Tackling Risk Appetite
NC State University College of Management
ERM Roundtable Series
Spencer Schwartz
November 2, 2007
Agenda
• ERM Overview
• Risk Appetite Framework
• Case Study
• Success Factors
• Q & A
About MasterCard Worldwide
Key Company Statistics (2006)
• Over 16 billion MasterCard-branded transactions processed
• Almost $2.0 trillion in GDV
• 817 million MasterCard-branded cards
• Almost 25,000 customer financial institutions
• More than 25 million acceptance locations
• Award-winning Priceless® advertising campaign in 109 countries and 50 languages
Spencer Schwartz, Senior Vice President
• Group Head of ERM, Business Continuity, and Customer Risk Management
Objectives
• Understand the principles of ERM
• Explain the value of ERM
• Develop a framework for Risk Appetite
• Integrate ERM and Risk Appetite into existing business processes
ERM Overview
Defining ERM
ERM is the capability to protect and enhance enterprise value by managing:
– All types of risk
– Across the organization and globe, and
– With a coordinated and systematic approach
The primary goal of ERM is to enhance shareholder value
“Enterprise risk management helps an entity achieve its performance and profitability targets, and prevent loss of resources. It helps ensure effective reporting. And, it helps ensure that the entity complies with laws and regulations, avoiding damage to the company’s reputation and other consequences. In sum, it helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.”
COSO ERM Framework
Enhancing Shareholder Value
• Risk appetite
• Enhanced risk governance
• Framework for Executive Management and Audit Committee
• Quantification
• Corporate strategy focus
• Risk-weighted decision-making
• Mitigating activities
• Optimization of Resources
• ERM culture
• External environment
• Minimization of “Surprises”
Traditional Risk Management vs. ERM
“Old Paradigm”: Traditional Risk Management
• Fragmented – departments/functions manage risk independently
• Accounting, treasury and internal audit are primarily concerned with risk management efforts
• Ad hoc – risk management is done whenever managers believe the need exists to do it
• Narrowly focused – primarily insurable risk and financial risks
“New Paradigm”: ERM
• Integrated – risk management coordinated with senior-level oversight
• Everyone in the organization views risk management as part of his or her job
• Continuous – the risk management process is ongoing
• Broadly focused – all business risks and opportunities considered
Source: Barton, Shenkir and Walker, “Making Enterprise Risk Management Pay Off”
Drivers of ERM
• One out of two financial services firms faces at least one major financial distress every 5 years
• Major disruptions are associated with company underperformance
Stock Price: ↓40% over 2 years after event announcement
Source: McKinsey’s Quarterly. Based on a survey of 200 leading financial services companies over 1997-2002. Distress is defined as a major financial event.
Drivers:
• Natural disasters
• Pandemic
• Terrorism
• Technology/Internet
• Deregulation
• M&A activity
• Product recall
• SEC investigations
• Fraud
Primary Drivers for Implementing ERM
[Chart: primary drivers for implementing ERM. Categories: Corporate governance requirements; Understand hard to quantify risks; Regulatory pressure; Board request. Values shown: 64%, 60%, 43%, 54%.]
Source: The Conference Board, From Risk Management to Risk Strategy, 2006
ERM at MasterCard
Publications
Councils/Conferences
Benchmarking
Outside Consultants
The Foundation:
• Policy
• Governance
• Training and Communication
Foundation of ERM
• News: News Articles on Corporate Intranet
• Policies: ERM Policy, Code of Conduct
• Interactive: Workshops, Multi-media Training
• P2P: Tabling Events, Face-to-Face Meetings
Foundation of ERM
Risk Champions
• Analyze external and internal events
• Raise significant issues
• Ensure risks are properly managed and mitigated
• Provide regular reporting
• Institutionalize ERM culture
• Chair the Risk Committee
Risk Committees
• Cross-functional representation
• Institutionalization of ERM
• Discuss risks and proactive mitigation
• Identify issues to be raised to the Policy/Audit Committees
• Prioritize and address significant risks
Integration With Business Processes
STRENGTHENING BUSINESS PROCESSES
• Post Implementation Reviews
• Pricing proposals
• Budget and planning process
• Risk information for shareholders (SEC filings)
• Performance objectives
• Corporate strategy
• CEO regularly reviews Business Unit risks
• Corporate due diligence framework
• Risk-adjusted discount rates
Risk Appetite Framework
Getting To Know You
What is the biggest challenge in defining your organization’s Risk Appetite?
1 Insufficient resources (people/technology)
2 Lack of consensus on benefits of defining Risk Appetite
3 Getting organizational buy-in
4 Lack of mature risk quantification process
Companies are struggling with how to define their risk appetite
• Most companies are in the “adolescent phase” of ERM implementation
– < 40% tie quantification to financial statements
– < 20% use advanced quantification techniques
• Risk appetite is “advanced ERM”
– Captures significant risks
– Optimal level of risk to maximize enterprise value
Source: Mercer Oliver Wyman, The Conference Board, 2006
Defining Risk Appetite
How is risk appetite defined?
Definition:
The amount of risk exposure from an activity or portfolio of activities that an organization is willing to accept or retain
Vehicle:
Expressed through tolerance ranges for performance within the defined risk appetite
Developing Risk Appetite Framework
Steps toward Risk Appetite:
1 Why Risk Appetite?
2 Select Approach
3 Define Risk Tolerance
4 Assess Risks
5 Quantify Risks
6 Simulate Outcomes
7 Analyze Results
Why Risk Appetite?
VALUE
Enhancing Communications
• Meet rating agency expectations
• Facilitate Board responsibility for understanding the company’s risk profile
• Support discussions with investment community
Understanding Business
• Assess business volatility, risk and return
• Determine how much risk is acceptable
Optimizing Business
• Better informed decision-making and more timely actions
• Set tolerances, differentiated approvals and reporting
• Optimize business portfolio over time
• Integrate with strategic planning
Select Approach
Detailed Model
Pros: Strategies built in, scalability, identify areas of mitigation
Cons: Information availability, complexity of the model, model maintenance
Qualitative
Pros: Information readily available, simple model, easy to maintain
Cons: Does not allow drill down, not enough information to generate meaningful discussions
Something in Between
Select Approach
Select approach based on anticipated value
• Time Horizon: Quarterly, One year, Multi-year
• Quantification: Risk inventory, Top risks, Specific scenario(s), Opportunities
• Other: Correlation, Business segment, Mitigation activities
Define Tolerance Ranges
Select metrics to gauge performance and apply tolerance measures
These may be:
• Metrics communicated to the investment community, Board, employees, etc.
• Metrics that peer groups are measured by
• What management determines to be important in measuring the performance of the business, e.g.,:
– Revenue growth
– Gross margin
– EPS
Assess Risks
Define Scope
• Organizational
• Business Unit/Function
• Department/Geography
• Project/Product/Service
• Risk Areas
Top-down risk identification
Bottom-up risk identification
Assess Risks
• Internal/External Analyses
• Workshops
• Interviews
• SMEs
• Internal Audit/SOX/Compliance
Risk Inventory
• Prioritized Risks
• Response Plans
• Reporting
[Risk map axes: Likelihood, Severity]
Assess Risks
Severity

| Category | Definition |
| --- | --- |
| Insignificant (1-2) | The risk may have almost no financial implications. |
| Minor (3-4) | The risk may have a minimal impact on financial performance. |
| Moderate (5-6) | The risk may have a significant impact on financial performance. |
| Major (7-8) | The risk may have a substantial impact on financial performance requiring a multi-year recovery period. |
| Extreme (9-10) | The risk may have a significant impact on corporate solvency. |

Likelihood

| Category | Definition |
| --- | --- |
| Rare (1-2) | The risk has a negligible probability of impact in the next 12-24 months. |
| Unlikely (3-4) | The risk has a low probability of impact in the next 12-24 months. |
| Possible (5-6) | The risk has a medium probability of impact in the next 12-24 months. |
| Likely (7-8) | The risk has a high probability of impact in the next 12-24 months. |
| Almost Certain (9-10) | The risk is affecting the organization right now or almost certainly will in the next 12-24 months. |
Quantify Risks
Why do we need to quantify risks?
• To understand and measure the impact
• To prioritize risks
• To determine the response required
• For risk appetite
Quantify Risks

| Quantification Approach | Pros | Cons |
| --- | --- | --- |
| Qualitative | Simple | Limited objective support |
| Historical Losses | Based on actual events | Data may be limited |
| External Data | Based on actual events | Scarcity and lack of relevance |
| Expert Opinion | Clearly define how risks may occur | More involved process |

A combination of these approaches is used to build risk scenarios
Quantify Risks
Example: A mid-size IT company (XYZ)
Key Risk: Competitive Threats
Risk Scenario: A key competitor has developed and begun to roll out a high-profile “killer app” just as XYZ is ready to roll out its new application

| Risk level | Description | Applied probability | Revenue impact | Expense impact |
| --- | --- | --- | --- | --- |
| Very Optimistic | XYZ’s application is far superior | 1% | Up 50% | Decrease advertising/marketing |
| Optimistic | XYZ’s own application is better | 5% | Up 20% | Decrease advertising/marketing |
| Best Estimate | Business as usual -- Maintain XYZ’s forecast | 88% | None | None |
| Pessimistic | Competitor’s application is better | 5% | Down 20% | Increase development and advertising/marketing |
| Very Pessimistic | Competitor’s application is far superior; significant media coverage which harms XYZ’s reputation and sales | 1% | Down 50% | Increase development and advertising/marketing |
Quantify Risks
Example: A mid-size IT company (XYZ) (Continued)
(in millions)

| Risk Levels | Very Optimistic | Optimistic | Pessimistic | Very Pessimistic |
| --- | --- | --- | --- | --- |
| Anticipated revenue | $150 | $120 | $80 | $50 |
| Incremental Revenue Gain/(Loss) | $50 | $20 | ($20) | ($50) |
| Development (Increase)/Decrease | $0 | $0 | ($20) | ($40) |
| Advertising/Marketing (Increase)/Decrease | $40 | $20 | ($20) | ($40) |
| Total Impact to Forecast | $90 | $40 | ($60) | ($130) |
Simulate Outcomes
Forecast + Risk & Opportunity Quantification
Simulation
Potential Outcomes vs. Risk Tolerance Ranges vs. Historical Volatility
Simulate Outcomes
[Chart, illustrative example: Range of Performance (0% to 35%) for the performance metrics Net Income Growth, Revenue Growth and Customer Satisfaction. Legend: Risk Tolerance Measures; Historical Volatility; Potential Outcome (with mean); Forecast.]
Analyze Results
Areas of Opportunity
The range of potential outcomes is above the organization’s risk tolerance
Areas of Confidence
The range of potential outcomes is within the organization’s risk tolerance
Areas of Concern
The range of potential outcomes is below the organization’s risk tolerance
Management can use this information to:
• Validate the organization’s risk tolerance
• Address areas of concern and take advantage of areas of opportunity
• Assist in better understanding the company’s business volatility
• Optimize business returns by ensuring the strategic planning efforts address the areas of concern and support the areas of opportunity
• Enhance communications with rating agencies and the Board/Audit Committee
“Seventh Inning” Stretch
Case Study
Company Name: RiskWise Associates
Our Task Today: Define RiskWise’s risk appetite

| (in millions) | 2006 | 2007 (Forecast) | % Growth |
| --- | --- | --- | --- |
| Revenues | $400 | $460 | 15% |
| Expenses: | | | |
| Personnel | 100 | 110 | 10% |
| Development | 100 | 110 | 10% |
| Advertising/Marketing | 80 | 92 | 15% |
| Other | 40 | 50 | 25% |
| Total Expenses | 320 | 362 | 13% |
| EBIT | 80 | 98 | 23% |
| Interest and taxes | 32 | 39 | 22% |
| Net Income | $48 | $59 | 23% |
| EPS | $0.48 | $0.59 | 23% |
Case Study: Define Tolerance Ranges
• Identified three performance metrics
• Gathered the following information for each
Case Study Examples

| Performance Metrics | Historical Ranges | Average Peer Group | Top Quartile of Peer Group | Forecast |
| --- | --- | --- | --- | --- |
| Revenue Growth | 10 – 15% | 5 – 9% | 10 – 15% | 15% |
| EPS Growth | 17 – 25% | 12 – 18% | 19 – 25% | 23% |
| Market Share | 16 - 22% | 16 - 19% | 20 - 23% | 24% |

Where should we set the initial tolerance ranges?
Case Study: Define Tolerance Ranges
Set the initial tolerance ranges at top quartile of peer group:

| Performance Metrics | Tolerance Ranges |
| --- | --- |
| Revenue Growth | 10 – 15% |
| EPS Growth | 19 – 25% |
| Market Share | 20 - 23% |
Case Study: Assess Risks
Determined six significant risks:
• Market / Customer: Competitive challenge
• Strategic: Large expansion into a new market
• Reputational: Brand damage due to product recall
• Financial: Foreign exchange fluctuations
• Operational: Natural disaster
• Legal and Regulatory: Pending lawsuit
Case Study: Quantify Risks

| Risk | Scenario |
| --- | --- |
| Competitive challenge | The risk that the competitor’s newly rolled out application is superior to RiskWise’s new application or the opportunity that RiskWise’s new application is superior |
| Large expansion into a new market | The risk that the investment fails or the opportunity that it succeeds |
| Brand damage due to product recall | The risk that RiskWise’s main product is recalled or the opportunity from a competitor’s product being recalled |
| Foreign exchange fluctuations | The risk or opportunity of FX fluctuations (up/down) in a country that does a significant amount of product development |
| Natural disaster | The risk of a natural disaster shutting down RiskWise’s back office for a month |
| Pending lawsuit | The risk of an unfavorable judgment resulting in RiskWise having to pay a fine or the potential of the lawsuit being dismissed and RiskWise will recoup its legal expenses |
Case Study: Quantify Risks
Large expansion into a new market

| Risk level | Description | Applied probability | Personnel | Advertising/Marketing |
| --- | --- | --- | --- | --- |
| Very Optimistic | Sales beat estimate by 25% | 1% | Hire incremental 20 people at $100,000 each | Decrease by 25% |
| Optimistic | Sales beat estimate by 10% | 5% | Hire incremental 10 people at $100,000 each | Decrease by 10% |
| Best Estimate | Revenue of $100 million | 88% | Hire additional people per plan | Expense of $30 million |
| Pessimistic | Sales fall short by 10% | 5% | Hire 10 less people at $100,000 each | Increase by 20% |
| Very Pessimistic | Sales fall short by 25% | 1% | Hire 20 less people at $100,000 each | Increase by 50% |
Case Study: Quantify Risks
Large expansion into a new market (Continued)
(in millions)

| Risk Levels | Very Optimistic | Optimistic | Pessimistic | Very Pessimistic |
| --- | --- | --- | --- | --- |
| Anticipated revenue | $125 | $110 | $90 | $75 |
| Incremental Revenue Gain/(Loss) | $25 | $10 | ($10) | ($25) |
| Personnel (Increase)/Decrease | ($2) | ($1) | $1 | $2 |
| Advertising/marketing (Increase)/Decrease | $8 | $3 | ($6) | ($15) |
| Total Impact to Forecast | $31 | $12 | ($15) | ($38) |
Case Study: Quantify Risks
(in millions)

| Risk Category | Key Risk | Very Optimistic | Optimistic | Best Estimate (Forecast) | Pessimistic | Very Pessimistic |
| --- | --- | --- | --- | --- | --- | --- |
| Market / Customer | Competitive challenge | $90 | $40 | $0 | ($60) | ($130) |
| Strategic | Large expansion into a new market | $31 | $12 | $0 | ($15) | ($38) |
| Reputational | Brand damage due to product recall | $50 | $25 | $0 | ($50) | ($100) |
| Financial | Foreign exchange fluctuations | $10 | $5 | $0 | ($5) | ($10) |
| Operational | Natural disaster | $0 | $0 | $0 | ($30) | ($60) |
| Legal and Regulatory | Pending lawsuit | $5 | $5 | $0 | ($50) | ($200) |
| Total | | $186 | $87 | $0 | ($210) | ($538) |
| Applied Probabilities For All Key Risks | | 1% | 5% | 88% | 5% | 1% |
Case Study: Simulate Outcomes
[Chart: Range of Performance (0% to 35%) for the performance metrics EPS Growth, Revenue Growth and Market Share. Legend: Risk Tolerance Measures; Historical Volatility; Potential Outcome (with mean); Forecast.]
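The Simulate Outcomes step applied to the case study's six key risks, as an added example that is not part of the original deck. It enumerates every scenario combination exactly (standing in for the simulation the deck refers to), assumes the six risks are independent and that impacts add up against forecast EBIT, and uses a constructed tolerance band in the demo; all function names are the example's own.

```python
from itertools import product

# Applied probabilities from the slide: very optimistic ... very pessimistic.
PROBS = (0.01, 0.05, 0.88, 0.05, 0.01)

# Impact to forecast per key risk ($ millions), copied from the case-study table.
IMPACTS = {
    "Competitive challenge": (90, 40, 0, -60, -130),
    "Large expansion into a new market": (31, 12, 0, -15, -38),
    "Brand damage due to product recall": (50, 25, 0, -50, -100),
    "Foreign exchange fluctuations": (10, 5, 0, -5, -10),
    "Natural disaster": (0, 0, 0, -30, -60),
    "Pending lawsuit": (5, 5, 0, -50, -200),
}

def outcome_distribution(impacts=IMPACTS, probs=PROBS):
    """Exact distribution of the total impact, assuming independent risks."""
    dist = {}
    for combo in product(range(len(probs)), repeat=len(impacts)):
        total, p = 0, 1.0
        for levels, idx in zip(impacts.values(), combo):
            total += levels[idx]
            p *= probs[idx]
        dist[total] = dist.get(total, 0.0) + p
    return dict(sorted(dist.items()))  # ascending by total impact

def expected_impact(dist):
    return sum(x * p for x, p in dist.items())

def prob_at_or_below(dist, threshold):
    return sum(p for x, p in dist.items() if x <= threshold)

def quantile(dist, q):
    """Smallest total impact whose cumulative probability reaches q."""
    cum = 0.0
    for x, p in dist.items():
        cum += p
        if cum >= q:
            return x
    return max(dist)  # guards against floating-point shortfall when q is 1.0

def classify(low, high, tol_low, tol_high):
    """Analyze Results step: place an outcome range against a tolerance range."""
    if low > tol_high:
        return "area of opportunity"
    if high < tol_low:
        return "area of concern"
    if tol_low <= low and high <= tol_high:
        return "area of confidence"
    return "partly outside tolerance"  # overlap case, not defined on the slide

if __name__ == "__main__":
    d = outcome_distribution()
    p5, p95 = quantile(d, 0.05), quantile(d, 0.95)
    print(f"expected impact: {expected_impact(d):.2f}")
    print(f"5th to 95th percentile: {p5} to {p95}")
    print(f"P(impact <= -98, the forecast EBIT): {prob_at_or_below(d, -98):.4f}")
    # Constructed tolerance band of +/- $40M around forecast, for illustration.
    print(classify(p5, p95, -40, 40))
```

The scenario table is symmetric in its probabilities but not in its dollar impacts, so the expected impact comes out negative even though the best estimate for every risk is $0.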
Success Factors
Integration With Business Processes
Collaboration is a key to success
• Finance
• Human Resources
• Operations
• Audit
• Product Development
• Law
Success Factors of Risk Appetite
• Part of overall ERM Program
• Current financial data
• Share with rating agencies and Board
• Get outside help if necessary
• Choose an approach that is right
Conclusion
• Multiple stages of ERM
• Find the quick wins
• Involve the organization
• Focus on value added activities
• ERM is a journey – different tools and techniques can help you along the way!
Thank you.