eBusiness Enterprise Risk Management. Mark Carey, CPA, CISA, President. 866.335.2736 x8431, mark@delcreo.com, www.delcreo.com

Upload: ariel-mathews

Post on 12-Jan-2016


Page 1: EBusiness Enterprise Risk Management Mark Carey, CPA, CISA President 866.335.2736 x8431 mark@delcreo.com

eBusiness Enterprise Risk Management

Mark Carey, CPA, CISA, President

866.335.2736 x8431, mark@delcreo.com

Page 2

Enterprise Risk Management Definition

Enterprise Risk Management (ERM) is the capability to protect enterprise value by managing risk:
– With a coordinated and systematic approach,
– Organization-wide, and
– Across all types of risk.

Page 3

Business Risk Profiling: Risk Drivers

Strategic
• Macro Trends
• Competitor
• Economic
• Resource Allocation
• Program/Project
• Organization Structure
• Strategic Planning
• Governance
• Brand/Reputation
• Ethics
• Crisis
• Partnerships/JVs

Operational
• Processes
• Physical Assets
• Technology Infrastructure
• Business Interruption
• Legal
• Human Resources
• Environmental
• Hazard

Stakeholder
• Customers
• Line Employees
• Management
• Suppliers
• Government
• Partners
• Community

Financial
• Market
• Accounting
• Credit
• Cash Management
• Taxes
• Regulatory Compliance

Intangible
• Knowledge
• Intellectual Property
• Information Systems
• Databases
• Information for Decision Making

Page 4

Business Impact Assessment

• Management challenges the numbers
– Make it "real" for senior management
– The typical approach and measures often do not line up with how the CEO, CFO and CIO evaluate their business and make decisions

Shareholder Value Levers

Growth
• Accelerate growth in current businesses
• Drive adoption of next generation appliances, e-services and infrastructure in high growth markets

Cost and Efficiency
• Value Web and Organizational Efficiency
• Streamline decentralized operating model
• Total Customer Experience approach

Capital
• Take advantage of strong balance sheet

Market Variables
• Create e-services ecosystems, placing HP at the center

Risk Management Culture and Infrastructure
• Risk Strategy
• Risk Management Processes
• Technology
• Functions
• Culture and Capability
• Governance

Improvement Initiatives
• Senior Management Validation and Support
• eRisk Rapid Response (eR3) Process
• Risk Coverage Mapping
• Risk Management Workbench
• Detailed Risk Analysis
• eBusiness Risk Management Benchmark

Risks That Matter
• Customer Facing Business Models
• Virtual Supply Chain
• Partnerships and Alliances
• e-Business Infrastructure
• Venture Capital Investments
• Human Resource
• Organizational Change/Allocation of Resources
• Intellectual Property

Page 5

Practical Application: Hewlett-Packard ERM Transformation

[Figure: "Traditional" versus "World-Class Transformation". In the traditional state the risk functions (EHS, Internal Audit, Insurance, IT Security, Physical Security, Legal, BCP, GRM) each manage their own risks in isolation and are measured on cost and assurance. In the transformed state the risks (Risk 1 to Risk 6) of all functions (Legal, IT Security, BCP, Physical Security, Internal Audit, EHS) flow through one ERM Risk Management Process (Assess Risk, Treat Risk, Monitor & Report) with Metrics and Reporting, supported by Knowledge Sources, RiskWeb, Risk Management Tools and a Risk Strategy and Framework, and the function is measured on revenue.]

• Coordination among risk functions to increase risk coverage and decrease cost
• Enable business initiatives to address risk issues quickly to decrease time to market
• Alignment with business strategies and objectives
• Consistent and organization-wide processes
• World-class risk management tools
• Focus on risks that impact stakeholder value

Source: Hewlett-Packard – Used with permission

Page 6

eBusiness: So What?

• "The 'telephone' has too many shortcomings to be seriously considered a means of communication." – Western Union internal memo, 1876
• "This wireless music box has no imaginable commercial value. Who would pay for a message sent to nobody in particular?" – David Sarnoff's associates in response to his urgings for investment in radio in the 1920s
• "Who the hell wants to hear actors talk?" – Harry M. Warner, Warner Bros., 1927
• "There is no reason for any individuals to have a computer in their home." – Ken Olsen, President, Chairman and Founder of DEC, 1977
• "Heavier-than-air flying machines are impossible." – Lord Kelvin, President, Royal Society, 1895
• "Airplanes are interesting toys but of no military value." – Marshal Ferdinand Foch, Professor of Strategy, École Supérieure de Guerre

Page 7

eBusiness Trends

• Real Time Enterprise
• Low Tech, High Impact
• High Tech, Low Cost
• Cyber-Activism

Page 8

"Real Time" Enterprise

• "Ciscoize" and "Dellize" every business
• Adaptive architecture, evolvable applications
• Federation NOT integration
• Architecture to connect architectures
• Rapid, incremental implementation
• Instantaneous "financials", metrics, supply chain, customer support...

"Spontaneous transaction flow and information transparency throughout the extended enterprise"

Customized from the presentation "TECH WRECK or TECH TREND: Perspectives on Technology Investing", Vinod Khosla, Kleiner Perkins Caufield & Byers, September 2001

Page 9

Low Tech, High Impact

• Terrorists have employed low tech weapons to inflict massive physical or psychological damage
– Box cutters
– Envelopes
• Infrastructure is vulnerable to unsophisticated attacks
• Identify assets at risk
– Strategic Initiatives
– People
– Process
– Information Systems
– Physical Infrastructure
– Geography
– Organization
– Products
– Flows (supplies, information, electricity, cash, etc.)
• Focus risk assessment on how the asset may be impacted

Page 10

High Tech, Low Cost

• Sophisticated technologies/tools that may be employed as weapons of mass destruction/interruption
– Biological and chemical weapons
– Technology
• Technologies/tools that have the ability to inflict massive damage are getting cheaper every day
• Sophisticated tools are increasingly affordable and are being used by competitors, customers, employees, litigation teams, etc.

Page 11

Cyber Activism

• The Internet: "a powerful tool for communicating and coordinating action."
– Collection
– Publication
– Dialogue
– Coordination of action
– Direct lobbying of decision makers

Page 12

eRisks... Just a Few

• Cyber terrorism
• Hacktivism
• Data Privacy
• Critical Infrastructure Failure
• Intangible Property
• Third Parties

Page 13

Cyber terrorism

• "The convergence of terrorism and cyberspace"
• Definition
– "Unlawful attacks and threats of attack against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives" – the definition from Dorothy Denning's 2000 congressional testimony, which builds on the FBI definition of terrorism
• Tamil guerrillas sent 800 e-mails a day to Sri Lankan embassies to "disrupt communications"
• NATO computers were hit with e-mail bombs and denial-of-service attacks during the 1999 Kosovo conflict
• Pro-Palestinian and pro-Israeli hackers defaced Israeli and Palestinian sites over a one-month period in October 2000

Page 14

Hacktivism

• Definition
– Operations that exploit computers in ways that are unusual and often illegal to further social causes.
• Methods
– Virtual Sit-Ins and Blockades
– E-Mail Bombs
– Web Hacks and Computer Break-Ins
– Computer Viruses and Worms
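Of the methods listed above, e-mail bombs (and the 800-messages-a-day embassy flood on the previous page) are the one a defender can see directly in mail logs. What follows is an added example, not code from the original deck or from HP's RiskWeb tooling: a sliding-window detector that flags a single sender flooding one mailbox and, separately, a distributed flood of one mailbox from many senders. The log layout (`timestamp from=... to=...`), the addresses and the thresholds (more than 20 messages per sender-recipient pair, more than 50 per recipient from at least 10 senders, both within 10 minutes) are assumptions constructed for the example; a real deployment would parse its MTA's own log format and tune the thresholds to its baseline traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log layout for this example: "<ISO timestamp> from=<addr> to=<addr>".
LINE_RE = re.compile(r"^(\S+)\s+from=(\S+)\s+to=(\S+)$")


def build_sample_log():
    """Constructed sample log (not real traffic): normal mail, one e-mail bomb
    from a single sender, and a distributed flood from many senders."""
    base = datetime(2000, 10, 1, 9, 0, 0)
    lines = []
    # Normal traffic: two messages, three minutes apart.
    for m in (0, 3):
        t = base + timedelta(minutes=m)
        lines.append(f"{t.isoformat()} from=alice@example.com to=info@embassy.example")
    # E-mail bomb: one sender, 25 messages in 25 seconds to one mailbox.
    for i in range(25):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} from=bomber@example.org to=info@embassy.example")
    # Distributed flood: 60 distinct senders, one message each, over five minutes.
    for i in range(60):
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} from=user{i}@example.net to=press@embassy.example")
    lines.append("this line is deliberately malformed and must be skipped")
    return "\n".join(lines)


def parse_log(text):
    """Parse log text into (timestamp, sender, recipient) tuples sorted by
    time; malformed lines are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, m.group(2).lower(), m.group(3).lower()))
    events.sort()
    return events


def detect_mail_flood(events, window=timedelta(minutes=10),
                      per_pair=20, per_recipient=50, min_senders=10):
    """Sliding-window flood detection over time-ordered events.

    Raises a 'sender_flood' alert when one sender exceeds per_pair messages to
    one recipient inside the window, and a 'distributed_flood' alert when one
    recipient receives more than per_recipient messages from at least
    min_senders distinct senders inside the window.  Each (type, key) fires
    once, so a sustained flood does not itself become an alert flood.
    """
    pair_window = defaultdict(deque)   # (sender, recipient) -> timestamps
    rcpt_window = defaultdict(deque)   # recipient -> (timestamp, sender)
    alerts, fired = [], set()
    for ts, sender, rcpt in events:
        q = pair_window[(sender, rcpt)]
        q.append(ts)
        while ts - q[0] > window:        # drop entries older than the window
            q.popleft()
        key = ("sender_flood", sender, rcpt)
        if len(q) > per_pair and key not in fired:
            fired.add(key)
            alerts.append({"type": "sender_flood", "sender": sender,
                           "recipient": rcpt, "count": len(q), "at": ts})

        r = rcpt_window[rcpt]
        r.append((ts, sender))
        while ts - r[0][0] > window:
            r.popleft()
        senders = {s for _, s in r}
        key = ("distributed_flood", rcpt)
        if len(r) > per_recipient and len(senders) >= min_senders and key not in fired:
            fired.add(key)
            alerts.append({"type": "distributed_flood", "recipient": rcpt,
                           "senders": len(senders), "count": len(r), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_mail_flood(parse_log(build_sample_log())):
        print(alert)
```

On the constructed log this raises exactly two alerts: a sender_flood for bomber@example.org at its 21st message, and a distributed_flood for press@embassy.example at its 51st message from 51 distinct senders; alice's two messages and the malformed line produce nothing. The per-pair rule catches the classic single-source bomb; the per-recipient rule with a distinct-sender floor catches the "virtual sit-in" variant where the volume is spread across many accounts and no single sender looks abnormal.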

Page 15

Data Privacy

• Credit card information
• Identity theft
• Biometrics
• Differences in regulations
– United States
– Canada
– European Union
– Other

Page 16

Critical Infrastructure Failure

• Today's business system
– Complex
– Tightly coupled
– Heavily dependent on infrastructure
• Interconnectivity of infrastructure
– Telecommunications
– Power generation and distribution
– Transportation
– Medical care
– National defense
– Other critical government services
• Ripple effects of infrastructure failure

Page 17

Intangible Property

• Mismanagement
– Loss or theft by competitors
– Inability to profit
– Sharing without compensation
• Poor use of risk management techniques
– Insurance
– Continuity planning
– Business controls
• Complicated by the increase in the number of third parties and the "virtual" supply chain

Page 18

Third Parties

• Risk appetite, strategy and sophistication variances
• Brand/reputation inequity
• Regulatory compliance complications
• Intangible property
• Contingency planning

Page 19

eBusiness Risk Management

• Risk Strategy
• Risk Committees
• Risk, Incident and Crisis Management
• Risk Management Intranet Portals
• Enterprise Risk Management

Page 20

Risk Strategy

• Accept Risk: Management decides to continue operations as is, with a consensus to accept the inherent risks
• Transfer Risk: Management decides to transfer the risk, for example from one business unit to another or from one business area to a third party (e.g., an insurer)
• Eliminate Risk: Management decides to eliminate the risk through the dissolution of a key business unit or operating area
• Acquire Risk: Management decides that the organization has a core competency in managing this risk, and seeks to acquire additional risk of this type
• Reduce Risk: Management decides to reduce current risks through improvement in controls and processes
• Share Risk: Management attempts to share the risk through partnerships, outsourcing, or other risk sharing approaches

Page 21

Silos

• Silos exist in:
– Functions and Business Units: corporate and operations; foreign and domestic
– Information Systems and Databases
– Processes: risk management; strategic planning; legal
• Create processes, systems and tools that reach across silos to provide the "big picture"
• Focus corporate risk management resources on what matters the most
• Leverage the "silo" expertise through better coordination for complex risks

Page 22

Risk Committees

• Informal Groups
• Enterprise Risk Council
• Board of Directors
– Audit Committee
– Risk Committee

Roles and Responsibilities
• Provide risk management program leadership, strategy and implementation direction
• Develop risk classification and measurement systems
• Develop and implement escalation metrics and triggers
• Develop and monitor early warning systems, based on escalation metrics and triggers
• Develop and deliver organization-wide risk management training
• Coordinate risk management activities – some functions may report to the CRO, while others will be coordinated

Page 23

What is Incident and Crisis Management?

Event – An internal or external action or occurrence that may or may not impact the organization's stakeholders, processes, technology, infrastructure, brand or intangible property

Incident – An unexpected, negative event involving potential damage to the organization's stakeholders, processes, technology, infrastructure, brand, or intangible property

Crisis – An unexpected, negative event that threatens the lives of stakeholders or could materially impair the organization and its ability to operate

Page 24

Example: Objectives of an Incident & Crisis Management Program

The incident and crisis management process is designed to enhance our interactions with our customers. The following areas will be addressed:
– Identify clear roles and responsibilities
– Develop a consistent and coordinated approach
– Improve communication to all stakeholders and media
– Reduce incident reporting, verification and response time
– Enable timely and efficient management of incidents
– Leverage learnings and ensure process improvement

Page 25

Risk, Incident and Crisis Management

[Figure: a funnel ordered by impact, from Events through Incidents to Crises. Events are handled by Risk Management and Business Controls: assess the potential impact of events and implement appropriate risk management & business controls. Incidents are handled by the Incident Management Process: monitor & resolve quickly at the most appropriate level using existing structure and processes. Crises are handled by the Crisis Management Process: monitor & resolve the "critical few" with the crisis management team.]

Page 26

Practical Application: Hewlett-Packard ERM Transformation (the figure from Page 5, repeated)

Source: Hewlett-Packard – Used with permission

Page 27

RiskWeb: Risk Function Collaboration

Source: Hewlett-Packard – Used with permission

Page 28

RiskWeb: Knowledge Base

Source: Hewlett-Packard – Used with permission

Page 29

RiskWeb: Resource Center

Source: Hewlett-Packard – Used with permission

Page 30

RiskWeb: Discussion Forums

Source: Hewlett-Packard – Used with permission

Page 31

ERM Framework

[Figure: the framework reads left to right as Business Objectives, Risk Drivers, Strategy, Capability, with the Risk Management Process (Assess Risk, Treat Risk, Monitor & Report) at its core.]

Business Objectives
• Allocation of Capital
• Control Cost
• Drive Innovation
• Manage Growth

Risks (Risk Drivers)
• Strategic
• Operational
• Stakeholder
• Financial
• Intangible

Risk Strategy & Appetite
• Appetite
• Prioritize
• Treatment Approach

Program Strategy
• Develop
• Deploy
• Continuously Improve

Capability
• Functions
• Process
• Organization
• Culture
• Tools
• Enterprise-Wide Integration
• Risk Attributes

Risk Functions
• Internal Audit
• Risk Mgmt
• IT Security
• ERM
• BCP
• Legal
• EH&S

Risk Management Process
• Assess Risk
• Treat Risk
• Monitor & Report

Organization
• Enterprise Risk Committee
• CRO or ERM Manager

Culture
• Knowledge Mgmt
• Metrics
• Training
• Communication

Tools
• RiskWeb
• Early Warning System
• Assessment and Quantification tools

Enterprise-wide Integration
• Strategic Planning
• Programs/PMO
• Processes
• Functions

Risk Attributes
• Lifecycle
• Individual
• Portfolio
• Qualitative
• Quantitative