FORUM 2013 Enterprise risk management: fact or fiction

Page 1

ERM: Fact or Fiction?

Monday 30 September 2013

Page 2

Speakers

Edwin Meyer – General Manager Risk & Insurance, ArcelorMittal

Dr Grant Foster – Head of Enterprise Risk Management, Aon Risk Solutions

Mark Harman – CEO Continental Europe, Middle East & Africa, Crawford & Company

Page 3

Agenda

Evolution of risk management

What risks are global companies facing?

10 Hallmarks of Best Practice in Risk Management

What skills does insurance bring to ERM?

What should Risk Managers be better at?

Where are we on the journey to risk maturity?

Can we identify value?

Page 4

Risk Management 1993

Executive management barely thinking about it

Finance as “the conscience of the business”

Non-executive directors – the great and the good, informal

Auditors focused only on financial statements

In-house insurance manager focuses on procuring insurance

Legal department reactive

Overall – low importance, disparate, trusting

Page 5

Risk Management 2003

Post Enron, SOX – executive management climate of fear

Finance – louder voice, more centralised control

More professional NEDs with formal roles – audit committees

Requirement to report on risk and controls

Auditors signing off on controls

More internal audit, big increase in certification

Insurance manager morphing into risk manager – better trained, focus extended to uninsured risks, more linkage to other functions

More widespread use of ERM models and risk maps

Overall – higher profile, more joined up, less trust, focus on compliance

Page 6

Risk Management 2013

Executive management ownership and engagement

Embedded within governance structures and processes

Linked to strategy

Risk managers – higher calibre, central role, at top table

Board of Directors driving governance

Compliance embedded and now BAU

Auditors and internal audit becoming risk consultants

Overall – moving from compliance driven to value driven

Page 7

ERM – A basic business principle

(Diagram: ERM at the centre, surrounded by the business areas it touches – Business, Compliance, Insurance, Finance, Market, Product / Service / Operations, HSE)

Page 8

What Are Companies Worried About?

Results from the 2013 Aon Global Risk Management Survey (top 25 risks, ranked)

1. Economic slowdown / slow recovery
2. Regulatory / Legislative changes
3. Increasing competition
4. Damage to reputation / brand
5. Failure to attract or retain top talent
6. Failure to innovate / meet customer needs
7. Business interruption
8. Commodity price risk
9. Cash flow / liquidity risk
10. Increasing competition
11. Exchange rate fluctuation
12. Technology failure / system failure
13. Third-party liability
14. Distribution or supply chain failure
15. Capital availability / credit risk
16. Weather / natural disasters
17. Property damage
18. Computer crime / hacking / viruses / malicious codes
19. Growing burden & consequences of Corp. Governance /
20. Counter party credit risk
21. Lack of technology / infrastructure to support business
22. Inadequate succession planning
23. Failure of disaster recovery plan / business continuity
24. Crime / theft / fraud / employee dishonesty
25. Injury to workers

Insurance is a useful tool… but business risk is much wider

Page 9

Aon Risk Maturity Index

Current Aon Risk Maturity Index Dataset (September 2013)

• Organizations Represented: 650+

• Countries Represented: 20

• Industries Represented: 30+

The Index will continue to capture global data throughout 2013 and beyond

All Organizations (870+ Participants Globally)

• Developing capabilities to identify, assess and prioritize risks across the organization

• Developing capabilities to analyze risk consistently, but approach may be primarily qualitative

• Developing capabilities for monitoring existing risk exposure across the organization

• Informal and inconsistent consideration of risk and risk management information in decision making

• Developing understanding of Enterprise Risk Management (ERM) and its application

Professional Services Industry Average (35 Participants Globally)

• Developing capabilities to identify, assess and prioritize risks across the organization

• Inconsistency in risk management practices or approaches across the organization (i.e., “silos”)

• Limited capabilities for monitoring existing risk exposure across the organization

• Informal and inconsistent consideration of risk and risk management information in decision making

• Developing understanding of Enterprise Risk Management (ERM) and its application

Client X Risk Maturity Rating

• Developed capabilities to identify, assess and prioritize risks across the organization

• Developing capabilities to analyze risk consistently, using qualitative and quantitative techniques

• Developing set of loss and / or tolerance guidelines for key risks

• Developed capabilities for monitoring existing risk exposure across the organization

• Explicit consideration of risk and risk management information in decision making

Page 10

10 Hallmarks Of Good Risk Management

1. Board Understanding & Commitment to Risk Management

2. Executive Level Risk Management Stewardship

3. Risk Communication

4. Risk Culture: Engagement & Accountability

5. Risk Identification

6. Stakeholder Participation in Risk Management

7. Risk Information & Decision Making Processes

8. Integrating Risk Management & Human Capital Processes

9. Risk Analysis & Quantification to Understand Risk & Demonstrate Value

10. Risk Management Focus on Value Creation

Page 11

What Skills Do Insurance Risk Managers Bring?

1. Board Understanding & Commitment to Risk Management

2. Executive Level Risk Management Stewardship

3. Risk Communication

4. Risk Culture: Engagement & Accountability

5. Risk Identification

6. Stakeholder Participation in Risk Management

7. Risk Information & Decision Making Processes

8. Integrating Risk Management & Human Capital Processes

9. Risk Analysis & Quantification to Understand Risk & Demonstrate Value

10. Risk Management Focus on Value Creation

Page 12

Risk Analysis

Risk register

Scoring risks

Risk prevention measures

Balanced business scorecard

Heat map

Communicating risk

Page 13

Risk Register 2008 – Risk Register Report Dated:

Columns: Risk No. | Status of Mitigation (RAG) | Country Specific / EMEA | Owner | Description of Risk | Impact if it occurs | Impact (Critical, Major, Manageable) | Probability (High, Medium, Low) | Current Control Activities

MKT01 | Amber | UK | Martin Weinthrop
  Description of Risk: Retention of key clients. Top 25 clients account for 70% of revenue.
  Impact if it occurs: General erosion of reputation in the marketplace; potential for a domino effect; financial loss of revenue.
  Impact: Major | Probability: Medium
  Current Control Activities: Key Account Management (KAM) team.

REP01 | Green | EMEA | Martin Weinthrop
  Description of Risk: Serious reputational issue arises anywhere in the world.
  Impact if it occurs: Could seriously impact our EMEA reputation and competitive position.
  Impact: Major | Probability: Low
  Current Control Activities: Country Managers pack sets out the standard to be adopted. Media Policy sets out the structure of our external communications.

REG01 | Amber | UK | Stephen Pearsall
  Description of Risk: Lose FSA authority to conduct regulated business.
  Impact if it occurs: Severe direct impact upon the regulated business. There would also be a severe reputational impact on the non-regulated parts of our business.
  Impact: Major | Probability: Low
  Current Control Activities: Peter J Ward has advisory role.

FIN01 | Amber | EMEA | Stephen Pearsall
  Description of Risk: Top 25 client organisation fails.
  Impact if it occurs: Would impact upon the EMEA revenue and margin heavily.
  Impact: Critical | Probability: Low
  Current Control Activities: Appoint a designated client relationship manager who would be expected to identify early warning signs. Monthly credit control reports detailing status of current debt and identifying adverse trends.

PP01 | Amber | UK | Nicola Fu
  Description of Risk: Key staff leave or are otherwise unavailable.
  Impact if it occurs: Could seriously impact the ability of the EMEA to achieve its corporate objectives. Loss of key staff or revenue could result in collapse of business within that country, e.g. Greece. Plus loss of team culture. Also have a country manager without a contract.
  Impact: Major | Probability: Low
  Current Control Activities: Informal.

OPS01 | Amber | UK | Sam Friend
  Description of Risk: Lack of adequate disaster recovery provision in the event of the total loss of key IT infrastructure.
  Impact if it occurs: Inability to trade effectively. Specifically inability to:
  - Update claim systems
  - Raise invoices
  - Review electronic claim files
  - Send/receive e-mail
  Impact: Critical | Probability: Low
  Current Control Activities: COBIT controls (framework used for SOX compliance) in place to ensure integrity of data.

Risk categories: People, Operational, Projects, Market, Reputational, Regulation, Financial

Page 14

Present Risk Register (figure)

Page 15

Simple Axis (figure)

Page 16

4 Quadrants (figure)

Page 17

4 quadrants with risks plotted (figure)

Page 18

4 quadrants applied to a risk (‘heat’) map (figure)

Page 19

Risk dots coloured to reflect risk management effectiveness (figure)

Page 20

(figure, no recoverable text)

Page 21

What Could Insurance RMs Be Doing Better?

1. Board Understanding & Commitment to Risk Management

2. Executive Level Risk Management Stewardship

3. Risk Communication

4. Risk Culture: Engagement & Accountability

5. Risk Identification

6. Stakeholder Participation in Risk Management

7. Risk Information & Decision Making Processes

8. Integrating Risk Management & Human Capital Processes

9. Risk Analysis & Quantification to Understand Risk & Demonstrate Value

10. Risk Management Focus on Value Creation

Page 22

A Journey To Risk Maturity (figure)

Page 23

Hallmark 10. Risk Management Focus on Value Creation

(slide footer date: 8/10/2013)

Best Practice…

• Balancing short term gains with long term sustainability

• The upside of risk is acknowledged in risk assessments

• Processing trends versus events

• Project risk profile is taken into account when making capital investment decisions.

• Insurance portfolio optimised through robust analysis of risk exposures and tolerances. These combine to drive decision making.

Stumbling blocks…

• Not recognising ‘value’

• Corporate culture views risk management as a staff function, not a source of added value.

• Employees are not encouraged to optimise risk-reward activities.

• Assuming lasting value will be maintained through single iterations of risk management assessments.

Page 24

Conclusions

Evolution of risk management

What risks are global companies facing?

10 Hallmarks of Best Practice in Risk Management

What skills does insurance bring to ERM?

What should Risk Managers be better at?

Where are we on the journey to risk maturity?

Can we identify value?

Page 25

1. Board Understanding & Commitment to Risk Management

Best Practice…

• Key risk exposures, risk appetite and controls are consistent and embedded into corporate strategy.

• Coordinated reporting cycles that are conducted frequently for full Board and its committees.

• Alignment of agreed risk management strategy with the firm’s overall strategic direction.

Stumbling blocks…

• ‘Intuitive management’ means decisions are not based on a clear understanding of the organization’s risk exposure and appetite.

• Board maintains a one-dimensional attitude to risk – effective risk taking is avoided.

• Risk is managed purely to meet compliance requirements.

Page 26

2. Executive Level Risk Management Stewardship

Best Practice…

• Formal assignment of executive-level risk champion

• Risk Management leader’s full involvement in strategic decisions and overall RM strategy.

• “Walk the Talk”

Stumbling blocks…

• “It’ll never happen to us...”

• Demoting risk management function to that of administrator.

• Risk management competency not valued as an important invisible asset.

• Management temptation to avoid bureaucracy by not tying down accountabilities.

Page 27

3. Risk Communication

Best Practice…

• Consistent and coordinated content reported on a routine basis.

• Risk disclosures are expressed in both quantitative and qualitative terms.

• Enterprise-wide use of risk terminology, encouraging open dialogue and centralised tools to facilitate this.

• Active sharing of war stories and subsequent lessons learned.

• Full disclosure of negative feedback facilitated via formal and informal channels.

• As simple as possible; but no simpler

Stumbling blocks…

• External and internal risk factors around decisions are not formally justified and documented.

• Bearers of ‘bad news’ are deemed unwelcome and negative disclosures swept under the rug.

• No formal sanctions for failure to disclose negative risk information.

Page 28

4. Risk Culture: Engagement & Accountability

Best Practice…

• Managers take ownership of risks and how this fits with the organization’s RM strategy.

• Risk management expectations are articulated in executives’ job descriptions and updated periodically.

• Performance metrics are embedded and implemented consistently, driving behaviour and communicating results.

• Risk management results are formally incorporated into incentive structures.

• Work on shared risks… not just my risks

Stumbling blocks…

• Leadership sends ambiguous signals regarding management-level engagement and accountability.

• Corporate culture which assumes everyone knows how to manage risks without appropriate training.

• People are not rewarded for effectively managing their ascribed risk portfolio.

• Accountability is not assigned to a single risk owner.

• Innovation not supported

Page 29

5. Risk Identification

Best Practice…

• External information is integrated into strategic planning, supplementing identification of actual / emerging risks.

• Defined channels facilitate collaboration between the organization and strategic partners to identify and address its risks.

• Internal subject matter experts are consistently privy to all risk identification, validation and response discussions.

• Risk drivers (causes) are well understood & analysed.

• Risk metrics are identified and objectively track a number of key risk indicators.

Stumbling blocks…

• Lack of resources leading to a low risk awareness.

• Failure to prioritise the organization’s Crown Jewels: critical processes and key revenue generators.

• Extensive risk mapping to the detriment of its practical use.

• Failing to realise risk identification is a dynamic process and subject to change at any given moment.

Page 30

6. Stakeholder Participation in Risk Management

Best Practice…

• Forums at executive and management levels seek consensus to address cross-functional risk.

• Demonstrate that stakeholder expectations are analysed and incorporated into the organization’s risk and compliance management processes.

• Ensure effective communication channels to optimise information sharing and strategy development.

• Cross-function approach to risk

Stumbling blocks…

• Failing to incorporate a range of stakeholder positions into decision making process.

• No developed stakeholder communication plan and no common understanding of risk tolerance between parties.

• Withholding key risk information from stakeholders

Page 31

7. Risk Information & Decision Making Processes

Best Practice…

• Formal collection and incorporation of risk information into decision-making and governance processes.

• Risk identification / assessment activities follow given methodologies and are considered in project / investment decisions.

• Budget allocations incorporate risk assessment plans and consider risk-return expectations for each business unit.

• Review systems make reference to RM results and are formally communicated to group and stakeholders.

• BI exposures independently valued at predetermined intervals, with set triggers to prompt emergency valuations.

Stumbling blocks…

• Risk information disconnected from strategic and operational decisions.

• Inconsistent benchmarking and use of risk information across business units.

• No measurable comparisons developed across time and business units.

• Failure to benchmark and review the process on a periodical basis.

• “Something needs to be done….. And this is something”

• “Decide in haste – repent at leisure”

Page 32

8. Integrating Risk Management & Human Capital Processes

Best Practice…

• Monitoring of key HR processes is part of a complete review process, and explicitly linked to RM processes.

• Employee engagement is valued by executives, quantitative in nature and maintained on a periodic basis.

• Talent management is aligned with the organization’s future needs.

• Leadership development plans are consistent and in place for critical positions.

• Retirement plan risks are managed and reviewed quarterly and supported externally.

Stumbling blocks…

• “Any one person can bring a company down” – Failure to realise the value of risk management in the HR space today.

• Cost-cutting dictates external support to help manage HR risks is outlawed by the organization.

• Managing numbers to the detriment of employee satisfaction.

Page 33

9. Risk Analysis & Quantification to Understand Risk & Demonstrate Value

Best Practice…

• Quantitative and qualitative analysis aligned to risk appetite and supported by additional evaluations.

• Common risk drivers are formally identified and relationships between risks analysed.

• Risk KPIs are measured quantitatively and documentation includes qualitative commentary and quantitative evidence.

• Self-insured valuations are conducted annually and are developed by actuaries.

• Market assumptions are documented consistently and organizational projects developed through complex modelling techniques.

Stumbling blocks…

• Link between reward and appropriate risk taking not considered.

• Historical data not incorporated into risk management decisions.

Page 34

ERM Process Standards

ERM process standards and guidance are available (e.g. COSO, ISO 31000)

But these are generally implemented in different ways by different companies

So, from all this risk management activity… what really gives value to companies?