Breakout 2
Joe Petro, Managing Director, Citigroup
Joseph Fiksel, Executive Director, Center for Resilience, Ohio State University

Breakout 3
Jim Porter, Vice President and Chief Engineer, DuPont (ret.)
Bob Flynn, Vice President, Travelers

Breakout 4
Ken Senser, Senior Vice President, Global Security, Wal-Mart, Inc.
Branko Terzic, Senior Energy Consultant, Deloitte

5:30 Break
6:00 Reception
6:30 Dinner

7:30 Evening Discussion: What should managers and directors be asking about risk?
Moderator: Deborah L. Wince-Smith, President, Council on Competitiveness
Director, NASDAQ
Tom O'Neill, Principal, Sandler O'Neill; Chair, Audit Committee, ADM
Larry Rittenberg, Chairman of COSO; Ernst & Young Professor of Accounting & Information Systems, University of Wisconsin
Mark Layton, Global Leader, Enterprise Risk Services and Vice Chairman, Audit, Deloitte & Touche, LLP
The Honorable Roy Ferguson, New Zealand Ambassador

9:30 Adjourn

October 31, 2009

7:30 Networking Breakfast

8:30 A CEO's Perspective on Risk
Conversation with Charles O. Holliday, Jr., CEO, DuPont

9:00 Session 2
Numbers Matter: Metrics for Risk Intelligence and Resilience
Developing a Dashboard: Once a common language of risk is developed, metrics are needed that cross risks and functions to accurately assess enterprise risk, existing as well as emerging risks, or determine whether management objectives have been achieved.
Goal: The goal is to identify measures of risk that are meaningful to management, comparable across risk management functions, and explicitly tied to enterprise objectives and performance.
Paper Presentation: Brian Ballou and Dan Heitger, Co-Directors, Center for Business Excellence, Miami University of Ohio
Commentators:
Spiros Dimolitsas, Senior Vice President, Georgetown University
John O'Connor, Director of Supply Chain Risk Management, Cisco Systems, Inc.
Pat Gnazzo, Senior Vice President, U.S. Public Sector Business, CA Inc.

10:00 Breakout Sessions: Measuring Risk Intelligence and Resilience

11:30 Reports from Breakout Groups
Co-chairs for Breakouts/Reports:

Breakout 1
Bobbi Bailey, Vice President, Global Network Operations
Jane Carlin, Global Head of Operational Risk, BCP, and Information Security, Morgan Stanley

Breakout 2
Steven Trevino, Managing Director, Resilient Civilization Initiative
Chris McIlroy, Director, Infrastructure Protection & Resiliency Division, SRA International, Inc.

Breakout 3
Judith Cardenas, CEO, Center for Performance and Accountability; and Vice President, University Center, Lansing Community College

Bill Raisch, Director, International Center for Enterprise Preparedness

Breakout 4
Scott McHugh, Vice President, Global Asset Protection, Wal-Mart
Steve Spoonamore, Partner, GSP LLC

12:00 Networking Break/Luncheon Buffet

12:30 Roundtable on Recommendations: Policies and Practices that Support Risk Intelligence and Resilience
Questions for Discussion: The evidence seems to indicate that companies which are more risk intelligent and resilient outperform the market. If that's true, why don't the markets reward companies that demonstrate risk intelligence and resilience? What role could the ratings, insurance and audit industries play in creating incentives/requirements for risk management? What should government do to encourage these market movers to reward resilience? What should government do to protect citizens from the consequences of massive failures in risk management?
Goal: To identify how the markets can incentivize better risk management practices, particularly through ratings, insurance and audit, and what government can do to strengthen and complement market incentives.
Moderator: Henry Ristuccia, Partner, Deloitte & Touche, LLP
Linda Conrad, Director, Customer Enterprise Risk Management, Zurich
Christine St. Clare, Advisory Partner, KPMG
Phil Auerswald, Professor of Public Policy, George Mason University

2:45 Next Steps

3:00 Adjourn

Workshop Summary

The Risk-Intelligent Enterprise
Rick Funston, Principal and National Practice Leader, Governance and Risk Oversight, Deloitte & Touche, LLP

The ability to survive and thrive in an uncertain and turbulent environment requires resilience and agility. Resilience is the ability to rapidly recover and resume a former shape. Agility is the ability to assume a desired shape in order to rapidly adapt and seize desired opportunities. Risk intelligence is the ability to detect and rapidly respond to changes that affect the business model and bottom line.

    Risk Intelligence enables:

    No surprises No big mistakes

    No missed opportunities

Of course, the brutal reality is that there will always be surprises, mistakes and missed opportunities. But, in a risk-intelligent enterprise, they will not be life-threatening.

Critical Skills of Risk-Intelligent Enterprises

Check Your Assumptions at the Door. It is better to be roughly right than precisely wrong. Risk-intelligent enterprises look for evidence that their assumptions are wrong. Sometimes that means identifying weak signals that key assumptions in your environment are changing in ways that threaten your business.

Anticipate Potential Causes of Failure. It is almost un-American to think of failure, but risk-intelligent enterprises legitimize a constructive discussion of triggers for failure. They do not just step outside the box, they actively attack it.

Identify Interconnections and Interdependencies. The weakest links are often at the nexus of core processes.

Improve Reaction Time. One of the distinguishing aspects of turbulence is speed; most companies do not factor velocity into their risk assessments. Bad things happen faster than good; reputations are gained in inches per year and lost in feet per second. The speed of response has to be matched to the speed of onset.

Develop Common Senses to Get Insight and Foresight, Not Hindsight. Most enterprises tend to lack a central risk nervous system and good communications lines between multiple appendages. Specialist functions speak specialty languages and have a hard time communicating with one another, with the result that enterprise communications can become a tower of Babel. And, management structures sometimes act as buffers to prevent bad news from getting to the corporate brain. Honing the common senses that identify over-the-horizon risks requires enterprise collaboration and communication.

Verify Sources of Information. In God we trust; all others bring data. Prior experience is not necessarily a good predictor for the future. Executive opinions, while important, need to be corroborated.

Maintain a Margin of Safety. October is a particularly dangerous month to invest in stocks. Other dangerous months are July, January, September, May, March, November and so on. According to Warren Buffett, the most dangerous words in the investor's lexicon are "everyone else is doing it."

Maintain Operational Discipline. For mountaineers, most accidents happen on the way down. Attention should be constantly focused on operational discipline.

Adopt a Long-Term View. Urgent problems are often not the most important ones. And short-term events carry a risk of over-reaction. Risks have to be taken to sustain ROI.

    In sum:

    Build risk intelligence into decision-making processes, but do not bolt it on.

Focus on value: protecting what you have while creating new value.

    Drive out fear of talking about potential for failure.

    Generate dialogue, not reports.

    Rely on judgment, not formulas.

    Manage icebergs first, not ice cubes.

Words Matter: Defining a Common Vocabulary

The language we use matters. Often we use the same words to mean different things. Or, the words we use describe qualities, not competencies. The lack of a common language of risk is one of the chief barriers to risk intelligence and resilience. We need common understandings about the words we use to communicate effectively with each other, with our management, with our investors and even with our regulators.

Resilience: Great Concept, but What Does It Mean?
Erica Seville, Research Fellow, University of Canterbury, New Zealand

Resilience is about an organization's ability to achieve its core objectives, even in times of adversity, so that it survives in good times AND in bad. Resilient organizations are able to cope with both the foreseeable events that are on their risk radars, and the ones that come out of the blue.

Seizing Opportunity: Resilience is not just about survival, but the ability to seize opportunity out of crisis. There are always opportunities in a crisis, and the organizations that are able to seize these opportunities for renewal are the ones that will both survive and thrive. The qualities that enable an organization to survive in adversity are the same qualities that enable it to compete successfully on a day-to-day basis. The case for resilience is about market leadership as well as crisis management.

Interdependencies: Another key characteristic is that resilience cannot be achieved by any one organization. No organization is an island. It operates within a network of other organizations which, if not also resilient, could eventually pull down the network. We need to raise the game of all the organizations in the network. Equally important are resilient communities. Organizations are only as resilient as their people and the communities in which they live.

Dynamic: Resilience is dynamic, not static. Every time an organization implements a new technology or has a fractious round of pay negotiations, it is shifting its resilience space. One-time resilience audits do not work; resilience needs to be constantly re-evaluated.

Resilience is an overarching concept that pulls together many aspects of good business management. It forces business leaders to think about, anticipate and plan for those things that are not on the risk radar and to develop adaptive management strategies.

Four pillars of resilient organizations include:

Resilience Ethos: How well has the organization built a value system and culture that sets resilience as a goal? Has it made the effort to build wider networks for resilience?

Situational Awareness: Does the organization have its finger on the pulse of its operating environment? Is it positioned to recognize subtle shifts, identify potential opportunities and threats, and mobilize itself to respond?

Processes for Managing Keystone Vulnerabilities: Does the organization know where its critical vulnerabilities are and how proactively it is managing them?

Adaptive Capacity: When the chips are down and the plan did not work, how well can the organization come up with new strategies and implement them rapidly?

Finally, there is no one model for resilience. Like individuals, organizations have their own personalities, strengths and weaknesses. The key is to make the most of strengths in times of crisis and understand weaknesses, and hopefully shore them up before the crisis moment comes.

Table 1: Defining Resilience Using a Competencies Framework

Resilience Ethos: A culture of resilience that is embedded within the organization across all hierarchical levels and disciplines, where the organization actively manages its position in an interdependent system and where resilience issues are key considerations for all decisions that are made.

Indicators:

Commitment to Resilience: A belief in the fallibility of existing knowledge as well as the ability to learn from errors as opposed to focusing purely on how to avoid them. It is evident through an organization's culture, training and how it makes sense of emerging situations.

Network Perspective: A culture that acknowledges organizational interdependencies and realizes the importance of actively seeking to manage those interdependencies. It is a culture where the drivers of organizational resilience and the motivators to engage with resilience are present.

Situation Awareness: An organization's understanding of its business landscape; its awareness of what is happening around it, and what that information means for the organization, now and in the future.

Indicators:

Internal and External Situation Monitoring and Reporting: The creation, management and monitoring of human and mechanical sensors that continuously identify and characterize the organization's internal and external environment, and the proactive reporting of this situation awareness throughout the organization.

Informed Decision Making: The extent to which the organization looks to its internal and external environment for information relevant to its organizational activities and uses that information to inform decisions at all levels of the organization.

Recovery Priorities: An organization-wide awareness of its priorities following a crisis, clearly defined at all levels of the organization, as well as an understanding of the organization's minimum operating requirements.

Understanding and Analysis of Hazards and Consequences: An anticipatory all-hazards awareness of any events or situations which may create short or long-term uncertainty or reduced operability. An understanding of the consequences of that uncertainty to the organization, its resources and its partners.

Connectivity Awareness: An awareness of the organization's internal and external interdependencies and an understanding of the potential scale and impact that expected or unexpected change could have on those relationships.

Roles & Responsibilities: Roles and responsibilities are clearly defined and people are aware of how these would change in an emergency, the impact of change, and support functions it requires.

Insurance Awareness: An awareness of insurance held by the organization and an accurate understanding of the coverage that those insurance policies provide. (Note: This indicator seems at a more micro-level than others, but we regularly observed organizations using insurance as a security-blanket, without a good understanding of the limitations of that cover!)

Management of Keystone Vulnerabilities: The identification, proactive management, and treatment of vulnerabilities that, if realized, would threaten the organization's ability to survive.

Indicators:

Robust Processes for Identifying and Analyzing Vulnerabilities: Processes embedded in the operation of the organization that identify and analyze emerging and inherent vulnerabilities in its environment, and enable it to effectively manage vulnerabilities to further the network's resilience.

Planning Strategies: Effectiveness of organizational planning strategies designed to identify, assess and manage vulnerabilities in relation to the business environment and its stakeholders.

Participation in Exercises: Participation of organizational members in rehearsing plans and arrangements that would be instituted during a response to an emergency or crisis.

Capability and Capacity of Internal Resources: The management and mobilization of the organization's physical, human, and process resources to effectively respond to changes in the organization's operating environment.

Capability and Capacity of External Resources: Systems and protocols designed to manage and mobilize external resources as part of an interdependent network to ensure that the organization has the ability to respond to crisis.

Organizational Connectivity: Management of the organization's network interdependencies and the continuous development of inter-organizational relationships to enable the organization to operate successfully, and to prevent or respond to crisis and uncertainty.

Staff Engagement and Involvement: The engagement and involvement of staff so that they are responsible, accountable and occupied with developing the organization's resilience through their work because they understand the links between the organization's resilience and its long term success.

Adaptive Capacity: The organization's ability to constantly and continuously evolve to match or exceed the needs of its operating environment before those needs become critical.

Indicators:

Strategic Vision and Outcome Expectancy: A clearly defined vision which is understood across the organization and reflects its shared values and empowers its stakeholders to view the organization's future positively.

Leadership, Management and Governance Structures: Organizational leadership which successfully balances the needs of internal and external stakeholders and business priorities, and which would be able to provide good management and decision making during times of crisis.

Minimization of Silo Mentality: Reduction of cultural and behavioral barriers which can be divisive within and between organizations, which are most often manifested as communication barriers creating disjointed, disconnected and detrimental ways of working.

Communications and Relationships: The proactive fostering of respectful relationships with stakeholders to create effective communications pathways which enable the organization to operate successfully during business-as-usual and crisis situations.

Information and Knowledge: The management and sharing of information and knowledge throughout the organization to ensure that those making decisions or managing uncertainty have as much useful information as possible.

Innovation and Creativity: An organizational system where innovation and creativity are consistently encouraged and rewarded, and where the generation and evaluation of new ideas is recognized as key to the organization's future performance.

Devolved and Responsive Decision Making: An organizational structure, formal or informal, where people have the authority to make decisions directly linked to their work and, when higher authority is required, this can be obtained quickly and without excessive bureaucracy.

Business Resiliency: Moving the Mountain an Inch at a Time
Mary Herbst, Former Director of Business Resiliency, Audit and Business Risk Management, Carlson Hotels Worldwide

Carlson is in the hospitality business, with facilities all over the world known under several brand names from the Radisson Hotels to TGIF. We operate in some high-risk areas, so we need to be able to understand those risks and prepare crisis plans. In times of crisis, we need to make sure that our employees know what to do to keep our guests safe and to minimize the chaos. What is less understood is that we also provide shelter and food in times of disaster, for those evacuated as well as for relief teams. After Hurricane Katrina, our TGIF restaurant was up and running in 24 hours, serving $2 meals and $3 beers and providing complimentary meals to those who could not pay. We provided showers and daycare for employees and others. Importantly, that store is also our No. 1 producer in the nation and in the world because of its rapid response and community ties.

Carlson created a Business Resilience Council comprised of representatives from all of the business units as well as the financial, HR and PR areas. In the event of a disaster, the Council could be convened in conjunction with the crisis team. We need to have processes, plans and standards in place, but we also need commitment to the mission. Complacence often sets in when a few years pass without an event. And, without an ongoing effort, your processes, policies and plans are only as good as your last crisis, not your next. We have to take resilience from theory to reality. Our goals are to ensure that our guests and employees are safe, evaluate and secure our site quickly in the event of crisis, respond and resume business quickly, and understand our end-to-end risks and how to mitigate them.

Key Observations from the Discussions

Define Resilience: Resilience is a process of preparation, implementation and lessons learned. It is a framework, a process and a lifecycle: a constant evaluation of where you are in relationship to your business objectives and risks.

Resilience is a steward of, and a way to future-proof, business strategy.

Resilience is fleeting. The level of resilience an organization achieves today could be gone tomorrow. Changing contexts create new resilience challenges.

Resilient organizations are prepared to reinvent themselves. In a period of change, they do not go back to old ways of doing things, but adapt and evolve.

The rewards of resilience are both financial and intangible: brand, reputation and relationships. An organization's survival is closely tied to these intangibles.

  • 7/29/2019 Prepare: Why Enterprise Resilience Matters

    21/108

    1

    Deine Risk Intelligence: Deloitte coined this term

    because of the confusion in marketplace and thealphabet soupfrom ERM (enterprise risk manage-ment) to CM (crisis management) to GRC (gov-ernance, risk and compliance)that was floatingaround. Risk intelligence is an aspirational state ofcontinuous improvements in risk management andgovernance.

    Risk Intelligence Beore Resilience: Risk intel-ligence is the information needed to make an organi-zation resilient. It is not just the ability to see what isahead, but what is around the corner. It is knowledge,foresight, pervasive situational awareness and theability to communicate risks. An organization needsto be risk intelligent before it can develop the capac-ity to be resilient.

    Ignore Deinitions, Focus on Process: It doesnot look like there will ever be a common languageof risk. Focus on common processes rather than acommon lingo.

    Focus on the Ecology o Risk: Organizations tendto look inward to manage risk when they should belooking outward at changing contexts and commu-nicating with external stakeholders, competitors andcustomers.

    Manage Eects, Not Triggers: We have to becareful not to confuse cause and effect. Humanscan go three minutes without air, three days withoutwater and three weeks without food. We need tothink about critical dependencies and how long we

    can go without them, independent of causes. That

    creates the framework for prioritizing risks andallocating resources.

    Prior to September 2005, the secretary of theDepartment of Homeland Security would havesaid that the primary risk he was responsible forwas terrorism. Post-Katrina, the thinking about riskand risk triage changed completely. Katrina wasa weapon of mass effect. We cannot completelyremove the prevention framework, but to managebigger risks, you need to manage outcomes andeffects, not just triggers.

    Implement Resilience: The C-suite and the boardneed to buy into resilience. If the tone at the top isnot there, resilience will not be pervasive across theorganization. Resilient organizations have three requi-sites: a culture of resilience, a set of business pro-cesses and enabling technologies. There need to becross-functional teams to help implement these req-uisites, but accountability for resilience must residewith the people who will implement the processes.

Limits of Risk Registers: The vast majority of risk management is focused on identifying and cataloging risks. That is like keeping an accurate inventory of deck chairs on the Titanic. It is not the data that is important so much as the line of questioning, which triggers thinking rather than robotic, check-the-box responses. Risk management needs to be built into the way the business is run: one size fits one. You can over-risk yourself. Once you capture too many risks, people can be paralyzed into inaction. Let's cut out 90 percent of the list and focus on the top five risks within units.

Managing Across Silos: Companies tend to manage risk well within silos, but most risk failures emerge from the white spaces between silos. One participant asked: How many people have been bitten by an elephant? Less than 10 people worldwide have died from an elephant bite. How many people have been bitten by a mosquito? At least 130 million have died from mosquito-borne diseases. Within their silos, companies tend to focus on elephants. But, most organizational failures come from the mosquitoes, the little annoying things that can come back to bite us.

Where Risks Must Be Managed: Managing risk is like conducting an orchestra. The individual components are competent, but run and are synthesized by the conductor. One of the key decision points is at what level risks should be managed. There are a dozen or so risks that could bring a global corporation to its knees. All other risks are pushed down to the market levels, and managers are empowered to identify and manage the risks and opportunities they present.

Need for Offense: One can dig the deepest bunkers and pour as much concrete as possible, but someone will eventually find their way in or out of it. Unless someone is willing to play offense, organizations cannot be viewed as being resilient. It is about training an organization so that when under pressure, a framework has been established to allow the organization to consolidate its resources and lay the groundwork to emerge stronger than before. If you add just a little offensive capacity, the bad guys go elsewhere. You become an unappetizing target.


Seven Revolutions that Are Shaping the Future

Erik Peterson

Executive Director, Global Strategy Institute, Center for Strategic and International Studies

We are now navigating in a period of acute volatility: not just financial volatility, but critical inflection points where we see simultaneous uncertainties. We begin with a question: What will the world look like long range?

I've identified seven revolutions; each will shape our collective future and the nature of risk. They are:

    Demographic and population dynamics;

    Strategic resource management;

    Technological innovation and diffusion;

    Massive movement of data and information;

    Global economic integration;

    Conflict; and

    Challenge of governance.

Demographics: What will be the shape of the human family? There were 150 million humans at the time of Julius Caesar. By 2025, the population is projected to rise to 8 billion; 8.8 billion by 2040 and 9.2 billion by mid-century.

In the developed world, we will face an aging population. We are reaching a critical tipping point where there will be more older people than younger people: a narrowing base of support for an aging population. High rates of population growth will occur in the emerging economies least able to support it. This suggests that we may want to be alert to the potential for significant migration patterns, economic as well as climate migrants.

Erik Peterson, Center for Strategic and International Studies.


If companies manage only what they can measure, what measures would create insights on whether organizations are resilient or not? What resiliency metrics would be meaningful to management tied to performance and risk objectives? Are measurement systems able to capture systemic risks that flow from interdependencies and externalities, risks that individual risk functions may not capture? What metrics could communicate risk intelligence and resilience to the board, C-suite or externally?

Dashboards for Risk and Resilience

Brian Ballou and Dan Heitger

Co-Directors, Center for Business Excellence, Miami University

Dashboards are in their infancy. There is no one size fits all. Typically, it is not a question of whether metrics are available, but what are the right measures to use? How to filter out volumes of information that are available? How much internal and external data to gather and put into dashboards? Most companies focus internally to control risks, but lack a control tower to pick up external signals in the environment and bring them back into the risk management system.

Some key questions and challenges companies ought to be asking:

1. What metrics are used to report risk intelligence and resilience to the board, the C-suite or externally? Have they distinguished between emerging versus existing risks? What are the expectations of external stakeholders, and what is being communicated quantitatively?

2. How do risk metrics relate to overall performance goals: cash flow, earnings per share or other performance measurement goals? How are those metrics placed in context; how are competitors benchmarked? How are risk metrics linked to compensation?

3. Is information consistent across risk functions? Are there common denominators for making strategic decisions and conveying risk information? In some companies, each risk ends in a different non-financial metric. Others pick a financial metric to showcase how well they are meeting goals. Is there a common metric to compare across risk silos? Are there measures for business process risks that identify how risks affect the whole organization?

4. Can leading versus lagging indicators be identified? Most variables are lagging, and risk management systems have been stalled in finding the correlations and interconnections. Are there risk models that can identify problems on the horizon? Can these measures be financial?


5. Are there qualitative ways of reporting risks? Is the top ten reporting list that many companies use even a good idea? Perhaps the top two risks are so big that they should just focus on those. If resilience is a process, not a specific risk, should qualitative metrics be used to describe the process? To what extent should a dashboard focus on compliance processes or risk response plans?

Three questions executives should ask about their risk models:

Is it right? Have the assumptions been challenged?

How robust is it and has it been stress tested?

How has the model changed? Indicators do not hold up for very long.

    Communicating Risk to the Board

    Spiros Dimolitsas

Senior Vice President and Chief Administrative Officer, Georgetown University

A university has an unusual risk profile in that its factors of production, production capacity and customers are all in the same place, which makes it very difficult to diversify risks.

The board has expressed an interest in looking at risks more broadly, and we have provided them a dashboard to prioritize by type of risk and impact of risk. It characterizes risks in two ways, by type and by impact.

Types of Risk

Community risks: things that can harm people or infrastructure

Business continuity risks: failure of systems to perform as designed

Business performance risks: failure of systems to perform as needed

Financing risks: things that can deplete the cash needed to run operations

Impact of Risk

Each type of risk is grouped by likelihood and threshold of impact (medium, high, low, severe). For example, a severe community risk might be a death on campus. Disruption of a major revenue line by more than four weeks would be a severe business continuity risk. Reputational risks, such as a drop in national ranking or in the competitiveness of the student body, would constitute a severe business performance risk.

Resilience Metrics

We have also developed a framework to report how resilient we are. Bad things have two dimensions: how long they last and how widespread. If you think about extent and duration, you can construct a two-by-two table: localized short term and localized long term, and widespread short term and widespread long term. A less resilient system would only be able to handle a short term, localized disruption. A more resilient system should be able to handle a longer term, more widespread disruption.

Brian Ballou and Dan Heitger, Center for Business Excellence at Miami University

Spiros Dimolitsas, Georgetown University


    Leading Indicators

Leading indicators are difficult to identify. Sometimes it is not whether you can predict the indicator, but whether you can rapidly assess how it will impact your position. As a service organization, one of our concerns is the volatility and rising levels of benefits packages. The benefits budget is significant: 20 percent of operational budget. We might not be able to predict everything that could impact the cost of benefits, for example, a change in the social security floor, but we have developed a methodology to assess how quickly a change would be digested through the system and what it would do to our cash position.

    Managing and Mitigating Risk

    Pat Gnazzo

Senior Vice President, U.S. Public Sector Business, CA Inc.

Compliance, risk and business continuity are all intertwined. A couple of cautions. We need to be careful about using someone else's template. One size does not fit all. Every company is different. Every university is different. Risks are different across sectors and universities. Risks have to be understood within the context of a specific business.

Companies have been assessing risk for years, but they do not put it in a form that boards can use. The problem is the lack of a good tool that allows information to bubble up to senior management. Every organization should understand its risk appetite and its risks.

That plan needs to reach down to the business units: their operating plans should talk about the risks of not meeting goals and the actions they will take to mitigate those risks. Risk management has to start at the bottom. You cannot understand it from an enterprise basis if you do not understand it at the business unit level. For example, everyone has a budget. What are the risks of changes to the budget, and how will the business units mitigate that risk?

The top ten enterprise risks are important, but we cannot forget that every department within an organization should have a top ten risk list as well. If each one of those departments is not working on its top ten risks, the company is exposed. We may be handling the Katrina and bird flu risks, but we are missing the department risks. There will always be a top ten, because when you mitigate some risks others will emerge. That is what managing risk is all about.

    Resilience Metrics: Time to Recovery

John O'Connor

Director of Supply Chain Risk Management, Cisco

My perspective is functionally oriented toward supply chain risks. Cisco has an enterprise risk management group focused on assessment and identification of top risks. They coordinate activity, but the functions drive the risk intelligence and resiliency programs.

What can we measure, and what should we measure? Cisco has identified a key quantitative metric: time to recovery. Our business continuity program (BCP) assesses our strategic nodes (core suppliers, transportation hubs, logistics nodes, manufacturing nodes) and asks: Regardless of disruption, what is the time to recovery for each of these nodes? Regardless of the disruption, how long does it take us to go from a catastrophic disruption with zero output back to 100 percent? That is our measure of resilience: TTR or time to recovery.

Pat Gnazzo, CA Inc.; John O'Connor, Cisco

We spent a lot of time on that information set because understanding recovery time is a key piece of information for crisis management. Whether it is a Chengdu earthquake or a Hurricane Ike, we understand where nodes in that region are and how long it takes for them to recover. We can assess the impact immediately. This informs not only our crisis management but also our resiliency programs. We understand where we have exposures and where we need to allocate resources to drive recovery. BCP may come off as a dry process, but it is a key enabler.

    We have BCP coverage as a metric and responserates as a requirement, and we measure our suppli-ers against that.

We pair risk intelligence (knowing where our vulnerabilities are) with risk analytics. We have collected large series of data sets (historic food data, incident data, simulation analysis) which tell us where we have the greatest probabilities of disruption.

This allows us to look at operational risks and natural disasters as one set. It tells us where we are more likely to experience a disruption. That is all interesting and informative, but the data has not been terribly operational. Risk programs are not generally tailored to risk analytics for a couple of reasons. You are always going to pick the wrong risk.

At the end of the day, we found that revenue is the key attribute that focuses risk programs. Obviously we have a program that takes care of our people first, but a risk focus on revenue allows us to look after both our shareholders and customers. Cisco is unique in that it has 200 product families and 8,500 products. But 100 products account for 50 percent of revenue, so it is a relatively easy answer about where to focus.

How do you determine your risk appetite? That is an interesting question, but the simple answer is that risk appetite will never match risk budget. For $100 million we could de-risk the entire supply chain. Although we have a great budget, it is nowhere near enough to guarantee a risk-free supply chain. When setting our risk budget, we also think about the impact on gross margin and on external insurance. So, risk appetite needs to be anchored in something far more tangible.

We have been talking about risk intelligence (gathering information, understanding vulnerabilities and making sure you have playbooks and processes) but we have not really discussed resilience. Whatever vulnerabilities we identify, they are still going to be there. This to me is the difference between risk intelligence and resilience. For Cisco, resilience is about recovery time goals for each of the nodes, and that recovery time may or may not be acceptable. If the node is something with a simple process, like pack-


Coping with Crisis, DuPont Style

Charles O. Holliday, Jr.

CEO, DuPont

We have learned a couple of key lessons.

First, you can never anticipate the crisis you get.

Second, if your systems are resilient enough, you can manage pretty much anything that comes up.

Third, raise the warning flags early. People are often reluctant to call a crisis. A few examples:

    Case 1: Crisis or Not?

One Wednesday at 5:00, when I was head of DuPont's Asia Pacific business based in Tokyo, I received a call from a person who said he was the Swiss ambassador. He said a DuPont employee had broken into the embassy and threatened to kill him. This was potentially an international incident on sovereign Swiss soil involving the Swiss, Japanese and U.S. governments with DuPont at fault.

Here is the rest of the story: The employee lived four houses away from the embassy. His wife was pregnant and due very soon. He had complained multiple times that the embassy guests were blocking his driveway so he could not get out in the event that his wife went into labor. And he could not call emergency services because he did not speak Japanese. And, although he got angry enough to issue threats, he was not actually armed. We did not call the U.S. embassy or Wilmington. We decided to work it through. And, two days later, the ambassador invited the employee and his wife for dinner and an apology.

    All the trappings, but no crisis.

    Case 2: Crisis or Not?

The scene is Northern India. DuPont had a contract to sell technology to a plant under construction. At 2:00 a.m., rebels went in and pulled five people out of their dorms and assassinated them. DuPont had no one on site.

Most thought it was a terrible tragedy. Few would have seen a crisis coming. But the next morning, the factory owner gave an interview to the news media and said that DuPont caused the deaths. His logic was that DuPont had advised them to keep the guns locked up since the vessels that were being delivered would not have reacted well to a gunshot. The next morning the parliament of India was debating what charges should be brought against DuPont.

Crisis or Not? We did react very seriously. We got the right information out to the public, talked to the owner and got him to retract his statement, and shut the crisis down in 24 hours. Because of how the media handled it, what would have been a terrible tragedy in any event turned into a crisis. So the message is that the organization will tend not to call a crisis.

    Charles O. Holliday, Jr., DuPont


Crisis Management at DuPont: The key to managing crisis is to create a resilient crisis management process and pressure test it.

At DuPont, there are 17 crisis management teams. The leaders of each of those teams are continually on alert and empowered to call a crisis. The first question that is asked is whether it should be a corporate crisis. Those actually have not been called very often; 9/11 was the first.

The leaders of the 17 groups can be rallied to a central crisis management room in 30 minutes, and we find that the room itself creates its own kind of focus and mindset.

The CEO has specific crisis communications roles with the media, the government, suppliers, families. Given those responsibilities, the DuPont CEO does not manage the crisis teams.

Because people tend not to take crisis tests very seriously, we have stretched the definition of crisis to include important events, but maybe not the traditional definition of crisis events. On a Friday afternoon about a year ago, I was in New York meeting with customers when my BlackBerry started to do its shaking thing. I looked down and read: No crisis, call immediately. Within a few minutes, I learned that President Bush was planning a visit, the next Tuesday, and the secret service and advance people were already on their way. As we were thinking about how to get ready for that visit, we decided to activate our corporate crisis process, and it worked brilliantly. We were able to rally everyone in the company virtually overnight.

Strategic Resilience at DuPont: Back in the late 1980s, Greenpeace scaled the fence on a cold rainy day and hung a big banner from the top of the water tower that said: DuPont, No. 1 polluter. The word polluter was so low that it was below the fence line. So all the people outside could see was: DuPont, No. 1. Most people thought we had won another award. Our plant manager handled the Greenpeace guys, got them down safely, and we were dealt with pretty gently on the evening news. So, we were sitting around the next day, patting ourselves on the back, and one lone voice said: But they're right. He said that we put out more stuff than anyone else. You could have heard a pin drop. And everyone was thinking: Who is this soon to be unemployed person?

But, for me, it was a watershed moment. We might be the biggest, but we spent the next decade trying to fix our processes to reduce our footprint. As a result of that work, we have reduced our greenhouse gas emissions by 72 percent while we increased our volume by 40 percent, and we got good returns for our shareholders every time.


At the end of the day, companies need to create a system that drives toward resilience. What role can market movers play in helping to move organizations toward more effective risk management and resilience? What can government do to reinforce private sector drivers and market mechanisms that encourage/reward resilience processes? How should the public and private sectors be working together to create a more resilient country?

The Role of Audit

    Christine St. Clare

Audit Partner, KPMG

The audit profession is risk averse, so it is hard to imagine rapid innovation in risk reporting in non-financial areas. However, the fastest inroads are being made in the areas of sustainability and corporate social responsibility (CSR) reporting. Increasingly, senior management sees non-financial reporting as a crucial companion to financial reporting.

Today, the real question is not who is doing CSR reporting, but who is not. Every three years, KPMG conducts a global study. We found significant increases in the number of companies reporting. CSR has become a more mainstream practice around the world, and the U.S. is lagging. We are near the bottom of 22 countries.

For the Global 250, more than half are linking their reports to metrics. This is driving a need for more non-financial data that is credible and can stand up to scrutiny. Until recently, there has been criticism around self-serving reports that were generated by external PR offices.

Historically, financial reporting was directed to shareholders. The evolution now is toward CSR reporting directed to a broader audience of stakeholders. Today, stakeholders are asking that reporting be linked to strategy, risk, business processes, governance and concrete performance indicators or metrics.

Since sustainability reporting is voluntary, guidelines have been slower to emerge. The guidelines commonly used are published by the Global Reporting Initiative. These guidelines created a more data-driven, structured way of reporting that creates comparability. That is what is needed for the accounting industry to have a credible assurance or attestation capability.

We could take an hour and not exhaust the list of stakeholders who want more reporting and more transparency in CSR reports. To name just a few, the Carbon Disclosure Project, a collaboration of 300 institutional investors, is calling for better disclosure around risk to be included in 10K filings. The Coalition of Environmentally Responsible Economies petitioned the SEC to force registrants to disclose financial risk and opportunities around climate change. The Climate Action Partnership's lobbying effort for federal regulations on greenhouse gas emission (to forestall a patchwork quilt of state regulations) could drive more reporting requirements. The Grocery Manufacturers of America are working with their members to measure carbon footprints from production to consumption.

The Dow Jones Sustainability Index is ranking performance related to environmental programs. Walmart recently brought together its suppliers with NGOs and Chinese officials to discuss how to bring sustainability and risk mitigation into the supply chain.

    All of this creates pressures to collect data that canbe verified by the audit community.

In the sustainability area, the United States lags in developing approaches and standards that can be attested to. And, basic requirements for attestation are missing in the risk reporting area, including lack of a common language of risk, lack of standard taxonomy even within an organization, and one size fits one approaches which are at odds with the uniformity of reporting approach requirements. Moreover, auditors will have difficulty with the issue of emerging versus existing risk.

The opportunity to get more uniformity and acceptance of risk reporting and performance indicators is there, but much more groundwork must be laid. If the other stakeholders keep up the pressure for more reporting, as they have done in CSR and sustainability, the accounting profession will continue to move into the area of non-financial risk attestation.

The Role of Insurance

Linda Conrad

Director, Risk Engineering, North America, Zurich

Insurance is in the business of risk. It is what we do for a living. Our motto is: change happens. Last year we delineated that into three sections: Change happens around you (that you cannot necessarily control); change happens to you and change happens because of you. That helps you delineate those things over which you do have control versus the things you do not control but to which you must be prepared to respond.

Many people think of insurance as lines of business; as discrete risk solutions for certain problems. But I think we do ourselves as an industry a disservice if we do not look beyond insured risks. No company would look at its exposure just in terms of property risk. We need to look at the entire risk that companies face, not just their insurable risk. Insurance is only a small piece, maybe 20 percent to 40 percent, of a company's risk picture. If we only look at the insured portion, we are not working as a partner.

A case in point. We conducted a risk profiling session with a food additive company. Someone in accounting stood up and said that they had a fantastic new sales partner which represented some 25 percent to 30 percent of business. The new sales partner was an aviation company buying up food additives for de-icing purposes. We were insuring them for product liability, but this use was not part of the coverage.

Christine St. Clare, KPMG; Linda Conrad, Zurich


We are not working well with our customers if we do not help them look at things that could come out of nowhere.

Most people tend to think of insurance as set it and forget it. If structured correctly, they think that once the insurance coverage is in place, they can move on. But risk is dynamic and needs to be revisited often. If we are not constantly re-evaluating, we are not adequately covering even the insured risks, let alone the risks that are uninsurable, like reputation and brand.

Insurance needs to get out of the old century and become more like a GPS system. Risk intelligence is GPS. If you are going down a path and miss the turn, your strategic decisions need to realign. Even more importantly, you have to keep checking whether you are headed toward the right address.

The Role of Public Policy

Phil Auerswald

Professor of Public Policy, George Mason University

When we think about responsibilities, risks and events, there is scalability. Low impact events are usually managed by individuals or by operations people in a company. Larger-scale events might be the responsibility of a CEO or a mayor. And then there are problems that are much larger and go beyond the fence line or the municipal boundary. These situations are too large for any one company or jurisdiction to handle, even if their survival is threatened. Those will be the challenges that the government has to lead.

Although its focus is often on high-impact, low-probability events, the government has an interest in understanding risk across the board, just as companies have an interest in understanding risk that goes outside their firms. So there is a convergence of questions being asked, decisions being made and, surprisingly, even of objectives. All of this could have the fortuitous effect of creating an era of better and different government, and better and different business. But, there are no guarantees it will happen that way.

The 2008-2009 global financial crisis could inform a whole new vision of how the government should partner with business. But, that is not where we are headed. On one hand, the central take-away of the discussion is that government was not paying attention and did not perform its regulatory functions. On the other hand, it is that businesses were greedy and did not care about the soundness of the financial system.

This crisis should have stimulated a conversation about opportunities for public and private mission sharing. This will have to be an activity in which both sides leave behind the 20th century. The private sector has to leave behind the old adages of "don't regulate us, we know what we're doing"; "the free market can solve its own problems"; and "resources will be allocated when we let the market determine what will function best." For its part, the government must understand that more compliance directives, more regulation and more standards of different types do not make good use of the capabilities of

Phil Auerswald, George Mason University


publicly-owned facilities and infrastructure, and offering homeowners incentives to do the same, before a disaster occurs.

Create Market Financing for Disasters. Finally, government can partner with the private sector to create innovative financing mechanisms that fund recovery from natural disasters. Floods, storms, earthquakes and heat waves place a huge burden on the public sector, which not only carries the cost of relief efforts but is also responsible for rebuilding public infrastructure.

Moreover, public entities consciously or unconsciously decide to retain risk by not insuring their infrastructure. For example, in 2005, economic losses from natural catastrophes hit a record high, with direct financial losses of $230 billion (0.5 percent of total worldwide GDP). Despite a record insurance payout of more than $83 billion, uninsured direct losses of $150 billion had to be carried by individuals, companies and the public sector. More recently, in 2007, a total of 335 natural catastrophes led to losses of $64 billion across the globe, of which $40 billion were uninsured.[4]

Traditionally, the public sector has adopted a post-event approach to disaster funding, including increasing taxes, reallocating funds from other budget items, accessing domestic and international credit, and borrowing from multilateral financial institutions. Most rely on assistance from international aid.

Pursuing a post-disaster strategy has several potential disadvantages for governments. Funds are diverted from key development projects to pay for emergency relief. Governments must pay the premium to raise new domestic debt in a credit constrained, post-event market, and raising taxes can weaken the economy further and discourage new private investments. Finally, international aid often arrives too late for immediate disaster relief.

[4] Disaster Risk Financing: Reducing the Burden on Public Budgets. Swiss Re, June 2008.

Governments could save considerable amounts by shifting from relief to pre-event risk financing; that is, by setting up solutions that involve financial reserves, contingent debt agreements, insurance and alternative risk transfers. How could this work? One example is catastrophe bonds that transfer risks from the sponsors to market investors. In essence, the bond offers investors an attractive risk/return profile. The issuer invests the capital in low-risk securities (such as treasuries) and the interest plus a premium is paid to the investors. If the bond matures without the pre-specified event occurring, the principal is repaid to the investors, similar to regular bonds. If a catastrophe does occur that triggers the bond, investors may lose some or all of the investment principal they have paid. In that event, the funds are paid to the bond sponsor to cover losses.

We are now facing a new set of risk dichotomies that demand new approaches in the way countries, companies, communities and citizens prepare for and manage risk, and prepare for resilience.

In the 20th century, paradigms of security evolved from Maginot lines to doctrines of containment to firewalls. Each succumbed in its turn to technology and globalization. At the start of the 21st century, the very notion of security defined in terms of perimeter defense or threat containment has become all but obsolete.

Today's threats are too ubiquitous to be isolated and too nimble to be contained.

In such a world, responsible companies and governments are compelled to emphasize accessible actions rather than illusory remedies. In such a world, resilience is no longer an afterthought. It is an imperative.


Challenges for Corporate Risk Managers

Henry Ristuccia, Partner, Deloitte & Touche

Vikram Mahidar, Senior Research Manager, Deloitte

What we find in many companies is that risk management activity is driven by both regulation and business needs. But, the connectors are lacking both across the organization and up the organizational ladder.

One of the most serious gaps is the disconnect between the risk management functions, where most of the heavy lifting occurs, and the senior executives and governing bodies that are ultimately responsible for risk management. There is no common definition of organizational framework for managing risk, no well understood roles and responsibilities and no way to measure or monitor effectiveness.

A few weeks ago, I asked the CEO of a financial institution, one that has fared better than its peers, how its risk management programs were related to the risks identified in the company's 10K. He said: "That's the problem; they don't." The biggest opportunities to transform risk management are in filling in the gaps between the risk management activities and senior managers. These broken links have serious implications for the bottom line: incomplete and inaccurate information, false positives as well as false negatives, and inefficient use of resources.

Many of the following nine principles of a risk-intelligent enterprise focus on a transformation at the executive level. The characteristics of risk intelligence include:

• Common definition of risk that addresses both the value preservation and the value creation sides consistently and throughout the organization;

• Common risk framework supported by appropriate standards;

• Key roles, responsibilities and authorities clearly defined and delineated;

• Common risk management infrastructure to support business units and functions;

• Appropriate transparency and visibility into risk management processes for the board;

• Executive management charged with primary responsibility for designing, implementing and maintaining an effective risk management process;

• Business units given responsibility for management of risk within the organizational framework;

• Certain functions (finance, legal, IT, HR) provide support to business units with respect to organizational risk management processes; and

• Ongoing and objective monitoring and reporting on effectiveness of risk programs.



Survey Results: When asked how they identify and mitigate their top five risks, most company executives said they did not manage risk that way anymore. Rather, they had created a comprehensive framework for risk management that was integrated across the organization and at multiple levels. Respondents indicated that their companies understand risks specific to their industry and business model, many have instituted a central function charged with orchestrating the risk management process, and these processes have been well-received by the business units.

That is the good news. The bad news is that most respondents were not sure whether these best practices are adequate, and they did not know whether their companies are managing risk well or not.

    We identified three gaps:

1. The ultimate goal of risk management remains unclear. When we asked, "how do you define risk management goals," the answers were literally all over the map. Risk disclosure statements, even within the same industry, are quite disparate, indicating that there is no common understanding of what is important. Even within the same company, there are inconsistencies about what the goal of risk management processes should be.

2. Most executives reported that they do not understand the risk management expectations of major stakeholders, such as investors.

3. Given the uncertainties, companies are finding it difficult to quantify the business impact of emerging risks.

Senior management and board level involvement remains minimal. Getting the right tone and establishing clear goals and consistent processes requires engagement by senior executives. Companies have set up risk committees, but executive involvement remains relatively sparse, as do the reports from the risk committee to the executive committee. One respondent noted that the only time the CXO gets involved is when it is time to sign the SEC filing. Similarly, the balanced scorecards used by the boards contain very few risk measures. We need to balance the balanced scorecard.

Currently, risk seems to be managed from different functional organizations within the company: legal, audit, security. But, frequently, there is no ownership at the executive level. And, the people who manage risk often come from a security, intelligence, compliance or legal background. What is needed are business skills that complement these specialty areas.

    Risk professionals need to be able to translate whatthey see into business terms.


James Porter, Vice President and Chief Engineer, Safety, Health & Environment and Engineering (Retired), DuPont

William Raisch, Director, International Center for Enterprise Preparedness, New York University

Henry Ristuccia, Partner and Leader, Governance and Risk Management, Deloitte & Touche, LLP

Larry E. Rittenberg, Ernst & Young Professor of Accounting & Information Systems, University of Wisconsin; Chair, COSO

Susan Rochford, Vice President, Energy & Sustainability Initiatives, Council on Competitiveness

Steve Ross, Firm Director, Security Services, Deloitte & Touche, LLP

Kenneth Senser, Senior Vice President for Global Security, Aviation and Travel, Wal-Mart Stores, Inc.

Erica Seville, Research Fellow, University of Canterbury

Mark Sibley, Program Director, Business Resilience, Northrop Grumman Information Technology

Steve Spoonamore, Partner, GSP LLC

Christine St. Clare, Advisory Partner, KPMG LLP

Matt Statler, Associate Director, International Center for Enterprise Preparedness, New York University

David W. Stender, Associate CIO for Cybersecurity, Chief Information Security Officer, Internal Revenue Service

Branko Terzic, Senior Energy Consultant, Deloitte & Touche, LLP

Jonathan Tetzlaff, Senior Director, Crisis Management and Threat Analysis, Merck & Co., Inc.

Betsy Thurston, Vice President, Strategic Development, Council on Competitiveness

Steven Trevino, Managing Director, Resilient Civilization Initiative

Debra van Opstal, Senior Vice President, Council on Competitiveness

Deborah L. Wince-Smith, President, Council on Competitiveness

Kirsten Edmondson Wolfe, Vice President, Marketing, CA Inc.

Rob Zanella, Vice President, IT Compliance, CA Inc.

COUNCIL STAFF

David Padgham, Policy Director, Council on Competitiveness

Mildred Porter, Meeting Planner, Council on Competitiveness

Michael Ruthenberg-Marshall, Intern, Council on Competitiveness


Global Risks 2008: A Global Risk Network Report
World Economic Forum, January 2008

The World Economic Forum (WEF) highlights major categories of transnational risk, with emphasis on systemic financial risk, food security, supply chains and energy. Globalization has increased the likelihood of a tragedy of the commons-type outcome by reducing the incentives for any one actor to address problems like pandemics, pollution or global warming. Interdependency has also increased the probability that a disruption in any one region may have significant global repercussions.

The WEF compared the likelihood of 26 core global risks with their predicted severity in terms of economic loss (measured in U.S. dollars).

"It's a whole new ballgame on risk for countries as well as companies."
Transform, Council on Competitiveness

Overview

Globalization, competition, technological complexity, interdependence and speed are fundamentally changing the kinds of risks and competitive challenges that companies and countries face. The competition is getting much better. The world is entering an age in which we'll all be competing with everyone, from everywhere, for everything.[1]

Technological complexity and interdependence in the global economy are increasing other risks. Extended and interdependent energy, transportation, information and communications networks can quickly magnify the impact of point failures, whether triggered by attack or accident. Operational risks, once thought to be a back office concern and trivial in comparison to market and credit risks, are becoming bet-the-company risks that belong in the boardroom.

Studies may disagree as to which are the greatest risks, but every study underscores the concern of business executives that risks are rising.

[1] Globality, Harold Sirkin, James Hemerling and Arindam Bhattacharya. Boston Consulting Group (Boston: 2008)


Core Global Risks and Predicted Severity
Source: World Economic Forum, January 2008

The 26 core risks are grouped by the WEF into five categories: Economics, Geopolitics, Environment, Society and Technology. Likelihood is the perceived likelihood in percent (WEF analysis); cost is the predicted severity in billions of US$.

Risk                                           Likelihood (%)   Cost (US$ billions)
Food Insecurity                                5-10             50-250
Oil and Gas Price Spike                        10-20            250-1,000
Major Fall in US$                              7-12             50-250
Slowing Chinese Economy (6%)                   7-12             250-1,000
Fiscal Crises in Advanced Economies            1-5              50-250
Asset Price Collapse                           17-22            >1,000
International Terrorism                        5-10             10-50
Collapse of Nuclear Proliferation Treaty       7-12             5-25
Interstate and Civil Wars                      5-10             50-250
Failed and Failing States                      10-20            30-150
Transnational Crime and Corruption             5-10             50-250
Retrenchment from Globalization (Developed)    5-10             >1,000
Retrenchment from Globalization (Developing)   7-12             50-250
Middle East Instability                        10-20            150-625
Extreme Climate Change Related Weather         7-12             50-250
Heat Waves and Droughts                        7-12             50-250
Loss of Freshwater                             5-10             10-50
Natural Catastrophe: Cyclone                   1-5              50-250
Natural Catastrophe: Earthquake                1-5              50-250
Natural Catastrophe: Extreme Inland Flooding   1-5              30-150
Pandemic                                       5-10             250-1,000
Infectious Disease, Developing World           3-8              50-250
Chronic Disease, Developed World               10-20            150-625
Liability Regimes                              5-10             50-250
CII Breakdown                                  7-12             150-625
Emergence of Nanotechnology Risks              1-5              10-150


Risk 2018: Planning for an Unpredictable Decade
Economist Intelligence Unit, 2008

In 2008, the Economist Intelligence Unit (EIU) surveyed 600 senior-level executives to evaluate and rank which risks they believed would present the most significant threats to business during the next decade, as well as the level of preparedness of their individual organizations to address each risk.

High Risk/Impact with Less than High Readiness

• Climate change
• Retrenchment from globalization
• Oil price shock
• Instability in Middle East
• Asset price collapse
• International terrorism
• Emergence of disruptive business model

High Risk/Impact with High Readiness

• Unexpected regulatory change
• Global recession
• Increased competition from emerging market economies
• Talent shortages

The EIU survey noted that: "Risk management appears to be a function in transition. While it retains its responsibilities as a source of assurance that ensures regulatory compliance and helps the organization to avoid loss, it is now expanding beyond this traditional heartland to assume a broader role. Among our survey respondents, there is general agreement that risk management will encompass more strategic activities over the next ten years, with two-thirds expecting an increase in the use of risk management as a strategic tool."

Risk management and controls now have two parallel dimensions: the traditional "keep me out of trouble" side of risk and the emerging "make my business better" aspect. Managing risk effectively can help improve performance, help improve process and strengthen competitive advantage.

Strategic Business Risks 2008
Ernst & Young

Interviews with more than 70 analysts across 20 disciplines by Ernst & Young captured a different set of insights on key risks.

• Regulatory and compliance risk
• Global financial shocks
• Aging consumers and workforce
• Inability to capitalize on emerging markets
• Industry consolidation/transition
• Energy shocks
• Execution of strategic transactions
• Cost inflation
• Radical greening
• Consumer demand shifts


    Overview

A key theme is that risk management is not just about minimizing losses, but about preserving shareholder value and growing the top line. The first wave of studies extended the lens beyond simply calculating immediate losses from failure in risk management. They linked risk management to long-term earnings and shareholder value. A next wave of studies is needed for a more rigorous examination of the upside potential for value creation.

Disarming the Value Killers
Deloitte & Touche, 2005

The Deloitte study found that many of the largest losses in value among the world's largest global companies resulted from their failures to manage risk effectively and systemically. Almost half of the 1,000 largest global companies suffered declines in share prices of more than 20 percent in a one-month period between 1994 and 2003, relative to the Morgan Stanley Capital International (MSCI) World Index. And the value losses were often long-standing. Roughly one-quarter took more than a year for their share prices to recover, sometimes much longer. By the end of 2003, share prices for one-quarter of these companies had not recovered to their original levels.

The study found that most firms were exposed to more than one type of risk, whether strategic, operational, market or financial, and failed to manage the relationships among these different types of risk. Actions taken to address one type of risk had the potential to increase exposure to other types of risk.

Countering the Biggest Risk of All
Adrian Slywotzky and John Drzik
Harvard Business Review, April 2005

The evidence of strategic risk is becoming ever more apparent. In the past 20 years, there has been a dramatic decrease in the number of stocks receiving a high quality rating by Standard & Poor's and a dramatic increase in the number of low-quality stocks. From 1993-2003, more than one-third of Fortune 1000 companies lost at least 60 percent of their value in a single year.

Many firms have been adopting the practice of enterprise risk management, focusing on financial, hazard and operational risks, but most managers have not systemically addressed the strategic risks that can be a more serious cause of value destruction. The authors categorize strategic risk into seven major classes: industry, technology, brand, competitor, customer, project and stagnation.

"A risk-intelligent enterprise knows when to avoid danger and when to take a chance. It doesn't just stay in business. It prospers."
James Quigley, CEO, Deloitte
Fortune Magazine, "Weathering Any Storm," March 19, 2007

Managing for strategic risks can often turn defensive moves into offensive opportunities. Besides limiting the downside, strategic risk management helps managers improve the odds of success by forcing them to think more systematically about the future and helping to identify opportunities for growth.

Airbus's focus on a collaborative model that would help its member companies to escape shrinking margins enabled it to create sufficient market share to become a true rival to Boeing. For American Express, the fundamental change in its brand investment mix, in response to competitive threats from other bank cards, set off a decade of growth. For Target, shifting its focus to a customer segment that was different from Wal-Mart's not only helped it sidestep a new competitor but sparked profitable growth.

While managers often see a trade-off between risk and reward, creative risk management combined with a good business model can allow a company to improve in both areas. This is analogous to the evolution, 30 years ago, from a cost-quality trade-off to total quality management, which achieved lower costs and higher quality simultaneously.

Strategic Risks are Growing
Source: Harvard Business Review, April 2005

Percentage of 3000 S&P rated stocks:

Year   Low-Quality Stocks   High-Quality Stocks
1985   28%                  41%
1990   53%                  35%
1995   63%                  19%
2000   67%                  16%
2003   73%                  13%

Note: High-quality stocks include those rated A+, A and A-. Low-quality stocks include those rated B, B-, C and D.


The Effect of Supply Chain Disruptions on Long-Term Shareholder Value, Profitability and Share Price Volatility
Vinod Singhal and Kevin Hendricks
The Logistics Institute, 2005

Researchers looking at the impact of supply chain disruptions found that such events can be catastrophic for businesses and their shareholders. Based on a sample of more than 800 companies that announced a supply chain disruption between 1989 and 2000, 33-40 percent experienced lower stock returns than their industry peers, regardless of industry, cause of disruption or time period. Such firms experienced 7 percent lower sales growth and 11 percent higher costs.

The study shows that firms that experience disruptions, on average, experience a 107 percent decrease in operating income, 114 percent decrease in return on sales, and 92 percent decrease in return on assets. Changes in operating income, sales, total costs and inventories remained negative in the two years after the problems were disclosed.

Innovators in Supply Chain Security: Better Security Drives Business Value
Stanford and Manufacturing Research Institute, National Association of Manufacturers, 2006

International trade is no longer just about moving goods quickly and cheaply. In this age of global terrorism, there is a third element: it is about moving goods quickly, efficiently and securely. Some of the implications of the 9/11 events include an increase of 15 percent in airfreight costs and an increase of 20 percent in the costs of commercial insurance premiums to about $30 billion per year. New security measures following 9/11 are estimated to cost the U.S. economy alone more than $150 billion, of which $65 billion is for changes in supply chains.

The study also quantified benefits, through case studies of eleven major manufacturers and three logistics providers, that have the potential to offset or exceed the costs of security, including:

• Improved product safety (38 percent reduction in theft/loss/pilferage, 37 percent reduction in tampering);

• Improved inventory management (14 percent reduction in excess inventory, 12 percent increase in reported on-time delivery);

• Improved supply chain visibility (50 percent increase in access to supply chain data, 30 percent increase in timeliness of shipping information);

• Improved product handling (43 percent increase in automated handling of goods);

• Process improvements (30 percent reduction in process deviations);

• More efficient customs clearance process (49 percent reduction in cargo delays, 48 percent reduction in cargo inspections/examinations);

• Speed improvements (29 percent reduction in transit time, 28 percent reduction in delivery time window);

• Resilience (close to 30 percent reduction in problem identification time, response time to problems and in problem resolution time); and

• Higher customer satisfaction (26 percent reduction in customer attrition and 20 percent increase in number of new customers).


The Business Value of Resilience
Council on Competitiveness, Transform. Company Vignettes

Wal-Mart
Wal-Mart's reputation for supply chain gymnastics was showcased during Hurricane Katrina, when the company was able to bring 66 percent of its stores in the affected region back into operation within 48 hours, and 93 percent within seven days. But, its supply chain sophistication was not developed as a disaster management tool, and in fact, the investment could not have been justified solely on disaster preparedness grounds.

The inventory visibility and supply chain agility are rooted in a business model that requires quick changes in the merchandise mix as a source of competitive advantage and new business opportunities, and robustness in its information and logistics systems. Resilience has been embedded in the company's DNA to handle peak requirements.

Georgetown
The availability of student housing is a critical part of the university's business continuity. If housing is not available, then one of the main sources of operating revenue, tuition, is also at risk. Georgetown undertook a project to improve residence hall safety standards that exceeded code, installing sprinklers and other equipment, resulting in a significant decrease in its insurance premiums. The university took these savings and increased its business interruption insurance fivefold (well before Katrina).

That became a positive factor in determining the university's rating and cost of capital in a subsequent bond issue.

Waste Management
After 9/11 and a break-in a few months later at a landfill in Cut and Shoot, Texas, that destroyed half a million dollars in heavy equipment, Waste Management began to investigate the benefits of a state-of-the-art security operations center. It