Enterprise Risk Management: RAI s Journey and Approach Susan B. Wilson Vice President and General Auditor Reynolds

Presentation Transcript


    1. Enterprise Risk Management: RAI’s Journey and Approach. Susan B. Wilson, Vice President and General Auditor, Reynolds American Inc.

    2. Agenda: Reynolds American (RAI) Overview; Enterprise Risk Management Overview; The Evolution of ERM at RAI; RAI’s ERM Process; Key Considerations and Next Steps; Q&A.
       Today we’ll talk about what ERM is, why it’s important, how it works at RAI. My goal is to leave you with some practical advice and useful handouts.

    3. RAI Background: Created in 2004, the same year that the U.S. operations of Brown & Williamson combined with RJR Tobacco. HQ: Winston-Salem, N.C. About 8,000 employees.
       At the time of the merger, RJR was the #2 tobacco company and Brown & Williamson the #3. Quite frankly, both companies were struggling. Competitive and litigation risks were significant for both companies. The merger created a strong #2 with a combined share of 30.88. Here are some numbers to give some sense of size.

    4. RAI Background: Operating companies: R.J. Reynolds Tobacco Company; Conwood Company; Lane, Limited; Santa Fe Natural Tobacco Company, Inc.; R.J. Reynolds Global Products, Inc. Net Sales – $8.3 Billion. Assets – $6.6 Billion. Market Cap – $18+ billion.

    5. RAI Vision
       RAI is all about shareholder value. Go to vision. To do that, Reynolds American competes in all segments of the tobacco industry and manages its risks. And, as you know, tobacco is a controversial and risky industry. Some risks are fairly unique to tobacco; for example, litigation, regulation, excise taxes, smoking bans and a declining industry. Other risks are quite common among consumer products companies…for instance, business continuity, product tampering, economic downturn, inflation and competitive risks. That is why ERM is so important – need to identify and manage those risks that can prevent us from reaching this goal.

    6. R.J. Reynolds Tobacco Company
       Camel/Kool – Investment brands – both are growing. Camel has been growing share since its repositioning in 1988. In total, we sell about 5 billion packs per year.

    7. Conwood Company: Most Recent Acquisition. HQ: Memphis, Tenn. No. 2 in smokeless tobacco. Growth leader in moist snuff.
       Behind UST, Conwood holds #1 or #2 position in each of the segments and is growing in a growing market. Grizzly – growth and share leader in the value segment (20% SOM in 5 years). Kodiak – premium priced. Average compound growth rate 7 to 8% – margins 50%. $450mm revenue / $250mm

    8. Enterprise Risk Management (ERM) Overview
       Let’s ground ourselves as to what ERM is.

    9. What is ERM? In short – A process designed to identify and manage risks so your organization can achieve its objectives.
       It might surprise you to know that all companies have some type of ERM. Some are formal; some are not. Some are effective; some are not. It isn’t important that risk management is formal, but it must be effective. COSO – Committee of Sponsoring Organizations – organized in 1985 and made up of American Accounting Association; AICPA; FEI; IIA; and Institute of Management Accounting. COSO I is most commonly used framework for SOX. COSO II represents the ERM framework.

    10. Why Implement ERM? External: Evolving legal and regulatory developments; Governance requirements; Factor for ratings agencies.
       A number of external factors: SOX; NYSE listing standards. When the NYSE Listing Standards were first published, there was much controversy over the meaning of risk oversight. Opinions varied from a narrow view defined as financial reporting risk to a comprehensive enterprise risk view. The emerging trend in large public companies is toward the enterprise risk definition. Federal Sentencing Guidelines reform; SEC’s endorsement of COSO risk framework; SEC’s risk factor disclosure requirement; Interpretation of recent Delaware case law (1). Recent decisions emphasize the importance of compliance with best practices; this may be applicable to ERM. The August 2005 Disney decision by the Delaware Court of Chancery provides important insights into the scope of fiduciary details. “[The Chancellor] underscored the importance of good faith in the performance of corporate duties and stated that directors and officers are expected to fully understand current best practices as well as ensure that business decisions are taken in light of widely recognized corporate governance standards.” …e.g. risk management best practices do matter and could be a standard of review of fiduciary liability.
       (1) From The Conference Board publication, The Role of U.S. Corporate Boards in Enterprise Risk Management.

    11. Why Implement ERM? Internal: Better decisions / improved business performance; Cross-company view of risks; Risk-aware culture; Transparent communication among top management and Board.
       Also internal factors. For example, a recent benefit of our ERM activities has been the identification of reliance on the same “single source supplier” across several of our subsidiaries. In our company, risk management oversight has been delegated to the Audit Committee. Today, about 2/3 of companies do this. We have quarterly discussions on risk with the Audit Committee.

    12. Which ERM Approach? Considerations: One size does NOT fit all; Know your company’s needs and culture; Use consultants wisely.
       All companies already have some type of risk management in place, even if it is merely informal discussions among the top management about business threats. Some manage risk and don’t even realize they’re doing it. There are many different approaches, ranging from informal and subjective to quite sophisticated and quantitative, as you might find in the financial services sector. Which type should you choose? That depends on several factors, the most important of which are the Company’s culture and the Company’s needs from a risk management perspective. A basic requirement is that the approach be holistic. And it’s important to remember that Bureaucracy is not required to derive value from ERM. Research by The Corporate Executive Board tells us that companies take one of two approaches… Traditional full ERM launch, very similar to SOX compliance, but encompassing all types of risks, not just financial reporting, OR a “stealth” ERM approach, utilizing a more decentralized approach and building on the Company’s existing processes. Either way can be successful, depending on your Company’s needs and culture.

    13. Current State of ERM: ERM is an emerging practice.
       Where are most companies today in terms of ERM? In general, financial services have robust and formalized ERM. (reference Wachovia) However, for companies outside financial services, ERM is still emerging. Few companies (11%) had fully developed ERM throughout all aspects of their operations. 86% of those practicing advanced ERM believed it could enable better decision-making, but only 58% had achieved this benefit.

    14. Why Planning is Important
       This shows why planning is so important – and why your ERM process must be tailored to your company. Earlier, we talked about the importance of effectiveness. This is a good example of ineffective risk management… Obviously, her plan to reduce her risk didn’t work…

    15. The Evolution of ERM at Reynolds American
       So, now let’s talk a little about how Reynolds American got started with ERM.

    16. RAI & ERM: Getting Started: Integration risk; Strategic risk; Business process risk.
       The merger in 8/04 provided an optimum beginning. We provided a need to assess the risks associated with integrating two large companies. It also provided the opportunity to assess best practices associated with risk management – those present at each company as well as best practices in other companies. What we found was that: B&W had a FORMAL strategic risk management process, but RJR did not. RJR had a formal Business Process Risk management process, but B&W did not.

    17. RAI & ERM: Getting Started: During the integration risk assessment, RAI explored a comprehensive ERM approach. Needed to balance: NYSE listing requirements; Regulatory developments; Consultant input on best practices. With: Management’s concern of initiative overload; Fear of “SOX-like” complexity and bureaucracy.
       As a part of our search for best practices, we came across the concept of ERM. However, implementing ERM was not a “slam dunk.” On the plus side, NYSE, regulatory, etc. On the minus side, there was concern of initiative overload. Concerning “Initiative Overload” -- The company had numerous initiatives in place to integrate the two companies and to establish a new corporate culture for the combined organization. There was legitimate fear of “breaking the Camel’s back.”

    18. RAI & ERM: Getting Started: Leveraged existing processes into an “ERM Light” framework; Launched in September 2005; Right for RAI’s culture; Pragmatic approach; Substance vs. form; Consultant expertise for “sanity check”; Aligned with COSO.
       So, where did we come out? We decided to take a slow, stealthy approach. This leveraged existing processes (SRA, BPRA) vs. creating new initiatives. We conducted extensive research and used a broad range of resources to find the ERM approach best suited to RAI. (conferences, case studies, literature reviews, consultants) I call it “ERM Light” because RAI’s FORMAL ERM framework was designed to be relatively “informal” rather than bureaucratic.

    19. ERM Framework Overview
       So now, I’ll take you through how we developed our ERM framework.

    20. Getting started is not as easy as it sounds.

    21. Developing a Framework: Four-step process: Define strategies and success factors; Define Risk Universe; Define ongoing process; Align with COSO framework.

    22. Developing a Framework. Step One: Define strategies, objectives and critical success factors needed to achieve corporate mission.
       At RAI, the first piece of the puzzle was reviewing what the company wants to achieve and how it plans to get there. As you will recall, our ERM goal is to identify and manage potential threats that could prevent RAI from achieving its vision of sustainable earnings growth. Obviously, a critical step is to identify those goals across all business units and functions. Discuss the pyramid. Discuss importance of alignment and line of sight.

    23. Step Two is to define the risk universe. It is kind of like finding the outside pieces of the jigsaw puzzle. It helps to frame the discussion. For us, we identified five broad categories of risks.

    24. I’m going to go through these fairly quickly – just to give you an idea of the types of risks we included in each category. The top tier of risks are associated with corporate strategies, at the holding company and within each subsidiary. For example, the holding company would be very focused on opportunity and business concentration risk; the subsidiaries would be more focused on business model and brand portfolio risks. Discuss conflicting strategies. Business model – Investment, Selective Support & Non-Support. Brand portfolio – Camel/Kool.

    25. Each subsidiary is focused on marketing/business environment risk as it relates to their business. As you might imagine, the holding company is also focused against political and legal and regulatory risk. The holding company would want to ensure that strategies in these areas are consistent across the subsidiaries.

    26. As you can see, some of these risks relate more to the operating companies, while others are more closely associated with the holding company.

    27. As you might expect, the majority of these risks are at the operating company level.

    28. Finally, compliance, financial reporting and fraud risks are present in both the operating and holding companies.

    29. Step Three: Define an Ongoing Dynamic Process
       Our next step was to construct an ongoing, dynamic and integrated ERM process. Remember that our goal was to have an informal, but structured, process. The SRA was our first step and it provided the foundation. Discuss the chart.

    30. Step Four: Align ERM Process with COSO
       Lastly, we assessed our framework and processes for alignment with COSO. The COSO framework is very useful because it provides a methodical way to identify and address all the components that need to be reviewed. Our process incorporates the 8 components represented on the face of the cube, and we assess strategic, operational, reporting and compliance risks at both the holding company and the subsidiary level, and by function within these broad categories.

    31. RAI’s ERM Process
       Okay, now that you have the theory… How does the “nuts and bolts” process work at RAI?

    32. Strategic Risk Assessment
       As I said earlier, we start with our Strategic Risk Assessment. For us, the SRA is the foundation of ERM. Although we update this quarterly, we have a “deep dive” during the summer, concurrent with operating plan development.

    33. Deep Dive Process. Process Leaders: SVP Strategy & Planning; VP and General Auditor. Risk Owners: Functional Leadership. Oversight: RAI Leadership Team; Audit Committee (review role only).
       Keep in mind that our process is informal, so there isn’t anyone who has risk in their title. However, risk management is part of everyone’s daily job. And the people who manage the functions are those who own the risks in that area.

    34. Deep Dive Process. What is involved? Identify strategies; Identify threats; Quantify risks (Likelihood, Impact); Identify gaps; Report.
       Business unit identification of strategies which support corporate vision of sustainable earnings growth. Identification of external and internal factors that may impact RAI’s ability to achieve its strategic objectives. Quantification of risks as to likelihood and impact. Assessment of mitigation effectiveness and gaps. Analysis and reporting. I’ll give you two tips. Keep the discussion focused on significant risks. For each area, there may be 3-5 top strategic risks. There is probably not just one, but there aren’t 10 either. Use top line estimates to increase discussion and avoid scenario overload.

    35. Deep Dive Process
       This is the template we use to compile strategic risks. As you recall, one of our key strategies was a high performing culture. Therefore we identified the risk that we would be unable to attract, retain and engage top talent. Those of you who were here last month may remember the Wachovia presentation. Don indicated that Wachovia uses qualitative assessments for operational risks. We attempt to quantify our top risks, at least at a top line level. Discuss risk assumption. This is a great example of how your ERM framework must fit your company’s needs and culture.

    36. Deep Dive Process: How are risks quantified?
       As you can see, our impact is over 5 years. Obviously, likelihood is still very subjective but is based upon experience. For category 4, >$150mm, we do quantify and gauge the actual estimated impact over 5 years.

    37. Deep Dive Process: How are risks quantified?

    38. (no slide text captured)

    39. Here is a more specific example of a risk profile matrix as it might apply to Reynolds American’s largest subsidiary, R.J. Reynolds Tobacco Company. Let’s talk for a minute about litigation risk. The nature of our litigation makes it a full Board responsibility. Management briefs the full Board quarterly on litigation. For any risk above the solvency frontier, we ensure the highest level of attention and resources are devoted to managing and mitigating these risks, by both management and the full Board.

    40. Annual Operating Plan
       The second element is the Annual Operating Plan, and it takes place in September/October. How does RAI utilize the annual operating plan cycle to bolster ERM? RAI business units identify strategies and objectives for the upcoming year. Remediation activities identified during the SRA are built into the Operating Plans for the upcoming year. Why do we include the Operating Plan as part of the ERM process? Because the op plan feeds the next ERM activity.

    41. Business Process Risk Assessment
       The third element is Business Process Risk Assessment. As I said, business process strategies and objectives are defined during the op plan. Threats to the achievement of these objectives are assessed during this process. This is a more detailed level of risk assessment. For example, with the SRA, we identified the top 20-30 risks across the companies. During this process, we will identify the top 100 highest risk business processes. Here, I’d repeat the same tip you heard earlier … Use top line estimates to increase discussion and avoid scenario overload. At this point, the important thing is the discussion vs. a precise quantification of impact.

    42. 42 Business Process Risk Assessment
    Let me bring this together for you. You will recall that a key goal for RAI is a high performing culture. And one of our strategic risks was the inability to attract and retain top talent. A critical success metric is succession planning coverage. Two of the business processes that are key to our success in this area are listed here. We then rate the degree of risk present in each of these business processes.

    43. 43 Business Process Risk Assessment
    This really measures the process owner’s confidence in their management oversight and controls. Likelihood measures the probability that, despite the best plans and controls, things can go wrong. What is the likelihood that something could go wrong in the process?

    44. 44 Business Process Risk Assessment
    Impact is a topline estimate of the annual dollars at risk if something goes wrong. What is the cost (financial, legal, PR, negative customer impact, loss of business opportunity, inefficiency, etc.) to the company if what can go wrong, does go wrong? Please estimate; do not calculate. This is really an estimate of inherent risks. It asks the process owner to estimate the total dollars at risk. The impacts are aligned with our SOX guidelines.

    45. 45 Annual Audit Plan
    The fourth component of our ERM process is the annual audit plan. It incorporates audit activities around both strategic and business process risks (discuss). It gives the company assurance on highest risk areas and risk mitigation activities.

    46. 46 Quarterly Update
    Lastly, we do an exception-based update of our strategic risks on a quarterly basis. Who/What is involved?
    Quarterly exception-based process
    Identification of new risks, changes to existing risks and the status of mitigation activities
    Recognition of potential emerging risks
    Results communicated to CEO, Leadership Team and Audit Committee

    47. Key Considerations and Next Steps
    So, what have we learned that might benefit you on your company’s ERM journey?

    48. 48 Summary
    Our ERM approach works well for our culture. We are continuing to refine our processes to provide real time/actionable information for decision making. For instance, doing a good job of identifying emerging risks is crucial to staying one step ahead of potential problems. More actionable methodology refers to developing ways to better predict and manage “Perfect Storms” – i.e., scenarios where several risks simultaneously converge.

    49. 49 Keys to Success
    Supported by top leadership / CEO
    Based on extensive research / best practices
    Leveraged existing processes
    Minimized bureaucracy and number crunching
    Used consultant as a “sanity check”
    Obviously, to be successful, it is critical for ERM to be a top down process. Other things that worked for us were…

    50. 50 Next Steps
    Next step on RAI’s ERM journey: Better “emerging risk” identification
    Our ERM approach works well for our culture. We are continuing to refine our processes to provide real time/actionable information for decision making. For instance, doing a good job of identifying emerging risks is crucial to staying one step ahead of potential problems. More actionable methodology refers to developing ways to better predict and manage “Perfect Storms” – i.e., scenarios where several risks simultaneously converge.

    51. Thank you! Q & A