11/9/2015. Welcome. Regulators, governments, analysts, and the street are paying much more attention to this particular management capability


Integrating Strategic Risk into Enterprise Risk Management (ERM)
Craig Krimbill
Senior Manager
Deloitte Advisory
November 9, 2015

Welcome

Agenda
Evolving enterprise risk management (ERM); Strategic risk; What boards are asking?; What executive management can do

Regulators, governments, analysts, and the street are paying much more attention to this particular management capability
[Figure: two charts, "Value Loss" (the proportion of significant losses in market value caused by each type of risk over the past decade) and "Time Spent" (the proportion auditors spent on each type), each broken down into Strategic, Operating, Legal and compliance, and Financial reporting.]
Source: HBR.org, How to Live with Risks, July-August Issue

Strategic risk was added to ERM
Source: Enterprise Risk Management Framework, Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.

ERM is evolving
ERM is transforming and moving to the forefront of organizations, executives and board of directors, fueled by:
Worldwide financial instability and networked economy
Increasing regulations
Hyper-connected world with constant threat of accelerating disruption and amplified reputational
Routine and novel crises resulting from man-made and natural disasters
Amplified media attention to corporations, geo-political, and economic uncertainty
Extended enterprise (offshoring, outsourcing, and shared services) accountability
Shifting competitive and stakeholders landscape
Risk is everywhere external and internal, interconnected, growing, and ever-changing AND is essential to GROWTH

As a result many organizations are evolving their own ERM function
Managing Crises: Prepare, respond, and recover from issues, incidents, and crises to limit business disruptions, reputational damage, and value destruction
Managing Business Risks: Execute a consistent, pragmatic process to manage business unit while elevating with enterprise impact
Managing Strategic Risks: Proactively identify at the corporate level that undermine a company's ability to achieve or maintain exceptional performance
Risk Status: Less time to respond / More time to respond
Strategic Initiatives (Illustrative): Grow domestic customer base; Differentiate brand; Expand internationally; Deliver exceptional customer services; Grow e-commerce and provide synergies within Omni channel; Invest in infrastructure and supply chain
[Figure: Sample Risk Universe, grouping risks into Crisis-Related Risks (business continuity, issues), Business Managed Risks (accounting and financial reporting, legal, regulatory, real estate, liquidity and credit, supply chain, merchandising, third parties, information technology, data management, among others), and Strategic Risks (Retail Dynamics, Strategic Planning, Governance).]
Source: Enterprise Risk Management Framework, Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.

What are strategic?
Strategic attack the basis for competitive advantage. They challenge the logic of strategic choices, threaten an organization's competitive position, and as a result, they can undermine a firm's ability to achieve or maintain exceptional performance.

What are strategic?
Strategic attack the basis for competitive advantage.
Long-term success relative to competition, for example: Superior talent acquisition; Better customer service; Exceptional supply chain efficiency; Competitive pricing; Innovation

What are strategic?
They challenge the logic of strategic choices
Integrated set of choices that create sustainable advantage, for example: Where to play? How to win? How to organize?

What are strategic?
threaten an organization's competitive position
Favorable position relative to competitors, for example: Premium player; Low-cost player; Innovator

What are strategic?
and as a result, they can undermine a firm's ability to achieve or maintain exceptional performance.
Outstanding long-term financial return, for example: Return on investment; Return on assets; Return on equity

Strategic can be calculated, imposed, or self-inflicted
Risks can be categorized by an organization's ability to manage and receive value from them
[Figure: risks plotted from Threats to Opportunities by "Expected reward for risk (value to an organization for taking on )" against "Controllability (ability of organization to minimize the uncertainties creating )", from Less to More.]
Calculated: Risks resulting from organization's strategic and operational choices intended to generate value (e.g., new markets and products, adoption of new technology)
Imposed: Risks originating from uncontrollable and unavoidable external factors (e.g., catastrophes, and regulatory changes)
Self-inflicted: Risks resulting from day-to-day operations, decisions, and behaviors of constituencies (e.g., poor judgment and gaps in compliance)

Why some companies fall prey to strategic
Failing to align with planning process; Failing to identify new and emerging; Failing to confront cognitive and institutional biases; Relying on historical data; Not considering an outside perspective; Failing to communicate

Cognitive biases are pervasive in our daily life
Anchoring, Anthropic bias, Attributional bias, Availability bias, Barnum effect, Base rate neglect, Behavioral confirmation, Belief perseverance, Bias blind spot, Clustering illusion, Confirmation bias, Conjunction fallacy, Contrast effect, Cultural bias, Dilution effect, Disconfirmation bias, Egocentric bias, Endowment effect, Experimenter's regress, False consensus effect, Framing effect, Fundamental attribution error, Gambler's fallacy, Group-serving bias, Group attribution error, Halo effect, Hindsight bias, Hostile media effect, Hyperbolic discounting, Illusion of control, Illusion of validity, Illusory correlation, Impact bias, Infrastructure bias, In-group bias, Just-world phenomenon, Kuleshov effect, Lake Wobegon effect, Logical fallacy, Loss aversion, Media bias, Memory bias, Mere exposure effect, Misinformation effect, Negativity effect, Negative perception of the color black, Notational bias, Out-group homogeneity bias, Overconfidence bias, Pathetic fallacy, Peak-end rule, Physical attractiveness stereotype, Planning fallacy, Picture superiority effect, Positivity effect, Preference reversal, Primacy effect, Priming, Projection bias, Pseudo-certainty effect, Pseudo-opinion, Publication bias, Recency effect, Regression fallacy, Reporting bias, Risk-aversion, Rosy retrospection, Sample bias, Selection bias, Selective perception, Self-deception, Self-serving bias, Spacing effect, Statistical bias, Status quo bias, Sunk cost effects, Tunnel vision, Trait ascription bias, Valence effect

a. Thumbtacks in the box

b. Thumbtacks beside the box
c. Solution

What are boards asking?
What are our beyond the known and how are we managing them?
How prepared are we in the event of a crisis?
How can we be best prepared for unforeseen crises?
What's our company's real level of exposure to (cyber, financial, brand and reputation, and other types of)?
How effective is our company at managing exposure within acceptable limits?
What does maturity look like with regard to managing those?
What are the questions we should be asking management about their risk exposures?
How are our strategic choices changing the shape of encountered?

What are boards asking?
What measures should we take to establish confidence in taking certain rewarded to pursue new value?
What does true resiliency look like and how are leading companies aligning their organizations and board oversight?
What types of processes should we have in place to ensure we understand and manage the that we are taking?
How are we addressing the that could make the company obsolete?
How do we evaluate, assess, and address strategic beyond an annual exercise or point in time activity? How do we ingrain that discipline into oversight?

So what practices are boards and executives asking for?
Traditional ERM typically meets the basic risk needs: business as usual or operational
Many boards and executives want dynamic risk insights (brand, reputation, emerging and strategic) for decision support

Evolving your risk management capabilities doesn't have to occur all at once
[Figure: organization performance rising through steps A to F across Phase I (Enhance), Phase II (Integrate), and Phase III (Optimize).]
A: Enhance risk governance and reporting cadence
B: Standardize & deploy Enterprise-wide risk management processes
C: Develop risk response and mitigation strategies
D: Formalize crisis response program and approach / framework
E: Operationalize risk sensing and other enhanced strategic risk capabilities
F: Establish strategic risk initiatives to position risk as a strategic enabler & hardwire within the organization

As a result, effective risk management programs focus on both value protection and value creation
The Upside and Downside of Risk
Rewarded: Manage to help create value (future growth): New product development; Growth and expansion; Target new markets
Unrewarded: Manage to help protect value (existing assets and capital): Regulatory compliance; Fraud; Disasters

This presentation contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. In addition, this document contains the results of a survey conducted by Deloitte. The information obtained during the survey was taken as is and was not validated or confirmed by Deloitte. Deloitte shall not be responsible for any loss sustained by any person who relies on this document.

As used in this document, Deloitte Advisory means Deloitte & Touche LLP, which provides audit and enterprise risk services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services, and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte Transactions and Business Analytics LLP and Deloitte Consulting LLP are not certified public accounting firms. These entities are separate subsidiaries of Deloitte LLP. Please see us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting. 36 USC Member of Deloitte Touche Tohmatsu Limited