Enterprise Risk Management
Framework for establishing industry requirements and priorities

Andreas Vogel
September 13th, 2006
SAP CONFIDENTIAL
Framework for Discussion

This is a strawman proposal which summarizes some thinking and brainstorming.

Next steps:
- Team discussion and refinement
- Framework for discussion with ISMs and IBUs
- Framework for discussion with partners, analysts, customers

The goal is to create a product strategy which optimizes between market requirements and SAP development capabilities.

© SAP AG 2006, Enterprise Risk Management – Andreas Vogel / 1
Train of Thought (for non-audio consumption)

Risk Management Processes
- Identifying the key processes and process steps within
- Classify steps by generic vs. specific to a risk class
- Modeling and monitoring are risk class specific

Risk Monitoring
- Identify a list of risk classes, the corresponding key risk identifiers, and the industries where they apply (some are generic)

Risk Modeling
- Understand pre-requisites for quantitative modeling
- Identify techniques
- Identify industries which satisfy pre-requisites
- Understand approach to solution for qualitative modeling and analysis

Value drivers in key industries
- ERM value pyramid
- Used banking as an example to identify key value drivers within the ERM process
- Provide similar analysis for other key industries
Managing Enterprise Risk – Processes View

Strategic Planning (periodically)
- Setting Risk Appetite

Risk Identification and Assessment (periodically)
- Risk Identification: surveys, workshops, review
- Risk Registration: risk database (description, owners, etc.)
- Risk Assessment: qualitative, quantitative
- Models/Simulation: VaR, Monte Carlo, etc.
- Response Strategy: to hazards; actions to change frequency and impact

Risk Monitoring (continuously)
- Monitoring: risk indicators

Each step is classified as either generic or specific to a risk class.
Monitoring of Key Risk Indicators – Industry Specific

Risk class: Supply chain risk
  Risk indicators: health of suppliers; delay in logistics; capacity (supplier, warehouses)
  Source system: Supply Chain Management systems
  Applicable industries: Manufacturing; High-Tech; Construction and Engineering

Risk class: Environmental, Health & Safety
  Risk indicators: accidents / incidents; inspection reports; access violations; certifications
  Source systems: SAP EH&S; physical access systems; HCM
  Applicable industries: Mining; Oil & Gas; Bio-tech; Utilities (Nuclear Power); Public sector

Risk class: Project management
  Risk indicator: project status (delays, critical milestones, etc.)
  Source systems: xRPM, ERP/PS, Microsoft Project
  Applicable industries: Manufacturing (Automotive, Aerospace, ...); High-Tech; Construction and Engineering; Professional Services

Risk class: Intellectual property
  Risk indicator: patent portfolio
  Source system: external (patent office, etc.)
  Applicable industries: High-tech; Pharma

Risk class: Government (FDA, etc.) approval
  Risk indicator: approval process
  Source system: external
  Applicable industries: Pharma; Utilities (Nuclear); Mining
Risk Monitoring of Key Risk Indicators – Generic

Risk class: IT
  Risk indicators: atypical network traffic; password probing; …
  Source systems: OpenView, Tivoli, Symantec, Cisco, etc.
  Applicable industries: generic

Risk class: HR
  Risk indicators: turn-over; key people succession planning; unions contracts; harassment and discrimination
  Source system: ERP / HR
  Applicable industries: generic

Risk class: Corporate governance
  Risk indicator: accounting irregularities
  Source systems: ERP – Financials, BW
  Applicable industries: generic

Risk class: Big-ticket sales
  Risk indicator: deals over threshold
  Source system: CRM
  Applicable industries: generic
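The IT row of this table in runnable form, as an added example that is not SAP code: a monitor that evaluates the two listed indicators, password probing and atypical network traffic, over a constructed event feed. The event shape, the source-system names in the records and the thresholds are assumptions.

```python
"""KRI monitor for the slide's generic IT risk class: 'password probing' and
'atypical network traffic'. Added example, not SAP code; the event feed,
source-system names and thresholds below are constructed assumptions."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed feed: (source_system, event_type, subject, value). A real feed
# would come from the slide's source systems (OpenView, Tivoli, Symantec,
# Cisco, ...); these records are hand-written for illustration.
FAILED_LOGIN_SOURCES = ["10.0.0.5"] * 6 + ["10.0.0.9"] * 2
BYTES_OUT = {"host-a": [1000, 1100, 900, 1000, 9000],   # oldest first, last = now
             "host-b": [500, 520, 480, 500, 510]}
EVENTS = ([("symantec", "login_failed", ip, 1) for ip in FAILED_LOGIN_SOURCES] +
          [("cisco", "bytes_out", h, v) for h, vs in BYTES_OUT.items() for v in vs])

# Assumed KRI thresholds; in the slide's process they come out of the risk
# register and the risk appetite set during strategic planning.
PROBE_THRESHOLD = 5   # failed logins from one source before the KRI fires
TRAFFIC_SIGMA = 3.0   # current bytes_out this many std devs above baseline
MIN_BASELINE = 3      # periods of history needed before a host is judged

def password_probing(events, threshold=PROBE_THRESHOLD):
    """Sources whose failed-login count reaches the threshold."""
    fails = Counter(s for _, kind, s, _ in events if kind == "login_failed")
    return {src: n for src, n in fails.items() if n >= threshold}

def atypical_traffic(events, sigma=TRAFFIC_SIGMA, min_baseline=MIN_BASELINE):
    """Hosts whose latest bytes_out sits far above their own history (z-score)."""
    history = defaultdict(list)
    for _, kind, host, value in events:
        if kind == "bytes_out":
            history[host].append(value)
    flagged = {}
    for host, series in history.items():
        baseline, latest = series[:-1], series[-1]
        if len(baseline) < min_baseline:
            continue                      # no usable baseline yet: stay silent
        mu, sd = mean(baseline), pstdev(baseline)
        # A flat baseline (sd == 0) makes any increase infinitely atypical.
        z = (latest - mu) / sd if sd else (float("inf") if latest > mu else 0.0)
        if z > sigma:
            flagged[host] = round(z, 1)
    return flagged

def kri_report(events):
    """Rows in the table's shape: (risk class, risk indicator, subject, detail)."""
    rows = [("IT", "Password probing", s, f"{n} failed logins")
            for s, n in password_probing(events).items()]
    rows += [("IT", "Atypical network traffic", h, f"z-score {z}")
             for h, z in atypical_traffic(events).items()]
    return rows

if __name__ == "__main__":
    for row in kri_report(EVENTS):
        print(*row, sep=" | ")
```

With the constructed feed, 10.0.0.5 trips the probing indicator and host-a trips the traffic indicator, while host-b and 10.0.0.9 stay below their thresholds.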
Risk Modeling and Simulation
What could be done outside the financial services industry?

Prerequisites for Quantitative Modeling
- Statistically relevant historical data samples, e.g.
  - Stock market data
  - Accident statistics of thousands of employees over years
  - Historical demand data
- Applicable modeling and simulation technique, e.g.
  - Value at Risk
  - Monte Carlo Simulation

Prerequisites available: apply quantitative modeling and simulation techniques
- Banking
- Insurance
Are there other industries where quantitative modeling can be applied?

Prerequisites not available: apply qualitative techniques
- What-if scenario analysis
What would tools for scenario analysis look like?
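The gate this slide describes, as an added example that is not SAP code: check whether enough history exists, apply Value at Risk (historical and Monte Carlo) when it does, and fall back to a what-if scenario table when it does not. The sample-size floor, the P&L series, the exposure and the scenario shocks are assumptions.

```python
"""Decision gate from the slide: with statistically relevant history, apply a
quantitative technique (Value at Risk, historical or Monte Carlo); without it,
fall back to qualitative what-if scenarios. Added example, not SAP code; the
sample-size floor, P&L series, exposure and scenario shocks are assumptions."""
import random

MIN_SAMPLES = 250  # assumed floor for 'statistically relevant' (~ one trading year)

def historical_var(pnl, confidence_pct=95):
    """Historical-simulation VaR: the loss not exceeded in confidence_pct
    percent of past periods, read off the sorted empirical losses."""
    if not pnl:
        raise ValueError("VaR needs at least one observation")
    losses = sorted(-x for x in pnl)                 # losses as positive numbers
    k = (confidence_pct * len(losses) + 99) // 100   # integer ceil(p * n)
    return losses[k - 1]

def monte_carlo_var(mu, sigma, confidence_pct=95, draws=20000, seed=1):
    """Monte Carlo VaR: simulate P&L from a fitted distribution (normal here,
    an assumption) and take the same quantile of the simulated losses."""
    rng = random.Random(seed)
    return historical_var([rng.gauss(mu, sigma) for _ in range(draws)], confidence_pct)

def what_if_scenarios(exposure, scenarios):
    """Qualitative fallback: loss under each named shock (fraction of exposure)."""
    return {name: exposure * shock for name, shock in scenarios.items()}

def assess(pnl, exposure, scenarios, confidence_pct=95, min_samples=MIN_SAMPLES):
    """Route one risk to quantitative or qualitative treatment as the slide does."""
    if len(pnl) >= min_samples:
        return {"technique": "quantitative", "method": "historical VaR",
                "confidence_pct": confidence_pct,
                "var": historical_var(pnl, confidence_pct)}
    return {"technique": "qualitative", "method": "what-if scenario analysis",
            "samples": len(pnl), "scenarios": what_if_scenarios(exposure, scenarios)}

# Constructed inputs: a 300-day P&L series cycling through -50k..+49k (its 95%
# loss quantile is exactly 45k), a 12-day series too short to model, and an
# assumed exposure with an assumed shock table for the qualitative fallback.
DAILY_PNL = [((i % 100) - 50) * 1000 for i in range(300)]
SHORT_PNL = DAILY_PNL[:12]
EXPOSURE = 2_000_000
SCENARIOS = {"key supplier outage (assumed)": 0.10, "regulatory fine (assumed)": 0.05}

if __name__ == "__main__":
    print(assess(DAILY_PNL, EXPOSURE, SCENARIOS))
    print(assess(SHORT_PNL, EXPOSURE, SCENARIOS))
    print("Monte Carlo 95% VaR for N(0, 1):", round(monte_carlo_var(0.0, 1.0), 2))
```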
ERM Value Pyramid

ERM is core business (Banking, Insurance)
- ERM is core value driver
- Companies have sophisticated tools, processes and org structures in place
- Budget available
- Requirements too sophisticated for current SAP offering

ERM is key to business (Mining, Oil & Gas, Pharma / Biotech, Aerospace and Defense, Utilities)
- Failure to address certain classes of risk can put companies out of business
- Often regulated industries
- Budget available
- Some processes and org structures in place
- Sweet spot for SAP ERM: do we have agreement on what the sweet spot is and why? Need to review the selected industries in this bucket with IBUs

ERM is important to business (remaining industries)
- Failure to address certain classes could have major impact on business
- Processes and org structures rudimentary
- No $$$
ERM Value Pyramid based on Deloitte Input

ERM is core business (Banking, Insurance)
- ERM is core value driver
- Companies have sophisticated tools, processes and org structures in place
- Budget available

ERM is key to business (Pharma, Utilities / Energy, Oil & Gas / Mining, selected manufacturing (large and complex))
- Failure to address certain classes of risk can put companies out of business
- Often regulated industries
- Budget available
- Some processes and org structures in place

ERM is important to business (Public sector, Healthcare, Telco, Retail)
- Failure to address certain classes could have major impact on business
- Processes and org structures rudimentary
- May have very specific risks requiring special solutions
Value Drivers in Financial Services
Can we make a similar assessment for other industries?

Strategic Planning (periodically)
- Setting Risk Appetite

Risk Identification and Assessment (periodically)
- Risk Identification: surveys, workshops, review
- Risk Registration: risk database (description, owners, etc.)
- Risk Assessment: qualitative, quantitative
- Models/Simulation: VaR, Monte Carlo, etc.
- Response Strategy: to hazards; actions to change frequency and impact; investment decisions

Risk Monitoring (continuously)
- Monitoring: risk indicators
Case Studies and Customer Interviews I

Chase Manhattan [1] – Financial Services
Requirements / Practices
- Risk identification: well understood in finance
- Risk assessment: self-assessment scorecards
- Modeling / Simulation: Value at Risk (VAR); stress testing
Maturity
- Organizationally: Vice Chairman; Chief Risk Officer; highly organized committee structure
- Process: integrated core business processes

du Pont [1] – Chemical
Requirements / Practices
- Risk identification
- Risk assessment: no risk maps
- Modeling / Simulation: Earnings at Risk (EAR); worst case scenario probabilities; risk profiles
Maturity
- Organizationally: CEO, CFO, Treasurer are key risk managers; risk management committee (incl. CFO)
- Process: risk management integrated in operational process

Microsoft [1] – High-Tech
Requirements / Practices
- Risk identification: face-to-face between risk managers and business managers; scenario analysis
- Risk assessment: risk maps (frequency); risk measurements; not everything is measurable
- Modeling / Simulation: Value at Risk (VAR)
Maturity
- Organizationally: Treasurer and "Risk Champion"; risk management group
- Process: risk managers partners to business
- Systems: Gibraltar – Treasury Information System; Intranet – risk related info

[1] Excerpt from Barton et al., "Making Enterprise Risk Management Pay Off", FEI Research Foundation, 2002
Case Studies and Customer Interviews II

United Grain Growers [1] – Agriculture
Requirements / Practices
- Risk identification: brainstorming sessions with senior management
- Risk assessment: by management incl. prioritization
- Risk measurements: technology and regulatory risk cannot be quantified
- Modeling / Simulation: gain/loss probability curve; risk impact on earnings
Maturity
- Organizationally: CEO, CFO main driver; Treasurer, internal audit, corporate risk manager; risk management committee (incl. CFO)
- Process: senior management buy-in; cross-silo integration

Unocal (now part of Chevron) [1] – Oil & Gas
Requirements / Practices
- Risk identification: risk identification/assessment within business units; industry specific risks: incidents, hedging prices, political risk, technical (deepwater drilling), etc.; audit department created risk profiles; questionnaire (800 questions)
- Risk assessment: risk peer reviews; Risk Matrix Status Board
- Modeling / Simulation: scenario analysis; quantitative unknown
Maturity
- Organizationally: driven by Internal Audit and Health, Environment and Safety departments
- Process: risk management is integrated into line management

[1] Excerpt from Barton et al., "Making Enterprise Risk Management Pay Off", FEI Research Foundation, 2002
Case Studies and Customer Interviews III

First Energy [2] – Utility
Requirements / Practices
- Risk identification: workshops with cross-functional teams; additionally root cause analysis of risks
- Risk assessment: fully integrated with lines of business; risk prioritization based on shareholder impact; quantitative assessment for selected risks, e.g. lead to earnings insurance; earnings at risk
- Modeling / Simulation: electricity book; stress testing; Monte Carlo
Maturity
- Organizationally: Chief Risk Officer; ERM Department
- Process: moved from silo to integrated risk management
- Systems: Desk Manual

Canada Post [2] – Automotive
Requirements / Practices
- Risk identification: survey; workshops with cross-functional teams
- Risk assessment: use risk framework for categorizing events; risk maps; control effectiveness in control framework
- Risk measurements: focus on qualitative assessments
- Modeling / Simulation: n/a
Maturity
- Organizationally: driven by internal auditing
- Process: developed Dynamic Assessment of Risk and Enablers (DARE); "perfected" risk framework
- Systems: Resolver Ballot

[2] Excerpt from Paul et al., "Enterprise Risk Management: Pulling it all together", The Institute of Auditors Research Foundation, 2002
Case Studies and Customer Interviews IV

Wal-Mart [2] – Chemical
Requirements / Practices
- Risk identification: workshop with cross-functional teams
- Risk assessment: risk map
- Modeling / Simulation: n/a
Maturity
- Organizationally: driven by internal audit; ERM team in place
- Process: moved from silo to integrated risk management, embedded into core business processes; workshops; scorecards; monitoring actions plans; Resolver Ballot

General Motors [2] – High-Tech
Requirements / Practices
- Risk identification: Objective Risk Management – identify risks within business unit to business strategy
- Risk assessment: use risk framework for categorizing events (Business Risk Management – strategic, operational and process risks)
- Risk measurements: focus on qualitative assessment
- Modeling / Simulation: n/a
Maturity
- Organizationally: driven by GM Audit Services (GMAS)
- Process: workshops; process risk management embedded in all key processes
- Systems: Option Finder; home-grown risk assessment tools; on-line risk repository

[2] Excerpt from Paul et al., "Enterprise Risk Management: Pulling it all together", The Institute of Auditors Research Foundation, 2002
Southern Company [3]

Profile
- Company: Southern Company
- Contact: Silvia King, Manager Strategic Finance and Enterprise Risk, smking@southerco.com
- Industry: Utility
- Location: Atlanta, GA
- Date: 1/12
- Software: Microsoft Excel & PPT; Decisioneering Crystal Ball (for modeling and Monte Carlo simulations)
- Follow-up: interested

Key Take-aways
Risk management at Southern Co
- Organizational structure: ERM within Finance
- Total 150 – 200 risks being managed, 7-10 per business unit
End-goal
- Risk-adjusted financial plans
- Financial reporting incl. risk
Critical success factors in ERM
- Balancing and integrating facilitation and collaboration, and statistical methods
- Common dictionary for consistent definition across the organization
On software solutions
- Risk map is a must-have, but needs excellent graphics to be useful
- Ranking must always be relative; absolute numbers don't make sense
- Tools for documenting processes and controls to deal with risk
- Linking risks with corresponding actions
- Linking to accountability and strategic goals
On success factors for selling software solutions
- Need to sell top down: CEO, CFO, directors
- Need to get acceptance by accounting firms and rating agencies

[3] Phone interview by Andreas in 2005/2006
Bombardier [3]

Profile
- Company: Bombardier
- Contact: Bindesh Rach, Director Enterprise Risk Management, bindesh.rach@bombardier.com
- Industry: Manufacturing
- Location: Montreal, Quebec, Canada
- Date: 1/17
- Software: home-grown
- Follow-up: interest in design partnership

Key Take-aways
On existing software solutions (Methodware, Paisley)
- Methodology needs to drive tools and not the other way around
- Many organizations are not yet ready for sophisticated tools
On their in-house software solution
- Risk register: database of identified risks, root cause, properties, potential impact, risk and mitigation owner, etc.
- 3-dimensional analytical tool, enables managers on each hierarchy level to drill into the risk dimensions:
  - External and internal environment
  - Relationship to four objectives: strategy, compliance, reporting and operation
  - Hierarchy level
On risk definition
- Identify root cause for risk
- Quantify wherever possible, $ value or other key risk indicators
- Risk owner, mitigation owner
- Tolerance, i.e. risk appetite (they have given up on business due to high risk and invested in risk with low risk)
On Bombardier process
- Bindesh's team owns methodology, system and knowledge transfer, acts as mentor and facilitator; actual risk management done by line management
- Identification of risk, ownership, tolerance and key risk indicator
- Classification in 46 risk categories
- Mitigation plan (with owner)
- Monitoring and reporting, connection to strategic planning (all PPT)
- Use of value-at-risk, Monte Carlo, etc. left to business units

[3] Phone interview by Andreas in 2005/2006
Hydro One [3]

Profile
- Company: Hydro One
- Contact: John Fraser, Chief Risk Officer, johm.fraser@hydroone.com
- Industry: Utility
- Location: Toronto, Ontario, Canada
- Date: 1/16
- Software: Resolver, Methodware, Paisley
- Follow-up: interested

Key Take-aways
On existing software solutions (Resolver, Methodware, Paisley)
- Use Resolver for identification
- Methodware as risk register
- Paisley for process risk / management of controls / SOX
- Tools considered sufficient; need for an integrated tool acknowledged, but cost factor of software solutions stressed
On integrated approach
- Stresses strong ties to strategic planning tools and associated tools
On monitoring and alerting
- Sees close relationship to performance management; needs to be viewed and interpreted from a risk perspective
On Hydro One process
- Key consideration is the cost factor: which risks are worthwhile to be managed?
On Andreas' framework
- Validates framework

[3] Phone interview by Andreas in 2005/2006