Operationalization of ERM functions

Prepared for the Committee on Finance & IT
June 18th 2010
BMR Advisors - All rights reserved
Enterprise Risk Management
Insights & Operationalization
Contents
Background
Key findings:
1. The current state of ERM implementation
2. Types of ERM program
3. Organisation of ERM functions
4. Operationalization of ERM
Open questions
Next steps
About BMR
Background to the study
A perfect storm
ERM has been a topic of discussion and analysis since the mid 1990s – but economic turmoil has thrown risk management into sharper focus
Regulatory developments – for example, the introduction of SEC Rule 33-9089 – are acting as a powerful catalyst for ERM adoption
Management teams and Boards are under increasing pressure from regulators, investors and the media to demonstrate the effectiveness of risk management efforts – both in protecting shareholder interests AND in adding value
By 2009, FERF had identified a gap in knowledge among FEI members – most of whom knew that they should do something about ERM, but weren’t sure exactly what to do
Sidebar headlines:
• What’s your company’s risk culture?
• Elson & Hubbard to lead study group on corporate boards
• European Commission to unveil governance Green Paper
Focus on practical implementation
FERF and BMR agreed that an executive report was needed to help FEI members address the ‘operationalization’ of ERM
A steering group was formed, comprising Peggy Yocher of United Technologies; Joan Netzel of SunTrust Banks; and Prof Paul Walker of the University of Virginia, as well as BMR and FERF representatives
Rather than review theoretical frameworks, it was agreed that the study should canvass ERM Managers to find out how ERM is actually being implemented on the ground and to identify trends, patterns and future directions that may be of value to FEI members
It was also agreed that the principal focus should be upon ERM in non-financial companies
Participants in the study
Companies interviewed for the study have aggregate revenues in excess of $1.2 trillion and are generally global in scope
They were predominantly Fortune 500 organisations or similar, on the basis that these companies are most likely to have well-developed ERM programs
Personnel interviewed were typically either:
• ERM Directors
• Treasurers
• Strategy Directors
• Controllers
In addition to these face-to-face interviews, we also carried out detailed reviews of approximately 15 more ERM programs
Key findings
1. Current state of ERM implementation
2. Two types of ERM program
3. Organization of ERM programs
4. Operationalization of ERM
Current state of ERM implementation
1. There is a broad consensus as to the purpose of ERM
• ERM Managers believe ERM exists to make risks more visible before they impact an organization, so that management decisions can be evaluated and challenged
• There is a growing recognition that ‘ad hoc’ risk management approaches have not worked and are no longer acceptable
2. The typical ERM program is still in an early stage of development
• Some organizations have reached ‘advanced’ levels of sophistication
• However, these are heavily outnumbered by those for whom ERM still remains a work in progress, or has not been embarked upon at all
• All ERM Managers agree that there can be no ‘one size fits all’ solution
3. The ‘drivers’ of ERM programs fall into three main categories
• Proactive decision, prompted by leadership change, Board discussion etc
• Reaction to events, whether internal (fraud, restatement) or external (terrorism, reputational issues affecting other companies)
• Requirements / expectations of regulators and other external bodies (biggest influence on the current heightened interest in ERM)
Two types of ERM program
ERM programs can be classified according to the categories of risk that are deemed to be in scope; and the overall approach that is adopted to risk management:
In general, programs tend to fall into one or other of two program types:
Type One: programs that take a mainly strategic view of risk, and manage it in a qualitative way; and
Type Two: programs that take a more financial / operational view, and tend to manage risks through quantitative control
The view of risk might be said to be either “Enterprise Level” (Type One) or “Enterprise Wide” (Type Two)
[Figure: two-by-two matrix. One axis is the predominant approach that a given company takes to management of risk (Qualitative / Quantitative); the other is the type of risks that a given program is mainly designed to address (Strategic / Operational). Type One occupies the Strategic / Qualitative quadrant and Type Two the Operational / Quantitative quadrant.]
Move toward more integrated, holistic approaches
Most organizations are making efforts to take a more holistic, integrated view of ERM
To do this an organization needs to ask:
• How can strategic risks be analyzed on a quantitative level?
• How can financial / operational data be interpreted in a qualitative way?
The benefits of successfully adopting a more integrated view are that a virtuous circle would be created, strengthening the links between business strategy and operational planning
[Figure: virtuous circle – qualitative awareness of strategic risks; quantitative analysis of strategic risks informs operational plans; quantitative control of financial / operational risks; qualitative interpretation of operational data brings strategic risks to the surface]
Organization of ERM functions (1)
1. Ownership of risks must be with the business, not with the ERM team
• ERM must not operate in parallel to the existing management structure
• Primary responsibility for the identification, ownership and management of risk MUST remain with the business itself
• Accountability for each risk must be held at an appropriate level, while ‘tone at the top’ is established by the CEO and management team
2. Functional ownership of ERM process is less important
• The choice of which function should own the ERM process is not critical provided that it has the necessary skills, relationships and knowledge
• In general, Type One programs are more likely to be managed out of Strategy & Planning functions while Type Two programs are more likely to be led out of Internal Audit, Controllership, Treasury etc
3. Small ERM teams can introduce a risk all of their own
• Most ERM functions are staffed by very small teams, which can introduce a significant risk unless steps are taken to institutionalize the knowledge, processes and tools of ERM
• If an ERM program relies too heavily on the personal ‘equity’ of the ERM Manager, what happens if that person leaves? Does ERM cease?
Organization of ERM functions (2)
4. Role of ERM function is different in each company
• While some ERM functions act purely as facilitators of a process, others have much more influence over development and enforcement of risk policy
• Whichever approach is adopted, it is vital to ensure that ERM is not perceived as the “risk police”
5. Risk culture drives engagement, which drives success
• The intensity of ‘engagement’ between the ERM program and the business is a key determinant of success
• This in turn is influenced by risk culture – which cannot be imposed, but must be allowed to develop naturally through human interaction
6. ERM is generally believed to have very ‘long arms’
• Although accountability for risk management can only extend to relatively senior managerial levels, ERM Managers believe that ERM should aim to increase awareness of risk in all decisions across the business
Operationalization of ERM functions
Most ERM programs are operationalized around five broad activities:
1. Gathering ‘risk intelligence’
2. Cross-functional risk discussion
3. Risk scoring and prioritization
4. Risk response
5. Reporting
Although the activity areas do not necessarily happen sequentially, most programs reviewed for the study operate with a natural ‘cadence’ that resembles a cyclical process
For companies starting out on the ERM journey, gathering of risk intelligence is the most obvious place to start
[Figure: the five activities arranged as a cycle – 1. Gathering risk intelligence; 2. Cross-functional discussion; 3. Risk scoring and prioritization; 4. Risk response; 5. Reporting]
Operationalization of ERM functions
1. Gathering risk intelligence
• Most ERM programs begin with a ‘top down’ approach to gathering intelligence on risk
• Senior management takes the first cut at defining the risk universe, which is then refined through interaction with leaders of business units and corporate functions
• In some cases, intelligence about risks is harvested from IT systems, through review of ERP data – or even the outputs of continuous control monitoring
2. Cross-functional risk discussion
• Cross-functional risk forums are considered essential in most programs
• They bring together insights and inputs from across the business and therefore play a critical role in ensuring truly enterprise-wide engagement
• These forums are perceived to be a key component in infusing energy into an ERM program, and ensuring consistency
Operationalization of ERM functions
3. Risk scoring & prioritization
• Most programs incorporate ‘heat maps’ to support risk analysis, with axes representing the likelihood and severity of risks
• Some organizations have taken this further, to incorporate ‘effectiveness of mitigation’ or even ‘risk velocity’
• It is often impossible to compare ‘apples with apples’ – particularly when comparing strategic and operational risks, or existing and emerging risks
• The concept of Risk Capacity is not widely adopted in non-financial companies, but Risk Appetite (which is closely linked to corporate culture) is considered of far more relevance
• Some programs are defining tolerances for specific risks which can be used as the basis for business rules – creating a link between business strategy and operational planning
Operationalization of ERM functions
4. Risk response
• Essentially, the responses open to a company are to accept a risk; share it; mitigate it; or avoid it – but all can have serious implications
• A risk response may itself create another risk event elsewhere, through ‘risk correlation’ or the ‘law of unintended consequences’
5. Reporting
• Management and Boards must be kept fully informed of the outputs of ERM programs, but must also not become bogged down
• After the initial establishment of a program, Boards typically allow between 30 and 60 minutes per meeting for ERM discussion
• Periodic ‘deep dives’ into specific risk areas are commonly presented (often rotationally) to monthly or quarterly board meetings
• ERM Managers typically aim to report on the ‘top ten’ risks, but in practice this figure varies, depending on pragmatic assessment as to which risk factors merit board-level discussion
Open questions
Questions that require deeper exploration
The role of ERM
• What should be the ultimate role of the ERM function – should it be purely facilitative, or given greater ‘teeth’?
• If risk management is embedded in the role of executive management, and risk oversight is earmarked as the function of the Board, what implications does this have for the role of an ERM leader and his or her team?
• Should the ERM leader be a Chief Risk Officer with executive committee status?
Integration
• Should ERM be integrated with compliance and / or internal audit – or should a solution be found by which audit, compliance etc. continue to monitor risks and controls from an historical standpoint, while ERM remains focused on emerging risks?
Risk culture
• How can a ‘risk culture’ best be created within the organization?
• How can an appropriate balance be struck between responsibility and expectation on the one hand, and empowerment and engagement on the other?
• What infrastructure, tools and techniques are needed to ensure top-down AND bottom-up communication about risk?
Next steps
Engaging the FEI membership
As has been seen, the study leaves a number of questions open for discussion
We also hope that it will provoke debate around this critical issue, which in itself will prove valuable and interesting to FEI members
We are exploring options for further engagement with FEI membership to take forward the conversation we have started with this study. Ideas may include:
• Regional round table discussions in key ‘hub’ cities
• Webinars
• Discussions / presentations at CFRI or other FEI conferences
About BMR
Who we are
BMR was founded in October 2004 by a group of former Andersen and EY partners
We are now recognised as one of the top three tax firms in India* and the number one M&A service provider for the Indian market**
At the same time, we have established a global reputation for risk and process consulting, having delivered assignments in more than 40 countries
We have a strong track record, with most of our partners having worked together for 20+ years
We offer the high quality that clients expect from a major international firm, combined with a flexible approach that fosters innovation
For the second year, we are ranked among India’s top employers by the Great Place To Work® Institute
* Source: International Tax Review, 2009
** Source: Thomson Reuters, 2009
BMR At A Glance
Partners: 27
Headcount: 425 and growing steadily
Clients: 200+
Practice Areas: Tax & Regulatory; Mergers & Acquisitions; Risk & Advisory
Key Industries: Energy; Retail; Financial Services; Real Estate; Infrastructure; Technology; Media & Entertainment; Telecoms
Locations: Delhi; Mumbai; Bengaluru; Chennai; London; New York; Bahrain; Singapore
Unique model for outsourcing of risk functions
To our knowledge, BMR is the only firm offering a unique global business model for the outsourcing of risk-related functions
Outstanding quality
• Most BMR people – including all Partners and Directors – have a Big Four background
• We pride ourselves on the level of Partner / Manager engagement we devote to our client projects – far higher than is typical in the consulting sector
Reasonable cost
• Our clients benefit from massive cost arbitrage and generate savings of 60% or more relative to other approaches
• This is because our teams are based out of India and travel to global locations as required
Demonstrable track record
• We have worked extensively on global jobs, covering multiple teams, business units and countries
• Our specialist areas include ERM, Internal Audit, SOX, AML, Decision Analytics and BPM
Contact details

New Delhi
The Great Eastern Centre
70 Nehru Place
New Delhi 110 019
Tel: +91 11 3081 5000

Mumbai
The Contractor Building
41 RK Marg, Ballard Estate
Mumbai 400 001
Tel: +91 22 3021 7000

Bengaluru
Embassy Icon Annex
2/1 Infantry Road
Bengaluru 560 001
Tel: +91 80 4032 0000

Chennai
21 Sambandam Street
Mandaveli
Chennai 600 028
Tel: +91 44 24954783/84

London
Berkeley Square House
Berkeley Square
London W1J 6BD
Tel: +44 20 7849 6100

New York
100 Park Avenue
New York
NY 10017
Tel: +1 212 880 6462

Bahrain
32 Sabha Building
Diplomatic Area
Manama 317
Tel: +97 313 646676

Singapore
10 Anson Road
#09-24 International Plaza
079903 Singapore
Tel: +65 6408 8004

Santa Clara
3940 Freedom Circle
Santa Clara
CA 95054
Tel: +1 408 834 4699