The document discusses enterprise risk management (ERM) and outlines its importance for public companies. It notes that ERM processes have been mandated by regulators to enhance oversight of financial reporting risk and to improve risk-related disclosures. Proper ERM implementation requires identifying risks, assessing their likelihood and impact, prioritizing them, mitigating major risks, and regularly reporting to management and boards. Frameworks like COSO provide guidance on establishing comprehensive ERM programs.
1. Enterprise Risk Management
Walter Gangl, Director, Society of Corporate Secretaries and Governance Professionals; Former Deputy General Counsel and Corporate Secretary, Armstrong World Industries
R.R. Donnelley – SEC Hot Topics 2008
September 24, 2008
2. Serious failings have led to demands for enhanced board oversight of Risk:
Sarbanes-Oxley
Calls for enterprise-wide documentation and testing of controls over financial reporting risk.
NYSE – Amendments to listing standards
Requires the Audit Committee to discuss with internal and external auditors how the company handles risks and the steps taken to monitor and control exposure to such risks.
SEC
Now mandates disclosure of risks in periodic ’34 Act reports. Commissioner Cynthia Glassman urges public companies to use information gleaned from ERM to enhance disclosure in management’s discussion and analysis.
Boards of Directors
A 2005 McKinsey survey of 1000 board members indicated that 76% would like to spend more time on risk. Source: The Executive Board – Treasury Leadership Roundtable, “Organizing for Enterprise Risk Management”, dated 18 August 2005
3. COSO – Enterprise Risk Management Framework
COSO (“Committee Of Sponsoring Organizations” of the Treadway Commission) is the “father” of SOX 404’s Internal Controls evaluation.
COSO’s ERM “Framework” provides an organizational scope, emphasis, and program to broaden risk management, create an enterprise-wide awareness and emphasis, and integrate risk management process into corporate strategy.
IT’S THE BIBLE: Go to: www.coso.org and click on “Resources” to download.
4. Key Definitions
Risk
Any event or circumstance which could impact the achievement of business objectives.
Risk Assessment
The process of identifying and evaluating the magnitude and likelihood of risks to achievement of business plans.
Inherent Risk
Exposure to a risk that is intrinsic to the business in the current environment before the consideration of risk mitigation and control activities that have been designed and implemented to address a given risk.
Mitigation
The process of reducing the likelihood and/or impact of a risk.
Residual Risk
Exposure to a risk remaining after considering the effect of mitigation through risk management and control activities.
Risk Management
The composite of the processes of Risk Assessment and Risk Monitoring.
5. ERM Defined:
“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO
6. Why?
Risk Assessment is necessary to comply with SEC disclosures in ’33 and ’34 Act reports.
Rating Agencies are beginning to take Risk Management into consideration on credit ratings… so it will affect companies’ cost of capital.
Also, for Board oversight purposes. They want to know the Company has good Risk Management processes and check what management sees as the major risks and how they plan to deal with them.
7. Risk Prioritization Using a Risk Matrix
[Risk matrix figure: Probability of Occurrence (over five year business plan) plotted against Severity of Impact; the individual cell values of the matrix are not recoverable from the page.]
Probability of occurrence (over five year business plan):
Almost Certain: >90%
Probable: >50%
Possible: 15-50%
Unlikely: less than 15%
Rare: less than 2%
Severity of Impact:
Massive: risk to human life or over $20 million
Major: >$2 to $20 million
Moderate: $250,000 to $2 million
Minor: up to $250,000
Impact levels tie to disclosure standards.
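The matrix on this slide, together with the inherent risk, mitigation and residual risk definitions on the Key Definitions slide, can be turned into a small register-scoring routine. The Python below is an added example and is not part of the presentation or of any presenter's program: the band boundaries follow the slide, but the numeric priority score (probability level multiplied by impact level), the mitigation model (multiplicative reduction factors) and the sample register are assumptions of this example, since the matrix's own cell values are not recoverable from the page.

```python
"""Risk register scoring with the slide's probability and impact bands.

Added illustration, not from the presentation. Band boundaries follow the
slide; the priority score (probability level x impact level), the mitigation
model and the sample register are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Ordinal levels used for the assumed priority score (higher = more serious).
PROB_LEVEL = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Probable": 4, "Almost Certain": 5}
IMPACT_LEVEL = {"Minor": 1, "Moderate": 2, "Major": 3, "Massive": 4}


def probability_band(p: float) -> str:
    """Map a likelihood over the five-year plan to the slide's bands.

    Almost Certain >90%, Probable >50%, Possible 15-50%, Unlikely below 15%
    (down to 2%), Rare below 2%.
    """
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if p > 0.90:
        return "Almost Certain"
    if p > 0.50:
        return "Probable"
    if p >= 0.15:
        return "Possible"
    if p >= 0.02:
        return "Unlikely"
    return "Rare"


def impact_band(usd: float, life_safety: bool = False) -> str:
    """Map a dollar impact to the slide's severity bands.

    Massive: risk to human life or over $20M; Major: >$2M to $20M;
    Moderate: $250K to $2M; Minor: up to $250K. Exactly $250,000 is
    treated as Minor here (an assumption; the slide leaves it ambiguous).
    """
    if usd < 0:
        raise ValueError("impact must be non-negative")
    if life_safety or usd > 20_000_000:
        return "Massive"
    if usd > 2_000_000:
        return "Major"
    if usd > 250_000:
        return "Moderate"
    return "Minor"


def priority_score(prob: str, impact: str) -> int:
    """Assumed scoring: product of the ordinal levels, range 1..20."""
    return PROB_LEVEL[prob] * IMPACT_LEVEL[impact]


@dataclass
class Mitigation:
    """A control that reduces likelihood and/or impact (slide 4 definition)."""
    description: str
    probability_factor: float = 1.0  # 1.0 = likelihood unchanged
    impact_factor: float = 1.0       # 1.0 = dollar impact unchanged


@dataclass
class Risk:
    name: str
    probability: float         # inherent likelihood over the five-year plan
    impact_usd: float          # inherent dollar impact
    life_safety: bool = False  # risk to human life is Massive regardless of dollars
    mitigations: List[Mitigation] = field(default_factory=list)


def inherent_rating(risk: Risk) -> Tuple[str, str, int]:
    """Rating before any mitigation is considered."""
    pb = probability_band(risk.probability)
    ib = impact_band(risk.impact_usd, risk.life_safety)
    return pb, ib, priority_score(pb, ib)


def residual_rating(risk: Risk) -> Tuple[str, str, int]:
    """Rating after applying each mitigation's reduction factors."""
    p, usd = risk.probability, risk.impact_usd
    for m in risk.mitigations:
        p *= m.probability_factor
        usd *= m.impact_factor
    pb = probability_band(p)
    ib = impact_band(usd, risk.life_safety)
    return pb, ib, priority_score(pb, ib)


def prioritize(register: List[Risk]) -> List[dict]:
    """Order the register most-serious-first (inherent score, then residual)."""
    rows = [{"risk": r.name, "inherent": inherent_rating(r), "residual": residual_rating(r)}
            for r in register]
    rows.sort(key=lambda row: (row["inherent"][2], row["residual"][2]), reverse=True)
    return rows


# Constructed sample register (not from the presentation).
SAMPLE_REGISTER = [
    Risk("Hurricane damage to coastal plant", 0.60, 25_000_000,
         mitigations=[Mitigation("Wind-rated construction and property insurance", impact_factor=0.10)]),
    Risk("Serious workplace injury", 0.30, 500_000, life_safety=True,
         mitigations=[Mitigation("Lockout/tagout and safety training", probability_factor=0.05)]),
    Risk("Currency volatility on foreign sales", 0.95, 1_000_000,
         mitigations=[Mitigation("Hedging program", impact_factor=0.20)]),
    Risk("Loss of a big-box customer", 0.20, 3_000_000),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_REGISTER):
        print(f"{row['risk']:<40} inherent={row['inherent']} residual={row['residual']}")
```

Running the file prints the constructed register most-serious-first. The inherent column is what drives the order of mitigation work; the residual column is the level of accepted risk that management reports to the Board. Note that the life-safety flag keeps the workplace injury risk in the Massive band even after the mitigation cuts its likelihood to Rare, which is the slide's rule that impact to human life is Massive irrespective of dollars.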
8. Identify risks relevant to your particular business & strategy
[Diagram of example risk areas:]
Disaster Recovery Risks
Legal Compliance Risks (Product Liability, EH&S, Employment Practices, Antitrust)
Internal Control (SOX 404), Accounting & Reporting Risks
Culture (Tone at the Top) Risks
Hurricane, Natural Gas Price, Terrorist Attack, Supplier Problems, etc.
Currency Volatility, Political Risk, Trade Restrictions
Workplace Safety, Product Quality and Safety
Reliance on Big Box Customers, Competitor Strategies
ASBESTOS
STRATEGY
9. ERM vs Compliance Risk Assessment
“Compliance Risk Assessment” is just one component of an Enterprise-wide Risk Assessment. In an infelicitous use of nomenclature, many parties conflate the ERM term “Risk Assessment” with Compliance risks alone… avoid that confusion.
11. Risk Management Process
Identify matters that create risk to achieving your business plans.
Evaluate the risks by determining their likelihood and impact.
Prioritize risks - start with those with most serious potential impact.
Mitigate risks, starting with the most serious, through improved controls, processes or procedures or other action.
Monitor risks to address whether mitigation is effective.
Report risks to management and board.
At least annually, management should report to the Board about:
Risk Management Processes
Major Risks
Mitigation of Major Risks
Residual Risk levels
12. Management’s Role
Management's role is to guide and review ERM efforts, consider whether the residual risks are acceptable, and approve plans to mitigate serious risks.
Business units (and functional units such as EH&S, HR, Treasury) must explain their risk analysis in a way that allows management to test, accept and share it with other operations and the Board of Directors.
Management’s report to the Board is structured within the context of these five points:
Company processes to identify matters that create risk to achieving our business plans,
Processes to assess the likelihood and impact of such risks in order to prioritize them,
The Company’s major risks and how it defines “major”,
Who is responsible for mitigation and monitoring of those major risks, and
The mitigation of major risks, and our view of the resulting residual risk.
13. Board’s Role
The Board's role is to oversee the ERM process, monitor how risks are evaluated, prioritized and mitigated, review the Company's assessment and mitigation plans for serious risks, and improve or reshape management's decisions.
In the end, they should:
Advise whether they are comfortable with Company’s processes to identify and assess risks.
Advise whether they agree with our identification, assessment and mitigation measures.
Advise whether they view the ERM processes as effective.
Advise whether they are comfortable with the level of residual risk accepted by management.
Make any suggestions or recommendations they have relative to the ERM processes, including identification, assessment and mitigation plans.
14. Who’s Responsible on the Board?
That’s up to the Board to Decide:
The whole Board… or a committee. Whatever works best.
Despite what you read in the press, the Audit Committee is NOT required to oversee ERM. NYSE rules only require the Audit Committee to monitor risks to financial reporting. And some companies have saddled Audit Committees with this additional duty.
What’s the better arrangement?
The Board’s basic duties are to advise management and monitor performance. When dealing with strategy and other fundamental matters, the whole Board should be involved – bringing their diverse backgrounds and experiences to the process.
Risk Management is tied to and is the flip side of strategy. IMHO, Risk oversight generally belongs under the Board as a whole.
15. What’s this About Standard & Poor’s Evaluating Our Risk Management?
Following a 2007 announcement about ERM ratings, S&P announced May 2008 that it will begin an analysis of ERM implementation by companies in Q3 2008.
S&P takes the expansive view of ERM outlined above. They expect companies to have a coherent, systematic risk management approach. They will discount a “crammed-together collection of longstanding and disparate practices.”
S&P will initially look at a company’s risk-management culture and strategic risk management. (Remember the importance of strategic risk.)
16. What’s this About Standard & Poor’s Evaluating Our Risk Management?
Within a year, S&P expects all companies will have had at least an initial ERM discussion.
A subsequent S&P benchmarking process will form the basis of a new S&P ERM scoring system that they intend to help identify situations that might require rating actions.
Bottom Line: Companies need to get to work on ERM. How well they do on ERM will affect their access to capital markets and borrowing costs.
17. What Needs to Be Done?
Lots.
A recent survey of approximately 600 major companies showed that 30% have not even taken the first steps in ERM.
27% were “beginning” to implement it.
15% responded “Don’t know.”
Only 24% claimed to have progressed to Intermediate (20%) or Advanced (4%) implementation.
Source: KPMG
18. What’s the Objective of ERM?
S&P wants to see that a company’s Risk identification, assessment, controls, monitoring and reporting are beyond basic levels. They should at least become an integrated management process.
Ideally, S&P wants to see ERM become a strategic tool for the company, helping to:
set strategy,
identify markets,
guide product development,
allocate capital budgets, and
become a part of its analytical framework.
19. ERM: The Sunoco Experience
September 24, 2008
Ken Somes
20. Sunoco, Inc.
[Chart: Capital Employed, MM$, as of 6/30/08]
Refining & Supply: 1,215
Chemicals: 975
Retail Marketing: 620
Coke: 490
Logistics: 500
Corp.: 440
• Founded in 1886
• 2007 Revenue = $45 billion
• As of 6/30/08:
$4.8 billion in market cap
About 14,200 employees
• Five Business Lines
340 MMB / yr. refining prod.
5 billion gal. / yr. retail fuel sales
5 billion lbs / yr. chemical merchant sales
Logistics MLP (NYSE:SXL) owned 43% by Sunoco, Inc.
4.2 MM tons / yr. coke prod.
21. Sunoco Operations
[Map of Sunoco operations. Legend: Refineries, Chemical Plants, Coke Plants, Terminal, Retail Marketing, Western Pipeline System, Eastern Pipeline System. Locations shown: Philadelphia, Marcus Hook Refinery, Tulsa, Jewell, Indiana Harbor, Haverhill, Neal, Toledo, Frankford, Marcus Hook Polypropylene, La Porte, Nederland, Bayport, Eagle Point.]
22. Background/History of ERM Program
• Initiated in 2004
Audit Committee of the Board
• ERM Manager Position Established
Initial inventory of risks
• Program Continues to Evolve
Learning/improving as we go
External influences, e.g. Rating Agencies
23. ERM Organization
[Organization chart: Audit Committee of the Board; Chief Financial Officer; VP Investor Relations & Strategic Planning; ERM Manager; ERM Steering Committee (meets quarterly).]
24. ERM Risk Identification & Follow-Up
[Process flow diagram:]
Identify and Classify Risk – classifications: Strategic, Financial, Operational, Organizational, Legal/Political, Market
Risk Rank – Likelihood; Consequence (business impact)
Identify Risk Owner
Risk Owner Develops Response Plan
Determine Appropriate Report Out Forum – Examples: Chairman's Health Environment & Safety Committee; Operations Committee; Financial Information Committee; Management Control Committee; Audit Committee
Risk Owner Reports to Forum
Enterprise Risk Management Steering Committee
ERM – Coordinates, Tracks & Reports Status of Risks
25. Key Components of Risk Review Report:
• Likelihood and Potential Impact of Risk
• Historical Perspective
• How Risk is Currently Managed
Key responsibilities/structure in place
Controls/policies/reviews, etc.
• Monitoring & Reporting
What is measured/tracked (leading & lagging)
• Opportunities to Strengthen the Plan
Who is doing what and by when
26. Example Risk: Projected Retirements
• Percent Retirement Eligible Within 5 yrs
• Classified: Organizational Risk
• Risk Owner: SVP of Human Resources
SVP’s of Business Units
• Forums for Report:
Executive Human Resource Development Committee
Full Board of Directors
27. Example Risk: Projected Retirements
• Historical Perspective
Demographics compiled and analyzed
Industry/business units/departments experience
• How Currently Managed
HR Development Committees
Succession plans/development/external hiring
• Opportunities to Strengthen
Identified critical positions/disciplines at risk
Selective adjustments to compensation package
• Monitoring & Reporting
Personnel changes/succession plans/hiring
Projected versus actual experience
28. Lessons Learned
• Support From the Top
• Benchmark/Learn From Others
• Tailor ERM to Company Culture
• Build off Processes Already in Place
• Simpler is Better
• Get Started, then Learn/Adjust
• Continuing evolution
29. AW Enterprise Risk Management Process
Ellen Wolf
Senior Vice President and Chief Financial Officer
September 2008
30. Who We Are
We are the largest investor-owned water and wastewater service provider in the United States.
• We serve a broad national footprint and a strong local presence
• We lead the industry in water quality, testing and research
• We provide services to over 15 million people in more than 1,600 communities in 32 states and in Ontario, Canada
• We employ nearly 7,000 dedicated and active employees and support ongoing community support and corporate responsibility
• We treat and deliver over one billion gallons of water daily
31. Where We Are
[Map legend: Utility Only; O&M Only; Both]
We manage more than 350 individual water systems across the country
Every day we operate and manage:
• 45,000 miles of distribution and collection mains
And more than:
• 80 surface water treatment plants
• 600 groundwater treatment plants
• 1,000 groundwater wells
• 40 wastewater treatment plants
32. ENTERPRISE RISK MANAGEMENT – Pre 2003
• Decentralized approach
[Diagram of the parties involved: Directors of Loss Control, Finance, Risk Management, Frenkel, Legal, Human Resources Department, Operations, Engineers, Water Quality, Information Technology, Travelers, American Water Works Association, Risk & Insurance Management Society, InfraGuard, Media, Internet]
33. ENTERPRISE RISK MANAGEMENT – Pre IPO
• RWE Risk Management Process was implemented at American Water immediately after RWE’s purchase of the Company.
• Key Attributes:
Risk Management Committees of senior executives at subsidiary and corporate.
Risks and Opportunities Management (ROM) toolkit which offers a structured approach to the identification and evaluation of risk.
The Risk Summary, signed by the CEO, Key Risk reports and Risk Map are updated and submitted to RWE on a quarterly basis.
34. ENTERPRISE RISK MANAGEMENT – Pre IPO
• Goals of RWE process
Identify and report to senior management at RWE risks which may have a material financial impact on RWE business plans.
• Process
RMC committees at subsidiary level identify risks, mitigation activities and potential financial impact. Risks are aggregated and reviewed at each higher organizational level until final report is prepared for RWE board.
• Risk Management Committees (RMC):
Corporate, Regional and Business Unit
Corporate EMC includes SVP & CFO, CEO, COO, VP Audit, SVP Legal, Regional Presidents, Regional Risk Representatives;
Regional and Business Unit RMC includes its Presidents, VP Finance, VP Legal, VP Service & Delivery, VP Human Resources
35. ENTERPRISE RISK MANAGEMENT – Pre IPO
• The ROM includes a risk register identifying all risks. Risks which are valued greater than 20% of net operating income and have a greater than 1% probability of occurrence are designated as Key Risks. The ROM includes:
Reports prepared for each Key Risk which include cause analysis, severity evaluation, control and mitigation strategy, monitoring and reporting by a Risk owner.
A Risk Summary prepared from information generated in the Key Risk reports, which prioritizes risks for the Company.
A Risk Map which is a simple visual representation of the relative importance of Key Risks to achieving business objectives. The view of risk is achieved by plotting Key Risks in terms of their probability and impact on the “heat” map.
36. ENTERPRISE RISK MANAGEMENT POST IPO
• An American Water (AW) framework to manage risk
To create awareness regarding risk so Management has full knowledge of risk and rewards related to AW’s business objectives.
Operational
Financial
Regulatory
• Addresses risk management needs of various stakeholders
AW Management
AW Board (Audit Committee)
Rating Agencies
Investment Firms
External Auditors
Securities and Exchange Commission (SEC)
Regulators
37. Risk Assessment Process Information Flow
[Flow diagram: Risk Identification and Mitigation Process]
Inputs: Commercial Development (CD); Capital Investment Management Committee (CIMC); Operational Risk Management (ORM); Operational Risk Assessment (Insurance, etc.); Labor Relations; Environment Audits; OSHA; Other; Sarbanes Oxley; Business Performance Reviews; Quarterly Disclosure Committee Meetings; Significant company initiatives (various owners)
* Operations Risk Assessment Meeting Attendees:
• EVP Eastern Division
• EVP Western Division
• VP Operations Services
• AWE President
• SVP Sales/Business Development
* Regulatory (Compliance with Laws & Regulations) Risk Assessment Meeting Attendees:
• SVP Legal & General Counsel
• SVP Human Resources
• SVP Communications/Ext. Affairs
• VP & Counsel Regulatory Programs
* Finance Risk Assessment Meeting Attendees:
• VP & Controller
• VP Planning & Reporting
• VP & Treasurer
• SEC Counsel
Senior Risk Management Meeting (held prior to Audit Committee Meeting):
• Chief Executive Officer,
• President – AW Services,
• President - Reg. Operations,
• Chief Financial Officer and
• VP Internal Audit (Coordinator)
Reports to: AW Board of Directors, Audit Committee
Fraud Risk Management Integrated Throughout (See following slide)
* Frequency of meetings is every 6 months and before Audit Committee meeting as necessary
38. Fraud Risk Management Process
AW Code of Ethics
• Annual communication
• Employees asked to read and certify
• Part of new employee orientation
• Periodic training
• Posted on AW intranet
AW Management Oversight Controls
• AW Policies and Practices (i.e. Delegation of Authority)
– Posted on AW intranet
– Part of New Employee Orientation
– Owned and monitored by each applicable Senior Functional Executive
Internal Audit reviews of various functions, states, etc. throughout year
AW Ethics Hotline
• Third-Party Provider that receives calls regarding potential violations of AW Code of Ethics.
• Third-Party Provider immediately reports calls to designated AW Senior Management.
AW Compliance Officer
• Manages reported Code of Ethics violations, investigations and reporting to Senior Management.
• Promotes proactive communications regarding AW Code of Ethics through various company communication channels.
AW Ethics Committee
Committee of Senior AW Executives that govern/monitor Code of Ethics, Hotline calls, investigations, disciplinary actions, communications regarding Code of Ethics and reporting to Board of Directors, Audit Committee.
AW Board of Directors, Audit Committee
Quarterly, reviews Code of Ethics violations, investigations and disciplinary actions.
39. 39
Senior Risk Management Meetings
• Meet quarterly before Audit Committee meeting
Also meet on ad-hoc basis as business conditions warrant.
• Establish Enterprise Risk Management (ERM) Strategy
Establish ERM Subgroups – i.e. Operations, Finance, and Regulatory.
Ensure compliance with and effectiveness of ERM Strategy.
Set Delegation of Authority (DOA) limits, which is key to who is empowered for specific types of decision making.
• Review, approve, and monitor significant company initiatives
i.e. Major cross divisional IT projects.
i.e. Major business process and organizational changes.
• Establish Corporate Investment Criteria – Risk/Return threshold
• Review all information (including 10Q and 10K) prior to Audit Comm. reporting
• Review, approve, and monitor significant financing and company capital structure
ERM Subgroups – Operations, Finance and Regulatory
Mandate is to Identify, Monitor, and Mitigate Risk
• Report and discuss risk assessments at Senior Risk Management meetings
40. 40
ENTERPRISE RISK MANAGEMENT - FUTURE
• Continuous Improvement
New risks and mitigation efforts identified continuously
Mitigation efforts for known risks continues to be monitored
Strong senior management support up through Board of Directors
• Continuous Change to Adapt to Evolving Risk Environment
Editor’s Notes
Thank you for your help pulling together our inaugural risk assessment for the third quarter 10-Q.
Unmitigated risks have impacted what were thought to be well managed organizations….
Marsh & McLennan
Refco
Enron
WorldCom
ERM encompasses 4 of the 5 business lines – excludes Logistics
Outside consultant used to help compile initial list
Important to understand drivers/supporters
Program continues to evolve
Steering Committee – Senior Executives, each business line
Annual + ongoing ID process
Existing Committees versus new