Video & Presentation: http://www.proformative.com/events/strategic-risk-management-cfo-getting-risk-management-right Enterprise Risk Management should be simple. Unfortunately, companies are responding to regulators and business imperatives to improve their risk management practices, all the while aligning with business strategy and performance as well as capital allocation. Leading practitioners are seeking insight and value from risk management and are using risk management to focus audit and compliance activities. In fact independent research commissioned by SAP and others suggests many successful ERM initiatives still make little use of the increasingly sophisticated technology available. This session will summarize recent research by SAP and others on the state of ERM and will provide simple, practical strategies for how Finance can drive risk management practices that build success and add value. Speakers: Bob Tizio, GRC Officer-Americas, SAP America Inc. Bruce McCuaig, Director, Solution Marketing for Governance Risk & Compliance, SAP Presentation delivered at CFO Dimensions 2013 - http://www.cfodimensions.com Track: Finance Technology | Session: 5

1. 1© 2013
Strategic Risk Management
As a CFO: Getting Risk
Management Right
An overview of recent research and suggested best
practices
Bruce McCuaig - Director Solution Marketing GRC
Bob Tizio - VP, GRC Officer – Americas, SAP America Inc.

2. 2© 2013
Agenda
• Overview of ERM research findings
• The state of ERM today
• Three value questions: a simple strategy for ERM
• 10 questions ERM must answer
• Case Study
• Q&A

3. 3© 2013
Risk Management Is
Growing In Importance

4. 4© 2013
Investment in ERM Technology is Lagging

5. 5© 2013
Enterprise-wide View of Exposures is Poor

6. 6© 2013
Surprises Are Persistent

7. 7© 2013
Qualitative Approaches Are Used for ERM

8. 8© 2013
Enterprise Level Risk Inventories Are
Emerging Slowly

9. 9© 2013
Integration Is Gaining Recognition

10. 10© 2013
Integrated Approaches Are
Exceeding Expectations

11. 11© 2013
ERM Today: Still Immature by Comparison
Risk management vs. Financial
management maturity criteria
Financial
management
Risk
management
Certified professionals a r
Standardized methodology a r
Independent audits a r
Board involvement a ar
Standardized reporting a r
Supporting technology a a

12. 12© 2013
Market
Risks
OperationsRisks
Finance
Risks
Human
Capital
Risks
IT
Risks
Legal
Risks
Supply
Chain
Risks
“Silo” or “Stove-pipe” Risk Management
ERM Today: Still Siloed After All These Years

13. 13© 2013
ERM Today: “Control” Paradigms Dominate

14. 14© 2013
ERM Today: Risk Reporting is Evolving

15. 15© 2013
ERM Today: Monitoring and Review is Weak

16. 16© 2013
Three Value Questions:
A Simple Strategy for ERM
Where is the
fundamental
value of the
business?
• Risk Management will
only add value if
aligned with value
drivers
What drives that
value?
• Risk Management will
only drive results if
complex cause/effect
relationships are
understood
What can cause
catastrophic loss
or disruptive
opportunity?
• ERM professionals
must identify
emerging risks and
opportunities
Caution: Any risk management
approach whose only goal is to add
controls will simply add cost. Risk
responses must reflect risk appetite

17. 17© 2013
Ten Questions for Getting ERM Right

18. 18© 2013
Risk Management As A Factor Of
Success And An Integral Part Of
Effective Corporate Management

19. 19© 2013
Items To Be Discussed
Risk Management Trends
Prerequisites and Key Factors for Successful Risk
Management
Strategic Risk Management
Elements of an integrated strategic/operational risk
management model
Providing transparency of risk information

20. 20© 2013
Current Challenges Facing
Companies And Risk Trends
Risk Management needs to focus on interdependencies & interconnection of risks
Focus on
new &
disruptive
technologies
Focus on
External
Impacts
Overall economic
& political
conditions
Uncertainty
surrounding political
leadership affecting
markets
Rapid speed of
disruptive
technological
innovations &
social networks
within the industry
May outpace our
ability to compete and
manage risks.
Focus on
Legal and
Regulatory
Compliance
Focus on
Profitable
Growth &
Market
Penetration
Focus on
Data
Protection &
Cyber
Security
Regulatory changes
and heightening
regulatory scrutiny
May affect the manner
in which
organization’s
products and services
will be delivered
Increasing
competition and
profitability
pressure
Because of market
consolidation
Cyber threats have
the potential to
significantly disrupt
core operations
Compromising
privacy
& information
security protection

21. 21© 2013
The Risk Management
Requirements Are Increased
External view
to integrate
outside-in
risk factors
Expanded
view on risk
trends and
risk patterns
Combine
operational &
strategic risk
management
Linkage of
risk trends to
operational &
strategic
targets
Transform risk management from:
purely operational focus to combine both operational & strategic
focus with outside-in views
compliance view to being a trusted business partner
being a pure facilitator & reporter to an advisor & supporter role
WHAT

22. 22© 2013
Resulting In New Implications For Successful
And Effective Risk Management
Shared targets
to achieve
business
objectives
Risk
management
along strategic
priorities
Closer
collaboration
and integration
into business
processes
Senior business
people with
extensive
know-how
from the
respective
areas
Risk Managers as
business
enabler
HOW

23. 23© 2013
The Right Conditions Of A Risk Management Organization
Are Key Factors Of Successful Risk Management
Drive Risk Culture from the Top
Integrate risk management into board area
priorities and projects to drive risk
management from the top and enable risk
managers.
A right organizational setup
A right level of integration throughout the
company – global vs. decentralized
organization
A tailored risk management approach
One view on risks combining operational and
strategic priorities and the integration of risk
management into the decision process.
A changed role of a risk manager
Risk managers with business know-how and
extensive business experience to give
guidance, provide mitigations and risk
transparency.
So you can:
• Get closer to the business
• Be involved & integrated
• Have insight into risk trends
• Foster collaboration &
business insights

24. 24© 2013
SAP’s Global Governance Structure

25. 25© 2013
Effective Risk Management is
Created By The Combination of
“Business Partnering” And “Stewardship”
… while maintaining a
level of trust and
confidence.
Stewardship
Compliance, Transparency,
Policy & Standards
Enable the business to take
risk-based decisions at any
time…
Business Partner
Value-adding risk management
services to business

26. 26© 2013
Key Success Factor Of A Successful Risk
Management Approach Is The Connection
Between Bottom-up And Top-down Risk
Strategic Risk Management
with strong focus on strategic targets, initiatives
& external trends and factors
to identify root causes
Operational Risk Management
with strong focus on financial, operational and compliance
targets
to identify risk patterns & risk trends
enables
deliversKRIs
End-to-End Risk Management

27. 27© 2013
enables
deliversKRIs
“What are early
signs of disruptive
change and how do
we adapt to
emerging risks?”
“The latest
competitive move –
how does it affect
my targets?”
“Do I have the risk
business model in
place to achieve my
strategic targets?”
“Has compliance
been ensured in our
goals?”
“Which external events
(technology, market, economy,
political, etc.) could challenge the
execution of our strategy and do
we have mitigation plans?”
“Do we have the
needed
transparency and
independent risk
insight?”
“How do latest
disruptive
technologies affect
my products and
buyers behaviour?”
“Are all teams
aligned to execute
on our strategic
goals?”
External Factors
Internal Factors
Strategic Risk Management Provides Deeper
Insight, Greater Transparency And Enables
Risk-based Decision Making

28. 28© 2013
Strategic Risk Management Combines Different
Views on Strategic Risks and Opportunities
Identify challenges not yet visible to management & business owner
Earlyidentification,visibilityandunifiedviewofmost
criticalrisksandopportunitiesendangeringthe
achievementofgrowth&innovationtargets
Early identification & development of right response strategy
Risk
related to
the
execution
of targets
Risk
Scenarios
External
Trends &
Risk
Drivers
Internal
Prediction
Adaptationtochangesintheexternal
environment
enables
deliversKRIs
“What are early
signs of disruptive
change and how di
we adapt to
emerging risks?”
“The latest
competitive move –
how does it affect
my targets?”
“Do I have the risk
business model in
place to achieve my
strategic targets?”
“Has compliance
been ensured in our
goals?”
“Which external events
(technology, market, economy,
political, etc.) could challenge the
execution of our strategy and do we
have mitigation plans?”
“Do we have the
needed
transparency and
independent risk
insight?”
“How do latest
disruptive
technologies affect
my products and
buyers behaviour?”
“Are all teams
aligned to execute
on our strategic
goals?”

29. 29© 2013
Strategic Risk Management Uses Tools And
Services To Get An Independent View On Risks To
Support The Strategic Business Objectives
Holistic identification of
risks & opportunities
related to growth &
innovation drivers
Identification of emerging
risks and opportunities based
on a 360° risk assessment
across all board areas
involving different
stakeholders inside and
outside of a strategic initiative,
including comprehensive
mitigation strategies.
Outside-in view
Earlier adaptation to
changes in the
external environment
through Competitive
Market Intelligence
(CMI) and
engagement with
analysts.
Innovative Tools
e.g. “Early Prediction” for
strategic initiatives through
Wisdom of the Crowd
leveraging the knowledge
and insight of employees
independent from
hierarchies.
Interconnectedness
& Dependencies
Identification of key
interdependencies that
affect multiple strategic
initiatives and might
hinder the overall
execution of our strategy.
Significant
Material Risks
Early detection of
relevant material risks,
quite often tail risks,
that could potentially
materialize and
significantly impact
the achievement of
strategic objectives.

30. 30© 2013
The Path To A Risk-smart Business
R
Strategy
Management
Process
Risk adjusted
Riskadjusted
Riskadjusted
Risk adjusted
Comprehensive view of
potential strategic risks
based on external and
internal business
variables, with regards to
their impact on strategic
objectives and their
relevance to a company’s
strategic priorities.
Trigger of mitigation
steps and corrective
actions.
.
Strategy mapping and Strategic Risk Assessments of selected key risk areas which have the
potential to impact our business results and intangible values such as reputation and brand image.
Strategic Risk
Assessments of selected
strategic initiatives &
business cases.
Scenario management &
simulation to “stress
test“ key assumptions and
impact
Internal early warning
system.
.
Manage the relationship between strategy performance, risks and controls.
Key risk indicators (KRIs) can be presented alongside key performance indicators (KPIs)
to monitor their impact on value drivers.
Strategy Development
Strategy Execution

31. 31© 2013
Strategic Risk Management Is Dependent On An
Integrated And Effective Operational Risk Management
• Risk Managers in the Sales &
Consulting area assess projects
and opportunities based on
High-Risk Scenarios
• These High-Risk Scenarios are
based on
• Early warning through KRIs
• Extensive business
experience
• Database of previous
incidents
• This enables risk managers to
act as business partner and
advisor
• The RDOA is a risk-based decision
process:
• based on SAP’s risk appetite
• to get ownership for appropriate
mitigations and approval for residual
risks at various levels of the company
• up to the Executive Board level…
• leading to full transparency
• The Executive Risk Committee
focuses on top projects and risk
trends on a regional level to mitigate
possible project risks (bottom up
approach).
• Involvement of relevant
stakeholders (CFO, COO, risk
management, legal, regional
management) and top management
attention through executive
sponsors (e.g. CFO, CEO).
• Top risks and global risk trends are
transferred on a global level to
evaluate the possible impact and
define mitigations
High Risk Scenarios Risk Delegation of Authority
(RDOA)
Executive Risk Committees

32. 32© 2013
The Outcome Of Integrated Risk Management
To Effective Corporate Management
Preparedness to react
faster on external
trends & factors
through early warning &
high transparence
combined with a high
degree of effective
mitigations.
Higher return on risk
management
investment through
tangible business
value add of senior risk
managers delivering
true business value.
Creation of a risk-
aware culture in which
people understand their
role in contributing to
the achievement of
objectives.
Effective combination
of operational and
strategic risk
management through
an end2end risk
management enables
effective execution on
strategic targets and
goals.

33. 33© 2013
Successful Risk Management Requires
Appropriate Transparency Of Risk Information
Need a system to accumulate risk information- we are
using SAP’s GRC suite.
Risks are validated by activity owners.
Operational risk information is provided monthly to key
stakeholders.
Quarterly Board report prepared detailing key strategic
and operational risks.
In process of moving to a consume on demand model
for real time risk reporting via Ipad reporting.

34. 34© 2013
iPad Application for Real Time Risk Reporting

35. 35© 2013
Thank You!
Strategic Risk Management As a CFO:
Getting Risk Management Right

36. 36© 2013
Thank You Sponsors!
PLATINUM
GOLD
SILVER
DIAMOND