Strategic Risk Management as a CFO: Getting Risk Management Right

1© 2013 Ask, Share, Learn

www.proformative.com

#CFOD13

Strategic Risk ManagementAs a CFO: Getting Risk Management RightAn overview of recent research and suggested best practices

Bruce McCuaig - Director Solution Marketing GRCBob Tizio - VP, GRC Officer – Americas, SAP America Inc.



#CFOD13

Agenda

• Overview of ERM research findings• The state of ERM today• Three value questions: a simple strategy for ERM• 10 questions ERM must answer• Case Study• Q&A



#CFOD13

Risk Management Is Growing In Importance



#CFOD13

Investment in ERM Technology is Lagging



#CFOD13

Enterprise-wide View of Exposures is Poor



#CFOD13

Surprises Are Persistent



#CFOD13

Qualitative Approaches Are Used for ERM



#CFOD13

Enterprise Level Risk Inventories Are Emerging Slowly



#CFOD13

Integration Is Gaining Recognition



#CFOD13

Integrated Approaches Are Exceeding Expectations



#CFOD13

ERM Today: Still Immature by Comparison

Risk management vs. Financial management maturity criteria

Financial management

Risk management

Certified professionals a r

Standardized methodology a r

Independent audits a r

Board involvement a ar

Standardized reporting a r

Supporting technology a a



#CFOD13

Market Risks

Op

era

tion

s R

isks

Fin

an

ce

Ris

ks Human

Capital Risks

ITRisks

LegalRisks

Supply ChainRisks

“Silo” or “Stove-pipe” Risk Management

ERM Today: Still Siloed After All These Years



#CFOD13

ERM Today: “Control” Paradigms Dominate



#CFOD13

ERM Today: Risk Reporting is Evolving



#CFOD13

ERM Today: Monitoring and Review is Weak



#CFOD13

Three Value Questions: A Simple Strategy for ERM

Where is the fundamental value of the business?

• Risk Management will only add value if aligned with value drivers

What drives that value?

• Risk Management will only drive results if complex cause/effect relationships are understood

What can cause catastrophic loss or disruptive opportunity?

• ERM professionals must identify emerging risks and opportunities

Caution: Any risk management approach whose only goal is to add controls will simply add cost. Risk responses must reflect risk appetite



#CFOD13

Ten Questions for Getting ERM Right



#CFOD13Risk Management As A Factor Of Success And An Integral Part Of Effective Corporate Management



#CFOD13

Items To Be Discussed

Risk Management Trends

Prerequisites and Key Factors for Successful Risk Management

Strategic Risk Management

Elements of an integrated strategic/operational risk management model

Providing transparency of risk information



#CFOD13

Current Challenges FacingCompanies And Risk Trends

Risk Management needs to focus on interdependencies & interconnection of risks

Focus on new &

disruptive technologi

es

Focus on External Impacts

Overall economic &

political conditions

Uncertainty surrounding

political leadership affecting markets

Rapid speed of disruptive

technological innovations &

social networks within the industry

May outpace our ability to compete and manage risks.

Focus on Legal and

Regulatory Compliance

Focus on Profitable Growth & Market

Penetration

Focus on Data

Protection & Cyber Security

Regulatory changes and heightening regulatory

scrutiny May affect the manner

in which organization’s products and

services will be delivered

Increasing competition and

profitability pressure

Because of market consolidation

Cyber threats have the

potential to significantly disrupt core operations

Compromising privacy

& informationsecurity protection



#CFOD13

The Risk Management Requirements Are

IncreasedExternal view to

integrate outside-in

risk factors

Expanded view on risk trends and

risk patterns

Combine operational & strategic

risk manageme

nt

Linkage of risk trends

to operational & strategic

targets

Transform risk management from:purely operational focus to combine both operational & strategic focus with outside-in views

compliance view to being a trusted business partner

being a pure facilitator & reporter to an advisor & supporter role

W H

A T



#CFOD13

Resulting In New Implications For Successful And Effective Risk

Management

Shared targets to achieve

business objectives

Risk management

along strategic priorities

Closer collaboratio

n and integration into business

processes

Senior business

people with extensive know-how

from the respective

areas

Risk Managers as business

enabler H O

W



#CFOD13

The Right Conditions Of A Risk Management Organization Are Key Factors Of Successful Risk Management

Drive Risk Culture from the TopIntegrate risk management into board area priorities and projects to drive risk management from the top and enable risk managers.

A right organizational setupA right level of integration throughout the company – global vs. decentralized organization

A tailored risk management approachOne view on risks combining operational and strategic priorities and the integration of risk management into the decision process.

A changed role of a risk managerRisk managers with business know-how and extensive business experience to give guidance, provide mitigations and risk transparency.

So you can:• Get closer to the business• Be involved & integrated• Have insight into risk trends• Foster collaboration & business insights



#CFOD13

SAP’s Global Governance Structure



#CFOD13

Effective Risk Management is Created By The Combination of “Business Partnering” And “Stewardship”

… while maintaining a level

of trust and confidence.

StewardshipCompliance, Transparency,

Policy & Standards

Enable the business to take risk-based decisions at any time…

Business PartnerValue-adding risk management services to business



#CFOD13

Key Success Factor Of A Successful Risk Management Approach Is The Connection Between Bottom-up And Top-down Risk

Strategic Risk Managementwith strong focus on strategic targets, initiatives

& external trends and factorsto identify root causes

Operational Risk Managementwith strong focus on financial, operational and

compliance targetsto identify risk patterns & risk trends

en

able

s

deliv

ers

KR

Is

End-to-End Risk Management



#CFOD13

en

able

s

deliv

ers

KR

Is

“What are early signs of

disruptive change and how do we adapt to

emerging risks?”

“The latest competitive

move – how does it affect my targets?”

“Do I have the risk business

model in place to achieve my strategic targets?”

“Has compliance been ensured in

our goals?”

“Which external events (technology, market,

economy, political, etc.) could challenge the

execution of our strategy and do we have mitigation

plans?”

“Do we have the needed

transparency and independent

risk insight?”

“How do latest disruptive

technologies affect my

products and buyers

behaviour?”

“Are all teams aligned to

execute on our strategic goals?”

External FactorsInternal Factors

Strategic Risk Management Provides Deeper Insight, Greater Transparency And Enables Risk-based Decision Making



#CFOD13

Strategic Risk Management Combines Different Views on Strategic Risks and Opportunities

Identify challenges not yet visible to management & business owner

Earl

y id

enti

fica

tion, vis

ibili

ty a

nd

unifi

ed

vie

w o

f m

ost

cri

tica

l ri

sks

and

op

port

unit

ies

end

ang

eri

ng

the a

chie

vem

ent

of

gro

wth

&

innovati

on t

arg

ets

Early identification & development of right response strategy

Risk related to the

execution of

targets

Risk Scenarios

External Trends &

Risk Drivers

Internal Prediction

Ad

ap

tati

on t

o c

hang

es

in t

he e

xte

rnal

envir

onm

ent

en

ab

les

deliv

ers

KR

Is

“What are early signs of

disruptive change and how di we adapt to

emerging risks?”

“The latest competitive

move – how does it affect my targets?”

“Do I have the risk business

model in place to achieve my

strategic targets?”

“Has compliance been ensured in

our goals?”

“Which external events (technology, market,

economy, political, etc.) could challenge the execution of

our strategy and do we have mitigation plans?”

“Do we have the needed

transparency and independent

risk insight?”

“How do latest disruptive

technologies affect my

products and buyers

behaviour?”

“Are all teams aligned to

execute on our strategic goals?”



#CFOD13

Strategic Risk Management Uses Tools And Services To Get An Independent View On Risks To Support The Strategic Business Objectives

Holistic identification of

risks & opportunities

related to growth & innovation drivers

Identification of emerging risks and opportunities based on a 360° risk

assessment across all board areas involving different stakeholders inside and outside of a

strategic initiative, including comprehensive mitigation strategies.

Outside-in view

Earlier adaptation to changes in the

external environment

through Competitive

Market Intelligence (CMI) and engagement

with analysts.

Innovative Tools

e.g. “Early Prediction” for

strategic initiatives through Wisdom of

the Crowd leveraging the knowledge and

insight of employees independent from

hierarchies.

Interconnectedness &

Dependencies

Identification of key interdependencies that affect multiple strategic initiatives

and might hinder the overall execution of

our strategy.

Significant Material Risks

Early detection of relevant material risks, quite often

tail risks, that could potentially

materialize and significantly impact the achievement of

strategic objectives.



#CFOD13

The Path To A Risk-smart Business

R

StrategyManagement

Process

Risk adjusted

Ris

k a

dju

ste

d

Ris

k a

dju

ste

d

Risk adjusted

Comprehensive view of potential strategic risks based on external and internal business variables, with regards to their impact on strategic objectives and their relevance to a company’s strategic priorities.

Trigger of mitigation steps and corrective actions.

.

Strategy mapping and Strategic Risk Assessments of selected key risk areas which have the potential to impact our business results and intangible values such as

reputation and brand image.

Strategic Risk Assessments of selected strategic initiatives & business cases.

Scenario management & simulation to “stress test“ key assumptions and impact

Internal early warning system.

.

Manage the relationship between strategy performance, risks and controls.Key risk indicators (KRIs) can be presented alongside key performance

indicators (KPIs) to monitor their impact on value drivers.

Strategy Development

Strategy Execution



#CFOD13

Strategic Risk Management Is Dependent On An Integrated And Effective Operational Risk Management

• Risk Managers in the Sales & Consulting area assess projects and opportunities based on High-Risk Scenarios

• These High-Risk Scenarios are based on

• Early warning through KRIs

• Extensive business experience

• Database of previous incidents

• This enables risk managers to act as business partner and advisor

• The RDOA is a risk-based decision process:

• based on SAP’s risk appetite

• to get ownership for appropriate mitigations and approval for residual risks at various levels of the company

• up to the Executive Board level…

• leading to full transparency

• The Executive Risk Committee focuses on top projects and risk trends on a regional level to mitigate possible project risks (bottom up approach).

• Involvement of relevant stakeholders (CFO, COO, risk management, legal, regional management) and top management attention through executive sponsors (e.g. CFO, CEO).

• Top risks and global risk trends are transferred on a global level to evaluate the possible impact and define mitigations

High Risk Scenarios Risk Delegation of Authority (RDOA)

Executive Risk Committees



#CFOD13

The Outcome Of Integrated Risk Management To Effective Corporate Management

Preparedness to react faster on external trends & factors through early warning & high transparence combined with a high degree of effective mitigations.

Higher return on risk management investment through tangible business value add of senior risk managers delivering true business value.

Creation of a risk-aware culture in which people understand their role in contributing to the achievement of objectives.

Effective combination of operational and strategic risk management through an end2end risk management enables effective execution on strategic targets and goals.



#CFOD13

Successful Risk Management Requires Appropriate Transparency Of Risk Information

Need a system to accumulate risk information- we are using SAP’s GRC suite.

Risks are validated by activity owners.

Operational risk information is provided monthly to key stakeholders.

Quarterly Board report prepared detailing key strategic and operational risks.

In process of moving to a consume on demand model for real time risk reporting via Ipad reporting.



#CFOD13

iPad Application for Real Time Risk Reporting



#CFOD13Thank You!Strategic Risk Management As a CFO: Getting Risk Management Right



#CFOD13

Thank You Sponsors!

PLATINUM

GOLD

SILVER

DIAMOND

Strategic Risk Management as a CFO: Getting Risk Management Right

Business

Transcript of Strategic Risk Management as a CFO: Getting Risk Management Right