Tackling Risk Appetite - Home - ERM...Understand hard to quantify risks Regulatory pressure Board...

Tackling Risk Appetite NC State University College of Management ERM Roundtable Series Spencer Schwartz November 2, 2007


Tackling Risk Appetite

NC State University College of Management ERM Roundtable Series

Spencer Schwartz

November 2, 2007


Agenda

• ERM Overview

• Risk Appetite Framework

• Case Study

• Success Factors

• Q & A


About MasterCard Worldwide

Key Company Statistics (2006)

• Over 16 billion MasterCard-branded transactions processed

• Almost $2.0 trillion in GDV

• 817 million MasterCard-branded cards

• Almost 25,000 customer financial institutions

• More than 25 million acceptance locations

• Award-winning Priceless® advertising campaign in 109 countries and 50 languages

Spencer Schwartz, Senior Vice President

• Group Head of ERM, Business Continuity, and Customer Risk Management

Objectives

• Understand the principles of ERM
• Explain the value of ERM
• Develop a framework for Risk Appetite
• Integrate ERM and Risk Appetite into existing business processes

ERM Overview

Defining ERM

ERM is the capability to protect and enhance enterprise value by managing:

– All types of risk
– Across the organization and globe, and
– With a coordinated and systematic approach

The primary goal of ERM is to enhance shareholder value

“Enterprise risk management helps an entity achieve its performance and profitability targets, and prevent loss of resources. It helps ensure effective reporting. And, it helps ensure that the entity complies with laws and regulations, avoiding damage to the company’s reputation and other consequences. In sum, it helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.”

COSO ERM Framework

Enhancing Shareholder Value

• Risk appetite
• Enhanced risk governance
• Framework for Executive Management and Audit Committee
• Quantification
• Corporate strategy focus
• Risk-weighted decision-making
• Mitigating activities
• Optimization of Resources
• ERM culture
• External environment
• Minimization of “Surprises”

Traditional Risk Management vs. ERM

| “Old Paradigm”: Traditional Risk Management | “New Paradigm”: ERM |
|---|---|
| Fragmented – departments/functions manage risk independently | Integrated – risk management coordinated with senior-level oversight |
| Accounting, treasury and internal audit are primarily concerned with risk management efforts | Everyone in the organization views risk management as part of his or her job |
| Ad hoc – risk management is done whenever managers believe the need exists to do it | Continuous – the risk management process is ongoing |
| Narrowly focused – primarily insurable risk and financial risks | Broadly focused – all business risks and opportunities considered |

Source: Barton, Shenkir and Walker, “Making Enterprise Risk Management Pay Off”

Drivers of ERM

• One out of two financial services firms faces at least one major financial distress every 5 years
• Major disruptions are associated with company underperformance
• Stock price: ↓40% over 2 years after event announcement

Source: McKinsey’s Quarterly. Based on a survey of 200 leading financial services companies over 1997-2002. Distress is defined as a major financial event.

Drivers:

• Natural disasters
• Pandemic
• Terrorism
• Technology/Internet
• Deregulation
• M&A activity
• Product recall
• SEC investigations
• Fraud

Primary Drivers for Implementing ERM

Bar chart categories: Corporate governance requirements; Understand hard to quantify risks; Regulatory pressure; Board request

Bar chart values (in transcript order): 64%, 60%, 43%, 54%

Source: The Conference Board, From Risk Management to Risk Strategy, 2006

ERM at MasterCard

• Publications
• Councils/Conferences
• Benchmarking
• Outside Consultants

The Foundation:

• Policy
• Governance
• Training and Communication

Foundation of ERM

• News: News Articles on Corporate Intranet
• Policies: ERM Policy, Code of Conduct
• Interactive: Workshops, Multi-media Training
• P2P: Tabling Events, Face-to-Face Meetings

Foundation of ERM

Risk Champions

• Analyze external and internal events
• Raise significant issues
• Ensure risks are properly managed and mitigated
• Provide regular reporting
• Institutionalize ERM culture
• Chair the Risk Committee

Risk Committees

• Cross-functional representation
• Institutionalization of ERM
• Discuss risks and proactive mitigation
• Identify issues to be raised to the Policy/Audit Committees
• Prioritize and address significant risks

Integration With Business Processes

Strengthening business processes:

• Post Implementation Reviews
• Pricing proposals
• Budget and planning process
• Risk information for shareholders (SEC filings)
• Performance objectives
• Corporate strategy
• CEO regularly reviews Business Unit risks
• Corporate due diligence framework
• Risk-adjusted discount rates

Risk Appetite Framework

Getting To Know You

What is the biggest challenge in defining your organization’s Risk Appetite?

1 Insufficient resources (people/technology)
2 Lack of consensus on benefits of defining Risk Appetite
3 Getting organizational buy-in
4 Lack of mature risk quantification process

Risk Appetite

Companies are struggling with how to define their risk appetite

• Most companies are in the “adolescent phase” of ERM implementation
  – < 40% tie quantification to financial statements
  – < 20% use advanced quantification techniques
• Risk appetite is “advanced ERM”
  – Captures significant risks
  – Optimal level of risk to maximize enterprise value

Source: Mercer Oliver Wyman, The Conference Board, 2006

Defining Risk Appetite

How is risk appetite defined?

Definition: The amount of risk exposure from an activity or portfolio of activities that an organization is willing to accept or retain

Vehicle: Expressed through tolerance ranges for performance within the defined risk appetite

Developing Risk Appetite Framework

Risk Appetite:

• Why Risk Appetite?
• Select Approach
• Define Risk Tolerance
• Assess Risks
• Quantify Risks
• Simulate Outcomes
• Analyze Results

Why Risk Appetite?

VALUE: Enhancing Communications, Understanding Business, Optimizing Business

• Meet rating agency expectations
• Facilitate Board responsibility for understanding the company’s risk profile
• Support discussions with investment community
• Assess business volatility, risk and return
• Determine how much risk is acceptable
• Better informed decision-making and more timely actions
• Set tolerances, differentiated approvals and reporting
• Optimize business portfolio over time
• Integrate with strategic planning

Select Approach

Detailed Model

• Pros: Strategies built in, scalability, identify areas of mitigation
• Cons: Information availability, complexity of the model, model maintenance

Qualitative

• Pros: Information readily available, simple model, easy to maintain
• Cons: Does not allow drill down, not enough information to generate meaningful discussions

Something in Between

Select Approach

Select approach based on anticipated value

• Time Horizon: Quarterly, One year, Multi-year
• Quantification: Risk inventory, Top risks, Specific scenario(s), Opportunities
• Other: Correlation, Business segment, Mitigation activities

Define Tolerance Ranges

Select metrics to gauge performance and apply tolerance measures

These may be:

• Metrics communicated to the investment community, Board, employees, etc.
• Metrics that peer groups are measured by
• What management determines to be important in measuring the performance of the business, e.g.:
  – Revenue growth
  – Gross margin
  – EPS

Assess Risks

Define Scope

• Organizational
• Business Unit/Function
• Department/Geography
• Project/Product/Service

• Risk Areas
• Top-down risk identification
• Bottom-up risk identification

Assess Risks

• Internal/External Analyses
• Workshops
• Interviews
• SMEs
• Internal Audit/SOX/Compliance

Risk Inventory

• Prioritized Risks
• Response Plans
• Reporting

Likelihood, Severity

Assess Risks

Severity

| Category | Definition |
|---|---|
| Insignificant (1-2) | The risk may have almost no financial implications. |
| Minor (3-4) | The risk may have a minimal impact on financial performance. |
| Moderate (5-6) | The risk may have a significant impact on financial performance. |
| Major (7-8) | The risk may have a substantial impact on financial performance requiring a multi-year recovery period. |
| Extreme (9-10) | The risk may have a significant impact on corporate solvency. |

Likelihood

| Category | Definition |
|---|---|
| Rare (1-2) | The risk has a negligible probability of impact in the next 12-24 months. |
| Unlikely (3-4) | The risk has a low probability of impact in the next 12-24 months. |
| Possible (5-6) | The risk has a medium probability of impact in the next 12-24 months. |
| Likely (7-8) | The risk has a high probability of impact in the next 12-24 months. |
| Almost Certain (9-10) | The risk is affecting the organization right now or almost certainly will in the next 12-24 months. |

Quantify Risks

Why do we need to quantify risks?

• To understand and measure the impact
• To prioritize risks
• To determine the response required
• For risk appetite

Quantify Risks

| Quantification Approach | Pros | Cons |
|---|---|---|
| Qualitative | Simple | Limited objective support |
| Historical Losses | Based on actual events | Data may be limited |
| External Data | Based on actual events | Scarcity and lack of relevance |
| Expert Opinion | Clearly define how risks may occur | More involved process |

A combination of these approaches is used to build risk scenarios

Quantify Risks

Example: A mid-size IT company (XYZ)

Key Risk: Competitive Threats

Risk Scenario: A key competitor has developed and begun to roll out a high-profile “killer app” just as XYZ is ready to roll out its new application

| | Very Optimistic | Optimistic | Best Estimate | Pessimistic | Very Pessimistic |
|---|---|---|---|---|---|
| Risk levels | XYZ’s application is far superior | XYZ’s own application is better | Business as usual: maintain XYZ’s forecast | Competitor’s application is better | Competitor’s application is far superior; significant media coverage which harms XYZ’s reputation and sales |
| Applied probabilities | 1% | 5% | 88% | 5% | 1% |
| Revenue impact | Up 50% | Up 20% | None | Down 20% | Down 50% |
| Expense impact | Decrease advertising/marketing | Decrease advertising/marketing | None | Increase development and advertising/marketing | Increase development and advertising/marketing |

Quantify Risks

Example: A mid-size IT company (XYZ) (Continued)

(in millions)

| Risk Levels | Very Optimistic | Optimistic | Pessimistic | Very Pessimistic |
|---|---|---|---|---|
| Anticipated revenue | $150 | $120 | $80 | $50 |
| Incremental Revenue Gain/(Loss) | $50 | $20 | ($20) | ($50) |
| Development (Increase)/Decrease | $0 | $0 | ($20) | ($40) |
| Advertising/Marketing (Increase)/Decrease | $40 | $20 | ($20) | ($40) |
| Total Impact to Forecast | $90 | $40 | ($60) | ($130) |

Simulate Outcomes

Forecast + Risk & Opportunity Quantification

Simulation

Potential Outcomes vs. Risk Tolerance Ranges vs. Historical Volatility

Simulate Outcomes

Illustrative Example

[Chart: Range of Performance (0% to 35%) for the performance metrics Net Income Growth, Revenue Growth and Customer Satisfaction. Legend: Risk Tolerance Measures, Historical Volatility, Potential Outcome (with mean), Forecast.]

Analyze Results

• Areas of Opportunity: The range of potential outcomes is above the organization’s risk tolerance
• Areas of Confidence: The range of potential outcomes is within the organization’s risk tolerance
• Areas of Concern: The range of potential outcomes is below the organization’s risk tolerance

Management can use this information to:

• Validate the organization’s risk tolerance
• Address areas of concern and take advantage of areas of opportunity
• Assist in better understanding the company’s business volatility
• Optimize business returns by ensuring the strategic planning efforts address the areas of concern and support the areas of opportunity
• Enhance communications with rating agencies and the Board/Audit Committee


“Seventh Inning” Stretch

Case Study

Company Name: RiskWise Associates

Our Task Today: Define RiskWise’s risk appetite

| (in millions) | 2006 | 2007 (Forecast) | % Growth |
|---|---|---|---|
| Revenues | $400 | $460 | 15% |
| Expenses: | | | |
| Personnel | 100 | 110 | 10% |
| Development | 100 | 110 | 10% |
| Advertising/Marketing | 80 | 92 | 15% |
| Other | 40 | 50 | 25% |
| Total Expenses | 320 | 362 | 13% |
| EBIT | 80 | 98 | 23% |
| Interest and taxes | 32 | 39 | 22% |
| Net Income | $48 | $59 | 23% |
| EPS | $0.48 | $0.59 | 23% |

Case Study: Define Tolerance Ranges

• Identified three performance metrics
• Gathered the following information for each

Case Study Examples

| Performance Metrics | Historical Ranges | Average Peer Group | Top Quartile of Peer Group | Forecast |
|---|---|---|---|---|
| Revenue Growth | 10 – 15% | 5 – 9% | 10 – 15% | 15% |
| EPS Growth | 17 – 25% | 12 – 18% | 19 – 25% | 23% |
| Market Share | 16 – 22% | 16 – 19% | 20 – 23% | 24% |

Where should we set the initial tolerance ranges?

Case Study: Define Tolerance Ranges

Set the initial tolerance ranges at top quartile of peer group:

| Performance Metrics | Tolerance Ranges |
|---|---|
| Revenue Growth | 10 – 15% |
| EPS Growth | 19 – 25% |
| Market Share | 20 – 23% |

Case Study: Assess Risks

Determined six significant risks:

• Market / Customer: Competitive challenge
• Strategic: Large expansion into a new market
• Reputational: Brand damage due to product recall
• Financial: Foreign exchange fluctuations
• Operational: Natural disaster
• Legal and Regulatory: Pending lawsuit

Case Study: Quantify Risks

| Risk | Scenario |
|---|---|
| Competitive challenge | The risk that the competitor’s newly rolled out application is superior to RiskWise’s new application or the opportunity that RiskWise’s new application is superior |
| Large expansion into a new market | The risk that the investment fails or the opportunity that it succeeds |
| Brand damage due to product recall | The risk that RiskWise’s main product is recalled or the opportunity from a competitor’s product being recalled |
| Foreign exchange fluctuations | The risk or opportunity of FX fluctuations (up/down) in a country that does a significant amount of product development |
| Natural disaster | The risk of a natural disaster shutting down RiskWise’s back office for a month |
| Pending lawsuit | The risk of an unfavorable judgment resulting in RiskWise having to pay a fine or the potential of the lawsuit being dismissed and RiskWise will recoup its legal expenses |

Case Study: Quantify Risks

Large expansion into a new market

| | Very Optimistic | Optimistic | Best Estimate | Pessimistic | Very Pessimistic |
|---|---|---|---|---|---|
| Risk levels | Sales beat estimate by 25% | Sales beat estimate by 10% | Revenue of $100 million | Sales fall short by 10% | Sales fall short by 25% |
| Applied probabilities | 1% | 5% | 88% | 5% | 1% |
| Personnel | Hire incremental 20 people at $100,000 each | Hire incremental 10 people at $100,000 each | Hire additional people per plan | Hire 10 fewer people at $100,000 each | Hire 20 fewer people at $100,000 each |
| Advertising/Marketing | Decrease by 25% | Decrease by 10% | Expense of $30 million | Increase by 20% | Increase by 50% |

Case Study: Quantify Risks

Large expansion into a new market (Continued)

(in millions)

| Risk Levels | Very Optimistic | Optimistic | Pessimistic | Very Pessimistic |
|---|---|---|---|---|
| Anticipated revenue | $125 | $110 | $90 | $75 |
| Incremental Revenue Gain/(Loss) | $25 | $10 | ($10) | ($25) |
| Personnel (Increase)/Decrease | ($2) | ($1) | $1 | $2 |
| Advertising/marketing (Increase)/Decrease | $8 | $3 | ($6) | ($15) |
| Total Impact to Forecast | $31 | $12 | ($15) | ($38) |

Case Study: Quantify Risks

(in millions)

| Risk Category | Key Risk | Very Optimistic | Optimistic | Best Estimate (Forecast) | Pessimistic | Very Pessimistic |
|---|---|---|---|---|---|---|
| Market / Customer | Competitive challenge | $90 | $40 | $0 | ($60) | ($130) |
| Strategic | Large expansion into a new market | $31 | $12 | $0 | ($15) | ($38) |
| Reputational | Brand damage due to product recall | $50 | $25 | $0 | ($50) | ($100) |
| Financial | Foreign exchange fluctuations | $10 | $5 | $0 | ($5) | ($10) |
| Operational | Natural disaster | $0 | $0 | $0 | ($30) | ($60) |
| Legal and Regulatory | Pending lawsuit | $5 | $5 | $0 | ($50) | ($200) |
| Total | | $186 | $87 | $0 | ($210) | ($538) |
| Applied Probabilities For All Key Risks | | 1% | 5% | 88% | 5% | 1% |

Case Study: Simulate Outcomes

[Chart: Range of Performance (0% to 35%) for the performance metrics EPS Growth, Revenue Growth and Market Share. Legend: Risk Tolerance Measures, Historical Volatility, Potential Outcome (with mean), Forecast.]
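An added example, not part of the original slides: the Simulate Outcomes step for the RiskWise case, done as an exact roll-up of the six scenario rows instead of a random simulation, and carried one step further than the slides by converting the total impact into EPS growth for comparison with the 19 to 25% tolerance range. The function names are illustrative, and three things are assumptions: the six risks are independent, the share count is unchanged, and interest and taxes stay at the forecast share of EBIT (39/98).

```python
from fractions import Fraction

# Applied probabilities from the slides, Very Optimistic .. Very Pessimistic.
PROBS = [Fraction(n, 100) for n in (1, 5, 88, 5, 1)]

# "Total Impact to Forecast" per key risk, $ millions, same level order.
RISKS = {
    "Competitive challenge":              (90, 40, 0, -60, -130),
    "Large expansion into a new market":  (31, 12, 0, -15, -38),
    "Brand damage due to product recall": (50, 25, 0, -50, -100),
    "Foreign exchange fluctuations":      (10, 5, 0, -5, -10),
    "Natural disaster":                   (0, 0, 0, -30, -60),
    "Pending lawsuit":                    (5, 5, 0, -50, -200),
}

# RiskWise figures from the case study, $ millions.
NET_INCOME_2006 = 48
EBIT_FORECAST = 98
NET_INCOME_FORECAST = 59

# Tolerance range set on the slides for EPS growth.
EPS_TOLERANCE = (Fraction(19, 100), Fraction(25, 100))


def impact_distribution(risks=RISKS, probs=PROBS):
    """Exact {total impact: probability}. ASSUMPTION: risks are independent."""
    dist = {0: Fraction(1)}
    for levels in risks.values():
        nxt = {}
        for total, p in dist.items():
            for impact, q in zip(levels, probs):
                key = total + impact
                nxt[key] = nxt.get(key, Fraction(0)) + p * q
        dist = nxt
    return dist


def expected_impact(dist):
    """Probability-weighted mean impact to forecast, $ millions."""
    return sum(value * p for value, p in dist.items())


def eps_growth(impact):
    """EPS growth over 2006 for a pre-tax impact to the 2007 forecast.

    ASSUMPTIONS: share count unchanged (EPS growth equals net income growth)
    and interest plus taxes stay at the forecast share of EBIT (39/98).
    """
    net_income = Fraction((EBIT_FORECAST + impact) * NET_INCOME_FORECAST,
                          EBIT_FORECAST)
    return net_income / NET_INCOME_2006 - 1


def tolerance_report(dist, band=EPS_TOLERANCE):
    """Probability mass below, within and above the EPS tolerance range."""
    low, high = band
    report = {"below": Fraction(0), "within": Fraction(0), "above": Fraction(0)}
    for impact, p in dist.items():
        growth = eps_growth(impact)
        key = "below" if growth < low else "above" if growth > high else "within"
        report[key] += p
    return report


if __name__ == "__main__":
    dist = impact_distribution()
    print(f"distinct outcomes: {len(dist)}")
    print(f"range of impact:   {min(dist)} to {max(dist)} ($M)")
    print(f"expected impact:   {float(expected_impact(dist)):.2f} ($M)")
    print(f"forecast EPS growth: {float(eps_growth(0)):.1%}")
    for area, p in tolerance_report(dist).items():
        print(f"{area:>6}: {float(p):.1%}")
```

In the deck's terms, the "below" share corresponds to Areas of Concern, "within" to Areas of Confidence and "above" to Areas of Opportunity.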

Success Factors

Integration With Business Processes

Collaboration is a key to success

• Finance

• Human Resources

• Operations

• Audit

• Product Development

• Law


Success Factors of Risk Appetite

• Part of overall ERM Program

• Current financial data

• Share with rating agencies and Board

• Get outside help if necessary

• Choose an approach that is right


Conclusion

• Multiple stages of ERM

• Find the quick wins

• Involve the organization

• Focus on value added activities

• ERM is a journey – different tools and techniques can help you along the way!


Thank you.