Strategic Risk Management as a CFO: Getting Risk Management Right

1. 1© 2013 Strategic Risk Management As a CFO: Getting Risk Management Right An overview of recent research and suggested best practices Bruce McCuaig - Director Solution Marketing GRC Bob Tizio - VP, GRC Officer – Americas, SAP America Inc.

11. 11© 2013 ERM Today: Still Immature by Comparison Risk management vs. Financial management maturity criteria Financial management Risk management Certified professionals a r Standardized methodology a r Independent audits a r Board involvement a ar Standardized reporting a r Supporting technology a a

16. 16© 2013 Three Value Questions: A Simple Strategy for ERM Where is the fundamental value of the business? • Risk Management will only add value if aligned with value drivers What drives that value? • Risk Management will only drive results if complex cause/effect relationships are understood What can cause catastrophic loss or disruptive opportunity? • ERM professionals must identify emerging risks and opportunities Caution: Any risk management approach whose only goal is to add controls will simply add cost. Risk responses must reflect risk appetite

19. 19© 2013 Items To Be Discussed Risk Management Trends Prerequisites and Key Factors for Successful Risk Management Strategic Risk Management Elements of an integrated strategic/operational risk management model Providing transparency of risk information

20. 20© 2013 Current Challenges Facing Companies And Risk Trends Risk Management needs to focus on interdependencies & interconnection of risks Focus on new & disruptive technologies Focus on External Impacts Overall economic & political conditions Uncertainty surrounding political leadership affecting markets Rapid speed of disruptive technological innovations & social networks within the industry May outpace our ability to compete and manage risks. Focus on Legal and Regulatory Compliance Focus on Profitable Growth & Market Penetration Focus on Data Protection & Cyber Security Regulatory changes and heightening regulatory scrutiny May affect the manner in which organization’s products and services will be delivered Increasing competition and profitability pressure Because of market consolidation Cyber threats have the potential to significantly disrupt core operations Compromising privacy & information security protection

21. 21© 2013 The Risk Management Requirements Are Increased External view to integrate outside-in risk factors Expanded view on risk trends and risk patterns Combine operational & strategic risk management Linkage of risk trends to operational & strategic targets Transform risk management from: purely operational focus to combine both operational & strategic focus with outside-in views compliance view to being a trusted business partner being a pure facilitator & reporter to an advisor & supporter role WHAT

22. 22© 2013 Resulting In New Implications For Successful And Effective Risk Management Shared targets to achieve business objectives Risk management along strategic priorities Closer collaboration and integration into business processes Senior business people with extensive know-how from the respective areas Risk Managers as business enabler HOW

23. 23© 2013 The Right Conditions Of A Risk Management Organization Are Key Factors Of Successful Risk Management Drive Risk Culture from the Top Integrate risk management into board area priorities and projects to drive risk management from the top and enable risk managers. A right organizational setup A right level of integration throughout the company – global vs. decentralized organization A tailored risk management approach One view on risks combining operational and strategic priorities and the integration of risk management into the decision process. A changed role of a risk manager Risk managers with business know-how and extensive business experience to give guidance, provide mitigations and risk transparency. So you can: • Get closer to the business • Be involved & integrated • Have insight into risk trends • Foster collaboration & business insights

25. 25© 2013 Effective Risk Management is Created By The Combination of “Business Partnering” And “Stewardship” … while maintaining a level of trust and confidence. Stewardship Compliance, Transparency, Policy & Standards Enable the business to take risk-based decisions at any time… Business Partner Value-adding risk management services to business

26. 26© 2013 Key Success Factor Of A Successful Risk Management Approach Is The Connection Between Bottom-up And Top-down Risk Strategic Risk Management with strong focus on strategic targets, initiatives & external trends and factors to identify root causes Operational Risk Management with strong focus on financial, operational and compliance targets to identify risk patterns & risk trends enables deliversKRIs End-to-End Risk Management

27. 27© 2013 enables deliversKRIs “What are early signs of disruptive change and how do we adapt to emerging risks?” “The latest competitive move – how does it affect my targets?” “Do I have the risk business model in place to achieve my strategic targets?” “Has compliance been ensured in our goals?” “Which external events (technology, market, economy, political, etc.) could challenge the execution of our strategy and do we have mitigation plans?” “Do we have the needed transparency and independent risk insight?” “How do latest disruptive technologies affect my products and buyers behaviour?” “Are all teams aligned to execute on our strategic goals?” External Factors Internal Factors Strategic Risk Management Provides Deeper Insight, Greater Transparency And Enables Risk-based Decision Making

28. 28© 2013 Strategic Risk Management Combines Different Views on Strategic Risks and Opportunities Identify challenges not yet visible to management & business owner Earlyidentification,visibilityandunifiedviewofmost criticalrisksandopportunitiesendangeringthe achievementofgrowth&innovationtargets Early identification & development of right response strategy Risk related to the execution of targets Risk Scenarios External Trends & Risk Drivers Internal Prediction Adaptationtochangesintheexternal environment enables deliversKRIs “What are early signs of disruptive change and how di we adapt to emerging risks?” “The latest competitive move – how does it affect my targets?” “Do I have the risk business model in place to achieve my strategic targets?” “Has compliance been ensured in our goals?” “Which external events (technology, market, economy, political, etc.) could challenge the execution of our strategy and do we have mitigation plans?” “Do we have the needed transparency and independent risk insight?” “How do latest disruptive technologies affect my products and buyers behaviour?” “Are all teams aligned to execute on our strategic goals?”

29. 29© 2013 Strategic Risk Management Uses Tools And Services To Get An Independent View On Risks To Support The Strategic Business Objectives Holistic identification of risks & opportunities related to growth & innovation drivers Identification of emerging risks and opportunities based on a 360° risk assessment across all board areas involving different stakeholders inside and outside of a strategic initiative, including comprehensive mitigation strategies. Outside-in view Earlier adaptation to changes in the external environment through Competitive Market Intelligence (CMI) and engagement with analysts. Innovative Tools e.g. “Early Prediction” for strategic initiatives through Wisdom of the Crowd leveraging the knowledge and insight of employees independent from hierarchies. Interconnectedness & Dependencies Identification of key interdependencies that affect multiple strategic initiatives and might hinder the overall execution of our strategy. Significant Material Risks Early detection of relevant material risks, quite often tail risks, that could potentially materialize and significantly impact the achievement of strategic objectives.

30. 30© 2013 The Path To A Risk-smart Business R Strategy Management Process Risk adjusted Riskadjusted Riskadjusted Risk adjusted Comprehensive view of potential strategic risks based on external and internal business variables, with regards to their impact on strategic objectives and their relevance to a company’s strategic priorities. Trigger of mitigation steps and corrective actions. . Strategy mapping and Strategic Risk Assessments of selected key risk areas which have the potential to impact our business results and intangible values such as reputation and brand image. Strategic Risk Assessments of selected strategic initiatives & business cases. Scenario management & simulation to “stress test“ key assumptions and impact Internal early warning system. . Manage the relationship between strategy performance, risks and controls. Key risk indicators (KRIs) can be presented alongside key performance indicators (KPIs) to monitor their impact on value drivers. Strategy Development Strategy Execution

31. 31© 2013 Strategic Risk Management Is Dependent On An Integrated And Effective Operational Risk Management • Risk Managers in the Sales & Consulting area assess projects and opportunities based on High-Risk Scenarios • These High-Risk Scenarios are based on • Early warning through KRIs • Extensive business experience • Database of previous incidents • This enables risk managers to act as business partner and advisor • The RDOA is a risk-based decision process: • based on SAP’s risk appetite • to get ownership for appropriate mitigations and approval for residual risks at various levels of the company • up to the Executive Board level… • leading to full transparency • The Executive Risk Committee focuses on top projects and risk trends on a regional level to mitigate possible project risks (bottom up approach). • Involvement of relevant stakeholders (CFO, COO, risk management, legal, regional management) and top management attention through executive sponsors (e.g. CFO, CEO). • Top risks and global risk trends are transferred on a global level to evaluate the possible impact and define mitigations High Risk Scenarios Risk Delegation of Authority (RDOA) Executive Risk Committees

32. 32© 2013 The Outcome Of Integrated Risk Management To Effective Corporate Management Preparedness to react faster on external trends & factors through early warning & high transparence combined with a high degree of effective mitigations. Higher return on risk management investment through tangible business value add of senior risk managers delivering true business value. Creation of a risk- aware culture in which people understand their role in contributing to the achievement of objectives. Effective combination of operational and strategic risk management through an end2end risk management enables effective execution on strategic targets and goals.

33. 33© 2013 Successful Risk Management Requires Appropriate Transparency Of Risk Information Need a system to accumulate risk information- we are using SAP’s GRC suite. Risks are validated by activity owners. Operational risk information is provided monthly to key stakeholders. Quarterly Board report prepared detailing key strategic and operational risks. In process of moving to a consume on demand model for real time risk reporting via Ipad reporting.

Strategic Risk Management as a CFO: Getting Risk Management Right

Proformative, Inc.

Strategic Risk Management as a CFO: Getting Risk Management Right