MBA518

Heat Map

a tool that provides visualization of critical risk issues (maps likelihood vs. impact)

Portfolio of Risks

concentrations of risks affecting specific strategies or overlapping risks for the enterprise

Risk Of

Risk of actual strategy on existing business; what if really successful?

Velocity of Risk

speed of onset of risk, how quickly will the risk even occur?

changes in leadership, things in external environment change (laws and regulations), mergers and acquisitions

According to COSO ERM Framework, what might trigger changes to an organization's culture over time?

1. leadership in strategic performance 2. objective oversight of management

Board governance: governance over which two aspects of entity?

-S&P is now evaluating management and governance because they believe that management's ability to effectively manage risks is directly related to company's creditworthiness -management subfactors can have positive, neutral, or negative on score -governance subfactors can only have a negative or neutral effect because governance does not enhance creditworthiness -scores available: strong, satisfactory, fair, and weak -two subfactors directly relate to ERM capabilities -15 subfactors for public companies, 17 for insurance companies

Credit rating agencies might be a driver for rating agencies for an organization to embrace ERM. How?

-in the middle: internal environment 1. core business drivers and strategic initiatives 2. risk identification 3. risk assessment 4. risk response 5. communication and monitoring

Describe the picture of the generic ERM process (ties to components of ERM)

JetBlue angered many customers by promising a flight even though there was an ice storm, and many sat on a hot plane for hours on end just to have their flight cancelled because pilots and attendants couldn't get to the airport

Describe what happened at JetBlue

Put in place to have an idea of the external factors that affect your company and risks; Political - government intervention, Economic - GDP growth, Social - demographics, Technological - rate of technological changes or disruptions, Legal - laws and regulations, Environmental - climate change

Describe what is meant by PESTLE and what are the key elements?

-for larger financial institutions (total assets > $10B) -establish separate risk committees at board level -risk committee will be: held responsible for risk oversight, required to include independent directors, and required to include risk management expert

Dodd-Frank Act may have requirements related to risk oversight. For who and what?

All entities, including nonprofits; all risk included, especially those relating to strategy

For what types of entities does the COSO ERM framework apply to and what types of risk are the focus of ERM?

informs the organization on risks associated with alternative strategies considered and adopted strategy

How does ERM help inform an entity's strategy?

aggressive targets may be more risky, but conservative targets may result in business objectives not being met

How does the setting of performance targets affect the entity's risk profile?

1. Board engagement 2. CEO support of ERM 3. commitment to core values 4. involvement in strategic leadership 5. risk transparency 6. risk ownership accountabilities 7. education and awareness 8. resources and defined processes

How is culture influencing risk management?

if risk adverse, need to set conservative strategies and vice versa

How might an organization's risk appetite inform strategy setting?

may not be how you're behaving, could be embracing values or mission; don't align with risk appetite

How might link to mission, vision, and care values?

-communication breakdown -subcultures

How might number of layers of management impact risk culture?

senior management - lead process, set tone business unit leaders - more focused on core operations but still risk owners

How might roles of senior management in ERM differ from the role of business unit leaders in ERM?

1. anticipate risks earlier or more explicitly 2. identify and pursue existing and new opportunities 3. respond to deviations in performance more quickly and consistently 4. improve collaboration, trust, and information sharing across the entity

How might the integration of ERM with business processes add value?

- should not be stated as a fact (include "which may") -should not be too general -there is a risk that (fact).... which may (impact)....

How should you word a risk issue?

-impact on customer satisfaction -extent of media coverage

In addition to defining risk impact based on financial impact, what are some other dimensions that management should consider when developing scales to assess risk impact?

increases - more time for more things to go wrong

Range of uncertainty in strategies increases or decreases with time?

the aggregate amount of risk associated with different levels of performance; the higher the performance level, the higher the aggregate risks

The COSO ERM Framework discusses the relationship of risk and performance (risk profile); when organizations consider different performance possibilities as they evaluate alternative strategies, how might that impact the organization's risk profile?

The audit committee and CEO (who reports to full board)

To whom should CRO report?

-Management is in charge of risk assessment and risk management policies and how to manage risks, report to audit committee -audit committee is responsible for discussing guidelines and policies to govern process of risk -Committee should discuss major financial risks and steps management has taken to manage these risks -can delegate this to other committees, but audit committee should still review guidelines set in place by other bodies

What are the main requirements of NYSE Corporate Governance Rules?

1. understand and approve management's process for managing risks (discuss risk management philosophy, approve risk management practices) 2. understand and approve the types of risks identified by management's process (review risks relative to risk appetite, apprised of risks and related responses)

What are two primary responsibilities of the board of directors in ERM?

-the process got people more conversant about risk -the process led to the creation of risk ambassadors -the process can be duplicated for recently acquired companies

What benefits can be realized using risk workshops?

1. What must go right? 2. What big assumptions are we making?

What two broad questions would you want management to think about in regards to core business drivers and strategic initiatives before you have management think about risks?

1. supplier power 2. buyer power 3. competitive rivalry 4. threat of new entrants 5. threat of substitutes Measures competition!

What are Porter's Five Forces?

-siloed approach -scheduling -don't hear others views - only one perspective

What are disadvantages of interviews?

-not seen as leader -doesn't report to board -managing risk is not seen as everyone's job or people don't understand why they're talking about risks -people think about risks just in conjunction with compliance

What are elements of ineffective CRO positioning?

more implicit values, personal relationships, how it really works, grapevine, intangible

What are internal attributes and how might they impact culture?

Things regarding culture that are physical and accessible to the employees such as a policy handbook, code of conduct, performance reviews, layout of office, mission statements

What are physical mechanisms that drive culture? Examples?

questionnaires, surveys, interviews, workshops, data tracking, cognitive computing

What are some common approaches entities use to engage management in a risk identification process?

-What is our desired credit rating? -How much earnings volatility are we willing to accept? -Are there specific risks we are not willing to accept? -To what extent are we willing to expand our product, customer, or geographic coverage?

What are some examples of questions we might ask to determine our risk appetite?

1. Risks managed in silos 2. some risks fall between silos and are missed 3. some risks are in multiple silos, so each tries to come up with own strategy to mitigate risk, but it may negatively effect another silo or result in duplication of responses 4. Not connected to strategy 5. focused too much on internal risks only

What are some pitfalls to the traditional approach to risk management?

-interviews: questions should be open ended, ask focused questions (look at core business drivers and strategic initiatives) -workshops: should be facilitated by ERM staff, bottom-up view, free exchange of ideas/concerns, speedy, not siloed -Stress tests: focus on small sets of critical variables (can change all variables), assumptions embedded in model -scenario planning: what if this scenario happened? Focus is long run -war-gaming: assess vulnerabilities to competitors' strategies. How can competitors beat us? -pre-mortem analysis: forecast bad event then try to figure out what most likely happened

What are some techniques that could be used to prompt management to think about risks?

1. governance and culture 2. strategy and objective-setting 3. performance 4. review and revision 5. information, communicating, and reporting

What are the components related to the new COSO ERM Framework?

1. accelerating urbanization - people moving to cities 2. climate change and resource scarcity - extreme weather 3. demographic shifts - aging population 4. shift in global economic power - BRIC countries, growth in middle class 5. technological breakthroughs - effects on consumer expectations

What are the five megatrends identified by PWC?

1. it's a process 2. effected by management and by board of directors 3. connected to strategy 4. enterprise focused 5. in an effort to identify risks AND opportunities and manage these risks 6. in connection with risk appetite

What are the key elements of the ERM definition?

Core business drivers and new strategies --> risks and opportunities ---> missed opportunities and increase shareholder value

What are the key elements of the picture with the lightening bolt?

provide guidance for how to develop ERM practices, they are principles-based so you can easily fit it to your company culture

What role do frameworks serve in risk management?

-SWOT -Porter's Five Forces -PESTLE

What techniques can be used to analyze business context?

-"Penn State way" -board did not ask questions, let the president do what he wanted and trusted his judgment -athletics ruled -no accountability for management -create risk compliance committee -management should report significant risks at every board meeting -create standard set of core values -emphasis on openness and transparency at all levels to the public -risk management and IA should report to the board

What cultural factors led to the crisis and what could be done to avoid those situations in other organizations?

global executives views on risks 1. inequality and polarization 2. environmental risks - extreme weather 3. technology is interconnecting risks

What did Davos say were some of the economic trends stated in the World Economic Forum?

risks for which there was no reasonable expectation that the organization would consider during risk identification, doesn't make them unknowable; future actions by competitors are unknown

What do they mean by unknown risks? Give example

What: Mission statement and goals How: strategic initiatives ; risk management is mostly focused on how given that is where risks are most likely to occur

What do we mean by the what vs the how?

not just a department within an entity; culture, practices, and capabilities are integrated throughout the entity; integrated with strategy

What doe they mean by integrating ERM in the business? What's the main point?

We are not risk neutral, a response to a loss tends to be more extreme than a response to gain - tendency to misinterpret probabilities

What does Prospect Theory tell us about our ability to think about a risk probability?

if upper level management is in the room, use clickers or anonymous technology

What factors might prevent individuals from being candid in making comments at a risk workshop? What are some ways to mitigate this?

Risk To

What internal or external events might prevent what must go right for strategy to be successful? What would keep strategy from working?

-internal: strengths and weaknesses -external: opportunities and threats

What is a SWOT analysis?

1. establish right culture and leadership tone 2. design and implementation of ERM 3. Manage risks identified in ERM

What is management's role in risk management?

-compensation: must assess the impact of compensation incentives for all employees on risk assessment and risk management process; disclose risks that are reasonably likely to have a material adverse effect on the company -Must disclose the role of the BOD in the company's risk oversight process in the proxy and information statements -gives suggestions: whether the person who assess and manages risk reports directly to board or committee, how the board monitors and oversees risk management

What is required of public companies by the SEC in regards to risk management?

risk appetite on a spectrum; risk adverse, risk neutral, risk aggressive

What is the culture spectrum?

Already known risks, want you to know about unknown by knowable risks; can't know unknown unknowable risks but can be in a better position for when these things occur

What is the current focus on and what does ERM help you start thinking about?

to enhance shareholder value

What is the goal of ERM?

Mission, vision, and core values --> strategy, business objectives, and performance (risk to strategy and performance, implication from strategy chosen, possibility of strategy not aligning) --> enhanced performance

What is the new "cube" of the revised COSO Framework?

mission and vision and core values provides insight as to what the company wants to do; a company that understands mission and vision can set strategies that will yield desired risk profile; can be misaligned if you take on too much risk than what your mission and vision indicate

What is the relationship between mission/vision/core values and strategy?

The president changed JCP's strategy by including more quality products at higher prices, but people shot at JCP because it s a discount store; did not communicate discounts or promotions, which led to decreased sales

What led to the firing of the president of JCP?

-skewed/biased information from management, or management withholds info -multiple stakeholder needs -disagreement on board -this isn't their full-time job -may not know industry

What makes board oversight hard?

-no reliance on stand-alone assessment program -everyone is a risk manager -culture: encouraging people to escalate issues without fear or retribution -capabilities: management is able to make decisions that are appropriate give its appetite

What might be some signs that ERM practices are fully integrated?

benefits of using resources exceeds costs of those inputs; risk opportunities vs. bad risks

What must happen for value to be created?

for insurance companies; issue ORSA report: -at least annually assess adequacy of risk management framework -document the process and results of assessment -provide summary report to state insurance regulator

What types of organizations are affected by ORSA? And what is it?

Mylan's EpiPen is increasing in price significantly and many can't afford it, even though it is a lifesaving drug

What was the controversy surrounding Mylan?

Wells Fargo had a culture of "sell or be fired" which caused many employees to create fake accounts for customers. Then management blamed the employees even though management created the culture, not the employees; had unrealistic sales quotas, encouragement of unethical actions to meet these quotas

What was the primary risk event that triggered all the negative publicity for Wells Fargo?

Strategy then business objectives; business objectives are supposed to be aligned with strategy and are more specific and measurable

Which comes first, business objectives or strategy. Why?

BOD, management, and other personnel

Who are examples of internal stakeholders?

Management and executives; board oversight - evaluates ERM practices

Who is responsible for design and implementation of ERM?

to aggregate risks and think about risks at an enterprise level and in congruence with strategy, more like consultant, does not own risk

Why consider having a CRO?

A strategy with a large number of assumptions that are unproven can result in a higher risk profile; the propensity for assumptions to change

Why is it important to consider the types and number of assumptions associated with a given strategy? When evaluating assumptions, what should management think about?

Culture

attitudes, beliefs, values, how you behave, tone at the top

Risk Appetite

defining levels of risk you are willing to accept in the pursuit of shareholder value

Rush to Solve Tendency

immediately want to solve problem by making too quick of a judgment

Anchoring Tendency

make assessments by starting from a initial numerical value and then to adjust insufficiently away from the initial value in forming a final judgment

Key Risk Indicator

metrics that provide an early signal of increasing risk exposure in various areas of the organization

Availability Tendency

only consider information easily retrievable from memory as being more likely, relevant, and important

Halo/Liking Tendency

overall impression of a person affects ability to objectively evaluate information when making judgment or decision

Overconfidence Tendency

overestimate own abilities to perform tasks or to make accurate diagnoses or other judgments and decisions

Strategy

refers to an organization's plan to achieve its mission, vision, and to apply its core values

Confirmation Tendency

seek for and put more weight on information that is consistent with initial beliefs or preferences

Vision

the entity's aspirations for its future state or what the organization aims to achieve over time

Core Values

the entity's beliefs and ideals about what is good or bad, acceptable or unacceptable, which influence the behavior of the organization

Mission

the entity's core purpose, which establishes what it wants to accomplish and why it exists

Risk Capacity

the maximum potential impact of a risk event that the firm could withstand and remain a going concern

Core Business Drivers

things that already successfully drive value