Building Agility and Resilience into Risk Management Systems

1
Building Agility and Resilience into Risk
Management Systems
FINANCE STRATEGY PRACTICE CFO Executive Board
Findings from our 2009 Research
2
Executive Summary
Leading organizations have taken some simple
steps to improve their capacity for sensing and
responding to emerging risks.
While many organizations have locked down their
response to the risks presented by the current
financial crisis, they are now focused on better
understanding an operating environment
characterized by a high degree of economic
uncertainty and consequent market volatility. It
comes as no surprise then that CFOs have
increased their investment in risk management
processes in an effort to better sense and
prepare for over the horizon risks.
Unfortunately, traditional risk management
approaches promote a check the box mentality,
incentivizing management to focus the majority of
its efforts on process improvement rather than
mitigation planning and directly preparing for
significant emerging risks. Through the course
of our research we found that a number of
companies have successfully modified their risk
sensing and response mechanisms to make their
organizations more effective at anticipating and
responding to emerging risks. They key steps
theyve taken are further described in this brief
If you are interested in learning more about this
research, please contact Anna Kipchuk at
kipchuka_at_executiveboard.com
Three Steps for Improving Risk Agility
1
Use forward-looking risk indicators and
prediction markets to swiftly identify emerging
risks.
2
Consider the speed at which risks will impact the
organization when prioritizing and escalating
risks.
3
Use scenario planning to ensure budgets and
resource allocation decisions stay relevant to a
changing environment.
3
A (Loud) Wake-Up Call
When making new investments in risk management,
avoid the same mistakes that made ERM ineffective
heading into this downturn.
Top Drivers for Risk Management Investments in
2009
2009 Average Increase in Risk Management Budgets

• In spite of falling Finance budgets, risk is one
  of the few areas where CFOs are increasing
  investments in 2009, specifically risk tracking,
  reporting and consulting services.
• These investments are being driven from the very
  top of the organization in response to a greater
  need for broader risk sensing and mitigation
  capabilities.
• In light of this renewed focus on risk, CFOs must
  avoid making the same mistakes that caused their
  existing risk management frameworks to fall short
  in helping to predict and prepare for this
  downturn.

What Went Wrong with Risk Management?

• Misguided Focus on Risk Detection Rather Than
  Risk Agility Despite the increasing volatility
  of internal and external risk environments,
  companies focused on risk detection rather than
  creating an agile, risk-ready organization.
• Compliance Risk Outweighs Business Risk in
  Governance Management and Boards over-invested
  in managing compliance-related risks,
  inadvertently crowding out scrutiny of business
  risks and the underlying assumptions in corporate
  strategy.
• ERM Systems Created a Check the Box Mentality
  ERM systems can provide good hygiene and
  visibility, but companies focused 80 of their
  energies on technical assessments and 20 or less
  on actual management of risks and opportunities.
• Focus on Affirming Risk Assumptions Rather than
  Negation Risk reporting meant compiling
  aggregate data to support managements risk
  assumptions, rather than testing the validity of
  the assumptions against outliers, abnormalities,
  and alternative frames of reference.
• Oversimplification of Risk Metrics Not all risks
  are created equal or distributed normally.
  However companies did not take a differentiated
  approach to risk evaluation, management or
  escalation for various types of risks, especially
  fat tail risks.

Source Aberdeen Group, Enterprise Risk
Management The Art of Avoiding Unpleasant
Surprises, February 2009, Financial Times Risk
Integration Strategy Council research..
4
Many New to World Risks
The emergence of new critical risk areas
escalates the need to reevaluate fundamental risk
assessment and mitigation processes
Audit Plan Hot Spots Dashboard 2007-2009

• Our research finds that most companies do not
  have a mechanism for continually assessing new
  risks and making changes to audit plans or other
  risk frameworks at a speed that reflects the
  rapidly changing risk environment.

Source Audit Director Roundtable research.
5
A Case for Risk Agility
Standard risk management processes place too much
onus on process management, reducing executive
time spent on more valuable risk mitigation
activities.
Incorrect Prioritization Allocation of Board and
Management Resources on Risk Management
Risk Management
Senior Management spend 80 of their time on risk
processes (completing forms and evaluating risks)
and only 20 of their energy actively managing
risks and opportunities.

• Research from MIT shows that companies that over
  invest in active management of risks and
  opportunities (risk agility) tend to outperform
  their peers in both sales and margin growth,
  adding evidence for the case that executives need
  to allocate more time to direct risk management.

Risk Processes
The Case for Agility 2002-2004, MIT-CISR
The Importance of Agility to Overall Business
Success EIU 2009 Survey
Unimportant
Neutral
Important or Extremely Important
n 349 Business Executives and Board Members
n 649
Source Corporate Strategy Board research Risk
Integration Strategy Council research.
6
Building Risk Agility
Improving organizational risk agility
requires changes to risk identification, assessmen
t, and response behaviors.
Three Steps to Risk Agility Organizations Should
Incorporate Agility into All Aspects of the Risk
Management Process
Timeline of a Risk Event
Resource Mobilization
Risk Assessment
Risk Identification
Traditional identification is a largely static
and calendar-driven process, reliant on lagging
indicators and the knowledge of a few individuals.
Traditional risk assessments, which focus on
impact and likelihood, fail to take into account
the velocity of risk and may be outpaced by
swiftly emerging risks.
Traditional resource allocation is
calendar-driven, thus budgets and resource
allocation decisions quickly become obsolete in
the face of a changing business environment.
Early Risk Detection Use forward-looking risk
indicators and prediction markets to swiftly
identify emerging risks.
Risk Velocity Sensing Consider the speed at which
risks will impact the organization when
prioritizing and escalating risks.
Rapid Resource Mobilization Use scenario planning
to ensure budgets and resource allocation
decisions stay relevant to a changing environment.
7
Improving Risk Agility
1
Use forward-looking risk indicators and
prediction markets to swiftly identify emerging
risks.
Use leading indicators of significant risk events
to anticipate them and prepare Traditional risk
identification frameworks rely on lagging
financial and operating metrics to confirm,
rather than predict or test resiliency of current
plans.
Early Risk Detection
Tap into organizational risk intelligence using
prediction markets to anticipate and respond to
risk. Risk management by committee fails to
sustain focus on key risks and capture changes in
a timely manner, but tools like prediction
markets can improve continuous monitoring of
probable risk events.
Consider the speed at which risks will impact the
organization when prioritizing and escalating
risks.
Risk Velocity Sensing
2
Rapid Resource Mobilization
3
Use scenario planning to ensure budgets and
resource allocation decisions stay relevant to a
changing environment.
8
Numbers to Manage By
Traditional risk monitoring relies on
cataloguing and assessment of a broad range of
lagging indicators which fail to anticipate
emerging risks across the enterprise.
Expanding the Universe of Risk Metrics and
Owners

• Financial Risk
• Market/Credit Risk
• Fraud
• Tax Risk

• Operational Risk
• RD
• ?Supply Chain
• ?Sales and Marketing
• ?Business Continuity
• ?Internal Processes and Controls

Financial
Customer
Internal Business Process
Learning Growth

• When we mapped the ever expanding set of risk
  indicators that companies monitor, we found only
  a few examples of synthetic, leading indicators
  (e.g. customer tenure and RD effectiveness).

• HR Risk
• ?Compliance
• ?Health and Safety
• ?Litigation
• Contracts

• Reputational Risk
• Company Brands
• ?Customer Service
• ?Market Conduct

• Strategic Risk
• MA Activity
• ?Loss of IP
• ?Changes in Competitive Landscape
• ?Market Demand

Schematic The Predictability Actionability
Frontier in Risk Metrics Operating Indicators

• Highly Aggregated
• Non-prescriptive
• Narrowly Focused on Outputs
• Backward-Looking

High
Actionability (How much managers can directly
influence this metric)
Low
High
Low
Predictiveness (Ability to forecast changes in
risk exposure)
9
Digging into the Future
To rapidly identify emerging risks and drill down
into their root causes, RTI builds a risk
dashboard based on metrics they believe are
predictive of trouble.
Key Risk Indicator Dashboard Illustrative

• ?The risk dashboard consists of Key Risk
  Indicators (KRI) spanning 9 major risk areas,
  capturing the entire risk profile of the
  organization.
• The use of predictive metrics provides a
  forward-looking view of risk and allows for the
  easy identification of root causes if KRI
  performance changes.
• For each metric there is an underlying list of
  root causes that management reviews to explain
  and mitigate an emerging risk. For example, the
  root cause of retention problems is deemed to be
  an unacceptably low promotion rate, highlighted
  at right.

Performance against the underlying metrics
impacts the performance of the KRI. Here a red
metric translates into a red KRI highlighting the
need for immediate action.
Source RTI International.
10
Measuring What Matters
RTI screens possible operational metrics using a
clear set of decision criteria designed to ensure
an accurate and forward-looking view of risk.
Metric Screening Decision Tree Illustrative
Leads, Not Lags Is the metric a
leading indicator of future risks?
Relevance Is the metric aligned with a
defined KPI at the group level?
Reliability Is the metric reliable, with any
inherent biases known and predictable?
Availability Is the metric sourced from
within or in-expensively from a third party?
Applicability Is the metric an operational or a
true indicator of risk?

• ?Once the breadth and depth of available
  information has been uncovered, the Executive
  Leadership team decides which metrics should be
  selected to build the KRIs.
• The use of these decision screens allows RTI to
  focus on those metrics that will provide a true
  and forward-looking view of risk across the
  enterprise.

The metric is rejected if it does not satisfy one
of the five criteria.
Metric selected for inclusion in Key Risk
Indicator
Source RTI International.
11
Promote More Inclusive Discussions
Audit Committees are concerned that centralized
risk management crowds out information flow on
emerging risks
Audit Committee Reaction to Statement
(2009) Centralized risk management can
overemphasize detail at the expense of
quick-and-dirty early risk detection.
31
37
32
Only 32 of directors are confident that
centralized risk management does not impede early
risk detection.
n 35 Audit Committee chairs and members.
12
The Risk-Breathing Organization
Periodic risk reviews conducted by a few
individuals can miss risks as they emerge.
Ensure the entire organization is continuously
sensing emerging risk.
Traditional Risk Evaluation vs. Ongoing
Prediction Markets
Traditional Risk Evaluation Periodic risk reviews
by select individuals fail to capture the
on-going changing nature of risk, missing risk
events as they occur.

• ?The perspective of expert committees that meet
  once a quarter to evaluate risks shifts
  drastically quarter to quarter based on the
  timing of their discussions. Committee-based
  risk management can also fall by the way-side
  when a risk is perceived to be less relevant or
  urgent.
• Conversely, a prediction market, a mechanisms
  whereby individuals can trade their knowledge of
  a risk, operates continuously and reflects a
  change in risk much more quickly.

Prediction Market Model The entire organization
needs to view risks continually to fully grasp
the risk environment, and immediately detect
risk as they emerge.
What is a Prediction Market? A prediction market
is a speculative market wherein virtual cash
values (with no real monetary value) are linked
to any particular event, where the current market
prices will indicate the probability of an event
occurring or signify the expected value of the
variable being measured.
13
The Wisdom of the Crowds
Best Buy uses prediction markets to garner the
collective expertise of the organization and
enable reliable risk decisions.
Risk Management Insight

• ??Recognizing that no individual can monitor
  numerous and constantly changing risks, Best Buy
  uses a prediction market for supplier risk to
  tap into everyones expertise for a more frequent
  and robust risk viewpoint.
• The diagram at right highlights how the multiple
  dimensions of supply chain risk reside with
  different constituents that dont naturally
  interact. The prediction market helps to remove
  organizational barriers and to pool expertise on
  a specific risk on an ongoing basis.

Source Best Buy.
14
Risk Prediction Markets in Action
Best Buy leverages the collective wisdom of
the organization to quickly and reliably identify
risk events across a variety of functional and
geography specific risks.
Use of Prediction Markets to Identify
Risks Illustrative

• ???As prediction markets reflect the collective
  knowledge of the organization, any changes in
  contract value will mean that new information has
  surfaced in relation to a particular project.

A sharp significant drop in the contract value
below set threshold suggests the market has new
risk information (on existing risks or new risks)
detrimental to the store opening in China.
Contract Value
Contract Value refers to the stock price of a
particular market measured in virtual currency
(that has no real monetary value).
It the prediction market helps on two fronts
both the speed and accuracy of information, so
that management can move faster to deal with
problems or exploit opportunities. Jeff
Severts, VP Best Buy
Market Overview on the 21/11/2008
Source Best Buy.
15
Continuous Risk Monitoring
Decoupled from a calendar driven process,
prediction markets provide management with
real-time feedback on risks and effectiveness of
mitigation actions.
Calendar-Driven Risk Process

• ???Calendar-driven risk identification can be
  untimely or slow, delaying a managements ability
  to identify and mitigate emerging risks in a
  timely fashion.
• Participants in the prediction market not only
  monitor risks continuously, but also provide
  feedback on the success of ongoing mitigation
  actions, thereby guiding the accuracy of
  mitigation plans.

As prediction markets constantly assess risk,
identification is instant and provides a snapshot
of the potential severity enabling an agile and
swift response.
On-Going Risk Assessment
The potential is that prediction markets may be
the thing that enables a big company to act more
like a small, nimble company again. Jeff
Severts, VP Best Buy
Source Best Buy New York Times, Betting to
Improve the Odds (4 September 2008).
16
Running a Prediction Market
Best Buy uses a straightforward implementation
framework for running prediction markets on
strategically important projects.
Four Steps for Setting Up a Prediction Market
Define Projects to be Tracked
Secure Sufficient Participation
Develop a Trading Mechanism
Close Trading Process
China Store Launch on Time Illustrative
Winner Certification

• When properly executed, prediction markets offer
  a scalable and flexible solution to project risk
  assessment and enable quicker managerial decision
  making and actions.

• ????Provide an explicit definition of the main
  objective of the project
• ?Assign ownership of tracking to the prediction
  market team
• Liaise with the project team to establish a
  threshold of acceptable stock price (i.e., if
  stock falls below this level it signals new risk)

• ?????Invite all employees to participate
• ?Award a non-financial incentive to the most
  accurate trader
• ?Do not mandate participation, make usage a fun
  and competitive experience

• ??????Create an IT platform to host prediction
  markets
• Award all participants the same amount of
  virtual credit to be on markets
• ?Clearly state the background to the market with
  minimal information
• ?Provide clear guidelines, terms and conditions
  for how to use the markets

• ??????Identify and reward the ten traders who
  show the highest growth in their market
  portfolios during the trading period

Source Best Buy
17
Improving Risk Agility
Early Risk Detection
Use forward-looking risk indicators and
prediction markets to swiftly identify emerging
risks.
1
2
Consider the speed at which risks will impact the
organization when prioritizing and escalating
risks.
Amend risk mitigation plans based on risk
velocity considerations and prioritize
high-impact, quick-implementation action plans to
speed management response.
Risk Velocity Sensing
Take risk evaluations from theory to practice and
test the business impact of probable
high-velocity risks in scenario planning
exercises to assess the true magnitude financial,
operating, and human costs.
Rapid Resource Mobilization
3
Use scenario planning to ensure budgets and
resource allocation decisions stay relevant to a
changing environment.
18
Consider Velocity
Incorporate the velocity of risk events into
your risk prioritization criteria to improve your
assessment of risk exposure and response planning.
Importance and Use of Risk Velocity in Risk
Assessments November 2007, Chief Risk and Audit
Officers

• Traditional risk assessments that prioritize risk
  on probability and impact are outpaced by the
  speed at which risks move throughout the
  organization.
• While 70 of finance executives agree that risk
  velocity is a core consideration, only 11 have
  introduced it into their risk assessments.

Risk Prioritization Matrix Incorporating Risk
Velocity Illustrative
ImpactWhat is the maximum business damage this
risk could cause? ProbabilityHow likely is this
risk to materialize? SpeedAt what speed will
this risk impact the organization?
RISK AHigh Severity and Likelihood but Low Speed
of Onset Increased employee attrition will have
a significant impact on the organization and is
very likely to happen. The risk is forecast to
materialize across the course of the next 18
months.
RISK BHigh Severity and Likelihood and High
Speed of Onset A new competitor will have a
significant impact on the organization and is
very likely to happen. The risk is forecast to
materialize within the next two months when the
new competitor begins trading.
Source Deloitte Risk Integration Strategy
Council Research..
19
Assess the Speed of Risk Events
DB evaluates how quickly risk events are likely
to be realized and uses this information to
prioritize its audit schedule.
Risk Velocity Assessment in Audit Planning
1
2
3
Global leadership team and operational heads
evaluate 20 enterprise-wide risks on three
criteria.
Internal Audit and C-suite review survey results
and adjust prioritization if necessary.
Velocity-adjusted prioritization functions as
basis for audit schedule.

• DB uses a simple three step process for
  incorporating velocity into risk assessments
  evaluating risks based on the three dimensions,
  reviewing results, and prioritizing the audit
  schedule with risk velocity in mind in order to
  keep the company ahead of its most critical risks.

Annual Online Risk Survey Illustrative
Audit Plan Illustrative
Source DB Corporation Audit Director
Roundtable research.
20
Prioritize Mitigation Actions According to Risk
Velocity
Internal Audit evaluates managements
mitigation plans through a risk velocity lens
and educates management about timely and
high impact responses.
Example Fraud Risk Mitigation Steps Illustrative
2
Audit outlines remediation steps in response to
anticipated risk velocity. For instance, TE
training offers a more timely response than a due
diligence review.
1
Management proposes big fixes with extended lag
times, often misaligned to the potential velocity
of risk impact on the organization.

• DBs Audit group reviews managements proposed
  risk mitigation steps with risk velocity in mind,
  ensuring that action steps are matched with the
  potential velocity that the risk could present.
• If management proposals for a high velocity risk
  will take a long time to implement, Audit
  proactively updates the action plan so that it
  more closely aligns to the risk velocity.

Source DB Corporation Audit Director
Roundtable research.
21
Go Beyond Theory to Test Business Impact
Alpha Company incorporates risk velocity into
scenario planning exercises to help the
management team understand the operational impact
of high-velocity risks
Incorporating Risk Velocity into Business Impact
Analysis

• Scenario Hurricane Hits Manhattan, NY
• Likelihood Highly Probable
• Risk Velocity High
• Impact
• Finance Loss of Working Capital of XMM per day
• Revenue Loss of XMM day
• Capital reserves depleted XMM per day
• Logistics Permanent loss of x communications
  centers in three boroughs
• Telecom Permanent loss of x transportation
  vehicles
• Permanent loss of x storage facilities and x
  units of inventory
• Temporary loss of x storage facilities
• Human Capital X employees require evacuation
• X per day in productivity losses
• X per month in increased medical and
  disability costs

• By placing high velocity risks on a timeline as
  part of their scenario planning exercise, Alpha
  Company realized that they had been
  underestimating the impact of significant risk
  events on key operating and financial metrics.

You need to get off paper and do real life
scenario planning applying the speed of risk to
the overall analysis. Once we began to discuss
the tactical implications for our business we
realized that the working capital impact of this
scenario would be most devastating and must be
planned for immediately. CFO, Alpha Company
Pseudonym
22
Top Ten Emerging Risks Likelihood, Impact
Velocity
Emerging Risk Survey Results August 2009
High
Source Risk Integration Strategy Council.
23
Improving Risk Agility
1
Early Risk Detection
Use forward-looking risk indicators and
prediction markets to swiftly identify emerging
risks.
Consider the speed at which risks will impact the
organization when prioritizing and escalating
risks.
Risk Velocity Sensing
2
3
Use scenario planning to ensure budgets and
resource allocation decisions stay relevant to a
changing environment.
Rapid Resource Mobilization
Speed up resource allocation decisions by
building alternate budgets and plans for each
risk scenario with triggers for adjusting
materially-significant cost categories that are
flexible and highly variable.
24
Swift and Proactive
Finance must ensure that risk information
continuously feeds the resource allocation
processes.
Example IT Budget Changes Given an Emerging Risk
Illustrative

• Operating and capital budgets typically react
  slowly as cost changes make their way down
  through the organization in response to a risk
  event.
• Risk-aligned operating budgets react more
  readily, as shown in the diagram, because they
  incorporate triggers for resource reallocation
  based on pre-agreed upon contingency plans.

Changes are swift and precise
Risk-Aligned Operating Budget Process
Traditional Risk and Operating Budget Processes
Based on potential risks and scenarios,
budgets and contingency plans are set.
Triggers lead to a rapid and precise resource
reallocation.
Source Risk Integration Strategy Council
Research..
25
Plan B, C, D

• Lego links the resource allocation process with
  risk management by supplementing its initial
  budget based on the most probable scenario with
  contingency budgets based on identified risk and
  opportunity scenarios.
• To avoid painful re-budgeting in the moment as
  risks materialize, Lego builds contingency
  budgets in advance to enable a faster response.
• Inputs to Create Risk/Opportunity Scenarios
  Include
• Information included in risk database
• Update view of demand
• Information obtained from customers
• Retailer trends by categories
• Objectives by categories

Scenario Development and Resource Allocation
Process Illustrative
1. Senior management develops scenarios based
on probable risks and consumer demand information
2. Budget contingency budget setting
3. Continuous resource adjustments
Apr.
May
June
July
Aug.
Sept.
Oct.
Nov.
Dec.
Jan.

• Scenario A
• Stagnant traditional toy segment
• Classic lines remain stable while new lines show
  limited growth
• Revenue growth 10

Lego creates between 2 and 6 scenarios
depending on the volatility of the market in a
given period. It creates one budget for the
probable scenario and contingency budgets for the
rest.
Source LEGO Risk Integration Strategy Council
Research..
26
Drafting a Contingency Budget

• Lego eliminated the need to create entirely new
  contingency budgets by carefully selecting cost
  categories that may be affected under various
  circumstances.
• Lego builds contingency budgets for less than a
  dozen line items the cost categories included
  must be flexible, variable and have a material
  impact on the budget.
• Lego projects the long-term implications of each
  scenario by detailing month-by-month changes for
  each cost category.

Criteria Used to Isolate Cost Categories to Be
Included in the Contingency Budgets Illustrative
Changes in Material Costs Illustrative
Lego clearly defines what to do in case the
scenario they planned for changes
Source LEGO Risk Integration Strategy Council
Research..
27
Triggering a Contingency Plan

• Lego uses pre-defined triggers to determine
  whether a new scenario has emerged.
• Lego evaluates corporate performance through
  daily flash reports, monthly sales and operating
  reviews and senior-level Operations Board.
• The objective of these analyses and discussions
  is to determine if and how the scenario has
  changed and whether a resource adjustment is
  required.

Decision Making Process to Trigger Resource
Reallocation Illustrative
Performance and Scenarios Monitoring Illustrative
Are we working under the same scenario we planned
for?
No changes required
Are the changes we are observing temporary?
Make temporary adjustments
Implement relevant contingency plan
Performance information is evaluated daily,
monthly and at the Operations Board level to
determine if scenarios have changed and decide on
next steps.
Source LEGO Risk Integration Strategy Council
Research..
28
Risk Management Self Evaluation Framework

• Use this Framework to assess the current status
  of your own Risk Management program and as a
  roadmap for specific improvement opportunities.
• Please check the box next to each individual
  criterion your program achieves.
• Results Guide
• Checks only within Level 1 indicate a risk
  management program on par with approximately 50
  of other companies.
• Three or more checks in Level 2 indicates
  placement in the 75th percentile of risk
  management programs.
• Three or more checks in Level 3 indicates
  placement in the top 10 percent of risk
  management programs.

Source Risk Integration Strategy Council
Research..
29
Additional Resources on Risk Management
Benchmarks, best practices and tools from our
recent research on these topics can be found on
the CFO Executive Boards website, in the Risk
Management Resource Center.
https//cfo.executiveboard.com/Members/DecisionSup
portCenters/Abstract.aspx?cid100053942
30
(No Transcript)