Copyright
© Attribution Non-Commercial (BY-NC)
Enterprise Risk Management: Practical Implementation

Barry Franklin
Group Managing Director, Americas Aon Global Risk Consulting November 2007

Discussion Topics
Preliminaries

Defining ERM
ERM drivers
Recent survey results

Defining Risk
Balancing diverse views - consistent framework

A value-driven approach to ERM

Implementation challenges
Case studies

What is ERM?

ERM is the process by which companies identify, measure, manage, and disclose all key risks to increase value to primary stakeholders while satisfying other stakeholders.

What is ERM?
Process: A systematic and sustained business process
Measure: Consistent metrics adopted in an integrated manner across the organization
Manage: Focused on enabling management decision making and enabling exploitation of business opportunities
Disclose: Enabler of meaningful and transparent disclosure to key stakeholders
Holistic: Integrated approach to Financial, Operational, Strategic and Regulatory risks
Material risks: Analyzing & quantifying the organization's significant risks
Value: Balanced perspective on uncertainty, managing threats and capturing opportunities
Stakeholders: Focused on delivering the organization's key stakeholder needs and expectations

Related Risk Management Processes


Enterprise Risk Management (ERM) is often identified with Strategic Risk Management (SRM) or Governance, Risk and Compliance (GRC). Common elements are:
Process applied consistently across company
Driven from the top of the organization
Takes a proactive, forward-looking view
Considers both risks and rewards
Integrates risk management into business process
Assigns clear risk ownership

Driving Forces Behind ERM


[Diagram: four forces driving Enterprise Risk Management]
Corporate Disasters: Enron, WorldCom, Adelphia, Mutual Funds
Best Practices: Banks, Asset Managers, Energy Firms, Corporations
Regulatory Actions: S.E.C., Sarbanes-Oxley, Basel II
Industry Initiatives: Treadway Report (US), Turnbull Report (UK), Dey Report (Canada)

Executive Research Key Findings


Most companies are making some progress
Greater board and CEO involvement
More awareness across organizations
Faster adoption outside of North America
Few companies have progressed to advanced level
Slower progress than originally expected

Key Drivers

[Bar chart comparing 2004 and 2006 on a 0% to 80% scale. Categories: Corporate Governance Requirements; Understand Hard to Quantify Risks; Regulatory Pressures; Board Request.]

Source: The Conference Board

Key Objectives 2006


Ensure risk considered in decision making: 83%
Avoid surprises: 85%
Integrate risk management into corporate processes: 70%
Align risk exposures & mitigation: 65%
Use risk management as competitive tool: 36%

Source: The Conference Board

Integration into Business Processes

[Bar chart comparing 2004 and 2006 on a 0% to 80% scale, by region: Rest of the World; UK/Europe; United States/Canada. Data labels: 75.0%, 75.0%, 53.8%, 65.9%, 71.2%, 39.8%.]

Source: The Conference Board

Building the Process

[Bar chart comparing 2004 and 2006 on a 0% to 80% scale. Categories: Business Risk Inventory; Mission Statement; Regular Risk Assessment; Common Risk Language.]

Source: The Conference Board

Building the Process

[Bar chart comparing 2004 and 2006 on a 0% to 80% scale. Categories: Root Cause Analysis; Individual Risk Ownership; Regular Board Reports; Tolerances.]

Source: The Conference Board

Risk Management Integration

[Bar chart comparing 2004 and 2006 on a 0% to 70% scale. Categories: Internal Audit; Strategic Planning; New Product Development; Product Pricing.]

Source: The Conference Board

Greatest Benefits

[Bar chart comparing 2004 and 2006 on a 0% to 80% scale. Categories: Better Informed Decisions; Management Consensus; Articulate Risk Taking; Governance.]

Source: The Conference Board

Key Risks - Americas


Damage to reputation
Business interruption
Third party liability
Distribution or supply chain failure
Market environment
Regulatory/legislative changes
Failure to attract or retain staff
Technology failure
Failure of disaster recovery plan
Loss of data


Source: 2007 Aon Global Risk Management Survey

Level of Preparedness
% with written plan in place or have undertaken a formal review of this risk

Damage to reputation: 48%
Business interruption: 70%
Third party liability: 75%
Distribution or supply chain failure: 63%
Market environment: 35%
Regulatory/legislative changes: 41%
Failure to attract or retain staff: 55%
Market risk: 56%
Physical damage: 77%
Merger/acquisition/restructuring: 69%
Failure of disaster recovery plan: 65%

Source: 2007 Aon Global Risk Management Survey

Business Activity Priorities


Business Activities (current priority ranking / priority ranking next 2 years)

Risk identification, quantification and analysis: 1 / 1
Regulatory compliance and reporting: 2 / 3
Loss control / prevention: 3 / 4
Managing risk on an enterprise-wide basis: 4 / 2
Risk communication internally with management and operations: 5 / 5
Emergency / contingency planning: 6 / 6
Insurance buying: 7 / 9
Risk financing: 8 / 7
Claims management: 9 / 8
Risk communication externally with business partners: 10 / 10

Source: 2007 Aon Global Risk Management Survey

Responding to Changing Risks

[Chart: approach used (External service/advisor; Benchmarking; Quantitative analysis; Management intuition and experience) for each of three tasks: Identify major risks; Assess probability and impact; Determine limits for insurance. Data labels: 8%, 11%, 23%, 32%, 46%, 29%, 22%, 42%, 29%, 19%.]

Source: 2007 Aon Global Risk Management Survey

Identification of Major Risks

[Chart: method used to identify major risks, by region (All; The Americas; Europe; Asia/Pacific). Methods: Other; External service provider/advisor; Business unit registers or key risk indicator worksheets; Senior management intuition and experience; Board workshops or scenario planning. Data labels: 11%, 8%, 14%, 7%, 18%, 5%, 4%, 13%, 19%, 45%, 32%, 55%, 42%, 55%, 23%, 19%, 12%, 7%, 5%, 3%.]

Source: 2007 Aon Global Risk Management Survey

What is Risk?

Risk can be defined as the potential harm that may arise from some present process or from some future event. In everyday usage, "risk" is often used synonymously with "probability", but in professional risk assessments, risk combines the probability of a negative event occurring with how harmful that event would be. Risk can also be viewed as volatility from expected. This definition captures both the upside and downside of risk.

What is Risk?
Financial
Includes the fluctuating cost of fuel, interest rates and access to capital

Human Capital
A growing area of exposure in today's labor market, including employee selection, retention and turnover, absenteeism, compensation and labor relations

Legal / Regulatory
Incorporates liabilities for employment, defamation and other allegations, including regulatory change and governance requirements

What is Risk?
Operational
Includes day-to-day business challenges across all functional platforms, including the drive for efficiency, optimal use of outsourcing and business continuity

Strategic
Includes organizational planning, such as the strategic response to changing customer preferences, competition, reputation/brand, innovation, etc.

Technology
Includes system failure, network liability, internet security and other technology-related risks

Public Company View of ERM


A strategic mechanism for effective risk identification and containment
Ensures that business objectives are balanced with:
Corporate governance initiatives
Risk mitigation initiatives
Enhanced and timely business decisions
Enhanced profitability
Long-term growth
Goal to maximize shareholder value for the enterprise as a whole
Greatly influenced by Sarbanes-Oxley and SEC in the U.S.

Private Company View of ERM


Short Term:
Drives structured and disciplined approach to risk management:
Provides methodology for measuring business risks
Increases awareness of risks and potential risks
Long Term:
Ability to aggregate risks and benefit from enterprise effects
Better capital allocation and competitive position
More effective strategic and operational planning
Ensures execution of the Core Competency

Balancing Diverse Interests

[Diagram: ERM at the center, tied to Enterprise Goals & Objectives. Axis labels: External; Internal; Value Creation; Performance; Conformance.]
Growth: Bus. Units, Managers
Returns: Shareholders, Investors, Partners
Governance: Controls, Compliance
Capital: Financial Strength; Debtholders, Agencies, Regulators

COSO - A Starting Point for ERM

The COSO ERM Framework Consists of 8 Interrelated Components and 4 Objectives


Elements of ERM as outlined in the framework:
Is a process
Is effected by people
Is applied in strategy setting
Is applied across the enterprise
Is designed to identify potential events
Manages risks within risk appetite
Provides reasonable assurance
Supports achievement of key objectives

Source: COSO ERM Framework

Using a Value-Driven Approach


Start with a skilled assessment of your business and ERM needs to ensure that the approach and outcomes are well matched to your needs
[Diagram with three layers: ERM management; ERM process; ERM outcome - value]
ERM process: Evaluate Risk Process; Risk Identification & Prioritization; Risk Quantification; Risk Response Solution; Risk Management Implementation; Governance, Culture and Disclosure
ERM outcome - value: Growth; Profitability; Continuity

Evaluate Risk Process

Activities
Gather information on current status
Develop scorecard ranking current program vs. leading practice
Develop future vision for ERM program
Develop gap analysis using scorecard format and identify quick-hits
Conduct executive workshop

Deliverables
Current state risk score card
Risk maturity benchmark
Key ERM goals & objectives
ERM performance plan
Alignment on ERM framework / plan

Current State Assessment

[Maturity scale running from Risk to Opportunity: Initial; Established; Uniform; Managed; Optimizing]

Current State Assessment


Risk management is becoming more complex
Most companies have a wide range of risk management activities underway: ERM, Sarbanes-Oxley, Compliance, Operations, Risk committees
Unfortunately, many companies lack a coherent vision for risk management
Senior management and board members often have differing views of what information they would like to see from risk management
Rating agencies are assessing risk management quality as part of their overall rating process (S&P, Fitch)

Risk Maturity Benchmarking


Sample Risk Maturity Benchmark

Areas assessed (Capabilities and Results): Risk Leadership; Risk Strategy & Policies; People; Partnerships; Processes; Risk Handling; Outcomes
Maturity bands: Risk Enabled; Risk Managed; Risk Defined; Risk Aware

Level 5 (= Excellent capability established): Fully embedded in day-to-day business processes and strategies.
Level 4 (= Embedded and improving): Integrated approaches to managing risk are implemented across boundaries.
Level 3 (= Implementation completed in key areas): Formal approaches to managing risk in place and widely implemented.
Level 2 (= Implementation planned): Formal approaches to managing risk in place and partially implemented.
Level 1 (= Awareness / Understanding): Awareness of need but little action.

Measures
Risk Leadership: Do senior managers support and promote risk management?
Risk Processes: Do the organisation's processes incorporate effective risk management?

Maturity: Building Risk Capabilities

Systematically Build and Improve Risk Management Capabilities

[Maturity scale running from Risk to Opportunity]
Initial: Capabilities are characteristic of individuals, not of the organization
Established: Process established and repeating: reliance on people is reduced
Uniform: Policies, processes and practices defined and formalized across the organization
Managed: Risks measured, managed and aggregated on an enterprise-wide basis
Optimizing: Organization focused on RM as a source of competitive advantage and continuous improvement

Risk Identification & Prioritization

Activities
Risk categorization and scoring criteria
Conduct interviews / surveys
Benchmark client's public risk factors
Consolidation and aggregation of identified risks
Conduct risk workshop

Deliverables
Risk hierarchy and criteria
Internal risk identification
External risk identification
Risk register
Prioritized risk map

Calibrate Definitions and Criteria


Risk Categorization and Scoring Criteria

Prioritized Risk Map

Risk Quantification

Activities
Develop risk scenarios and correlations
Modeling key risks
Calculate aggregate risk exposures

Deliverables
Risk scenarios
Individual risk quantification and prioritization
Aggregate impact of key risk on company's value and financial performance

Risk Quantification / Valuation

Step 1 - Develop Risk Scenarios
Conduct interviews with risk experts
Develop risk scenarios and associated financial impact
Gather existing facts / historical data points

Step 2 - Develop Baseline Valuation Model
Build baseline valuation model; project financials consistent with strategic plan
Adapt model to dynamically accommodate risks/scenarios, value drivers and key metrics

Step 3 - Run Model to Quantify Risks
Aggregate risks
Shock model for each risk/scenario
Quantify impact to value and other key metrics
Provide basis for decision-making

Defining Value - One View

ERM Value Propositions

Improved resource allocation
Enhanced risk corporate governance
Common and deep knowledge of critical business and organizational risks
Increased operational efficiency
Greater transparency of risk
Possible reduction in earnings volatility
Optimized capital allocation
Improved regulatory standing
Enhanced risk reporting
Consistent framework for risk
Improved compliance

Keeping resources focused on those activities that matter most to the organization
Structured process to allocate capital based on those businesses that are the most risky to the organization
Everyone in the organization has the ability to define, treat, and manage risk in a homogeneous fashion
Provide confidence that risks are being identified and managed in a constructive fashion

Defining Value - Alternate View

Risk Adjusted Income Statement (2008 / 2009 / 2010)

REVENUE
Sales: 642,100 / 670,965 / 701,292
Other Operating Revenue: 14,482 / 14,626 / 14,773
Total Revenue: 656,582 / 685,591 / 716,065

OPERATING EXPENSES
Salaries, Wages and Benefits: 310,667 / 323,093 / 336,017
Supplies and Services: 289,850 / 309,593 / 330,750
Total Operating Expenses: 600,517 / 632,686 / 666,767

(LOSS) INCOME FROM OPERATIONS: 56,065 / 52,906 / 49,298

OTHER INCOME (EXPENSE)
Interest and Dividends: 28,419 / 28,704 / 28,991
Current State Risk Exposure: (16,000) / (17,326) / (15,683)
Mitigation Costs: (2,784) / (2,812) / (2,840)
Mitigation Impact on Current State Risk: 14,326 / 16,532 / 12,031
Total Other Income (Expense): 23,961 / 25,098 / 22,499

NET PRETAX INCOME: 80,026 / 78,003 / 71,796

[Chart: Aggregate Loss Distribution]
[Chart: Competing Mitigation Strategies]

Value-centric ERM framework


[Diagram labels: Risk Management Tactics; Strategy; Scenario Development; Surveys; Determine Portfolio Effect; Risk Appetite; ERM Committee Consensus Meeting; All Risks; Key Risks; Individual Risk Quantification & Ranking; ERM Model (Value); Enterprise Risk Exposure; Value. Process key: Risk Identification; Risk Quantification; Risk Management.]

Sample Output (partial data)


Risk Distribution Report
Risk: IT External Attack (Risk #4)

Risk Scenario / Likelihood / Value
Worst Case / 1-in-30 year event / -7.5%
Pessimistic / 1-in-10 year event / -2.4%
Best Estimate / Most Likely / ---
Optimistic / 1-in-15 year event / 0.1%
Best Case / 1-in-50 year event / 0.2%

Key Risks Rank by Value Impact of Worst Case Scenario
[Bar chart on a 0.0% to -20.0% scale. Risks in the order shown: Risk 11, Risk 1, Risk 8, Risk 7, Risk 4, Risk 9, Risk 12, Risk 10, Risk 15, Risk 6, Risk 13, Risk 3, Risk 5, Risk 14, Risk 2.]

Risk Response Solution

Activities
Determine risk tolerance
Identify risk response solution options
Evaluate and select risk response solution

Deliverables
Defined risk tolerance
Risk response solutions
Risk response business case

Risk Appetite - One View


[Table of FY07 metrics against risk appetite thresholds, $ in millions.]
Column and row labels: FY07 Metrics; FY07E; Defined Goal; Financial Buffer (RBC); Impact of $100 million, pre-tax losses on metric; EPS Growth (from 2006); Free Cash Flow; Operating Margin; Cash/Months Operating Expense; Total Debt/CFO
Values shown: - 260 bps; 25.0%; 22.5%; $60; $1,883; $1,400; - $53 million; $750; 40.1%; 40.5%; - 81 bps; $0; Not Available; 8.9; 12.0; 0.11 months; 73.6; Not Available; +155 bps
Threshold is not expected to be achieved in FY07

Sources: 2007 budget, metric & threshold input

Risk Appetite - Alternate View

Enterprise Risk Exposure (Event / Current State Probability / Target for Future State Probability)
Value: 10% decrease in value / 15% / ?
Rev Growth: Achieving strategic plan goals / 35% / ?
eps Growth: 5% increase in eps / 5% / ?
Other

Is the ERM Committee comfortable with the current state? If not, what do they want it to be? The answers result in tolerance thresholds collectively called Risk Appetite.

Risk Response Solution


Risk Response Strategies

Terminate: Exit Risk Area
Mitigate: Preventative; Corrective; Directive; Detective
Transfer: Financing Solutions (Insurance; Capital Markets; Contractual Transfer; Hybrid)
Exploit: Explore the upside of risk by taking new opportunities
Tolerate: Make a conscious decision to tolerate the risk

Evaluating Solutions

[Chart: Total Cost of Risk against Cumulative Probability (0% to 99.9%), comparing Current Mitigation with the Mitigation Option Being Considered. Annotations: Increased Mitigation Cost; Increase in Likelihood of Meeting Risk Appetite; Risk Tolerance; 85%; 95%.]

Evaluating Solutions

Management selects ERM actions that move enterprise risk exposure towards risk appetite, for example:
[Charts: Risk Exposure Pre-Mitigation and Risk Exposure Post-Mitigation, each plotted against Value.]

Risk Management Implementation

Activities
Develop risk response plan
Obtain support of risk management leaders
Develop teams and tools
Implement projects
Define metrics and implement monitoring tools

Deliverables
Risk management project plan
Project governance structure
Resource allocation, communication and training
Program management
Risk platform and scorecards

Risk Management Implementation


ERM Multi-Year Project Plan

2007
Define Risk Strategy
Develop Cost of Risk Model
Establish Risk Appetite
Evaluate Data Strategy
Develop Risk Profiling
Legacy Claim Evaluation
Captive Strategy
M & A Process Evaluation

2008 / 2009
Comprehensive Risk Mapping
Technology implementation
Risk Modeling
Captive Optimization
Legacy Claim Projects
Global Optimization
Expanded Risk Assessment
Portfolio Risk Modeling

ERM Enabling Technologies


There are a lot of technologies related to risk in general and ERM
Use a selection process as with any tool/technology
Analysis: RFI/RFP
Vendor discussions and bake-off with prototype
Design: Purchase on trial basis
Full deployment

ERM Dashboard Applications

ERM Monitoring and Reporting

Dashboards & Governance

Drives Accountability

Facilitates Dashboard Reporting

Automates Tracking of Key Risk Indicators

Governance, Culture and Disclosure

Key Activities
Develop detailed ERM frameworks and governance
Develop internal risk communication and awareness program
Develop external communication strategy
Monitor risk performance against defined metrics
Develop continuous improvement process

Client Deliverables
Policies, manuals, committees, roles and accountabilities
Rollout of communication and awareness program
Enhanced communication with rating agencies, equity analysts and regulators
Reporting on KPIs
Improvement processes and accountabilities

Governance, Culture and Disclosure


ERM Framework and Governance
Board of Directors

Executive Committee

COO

CFO

Chief Risk Officer

CIO

CLO

ERM Function

Business Unit A

Division A

Business Unit B

Functional, support and Shared services

Division B

Business Unit C

Division C

Risk Management Compliance

Internal Audit

Governance: Partnership is Key


Board: Set Policy; Approve Risk Strategy; Enforce Correction; Provide Tone from the Top
Audit Committee: Establish Policy; Propose Risk Strategy; Measure / Monitor; Report to Board on Key Matters
ERM Working Group*: Monitor; Coordinate; Educate; Facilitate; Benchmark; Report
Compliance/Ethics: Act as Functional Risk Owner; Manage Legal Risks; Foster an Ethical Environment
Internal Audit: Provide Assurance; Conduct Risk-Based Audits
Business/Functional Risk Owners: Identify Risk; Manage Risk; Measure Risk; Report & Prioritize Risk; Improve
*possibly chaired by CRO

Governance, Culture and Disclosure


ERM Project Plan e.g. ERM Manual

Client ABC Client ABC Client ABC

External Risk Disclosure Analysis

Annual 10-K reports are a primary risk information source for investors and the public.
How was this list developed?
How was the order of the risks determined?
Were the impacts of these risks quantified?
How will investors react if an unmentioned risk results in significant loss of market value?
How does your list compare to your competitors?

Comparative Analysis
A comprehensive ERM program can ensure that the 10-K risk factor list is complete and in appropriate order.

Review the risks listed in the 10-K report
Is anything missing?
Are the risks listed in an order that is representative of their impacts?
Have these risks been quantified?
How would investors or regulators react if an unmentioned risk results in significant loss of value?

Analyzing Competitors' Disclosures

Regular review of competitors' risk disclosures is vital to:


Ensure that your risk disclosure is complete

Keep tabs on changes in the industry environment

Comparing Risk Disclosures


Strategic Review of Annual Reports / Regulatory Filings

Legend: Green = Declared; Red = Not Declared; Orange = Not Relevant

Description
Consumer demand and acceptance of services offered by us
Our ability to achieve and maintain acceptable cost levels
Fare levels
Actions by competitors
Regulatory matters
General economic conditions
Commodity prices
Changing business strategies
Single aircraft type
Changes to and costs of security procedures
Cost and availability of aircraft insurance
Terrorist attack
International hostilities
Ability to continue as a going concern
Ability to operate pursuant to the terms of the DIP Financing
Ability to obtain a federal loan guarantee from the ATSB

ERM Commonly Cited Challenges

Inability to demonstrate immediate, quantifiable return on investment


Internal competition among business units

Cultural incompatibility
Limited technology / tools
Inadequate senior-level support

ERM - Critical Success Factors


Senior management support

Clearly defined vision


Regular and open communication among the team
Realistic expectations regarding timelines and deliverables
Sufficient resource allocation for implementation and follow-through
Linkage to organizational success factors, strategies and processes

ERM Potential Benefits


Establish Sustainable Competitive Advantage
Integrate with business planning and value management processes
Avoid missing key risks and losing vital opportunities
Optimize balance between capital preservation and growth/profit-generation

Manage Risk at a Lower Cost
Minimize risk averse behavior
Develop cost-effective risk strategies and solutions
Eliminate redundant or unnecessary risk controls

Improve Business Performance
Support more informed/proactive risk management decisions aligned with business objectives/strategies
Link to enterprise performance, measurement and monitoring
Reduce volatility and prevent surprises

ERM Gap Analysis


Phase I - Information Gathering
Conduct interviews / gather information
Identify risk universe
Define and develop cost of risk data
Conduct gap analysis

Phase II - Setting the Stage
Develop overall risk management vision
Create risk management scorecard / Gap analysis
Identify key risk projects / activities needed to achieve risk management excellence
Understand cost / benefit of potential risk management strategies

Phase III - Executive Support
Obtain support of risk management leaders
Present overall objectives and plan to senior management
Develop teams and tools
Get moving

Phase IV - Implementation
Deliver defined projects
Update progress toward overall vision
Measure performance
Create linkage to next steps
Build feedback loop to ensure continued progress toward goals

Risk Management Vision

Risk management vision transcends the various projects and activities that comprise risk management within an organization
In order to define risk management vision, the company must resolve a series of key questions:
What are the goals of the company's risk management efforts?
How does the company define risk management excellence?
What is the current state of risk management?
Where are the gaps?
What are the priorities?
How will success be measured?
In the end, risk management must deliver measurable impact on the company's operating performance

Key Risk / Performance Indicators


What are the KRIs?

How do I get them?


How often do I get them?
What do I do with them?
Foundation understanding of: frequency, source and meaning

KRIs - Example

Focus on Value
[Diagram labels: Risk Management Tactics; Strategy; Scenario Development; Surveys; Determine Portfolio Effect; Risk Appetite; ERM Committee Consensus Meeting; All Risks; Key Risks; Individual Risk Quantification & Ranking; ERM Model (Value); Enterprise Risk Exposure; Value. Process key: Risk Identification; Risk Quantification; Risk Management.]

Case Study #1: Fast Growing Company


Highly successful, profitable company
Recent patent litigation surprise created temporary cash and credit crunch
Audit committee wanted an overview of key risks facing the company
Risk committee was formed to coordinate the effort
Team conducted interviews with over 50 executives, supplemented by over 80 surveys

Project Objectives
Has the company identified all its critical risks?
Does the company have effective controls for managing its critical risks?
Are the risks greater now than they were 12 - 24 months ago (earnings pressure, continued acquisitions and internal strategic initiatives)?
Are these risks within acceptable limits?
Is the right level of information reported to Senior Management and the Board?

Project Results
Provided information to senior management and the Audit Committee
Developed models for key risks based on potential impact on: Revenue; EPS; Cash; Reputation
Examined current and potential risk mitigation opportunities, including risk transfer and self-funding
Created a framework for more effective decision-making regarding supply chain management, site selection and inventory management

Case Study # 2: Manufacturing Company


Company had a well-developed risk management process
Top risks for each of the businesses were routinely assessed and evaluated
Due to lack of internal data, limited effort had been made to quantify the potential impact of events
Recent supply chain problems had highlighted previously unmeasured vulnerabilities
Project team developed customized risk models for the top five risks of each business unit

Project Results
Delivered working risk models to each business unit
Risk models were used to develop underwriting models for potential risk transfer / mitigation solutions
Company expanded the use of existing captive insurance company and finite risk insurance arrangements to address key issues
Event risk maps helped uncover critical decision points that could substantially alter the overall risk exposure
Changes were made in supply contracts, inventory levels and contingent business interruption coverage as a result of the analysis

Case Study #3: Consumer Products

Fortune 100 consumer products company
Treasurer and Risk Manager had identified 17 key risks under their charge
Company wanted to develop a quantitative approach to better evaluate risk decisions
Solution: Risk modeling project to help evaluate the optimal risk strategy

Project Results
Project focused on the analysis of internal and external risk data
Creation of individual and portfolio risk models
Risk mitigation and transfer alternatives were tested using the models, resulting in significant changes
Company was able to demonstrate the value of additional risk retention and the use of internal funding (via a captive insurance subsidiary)
Risk finance and mitigation resources were reallocated to optimize the company's risk management efforts

Case Study #4: Hospital

Medium-sized hospital looking to achieve excellence in health care by surpassing standards set in The New American Hospital and the Malcolm Baldrige National Quality Award

Key objective: conduct a comprehensive risk assessment
Project involved:
Interviews with key personnel (management, physicians and nurses)
Creation of a risk inventory
Benchmarking of current risk management approaches and quality of care against industry standards and best practices
Evaluation of current risk mitigation methods

Hospital ERM Project Results

Identified and prioritized key enterprise risks
Recommended improved approaches for risk management
Opportunities for improvement included:
Implementation of clinical best practices and rapid response teams to reduce cardiac complication rates
Diversification of services to counteract the impact of Medicare reform
Contingency planning around key physicians and sole-source service providers
Improvement of the contract oversight and document retention process to minimize legal liabilities

Case Study #5: Capital One

Capital One signed an "informal memorandum of understanding" with bank regulators. More than a dozen class actions were filed charging the credit card issuer with securities fraud for misleading shareholders about its financial health and its compliance with bank regulations.

Risk management capabilities designed and implemented across the organization.

Capital One's stock plummeted by 39%, falling from a $50.60 per share close on July 16 to $30.48 per share by the close of July 17; a drop of roughly $4B in market value.

July 2002, 8K filing: the company publicly commits to enhance its enterprise risk management and internal control environment.

ERM Process: Enhanced Future State

Integrated into Operational Business Processes Improved Risk Predictability and Measurement

ERM Process

Line of Business Operations Risk Metrics

Risk-Adjusted Decision Making

Improved Business Performance

Suggestion: Adopt a Pilot Approach


Start small and grow big
Select a locale with engaged management and noncomplex products or customers
Establish proof of the ERM concept - quicker benefits

Accomplish process objectives in a shorter timeframe


Learn from successes/mistakes to roll out the ERM process across the organization

Overview of a Pilot

Review current company and business objectives/risk management objectives; evaluate current risk management infrastructure and capabilities

[Risk map: risks plotted by Severity ($ millions; scale <5, 10, 25, 50, 75, >100M). Markers distinguish High Impact, Moderate Impact and Low Impact, and Partial / Full Mitigation from No / Minimal Mitigation.]

Legend
Strategic: S1 Partnering arrangements; S2 Changing industry dynamics
Operational: O1 New initiative integration/success; O2 Business continuity; O3 Product quality; O4 Centralized distribution; O5 Hazard risk
Human Capital: H1 Succession planning; H2 Turnover; H3 Human capital development
Legal/Regulatory: L1 Political pressure around drug affordability
Technology: T1 Intellectual property; T2 Information security
Financial: F1 Currency fluctuations; F2 Commodity prices

Establish risk management options, action plans, etc.


Risk: Information Technology Network Security
Definition: Ability to safeguard proprietary knowledge from a security breach which could damage financials, brand and reputation. Intentional, coordinated and/or hidden sabotage of systems, software or processes by internal or external parties.
Current State: Severity Level; Frequency
Current Metrics: Number of viruses per month; Minutes of downtime per month; Backup processes double checked weekly
Risk Owner(s): Chief Technology Officer; IT Department; Security

Action Plans
Current: Up-to-date anti-virus and system firewall protection; Disaster recovery plans; Network backup planning; Software and data backups; Backup power supply
Recommended: Intrusion detection and vulnerability detection equipment and software; Destruction of old hard drives from redundant computers; Ensure no single point of failure; Redundant hardware systems
Estimated Investment: Additional IT staff personnel; Purchase of intrusion detection and vulnerability detection equipment; Continual investment in updating software

Risk Assessment Pilot

Establish criticality of risk and prioritize; map key risks

September

November

Perform facilitated session and/or interviews with select internal and external experts to identify and assess risks and risk management processes
Analyze risks for causal factors, effects, and interrelationships

Summarize data of most significant risks

Reduce voluntary employee departures by 10% by 2008
[Chart: # Departures for 2006, 2007 est. and 2008 est., against Target.]

Questions to Consider

Is ERM adding value for your organization?

Is the ERM effort stalled or is progress being made?


Are there parallel risk management efforts that fall outside of the ERM process?
What can be done to automate portions of the ERM process?
Are there high impact drill-down projects that will deliver ERM value?
Is ERM sustainable after the project team has moved on to other assignments?

Barry Franklin, FCAS, MAAA


Aon Global Risk Consulting

312.381.3920 [email protected]

Confidentiality
We recognize that our clients' industries are extremely competitive and maintaining confidentiality is of the utmost importance. Accordingly, Aon takes seriously its obligation to protect the confidentiality of client information. Similarly, we view our approaches and insights as proprietary and therefore look to our clients to protect Aon interests in our presentations, methodologies, and analytical techniques. Under no circumstances should the material in this report be shared with any third party without the written consent of Aon. Copyright 2007 Aon
