cisco - erm at cisco presentation
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Enterprise Risk Management at Cisco
NC State University
Rob Rolfsen
Director, Global Risk Management
March 23, 2007
Agenda
• Growing Importance of ERM
• Cisco’s ERM Program
• Our ERM Process
• FY07 Plans
• Success Story
The Growing Influence of Risk Management
A majority of companies are choosing ERM…
[Pie chart: share of companies by ERM status. Categories: Preparing/Developing/Implementing; Positively disposed; Have rejected]
…and ERM is seen as an increasingly important responsibility
[Bar chart: degree of importance (Very high; Significant; Somewhat or less) for Internal audit, CFO, CEO and Board]
Conference Board/Mercer Oliver Wyman survey
Primary Drivers for Implementing ERM*
Rank Driver Percent
1 Corporate governance requirements 66%
2 Greater understanding of strategic and operating risks 60
3 Regulatory pressures 53
4 Board request 51
5 Competitive advantage 41
* Multiple answers allowed
Conference Board/Mercer Oliver Wyman survey
Highest Priority ERM Objectives*
Ensure risk issues are explicitly considered in decision making 44%
Avoid surprises and “predictable” failures 40
Align risk exposures and mitigation programs 24
Institute more rigorous risk measurement 19
Integrate ERM into other corporate practices like strategic planning 17
* Multiple answers allowed
Conference Board/Mercer Oliver Wyman survey
At Most Companies, ERM is Still a Work in Progress
ERM efforts are still in their infancy at many companies and face many constraints
Depending on the company, it takes three to five years to fully integrate and operationalize advanced risk practices
The cost of developing and building an ERM framework is not insubstantial
Many firms consider specific risks within certain business units, but they rarely examine risk strategies at the company-wide level
Conference Board/Mercer Oliver Wyman survey
Cisco’s ERM Organization
• Led by Chris Kite, VP, Global Risk Management/Workplace Resources
• Dotted line reporting into the Board of Directors
• Virtual multi-disciplined global team
• Corporate Executive Sponsors
  • Randy Pond – COO
  • Dennis Powell – CFO
• Meet regularly with Executive Sponsors and Risk Review Group
  • RRG = ICS, IT, Finance, HR & Supply Chain
• Report quarterly to Audit Committee and Investment Committee
ERM at Cisco
Enterprise Risk Management
“How Do I Take More Intelligent Risks?”
• Disciplined Decision Making
• Risk Timing
• Business & Technology Innovation
• Increased Shareholder Value
• Industry Leadership
“Is My Current Risk Level in Control?”
• Business Risk Monitoring
• Risk Responsiveness
• Tolerance
  – Controllable Risks
  – Non-Controllable Risks
“How Do I Reduce Business Risk?”
• Risk Analysis
• Risk Assessment
• Business Continuity Planning
• Business Resilience
[Diagram labels: OPTIMIZE, GROW, PROTECT; ERM; Corporate Strategy]
Cisco’s Integrated ERM Framework
Integrate ERM in Corporate Compliance and Governance Activities
• Integrate key risk processes and systems
• Understand Cisco’s risk appetite
• Sustain a risk-based approach to improving and managing Corporate compliance and governance
• Use Risk Review Group to increase multi-disciplinary risk education, awareness and information sharing
[Diagram labels: Internal Controls (ICS); Sarbanes Oxley (SOX); Risk Management (RM); Finance Planning and Analysis (FP&A)]
Cisco’s ERM Process
Determine priorities for ERM via Risk Review Group and Board
Identify Executive Sponsor in area to be assessed
Interview key executives in multiple functional areas re: their perceptions of key risks facing the company and their quantification of the probability, severity and current management effectiveness at managing the risk – the discussion is the most important aspect
Consolidate interview results, identify key risks and report back to Executive Sponsor and collect feedback
Share final report with Corporate Executive Sponsors and Audit Committee
Facilitate discussions/workshops with risk owners wrt decisions re: identified key risks
Track progress via Ops Reviews, Risk Review Group, Internal Audit Schedule and integrate with business planning
Assessment Criteria: Probability, Severity and Management Effectiveness
Probability
1.00 Remote
2.00 Possible
3.00 Probable
4.00 Almost Certain
Severity - Annual Impact to Cisco Profitability
1.00 <$35M or Insignificant
2.00 $35M - $150M or Minimal
3.00 $150M - $1B or Significant
4.00 > $1B or Catastrophic
Management Effectiveness
4.00 Assessment completed. Mitigation is in place. Reporting and Monitoring in place.
3.00 Assessment completed. Mitigation is in place. Reporting and Monitoring not in place.
2.00 Assessment completed. Mitigation is not in place. Reporting and Monitoring not in place.
1.00 Assessment not completed. Mitigation not in place. Reporting and Monitoring not in place.
Business Risk Inventory
EXTERNAL RISKS
• Capital Availability • Disease • Industry • Regulatory • Technological Innovation
• Competitor • Economy • Legal • Shareholder Relations • Terrorism
• Customer Needs • Financial Markets • Natural Hazard/Catastrophe • Sovereign/Political
INTERNAL RISKS
Strategic
• Brand/Reputation • Business Model • Business Portfolio • Delivery Channels • Intellectual Property • Marketplace • Organization Structure • Planning • Product Life Cycle • Resource Allocation • Social Responsibility
Operational / Process
• Alignment • Business Interruption • Capacity • Change Response • Compliance • Contract Commitment • Customer Satisfaction • Cycle Time
• Efficiency • Environmental • Health & Safety • Knowledge Management • Measurement • Partnering
• Performance Gap • Physical Security • Product Development • Product Liability • Product/Service Failure • Product/Service Pricing
• Relationship Mgmt • Strategy Implementation • Sourcing • Supply Chain • Transaction Processing
Financial
• Cash Flow • Collateral • Commodities • Concentration • Counterparty • Credit • Default • Equity • Financial Instruments • Foreign Exchange • Interest Rate • Liquidity • Modeling • Opportunity Cost
Human Capital
• Accountability • Change Readiness • Communications • Competencies/Skills • Empowerment • Hiring/Retention • Leadership • Outsourcing • Performance Incentives • Succession Planning • Training/Development
Integrity
• Conflict of Interest • Employee Fraud • Ethical Decision Making • Illegal Acts • Management Fraud • Third-Party Fraud • Unauthorized Acts
Technology
• Access • Availability • Capacity • Data Integrity • e-Commerce • Infrastructure • Relevance • Reliability
Management Information
• Accounting Information • Budgeting & Forecasting • Completeness/Accuracy • Investment Evaluation • Pension Fund • Regulatory Reporting • Taxation • Sarbanes Oxley
INDUSTRY-SPECIFIC RISKS
FY07 ERM Objectives
Enhance understanding of risks affecting theatres & subsidiaries & the drivers of those risks
Raise the level of ERM awareness & education within Cisco & externally
Integrate risk management with existing processes – investment management, strategic planning & business development
Continue to integrate risk management with line management processes
ERM Success Story
ERM group invited to participate in workshops with the Emerging Markets Group to help executives understand the risks the company faced.
Emerging Markets (EM) sales team asked ERM to help build risk into its decision-making models.
As part of the overall go-to-market strategy, an Emerging Countries Council was put in place to govern doing business in these developing countries.
Risks, specifically safety and security and ethics risks, are quantified and discussed as part of the overall decision-making process.
Developed ten key quantifiable variables to help drive a more risk-informed decision-making process:
Macroeconomic – credit, interest rates, foreign exchange
Political and Ethical – fraud and competitor, expropriation
Operational – regulatory, complexity, health & safety
Strategic – early mover advantage, marketplace (partners), brand reputation/IP
The ultimate goal is to be able to allocate resources more effectively and to answer the question of which resources the company should be devoting to which countries.
Emerging Markets Risk Analysis