MBA518
Heat Map
a tool that provides visualization of critical risk issues (maps likelihood vs. impact)
Portfolio of Risks
concentrations of risks affecting specific strategies or overlapping risks for the enterprise
Risk Of
Risk of the chosen strategy on the existing business; what if it is really successful?
Velocity of Risk
speed of onset of risk, how quickly will the risk even occur?
changes in leadership, things in external environment change (laws and regulations), mergers and acquisitions
According to COSO ERM Framework, what might trigger changes to an organization's culture over time?
1. leadership in strategic performance 2. objective oversight of management
Board governance: governance over which two aspects of entity?
-S&P is now evaluating management and governance because they believe that management's ability to effectively manage risks is directly related to the company's creditworthiness -management subfactors can have a positive, neutral, or negative effect on the score -governance subfactors can only have a negative or neutral effect because governance does not enhance creditworthiness -scores available: strong, satisfactory, fair, and weak -two subfactors directly relate to ERM capabilities -15 subfactors for public companies, 17 for insurance companies
Credit rating agencies might be a driver for an organization to embrace ERM. How?
-in the middle: internal environment 1. core business drivers and strategic initiatives 2. risk identification 3. risk assessment 4. risk response 5. communication and monitoring
Describe the picture of the generic ERM process (ties to components of ERM)
JetBlue angered many customers by promising a flight even though there was an ice storm, and many sat on a hot plane for hours on end just to have their flight cancelled because pilots and attendants couldn't get to the airport
Describe what happened at JetBlue
Put in place to have an idea of the external factors that affect your company and risks; Political - government intervention, Economic - GDP growth, Social - demographics, Technological - rate of technological changes or disruptions, Legal - laws and regulations, Environmental - climate change
Describe what is meant by PESTLE and what are the key elements?
-for larger financial institutions (total assets > $10B) -establish separate risk committees at board level -risk committee will be: held responsible for risk oversight, required to include independent directors, and required to include risk management expert
Dodd-Frank Act may have requirements related to risk oversight. For whom and what?
All entities, including nonprofits; all risk included, especially those relating to strategy
To what types of entities does the COSO ERM framework apply, and what types of risk are the focus of ERM?
informs the organization on risks associated with alternative strategies considered and adopted strategy
How does ERM help inform an entity's strategy?
aggressive targets may be more risky, but conservative targets may result in business objectives not being met
How does the setting of performance targets affect the entity's risk profile?
1. Board engagement 2. CEO support of ERM 3. commitment to core values 4. involvement in strategic leadership 5. risk transparency 6. risk ownership accountabilities 7. education and awareness 8. resources and defined processes
How is culture influencing risk management?
if risk averse, need to set conservative strategies and vice versa
How might an organization's risk appetite inform strategy setting?
stated values or mission may not be how you're actually behaving; they may not align with risk appetite
How might culture link to mission, vision, and core values?
-communication breakdown -subcultures
How might number of layers of management impact risk culture?
senior management - lead process, set tone; business unit leaders - more focused on core operations but still risk owners
How might roles of senior management in ERM differ from the role of business unit leaders in ERM?
1. anticipate risks earlier or more explicitly 2. identify and pursue existing and new opportunities 3. respond to deviations in performance more quickly and consistently 4. improve collaboration, trust, and information sharing across the entity
How might the integration of ERM with business processes add value?
-should not be stated as a fact (include "which may") -should not be too general -there is a risk that (fact)... which may (impact)...
How should you word a risk issue?
-impact on customer satisfaction -extent of media coverage
In addition to defining risk impact based on financial impact, what are some other dimensions that management should consider when developing scales to assess risk impact?
increases - more time for more things to go wrong
Range of uncertainty in strategies increases or decreases with time?
the aggregate amount of risk associated with different levels of performance; the higher the performance level, the higher the aggregate risks
The COSO ERM Framework discusses the relationship of risk and performance (risk profile); when organizations consider different performance possibilities as they evaluate alternative strategies, how might that impact the organization's risk profile?
The audit committee and CEO (who reports to full board)
To whom should CRO report?
-Management is in charge of risk assessment and risk management policies and how to manage risks, report to audit committee -audit committee is responsible for discussing guidelines and policies to govern process of risk -Committee should discuss major financial risks and steps management has taken to manage these risks -can delegate this to other committees, but audit committee should still review guidelines set in place by other bodies
What are the main requirements of NYSE Corporate Governance Rules?
1. understand and approve management's process for managing risks (discuss risk management philosophy, approve risk management practices) 2. understand and approve the types of risks identified by management's process (review risks relative to risk appetite, apprised of risks and related responses)
What are two primary responsibilities of the board of directors in ERM?
-the process got people more conversant about risk -the process led to the creation of risk ambassadors -the process can be duplicated for recently acquired companies
What benefits can be realized using risk workshops?
1. What must go right? 2. What big assumptions are we making?
What two broad questions would you want management to think about in regards to core business drivers and strategic initiatives before you have management think about risks?
1. supplier power 2. buyer power 3. competitive rivalry 4. threat of new entrants 5. threat of substitutes Measures competition!
What are Porter's Five Forces?
-siloed approach -scheduling -don't hear others views - only one perspective
What are disadvantages of interviews?
-not seen as leader -doesn't report to board -managing risk is not seen as everyone's job or people don't understand why they're talking about risks -people think about risks just in conjunction with compliance
What are elements of ineffective CRO positioning?
more implicit values, personal relationships, how it really works, grapevine, intangible
What are internal attributes and how might they impact culture?
Things regarding culture that are physical and accessible to the employees such as a policy handbook, code of conduct, performance reviews, layout of office, mission statements
What are physical mechanisms that drive culture? Examples?
questionnaires, surveys, interviews, workshops, data tracking, cognitive computing
What are some common approaches entities use to engage management in a risk identification process?
-What is our desired credit rating? -How much earnings volatility are we willing to accept? -Are there specific risks we are not willing to accept? -To what extent are we willing to expand our product, customer, or geographic coverage?
What are some examples of questions we might ask to determine our risk appetite?
1. Risks managed in silos 2. some risks fall between silos and are missed 3. some risks are in multiple silos, so each tries to come up with its own strategy to mitigate the risk, but it may negatively affect another silo or result in duplication of responses 4. Not connected to strategy 5. focused too much on internal risks only
What are some pitfalls to the traditional approach to risk management?
-interviews: questions should be open ended, ask focused questions (look at core business drivers and strategic initiatives) -workshops: should be facilitated by ERM staff, bottom-up view, free exchange of ideas/concerns, speedy, not siloed -Stress tests: focus on small sets of critical variables (can change all variables), assumptions embedded in model -scenario planning: what if this scenario happened? Focus is long run -war-gaming: assess vulnerabilities to competitors' strategies. How can competitors beat us? -pre-mortem analysis: forecast bad event then try to figure out what most likely happened
What are some techniques that could be used to prompt management to think about risks?
1. governance and culture 2. strategy and objective-setting 3. performance 4. review and revision 5. information, communication, and reporting
What are the components related to the new COSO ERM Framework?
1. accelerating urbanization - people moving to cities 2. climate change and resource scarcity - extreme weather 3. demographic shifts - aging population 4. shift in global economic power - BRIC countries, growth in middle class 5. technological breakthroughs - effects on consumer expectations
What are the five megatrends identified by PwC?
1. it's a process 2. effected by management and by board of directors 3. connected to strategy 4. enterprise focused 5. in an effort to identify risks AND opportunities and manage these risks 6. in connection with risk appetite
What are the key elements of the ERM definition?
Core business drivers and new strategies --> risks and opportunities --> missed opportunities and increased shareholder value
What are the key elements of the picture with the lightning bolt?
provide guidance for how to develop ERM practices, they are principles-based so you can easily fit it to your company culture
What role do frameworks serve in risk management?
-SWOT -Porter's Five Forces -PESTLE
What techniques can be used to analyze business context?
-"Penn State way" -board did not ask questions, let the president do what he wanted and trusted his judgment -athletics ruled -no accountability for management -create risk compliance committee -management should report significant risks at every board meeting -create standard set of core values -emphasis on openness and transparency at all levels to the public -risk management and IA should report to the board
What cultural factors led to the crisis and what could be done to avoid those situations in other organizations?
global executives views on risks 1. inequality and polarization 2. environmental risks - extreme weather 3. technology is interconnecting risks
What economic trends did the World Economic Forum at Davos identify?
risks for which there was no reasonable expectation that the organization would consider during risk identification, doesn't make them unknowable; future actions by competitors are unknown
What do they mean by unknown risks? Give example
What: mission statement and goals; How: strategic initiatives; risk management is mostly focused on the how, given that is where risks are most likely to occur
What do we mean by the what vs the how?
not just a department within an entity; culture, practices, and capabilities are integrated throughout the entity; integrated with strategy
What do they mean by integrating ERM in the business? What's the main point?
We are not risk neutral; a response to a loss tends to be more extreme than a response to a gain; tendency to misinterpret probabilities
What does Prospect Theory tell us about our ability to think about a risk probability?
if upper level management is in the room, use clickers or anonymous technology
What factors might prevent individuals from being candid in making comments at a risk workshop? What are some ways to mitigate this?
Risk To
What internal or external events might prevent what must go right for strategy to be successful? What would keep strategy from working?
-internal: strengths and weaknesses -external: opportunities and threats
What is a SWOT analysis?
1. establish right culture and leadership tone 2. design and implementation of ERM 3. Manage risks identified in ERM
What is management's role in risk management?
-compensation: must assess the impact of compensation incentives for all employees on the risk assessment and risk management process; disclose risks that are reasonably likely to have a material adverse effect on the company -Must disclose the role of the BOD in the company's risk oversight process in the proxy and information statements -gives suggestions: whether the person who assesses and manages risk reports directly to the board or a committee, how the board monitors and oversees risk management
What is required of public companies by the SEC in regards to risk management?
risk appetite on a spectrum; risk averse, risk neutral, risk aggressive
What is the culture spectrum?
Already known risks; want you to know about unknown but knowable risks; can't know unknown unknowable risks but can be in a better position for when these things occur
What is the current focus on and what does ERM help you start thinking about?
to enhance shareholder value
What is the goal of ERM?
Mission, vision, and core values --> strategy, business objectives, and performance (risk to strategy and performance, implication from strategy chosen, possibility of strategy not aligning) --> enhanced performance
What is the new "cube" of the revised COSO Framework?
mission, vision, and core values provide insight as to what the company wants to do; a company that understands its mission and vision can set strategies that will yield the desired risk profile; can be misaligned if you take on more risk than what your mission and vision indicate
What is the relationship between mission/vision/core values and strategy?
The president changed JCP's strategy by including more quality products at higher prices, but people shopped at JCP because it is a discount store; did not communicate discounts or promotions, which led to decreased sales
What led to the firing of the president of JCP?
-skewed/biased information from management, or management withholds info -multiple stakeholder needs -disagreement on board -this isn't their full-time job -may not know industry
What makes board oversight hard?
-no reliance on a stand-alone assessment program -everyone is a risk manager -culture: encouraging people to escalate issues without fear of retribution -capabilities: management is able to make decisions that are appropriate given its appetite
What might be some signs that ERM practices are fully integrated?
benefits of using resources exceed the costs of those inputs; risk opportunities vs. bad risks
What must happen for value to be created?
for insurance companies; issue ORSA report: -at least annually assess adequacy of risk management framework -document the process and results of assessment -provide summary report to state insurance regulator
What types of organizations are affected by ORSA? And what is it?
Mylan's EpiPen is increasing in price significantly and many can't afford it, even though it is a lifesaving drug
What was the controversy surrounding Mylan?
Wells Fargo had a culture of "sell or be fired" which caused many employees to create fake accounts for customers. Then management blamed the employees even though management created the culture, not the employees; had unrealistic sales quotas, encouragement of unethical actions to meet these quotas
What was the primary risk event that triggered all the negative publicity for Wells Fargo?
Strategy then business objectives; business objectives are supposed to be aligned with strategy and are more specific and measurable
Which comes first, business objectives or strategy? Why?
BOD, management, and other personnel
Who are examples of internal stakeholders?
Management and executives; board oversight - evaluates ERM practices
Who is responsible for design and implementation of ERM?
to aggregate risks and think about risks at an enterprise level and in congruence with strategy, more like consultant, does not own risk
Why consider having a CRO?
A strategy with a large number of assumptions that are unproven can result in a higher risk profile; the propensity for assumptions to change
Why is it important to consider the types and number of assumptions associated with a given strategy? When evaluating assumptions, what should management think about?
Culture
attitudes, beliefs, values, how you behave, tone at the top
Risk Appetite
defining levels of risk you are willing to accept in the pursuit of shareholder value
Rush to Solve Tendency
immediately want to solve problem by making too quick of a judgment
Anchoring Tendency
make assessments by starting from an initial numerical value and then adjusting insufficiently away from the initial value in forming a final judgment
Key Risk Indicator
metrics that provide an early signal of increasing risk exposure in various areas of the organization
Availability Tendency
consider only information easily retrievable from memory as being more likely, relevant, and important
Halo/Liking Tendency
overall impression of a person affects ability to objectively evaluate information when making judgment or decision
Overconfidence Tendency
overestimate own abilities to perform tasks or to make accurate diagnoses or other judgments and decisions
Strategy
refers to an organization's plan to achieve its mission, vision, and to apply its core values
Confirmation Tendency
seek out and put more weight on information that is consistent with initial beliefs or preferences
Vision
the entity's aspirations for its future state or what the organization aims to achieve over time
Core Values
the entity's beliefs and ideals about what is good or bad, acceptable or unacceptable, which influence the behavior of the organization
Mission
the entity's core purpose, which establishes what it wants to accomplish and why it exists
Risk Capacity
the maximum potential impact of a risk event that the firm could withstand and remain a going concern
Core Business Drivers
things that already successfully drive value