The Interaction of Treasury and Risk Management

NCSU Enterprise Risk Management Initiative
January 25, 2008

Brian Warren
Director, Risk Management
Microsoft Corporation


Agenda
• A Quick Tour of Microsoft
• Microsoft Treasury
• Life Cycle of a Dollar
• Financial Risk Management
• Business Risk Management
• ERM at Microsoft
• Operational Risk Management Case Study - Classification of High Business Impact Data
• Q&A

Microsoft by the Numbers
• $60B Revenue*
• $18.5B Net Income*
• 84,600 Employees (and hiring)
• Subsidiaries in 103 Countries
• 24 million sq ft of facilities at 565 sites

* Forward looking guidance 1/24/07

Microsoft’s Businesses
• Microsoft Office, SharePoint Portal Server, Microsoft LiveMeeting
• Windows Vista, Windows Media Center Edition, Tablet PC
• Microsoft Dynamics
• Windows Live Search, MSN, Hotmail, Messenger
• Xbox, Consumer software and hardware, TV platform
• Windows Mobile Software, Windows Embedded Device OS, Windows Automotive
• Windows Server, SQL Server, Exchange Server, Developer Tools, Microsoft Consulting Services

What does all this mean to me?

Microsoft FY 08’ Risk Universe

Enterprise Risk Management
Risk domains: Strategic, Operations, Financial/Reporting, Legal/Compliance

• Business Model: Vision & Direction; Monetization Model; Brand/Marketing Strategy; Channel Strategy; Pricing Strategy; Competitive Positioning; Value Chain Strategy; Measurement & Monitoring
• Strategic Investments: M&A; Partner Alliance; Ecosystem Investments; R&D Investments
• Market Dynamics: General Macro Environment; Social-Political; Technology Changes; Talent Acquisition; Customer Demand; Consumer Lifestyle; UGC/Sharing; Use of Mobile vs. PC; Piracy
• Business Model Disruptions: "Thin" Client Services; Open Source; Ad-Funded; Virtualization; OEM Disruption; Channel Alienation; Importance of S/W H/W Coupling
• Product Development: Product Strategy; Software Development; Product Development Partners; Product Quality/Integrity; Product Security; Product Release; 3rd Party Subsystems or Functionality Integration
• Sales & Marketing: Research and Development; Marketing; Advertising; Product Pricing; Sales and Marketing - Partner Management; Sales Contracting/Customer Pricing; Order Management; Public Relations
• Services: Consulting Services; Customer Support; Service Partners; Customer Operations
• Supply Chain: Manufacturing Planning and Forecasting/Product Availability; Vendors/Partners/Contract Execution; Procurement; Production; Inventory & Capacity Management; Distribution Channels; Product Licensing/Subscriptions; Product Compliance; Software Piracy
• Corporate Governance: Board Performance; Governance Framework; Corporate Citizenship
• Legal Compliance: Ethics and Business Conduct; Anti-Corruption; Fraud
• Legal: Contract; IP/Source Code Protection; IP Infringement; Piracy/Counterfeiting
• Regulatory: Antitrust and Competition Law; Export Control and Global Trade; Labor Laws and Regulations; Securities; Environment; Data Protection and Privacy; Product Safety
• Planning & Resource Allocation: Operational and Business Planning; Budgeting and Forecasting; Capital Expenditure Planning; Outsourcing
• Treasury: Cash Management; Hedging; Investing; Insuring; Funding; Credit and Collections; Securities Lending
• Financial Reporting: GAAP Accounting; External Reporting & Disclosure; Internal Control/SOX 404/302; Statutory Reporting; Internal Reporting; Information & Reporting Integrity
• Tax: Tax Strategy and Planning; Tax Optimization; Transfer Pricing; Property Taxes; Tax Compliance
• Investor Relations: Communications
• Mergers, Acquisitions & Divestitures
• People: Culture; Recruiting & Retention; Global Resourcing; Development and Performance; Succession Planning; Compensation & Benefits; Labor Relations; Employee Communications; M&A; Organizational Structure
• Information Technology: Infrastructure Resiliency and Availability; Data Privacy; Data Management, Integrity and Quality; Infrastructure Security; Information System Access; IT Governance
• Business Continuity: Natural Events; Information Technology Recovery; Business Process Recovery; Crisis Management; Man Made Events
• Corporate Physical Security: Buildings and Facilities; Threats of Violence; Incidents of Theft; Life Safety

Microsoft Treasury
• Microsoft is generating free cash flow at a rate now exceeding $18B / year.
• Investment income is running over $1B annually, from ~ $21B of managed assets.
• FY07: stock buy-back $27B, dividends $3.8B, acquisitions ~ $1.5B
• Mandate: provide $1B liquidity within 24 hours at any time.

Treasury’s Business Model: The Lifecycle of the Dollar

[Diagram: the lifecycle of the dollar, from Revenue/Sales to Change in Cash, through the Treasury groups]
• Treasury Risk Group: 15-FTE
• Capital Markets Group: 20-FTE
• Global Cash Management & Treasury Operations: 15-FTE
• World Wide Credit Services: 68-FTE
• Corporate Finance: 3-FTE

Worldwide Credit Services
• Organized into 2 groups:
  • Windows Online Credit Services
  • WWCS
• Maximize A/R protection, while allowing MS to expand sales and increase market share
• Evaluate A/R risks and appropriate reserves
• Develop tools to anticipate future risks
• Maintain continuous and consolidated information on customer financial condition and outstanding credit balances
• Provide credit-related expertise and services

Microsoft Finance In The News

Global Cash Management and Treasury Operations Groups
• Settlements in over 100 countries and 25+ currencies
• 995 bank accounts of which 500+ are managed daily
• Active management of over 30 counterparty relationships
• Monthly transaction volume over $40B
• SWIFT Initiative – cash visibility and optimize cash balance

The value of a global centralized treasury function

Capital Markets
• Capital Markets
• Portfolio Management
  • Liquidity Portfolio
  • Special Purpose Portfolio
  • Investment Portfolio
• Strategic Investments
• Foreign Exchange

Risk Group: Financial Risk Management
• Twofold Role:
  • Independent check on portfolio manager risk and performance
  • Advise portfolio managers on risk from investment choices
• Risk Metrics and Reports:
  • Value At Risk (VAR)
  • Stress Testing
  • Scenario Analysis
  • Counterparty Risk
• Performance Reports
  • Performance attribution (allocation vs. selection)
  • Risk-adjusted Returns

Daily Green Zones Report

Financial RM – Looking Ahead
• Developing advisory capabilities
  • Risk Budgeting
  • Pre-trade consultation
• Testing vendor hosted VaR system
  • Computing and data maintenance is intense, difficult to support in-house
  • Correlation matrices already hosted by vendor

Business Risk Management
• Hazard Risk Management:
  • Risk Consulting and Insurance (Risk Financing)
• Claims, Information and Analysis Team:
  • Quantitative Risk Analysis and Assessment
  • Accounting coordination
  • IT application Product Management
  • Claims preparation, submission, pursuit
  • Records management

Business Risk Management: classic risk map

[Risk map: Probability on the vertical axis (Low to High), Economic Loss on the horizontal axis (Low to High)]
• High probability, low economic loss
  • Risks: PC Theft; Low Dollar Property; Contractual Obligations
  • Solution: Self Insurance (retain the risk)
• High probability, high economic loss
  • Risks: IP Infringement Liability; Private Antitrust; E&O Liability; Operations Impact Damages; Product Recall/Return
  • Solution: Captive Insurance
• Low probability, low economic loss
  • Risks: Low Dollar Crime; Fiduciary Liability
  • Solution: Self Insurance (retain the risk)
• Low probability, high economic loss
  • Risks: High Dollar Property; Consequential Loss; High Dollar Crime
  • Solution: 3rd Party Insurance

Enterprise Risk Management
• History
  • Risk Maps circa 1996
  • Risk “knowledgebase” prototype circa 1998 (RISKS)
  • 1999 – prototype quantitative estimates of top material P/C risks
• COSO era
  • 2005 – first assessment of how well Microsoft meets new COSO standard
  • 2007 – current ERM program launched

Practical ERM
• For Microsoft, Risk Resiliency resonates
  • How can I structure my finances to survive a major disaster or technology disruption?
• Assumes “black swans” exist
• Resiliency can be obtained via:
  • Retained risk capital
  • Contingent capital (lines of credit, insurance)
  • Agile business structure (low fixed / flexible variable costs)
• Gates’ mandate: Keep at least one year of OPEX on hand

Enterprise-wide Risk Management

MS executes enterprise-wide risk management by means of distributed subject matter experts carrying out discrete efforts.

[Diagram: Office of ERM, Ops ERM, TRG, Legal, IA & Compliance]

In this model, TRG is one expert resource in a matrix of risk management activity.

Treasury Risk Group’s Role

How do we enact our mission of being in-house risk SMEs?

• Quantify economic impact of loss scenarios
  • Scalable and repeatable quantitative risk estimates
  • Reports of loss scenarios
• Scale to gauge risk materiality
• Decision support for Microsoft Business Groups and the enterprise
• Validate adequacy of Microsoft insurance programs

• Blue Sky: Scenario risk mapping
• Atlas v.1: Single event/worst case
• Atlas v.2: Frequency and severity output
• Atlas v.X: Refinement going forward

• Interviews…: Nearly 300 interviews
• Algorithm: Catastrophic Risk Categories; Business Group-specific Loss Scenarios; Common Cost Elements
• Stochastic behavior model: Reliable data; Credible assumptions
• Validate Outputs

Atlas Quant Methods

Many ‘tools’ to choose from
• Actuarial approaches
  • Exposure, Frequency, Severity
  • Loss Development
• Decision Theory approaches
  • Influence diagrams
  • Decision trees
  • Monte Carlo simulation
• Six Sigma approaches
  • Failure Modes Effects Analysis

ORM Case Study
Classification of High Business Impact Data

“Least Privileges Access”
• Problem:
  • Unanticipated result of internal SharePoint “dogfooding”
  • Proliferation of SharePoint sites with no or low access limitations
  • Default when setting up new SharePoint sites was ‘accessible to all’.
  • Many site owners were not changing access to level appropriate for content.

Microsoft High Business Impact (HBI) Data Requirements
• Microsoft must protect the following information
  • Financial information (non public)
  • Customer data
  • Intellectual Property
  • Personnel data
• Microsoft must follow national and international laws and regulations
  • GLBA
  • SOX
  • HIPAA
  • COPPA
  • CB 1386
  • EU directives
  • Japan’s privacy laws

HBI Problem Statement
• Policy must be enforced
  • MSFT Data handling policy requires classification
  • For HBI, encryption required
• Repositories have large amounts of data and are distributed globally
• Remediation must be efficient and effective
  • Remediation must be automatic
  • Remediation must facilitate business needs
• MSFT must be able to demonstrate HBI policy compliance
• Beginning State: Controlling Sensitive Data (HBI) ORM exposure rated “High” and top risk.

Methodology & Deployment Plan
• Develop Proof of Concept
• Conduct Risk Analysis
• Design and Build
• Pilot and Deploy
• Plan to Grow to Service Management

MSFT Treasury Support for Risk Assessment
• Collaboration with MSIT HBI Team
  • MSIT, Treasury, LOB, Legal
  • Small data sample evaluated by team
• Created a process model
  • Included Exposure, Frequency & Severity
  • Model Parameter Estimates used to drive Monte Carlo simulation
  • Base case = SharePoint sites created with open-access default, and no file scanning.
  • 6 comparison scenarios = SharePoint sites created with limited-access as default, and various file scanning & classification tool options

MSFT Treasury Support for Risk Assessment
• Cost of classification & remediation project estimated
  • ROI > 600%
  • (Expected Loss / Project Cost > 600%)
• Operational issue now cast in business terms
  • Accept Risk – Take no additional action
  • Mitigate Risk – Implement Classification & Remediation program with expected ROI
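
The risk-assessment approach on the two slides above (exposure, frequency and severity driving a Monte Carlo simulation, then expected loss set against project cost) can be sketched as follows. This is an added example, not the model Treasury built: the scenario names, every parameter value, the Poisson frequency and the lognormal severity are assumptions chosen for illustration.

```python
import math
import random

# Constructed parameters: the presentation gives no model inputs.
# exposure = sites holding HBI data that anyone can read;
# frequency = expected loss incidents per exposed site per year.
SCENARIOS = {
    "base_open_access_no_scanning": {"exposed_sites": 200, "incidents_per_site_year": 0.02},
    "limited_access_with_scanning": {"exposed_sites": 20, "incidents_per_site_year": 0.02},
}
SEVERITY_MEDIAN = 50_000.0  # assumed median loss per incident (USD)
SEVERITY_SIGMA = 1.0        # assumed lognormal shape parameter
PROJECT_COST = 45_000.0     # assumed cost of the classification & remediation project


def poisson(rng, lam):
    """Draw a Poisson count with Knuth's method (fine for the small rates here)."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(scenario, trials=20_000, seed=1):
    """Return one simulated total annual loss per trial for a scenario."""
    rng = random.Random(seed)  # fixed seed keeps runs repeatable
    rate = scenario["exposed_sites"] * scenario["incidents_per_site_year"]
    mu = math.log(SEVERITY_MEDIAN)
    losses = []
    for _ in range(trials):
        incidents = poisson(rng, rate)
        losses.append(sum(rng.lognormvariate(mu, SEVERITY_SIGMA) for _ in range(incidents)))
    return losses


def summarize(losses):
    """Expected annual loss and the 95th-percentile (tail) annual loss."""
    ordered = sorted(losses)
    return {
        "expected_loss": sum(ordered) / len(ordered),
        "p95": ordered[int(0.95 * len(ordered))],
    }


def analytic_expected_loss(scenario):
    """Closed-form mean of the compound model, used to validate the simulation."""
    rate = scenario["exposed_sites"] * scenario["incidents_per_site_year"]
    return rate * SEVERITY_MEDIAN * math.exp(SEVERITY_SIGMA ** 2 / 2)


def compare(project_cost=PROJECT_COST):
    """Cast the two scenarios in business terms: accept the risk or mitigate it."""
    base = summarize(simulate_annual_losses(SCENARIOS["base_open_access_no_scanning"]))
    mitigated = summarize(simulate_annual_losses(SCENARIOS["limited_access_with_scanning"]))
    return {
        "base": base,
        "mitigated": mitigated,
        "avoided_expected_loss": base["expected_loss"] - mitigated["expected_loss"],
        # The slide's ratio: Expected Loss / Project Cost.
        "expected_loss_to_cost": base["expected_loss"] / project_cost,
    }


if __name__ == "__main__":
    result = compare()
    for key, value in result.items():
        print(key, value)
```
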

Classification of High Business Impact Data Framework

[Diagram: HBI Classification & Remediation Framework and its components]
• WORKFLOW ENGINE: Business workflow engine supports IT’s business needs and enables remediation
• BUSINESS REPORTING: High end key metrics
• CLASSIFICATION: Automatic classification of all File Share (network folders) and SharePoint Sites
• LOCKDOWN

HBI Classification Workflow Engine

[Diagram: workflow stages, with data classified as HBI, MBI or LBI]
• UNSTRUCTURED DATA: Unclassified Data or Unprotected Data
• CLASSIFY: Classifying Data by classifying SharePoint sites & FileShare; and Enforcing higher levels of Access controls on HBI and MBI Data
• SCAN: Content monitoring to identify sensitive content
• APPLY RULES: key words and phrases will be identified and weighted based upon information classification requirements that are dictated by regulatory, industry and Microsoft Security standards.
• REMEDIATE: the automated service will detect and remediate all HBI and MBI files across all managed Microsoft accessible digital assets
• Once information is scanned and properly classified, it is audited based upon flexible content transmission policies

Solutions Adopted
• All File Shares and SharePoint sites classified within 30 days or locked down.
• Broad access groups cannot be used and will be automatically removed.
  • Anonymous
  • Guest
  • Everyone
  • NT\Authenticated Users
• HBI sites will not be permitted to have group access (Active Directory or Security groups). Groups will be removed automatically.
• HBI Data must be encrypted
• HBI Reporting and KPI’s allow demonstration of compliance
  • Data Scanned
  • Frequency of Scanning
  • Number of HBI Detections by LOB, user, etc.
  • Average days to remediation
• End State: Controlling Sensitive Data (HBI) ORM exposure rated “Low”.
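
The rules on this slide can be expressed as a small policy evaluator that turns a site inventory into remediation actions. This is an added example, not Microsoft's service: the `Site` and `Principal` records, the action names, the sample inventory and the choice to count the 30 days from site creation are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Broad access groups named on the slide; matched case-insensitively.
BROAD_GROUPS = {"anonymous", "guest", "everyone", r"nt\authenticated users"}
CLASSIFICATION_DEADLINE_DAYS = 30  # "classified within 30 days or locked down"


@dataclass
class Principal:
    name: str
    is_group: bool  # True for Active Directory / security groups


@dataclass
class Site:
    url: str
    created: date
    classification: Optional[str]  # "HBI", "MBI", "LBI" or None if unclassified
    encrypted: bool
    acl: List[Principal] = field(default_factory=list)


def remediation_actions(site: Site, today: date) -> List[Tuple[str, str]]:
    """Return (action, target) pairs the slide's rules require for one site."""
    actions = []
    # Rule 1: unclassified past the deadline means lockdown.
    # Assumption: the 30 days are counted from site creation.
    age_days = (today - site.created).days
    if site.classification is None and age_days > CLASSIFICATION_DEADLINE_DAYS:
        actions.append(("LOCKDOWN", site.url))
    for principal in site.acl:
        if principal.name.lower() in BROAD_GROUPS:
            # Rule 2: broad access groups are never allowed, whatever the class.
            actions.append(("REMOVE_BROAD_GROUP", principal.name))
        elif site.classification == "HBI" and principal.is_group:
            # Rule 3: HBI sites take named users only, no group access.
            actions.append(("REMOVE_GROUP", principal.name))
    # Rule 4: HBI data must be encrypted.
    if site.classification == "HBI" and not site.encrypted:
        actions.append(("ENCRYPT", site.url))
    return actions


# Constructed inventory (hypothetical URLs, users and groups).
TODAY = date(2008, 2, 15)
SAMPLE_SITES = [
    Site("https://sharepoint.example/sites/team", date(2008, 1, 2), None, False,
         [Principal("Everyone", True), Principal("alice", False)]),
    Site("https://sharepoint.example/sites/finance", date(2007, 11, 1), "HBI", False,
         [Principal(r"NT\Authenticated Users", True), Principal("FinanceTeam", True),
          Principal("bob", False)]),
    Site("https://sharepoint.example/sites/marketing", date(2007, 12, 1), "LBI", False,
         [Principal("Marketing", True)]),
    Site("https://sharepoint.example/sites/new", date(2008, 2, 5), None, False,
         [Principal("carol", False)]),
]

if __name__ == "__main__":
    for s in SAMPLE_SITES:
        print(s.url, remediation_actions(s, TODAY))
```
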

Feedback

“The risk management team provided tremendous value to the HBI LPA program at several levels. … having an independent review of our processes and methodology was very helpful. It provided valuable feedback that we incorporated into our planning and implementation of the project. The economic analysis done helped drive towards the right solution, and gave information to our management helping in their decision as well. Having the economic data to back up the risk versus benefit is extremely helpful in deciding on the right approach. In addition, it was a very valuable learning opportunity for the entire team.”


brianwar@microsoft [email protected] 703- 5339

© 2005 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.