April 1, 2009 Patrick T. Finegan © 2009 Towers Perrin DELVACCA Inaugural In-House Counsel Conference Managing Risks in Today's Turbulent Economy

April 1, 2009

Patrick T. Finegan

© 2009 Towers Perrin

DELVACCA Inaugural In-House Counsel Conference

Managing Risks in Today's Turbulent Economy

Risk management as a discipline is under siege

There is widespread concern that something is wrong with risk management practices in corporate America.

From journalists, policymakers and investors

From management

— Towers Perrin and CFO Research interviewed 125 finance executives immediately following the collapse of Lehman Brothers in September, 2008.

— 72% expressed concern about vulnerabilities in their own risk management practices.

— 62% stated that their companies would change risk management practices as a consequence of the financial crisis.

Corroborated by a surge in requests for proposal

Yet the precise dimensions of what went wrong and what companies should do remain elusive.

This raises the question whether any amount of energy and investment could protect a company against the wrenching dislocations of another financial crisis.

And it creates a healthy sense of humility about attempting to describe risk management “best practices.”

Reliance on dated risk management standards (or “best practices”) is part of the problem

There is growing uneasiness that COSO and its brethren:

Defined risk poorly

Categorized risk factors in a manner unsuited to effective economic analysis, assignment of responsibility, and identification of important interdependencies

Contributed to a highly tactical, compliance-oriented approach to risk identification, measurement and management

Created a false sense of security

Enterprise risk management (ERM) is a young discipline that has only partially evolved

[Figure: evolution of ERM. Axis: Link with strategy (Low, Medium, High). Stages: Risk control; Balance sheet protection; Risk/return optimization; Value creation. Labels: Compliance; Loss minimization; Risk management; Risk measurement; Strategic integration; Return optimization. Markers: Industry standard in the last 5 – 10 years; Today; Industry standard in the next 5 – 10 years.]

Source: Standard & Poor’s.

What we have learned so far:

Why Risk Management Programs Fail / Why Risk Management Programs Succeed

Risk Management Foundation

Fail: Poorly defined objectives; Ineffective reporting systems, tools, staffing; Compliance-focused; Not all risks identified or well understood

Succeed: Consistent economic framework for defining, measuring, prioritizing and controlling risks; Regular and systematic examination of risks on a consolidated enterprise basis

Risk Management Governance

Fail: Disjointed, overlapping or conflicting task forces, responsibilities and controls; Perfunctory involvement by senior management and the board

Succeed: Clear line-of-sight assignment of responsibility and accountability for key risks; Sr. risk officer charged with supervising all risks, independent of operations; dotted line to the board

Risk Management Culture

Fail: Weak, inconsistent tone from the top; Limited consideration of risk in strategic decision-making; Limited employee risk awareness or concern; Open communication discouraged

Succeed: Leadership and active involvement by the CEO and board of directors; Integration of risk management practices into strategic decision-making processes; Well-developed risk culture

Risk Management Metrics

Fail: Inconsistent risk metrics and controls; Metrics not well-understood or monitored

Succeed: Employ simple, well-designed risk dashboards; Embed risk management metrics into forward-looking investment decisions and performance management assessments

Risk-Reflective Pay

Fail: Poor alignment of employee incentives with risk management objectives and parameters of acceptable risk; Payout of short-term incentive awards based on unsustainable profits

Succeed: Rewards that encourage risk-taking within established parameters; Incentives based on defined risk-reflective metrics, calibrated properly given business risks; Timing of incentive payouts that allows for realization of impact of risk

Effective risk management focuses on tail events, not expected losses

An entire generation of risk managers has been trained under COSO and other “standard-setting” frameworks to use “likelihood x impact” heat maps in setting risk priorities.

The result has been strong micromanagement of admittedly important periodic loss exposures, but weak and/or haphazard preparation for seismic, once-in-a-lifetime events.

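[Figure: two 3 x 3 heat maps. Panel "COSO": Likelihood (Low (1), Med (2), High (3)) against Impact (Low (1), Med (2), High (3)), with each cell scored as likelihood x impact, from 1 to 9. Panel "Modern ERM": Frequency (Low (1), Med (2), High (3)) against Severity (Low (1), Med (2), High (3)); surviving cell labels: "n/a" (three cells) and "COSO".]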

The typical risk map is a jumble of contributory factors, loss events, and direct and collateral consequences

There is no clear way to assign responsibility or evaluate interconnections.

Effective ERM requires a structured way of thinking about risk — a sound risk “taxonomy”

[Diagram: risk taxonomy. Top-level labels: Causes; Effects.]

Contributory Factors: Insufficient training; Lack of management supervision; Inadequate auditing procedures; Poor HR policies; Poor systems design; Inadequate segregation of duties; Insufficient risk monitoring

Events: Internal Fraud; External Fraud; Employment Practices and Workplace Safety; Execution, Delivery and Process Management; Damage to Physical Assets; Business Disruption and System Failures; Clients, Products and Business Practices

Consequences: Regulatory, Compliance and Taxation Penalties; Restitution; Loss of Recourse; Reputation; Business Interruption; Write-down; Loss or Damage to Assets; Legal Liability

Consequence groupings: Monetary Losses; Non-Monetary Losses (Forgone Income)

A sound risk taxonomy clarifies interdependencies and facilitates line-of-sight responsibility

Mutually exclusive, collectively exhaustive set of events

Better ability to anticipate (and prepare for) perfect storm and/or Black Swan conditions

[Diagram: Factors 1 – 4, Risk Events 1 – 3 and Consequences 1 – 6 shown as a linked network; annotations: Systemic Risk; Concentration of Risk.]

What companies get from their ERM investment:

Value Proposition / Evidence

Value proposition: More durable and higher quality of earnings; More efficient operations

Evidence: Increasing body of research demonstrating significant improvements in share price, quality of earnings, and dollar savings from concentrating risk management resources around risks that matter, improving the "risk-awareness" of incentives, and reducing the incidence and impact of loss events

Value proposition: Improved standing among stakeholders, regulators and trade partners

Evidence: Heightened interest by upper management, directors, capital providers and important third parties, including trade partners; Heightened interest by regulators and other governmental bodies

Value proposition: Lower cost of capital; better access to the capital markets

Evidence: Strong empirical evidence that good risk management practices strengthen credit ratings; Stated ERM requirements of Standard & Poor's and Moody's

Value proposition: Sustainable long-term ability to grow the business

Evidence: Strong inverse correlation between long-term corporate survival and the incidence of risk events; Empirical evidence that strong risk governance, incentives and culture improve revenue productivity

Value proposition: Fewer catastrophes. Better management of those that occur

Evidence: Strong anecdotal evidence that ERM can improve preparedness against massive loss events, e.g., the ability of ERM leaders in the insurance industry to reserve losses from Hurricane Katrina and Rita more accurately than ERM laggards

Diagnostic questions for your organization

Towers Perrin co-sponsored the most recent global risk briefing by the Economist Intelligence Unit, a unit of The Economist [1]. In that briefing, the author compiled a list of questions that should be fully and candidly assessed in determining whether a company has effective risk governance.

The questions are divided into multiple callouts (or “shout boxes”), but have been extracted, paraphrased and/or copied here into a single table (next 4 slides).

Together, the questions present a diagnostic of the health of your enterprise risk management system.

[1] Robert Mitchell, “Risk and recovery: Practical lessons for the morning after,” Economist Intelligence Unit Global Risk Briefing, March 23, 2009.

Diagnostic questions for your organization (continued)

Topic Health check

Risk focus

Have you properly identified your main risks? Are you confident that senior management and the Board of Directors are aware of these risks, their severity, and the potential impact on the business?

Does the filtering of information as it rises through the organization handicap the ability of senior management and the Board of Directors to manage risk effectively?

Risk authority

Do risk professionals have appropriate authority within the organization? If a problem with potentially damaging reputational and/or financial consequences arises, are there adequate processes in place to escalate the issue to senior management?

Are there appropriate independent committees in place to review risk management practices?

Is there an individual, independent of operations, who is responsible for risk management across the Company? Does he or she have direct access to the Board?

Source: Robert Mitchell, “Risk and recovery: Practical lessons for the morning after,” Economist Intelligence Unit Global Risk Briefing, March 23, 2009

Diagnostic questions for your organization (continued)

Topic Health check

Risk information

What information does the Company use to assess its risk position?

Are the sources of information generally accepted and are they tested against other sources to ensure validity?

Does the Company rely overly on historical data?

How dependent is the Company on human instinct and judgment in identifying and assessing risk? Does the weighting of qualitative and quantitative risk inputs seem appropriate?

Risk culture

What is the standing of risk management in the Company? How close is it to the business?

To what extent is risk management seen as a support function? Would closer integration with the business lead to it having a more strategic role? In what ways might this benefit the Company?

How do employees and lower-level managers perceive the Company’s commitment to effective risk management?

Source: Robert Mitchell, “Risk and recovery: Practical lessons for the morning after,” Economist Intelligence Unit Global Risk Briefing, March 23, 2009

Diagnostic questions for your organization (continued)

Topic Health check

Risk framework

Are risks identified and aggregated centrally and subject to an enterprise-wide view?

Do you understand the interaction between different risk categories and the way in which events in one part of the business can increase the frequency or severity of events elsewhere?

Is there a common language of risk to ensure clarity of understanding across the Company? Does it relate to measures that investors and rating agencies care about, such as financial stability and the return on capital? Is there a logical and usable risk taxonomy?

Do you have the IT infrastructure and analytics to support risk aggregation and the effective communication of risk information?

Risk strategy

Does senior management devote time to studying market, political and economic scenarios, and the impact of these scenarios on their business? Should this exercise be formalized?

To what extent are different scenarios considered when setting long-term strategy? Is there a tendency to rely on an “official future” rather than test the business model against other plausible assumptions?

Does senior management seek a range of views and perspectives in order to test its assumptions?

Diagnostic questions for your organization (continued)

Topic Health check

Risk agility

How frequently does the Company review and update assumptions about the risk environment? Is this process frequent enough, given current external conditions?

How is information about the changing risk environment communicated to senior management?

To what extent do changes in the external risk environment lead to changes in risk management priorities and processes?

Risk-reflective pay

How is the link between corporate performance and compensation made? Are the right indicators being used throughout the Company, and are incentive programs designed in such a way that they motivate and reward, but do not encourage behavior that is detrimental to long-term shareholder interests?

Source: Robert Mitchell, “Risk and recovery: Practical lessons for the morning after,” Economist Intelligence Unit Global Risk Briefing, March 23, 2009