1. Strategic Risk Management as a CFO: Getting Risk Management Right
An overview of recent research and suggested best practices
Bruce McCuaig - Director Solution Marketing GRC
Bob Tizio - VP, GRC Officer – Americas, SAP America Inc.
© 2013
2. Agenda
• Overview of ERM research findings
• The state of ERM today
• Three value questions: a simple strategy for ERM
• 10 questions ERM must answer
• Case Study
• Q&A
11. ERM Today: Still Immature by Comparison
Risk management vs. financial management maturity criteria
Criterion | Financial management | Risk management
Certified professionals | ✓ | ✗
Standardized methodology | ✓ | ✗
Independent audits | ✓ | ✗
Board involvement | ✓ | ✓ ✗
Standardized reporting | ✓ | ✗
Supporting technology | ✓ | ✓
16. Three Value Questions: A Simple Strategy for ERM
Where is the fundamental value of the business?
• Risk Management will only add value if aligned with value drivers
What drives that value?
• Risk Management will only drive results if complex cause/effect relationships are understood
What can cause catastrophic loss or disruptive opportunity?
• ERM professionals must identify emerging risks and opportunities
Caution: Any risk management approach whose only goal is to add controls will simply add cost. Risk responses must reflect risk appetite
19. Items To Be Discussed
• Risk Management Trends
• Prerequisites and Key Factors for Successful Risk Management
• Strategic Risk Management
• Elements of an integrated strategic/operational risk management model
• Providing transparency of risk information
20. Current Challenges Facing Companies And Risk Trends
Risk Management needs to focus on interdependencies & interconnection of risks
• Focus on new & disruptive technologies: Rapid speed of disruptive technological innovations & social networks within the industry. May outpace our ability to compete and manage risks.
• Focus on External Impacts: Overall economic & political conditions. Uncertainty surrounding political leadership affecting markets.
• Focus on Legal and Regulatory Compliance: Regulatory changes and heightening regulatory scrutiny. May affect the manner in which organization's products and services will be delivered.
• Focus on Profitable Growth & Market Penetration: Increasing competition and profitability pressure. Because of market consolidation.
• Focus on Data Protection & Cyber Security: Cyber threats have the potential to significantly disrupt core operations. Compromising privacy & information security protection.
21. The Risk Management Requirements Are Increased
• External view to integrate outside-in risk factors
• Expanded view on risk trends and risk patterns
• Combine operational & strategic risk management
• Linkage of risk trends to operational & strategic targets
Transform risk management from:
• purely operational focus to combine both operational & strategic focus with outside-in views
• compliance view to being a trusted business partner
• being a pure facilitator & reporter to an advisor & supporter role
WHAT
22. Resulting In New Implications For Successful And Effective Risk Management
• Shared targets to achieve business objectives
• Risk management along strategic priorities
• Closer collaboration and integration into business processes
• Senior business people with extensive know-how from the respective areas
• Risk Managers as business enabler
HOW
23. The Right Conditions Of A Risk Management Organization Are Key Factors Of Successful Risk Management
Drive Risk Culture from the Top
Integrate risk management into board area priorities and projects to drive risk management from the top and enable risk managers.
A right organizational setup
A right level of integration throughout the company – global vs. decentralized organization
A tailored risk management approach
One view on risks combining operational and strategic priorities and the integration of risk management into the decision process.
A changed role of a risk manager
Risk managers with business know-how and extensive business experience to give guidance, provide mitigations and risk transparency.
So you can:
• Get closer to the business
• Be involved & integrated
• Have insight into risk trends
• Foster collaboration & business insights
25. Effective Risk Management is Created By The Combination of “Business Partnering” And “Stewardship”
Business Partner
Value-adding risk management services to business
Enable the business to take risk-based decisions at any time…
… while maintaining a level of trust and confidence.
Stewardship
Compliance, Transparency, Policy & Standards
26. Key Success Factor Of A Successful Risk Management Approach Is The Connection Between Bottom-up And Top-down Risk
Strategic Risk Management
with strong focus on strategic targets, initiatives & external trends and factors to identify root causes
Operational Risk Management
with strong focus on financial, operational and compliance targets to identify risk patterns & risk trends
enables
delivers KRIs
End-to-End Risk Management
27. Strategic Risk Management Provides Deeper Insight, Greater Transparency And Enables Risk-based Decision Making
“What are early signs of disruptive change and how do we adapt to emerging risks?”
“The latest competitive move – how does it affect my targets?”
“Do I have the risk business model in place to achieve my strategic targets?”
“Has compliance been ensured in our goals?”
“Which external events (technology, market, economy, political, etc.) could challenge the execution of our strategy and do we have mitigation plans?”
“Do we have the needed transparency and independent risk insight?”
“How do latest disruptive technologies affect my products and buyers' behaviour?”
“Are all teams aligned to execute on our strategic goals?”
External Factors
Internal Factors
28. Strategic Risk Management Combines Different Views on Strategic Risks and Opportunities
Identify challenges not yet visible to management & business owner
Early identification, visibility and unified view of most critical risks and opportunities endangering the achievement of growth & innovation targets
Early identification & development of right response strategy
• Risk related to the execution of targets
• Risk Scenarios
• External Trends & Risk Drivers
• Internal Prediction
Adaptation to changes in the external environment
29. Strategic Risk Management Uses Tools And Services To Get An Independent View On Risks To Support The Strategic Business Objectives
Holistic identification of risks & opportunities related to growth & innovation drivers
Identification of emerging risks and opportunities based on a 360° risk assessment across all board areas involving different stakeholders inside and outside of a strategic initiative, including comprehensive mitigation strategies.
Outside-in view
Earlier adaptation to changes in the external environment through Competitive Market Intelligence (CMI) and engagement with analysts.
Innovative Tools
e.g. “Early Prediction” for strategic initiatives through Wisdom of the Crowd leveraging the knowledge and insight of employees independent from hierarchies.
Interconnectedness & Dependencies
Identification of key interdependencies that affect multiple strategic initiatives and might hinder the overall execution of our strategy.
Significant Material Risks
Early detection of relevant material risks, quite often tail risks, that could potentially materialize and significantly impact the achievement of strategic objectives.
30. The Path To A Risk-smart Business
Strategy Management Process
Risk adjusted
Comprehensive view of potential strategic risks based on external and internal business variables, with regards to their impact on strategic objectives and their relevance to a company's strategic priorities.
Trigger of mitigation steps and corrective actions.
Strategy mapping and Strategic Risk Assessments of selected key risk areas which have the potential to impact our business results and intangible values such as reputation and brand image.
Strategic Risk Assessments of selected strategic initiatives & business cases.
Scenario management & simulation to “stress test” key assumptions and impact
Internal early warning system.
Manage the relationship between strategy performance, risks and controls.
Key risk indicators (KRIs) can be presented alongside key performance indicators (KPIs) to monitor their impact on value drivers.
Strategy Development
Strategy Execution
31. Strategic Risk Management Is Dependent On An Integrated And Effective Operational Risk Management
High Risk Scenarios
• Risk Managers in the Sales & Consulting area assess projects and opportunities based on High-Risk Scenarios
• These High-Risk Scenarios are based on
  • Early warning through KRIs
  • Extensive business experience
  • Database of previous incidents
• This enables risk managers to act as business partner and advisor
Risk Delegation of Authority (RDOA)
• The RDOA is a risk-based decision process:
  • based on SAP's risk appetite
  • to get ownership for appropriate mitigations and approval for residual risks at various levels of the company
  • up to the Executive Board level…
  • leading to full transparency
Executive Risk Committees
• The Executive Risk Committee focuses on top projects and risk trends on a regional level to mitigate possible project risks (bottom up approach).
• Involvement of relevant stakeholders (CFO, COO, risk management, legal, regional management) and top management attention through executive sponsors (e.g. CFO, CEO).
• Top risks and global risk trends are transferred on a global level to evaluate the possible impact and define mitigations
32. The Outcome Of Integrated Risk Management To Effective Corporate Management
• Preparedness to react faster on external trends & factors through early warning & high transparence combined with a high degree of effective mitigations.
• Higher return on risk management investment through tangible business value add of senior risk managers delivering true business value.
• Creation of a risk-aware culture in which people understand their role in contributing to the achievement of objectives.
• Effective combination of operational and strategic risk management through an end2end risk management enables effective execution on strategic targets and goals.
33. Successful Risk Management Requires Appropriate Transparency Of Risk Information
• Need a system to accumulate risk information - we are using SAP's GRC suite.
• Risks are validated by activity owners.
• Operational risk information is provided monthly to key stakeholders.
• Quarterly Board report prepared detailing key strategic and operational risks.
• In process of moving to a consume on demand model for real time risk reporting via iPad reporting.
Editor's Notes
Our survey tells us that standards and practices for ERM are a mess.