1© 2013
Strategic Risk Management
As a CFO: Getting Risk
Management Right
An overview of recent research and suggested best
practices
Bruce McCuaig - Director Solution Marketing GRC
Bob Tizio - VP, GRC Officer – Americas, SAP America Inc.
2© 2013
Agenda
• Overview of ERM research findings
• The state of ERM today
• Three value questions: a simple strategy for ERM
• 10 questions ERM must answer
• Case Study
• Q&A
3© 2013
Risk Management Is
Growing In Importance
4© 2013
Investment in ERM Technology is Lagging
5© 2013
Enterprise-wide View of Exposures is Poor
6© 2013
Surprises Are Persistent
7© 2013
Qualitative Approaches Are Used for ERM
8© 2013
Enterprise Level Risk Inventories Are
Emerging Slowly
9© 2013
Integration Is Gaining Recognition
10© 2013
Integrated Approaches Are
Exceeding Expectations
11© 2013
ERM Today: Still Immature by Comparison
Risk management vs. financial management maturity criteria
Criterion                   Financial management   Risk management
Certified professionals     ✓                      ✗
Standardized methodology    ✓                      ✗
Independent audits          ✓                      ✗
Board involvement           ✓                      ✓✗
Standardized reporting      ✓                      ✗
Supporting technology       ✓                      ✓
12© 2013
ERM Today: Still Siloed After All These Years
“Silo” or “Stove-pipe” Risk Management
• Market Risks
• Operations Risks
• Finance Risks
• Human Capital Risks
• IT Risks
• Legal Risks
• Supply Chain Risks
13© 2013
ERM Today: “Control” Paradigms Dominate
14© 2013
ERM Today: Risk Reporting is Evolving
15© 2013
ERM Today: Monitoring and Review is Weak
16© 2013
Three Value Questions:
A Simple Strategy for ERM
Where is the
fundamental
value of the
business?
• Risk Management will
only add value if
aligned with value
drivers
What drives that
value?
• Risk Management will
only drive results if
complex cause/effect
relationships are
understood
What can cause
catastrophic loss
or disruptive
opportunity?
• ERM professionals
must identify
emerging risks and
opportunities
Caution: Any risk management
approach whose only goal is to add
controls will simply add cost. Risk
responses must reflect risk appetite
17© 2013
Ten Questions for Getting ERM Right
18© 2013
Risk Management As A Factor Of
Success And An Integral Part Of
Effective Corporate Management
19© 2013
Items To Be Discussed
Risk Management Trends
Prerequisites and Key Factors for Successful Risk
Management
Strategic Risk Management
Elements of an integrated strategic/operational risk
management model
Providing transparency of risk information
20© 2013
Current Challenges Facing
Companies And Risk Trends
Risk Management needs to focus on interdependencies & interconnection of risks
• Focus on new & disruptive technologies: Rapid speed of disruptive technological innovations & social networks within the industry. May outpace our ability to compete and manage risks.
• Focus on External Impacts: Overall economic & political conditions. Uncertainty surrounding political leadership affecting markets.
• Focus on Legal and Regulatory Compliance: Regulatory changes and heightening regulatory scrutiny. May affect the manner in which the organization’s products and services will be delivered.
• Focus on Profitable Growth & Market Penetration: Increasing competition and profitability pressure. Because of market consolidation.
• Focus on Data Protection & Cyber Security: Cyber threats have the potential to significantly disrupt core operations. Compromising privacy & information security protection.
21© 2013
The Risk Management
Requirements Are Increased
• External view to integrate outside-in risk factors
• Expanded view on risk trends and risk patterns
• Combine operational & strategic risk management
• Linkage of risk trends to operational & strategic targets
Transform risk management from:
• purely operational focus to combine both operational & strategic focus with outside-in views
• compliance view to being a trusted business partner
• being a pure facilitator & reporter to an advisor & supporter role
WHAT
22© 2013
Resulting In New Implications For Successful
And Effective Risk Management
• Shared targets to achieve business objectives
• Risk management along strategic priorities
• Closer collaboration and integration into business processes
• Senior business people with extensive know-how from the respective areas
• Risk Managers as business enabler
HOW
23© 2013
The Right Conditions Of A Risk Management Organization
Are Key Factors Of Successful Risk Management
• Drive Risk Culture from the Top: Integrate risk management into board area priorities and projects to drive risk management from the top and enable risk managers.
• A right organizational setup: A right level of integration throughout the company – global vs. decentralized organization
• A tailored risk management approach: One view on risks combining operational and strategic priorities and the integration of risk management into the decision process.
• A changed role of a risk manager: Risk managers with business know-how and extensive business experience to give guidance, provide mitigations and risk transparency.
So you can:
• Get closer to the business
• Be involved & integrated
• Have insight into risk trends
• Foster collaboration & business insights
24© 2013
SAP’s Global Governance Structure
25© 2013
Effective Risk Management is
Created By The Combination of
“Business Partnering” And “Stewardship”
• Business Partner: Value-adding risk management services to business
• Stewardship: Compliance, Transparency, Policy & Standards
Enable the business to take risk-based decisions at any time… while maintaining a level of trust and confidence.
26© 2013
Key Success Factor Of A Successful Risk
Management Approach Is The Connection
Between Bottom-up And Top-down Risk
Strategic Risk Management
with strong focus on strategic targets, initiatives
& external trends and factors
to identify root causes
Operational Risk Management
with strong focus on financial, operational and compliance
targets
to identify risk patterns & risk trends
enables
delivers KRIs
End-to-End Risk Management
27© 2013
enables
delivers KRIs
“What are early
signs of disruptive
change and how do
we adapt to
emerging risks?”
“The latest
competitive move –
how does it affect
my targets?”
“Do I have the risk
business model in
place to achieve my
strategic targets?”
“Has compliance
been ensured in our
goals?”
“Which external events
(technology, market, economy,
political, etc.) could challenge the
execution of our strategy and do
we have mitigation plans?”
“Do we have the
needed
transparency and
independent risk
insight?”
“How do latest
disruptive
technologies affect
my products and
buyers’ behaviour?”
“Are all teams
aligned to execute
on our strategic
goals?”
External Factors
Internal Factors
Strategic Risk Management Provides Deeper
Insight, Greater Transparency And Enables
Risk-based Decision Making
28© 2013
Strategic Risk Management Combines Different
Views on Strategic Risks and Opportunities
Identify challenges not yet visible to management & business owner
Early identification, visibility and unified view of most critical risks and opportunities endangering the achievement of growth & innovation targets
Early identification & development of right response strategy
Risk
related to
the
execution
of targets
Risk
Scenarios
External
Trends &
Risk
Drivers
Internal
Prediction
Adaptation to changes in the external environment
enables
delivers KRIs
“What are early
signs of disruptive
change and how do
we adapt to
emerging risks?”
“The latest
competitive move –
how does it affect
my targets?”
“Do I have the risk
business model in
place to achieve my
strategic targets?”
“Has compliance
been ensured in our
goals?”
“Which external events
(technology, market, economy,
political, etc.) could challenge the
execution of our strategy and do we
have mitigation plans?”
“Do we have the
needed
transparency and
independent risk
insight?”
“How do latest
disruptive
technologies affect
my products and
buyers’ behaviour?”
“Are all teams
aligned to execute
on our strategic
goals?”
29© 2013
Strategic Risk Management Uses Tools And
Services To Get An Independent View On Risks To
Support The Strategic Business Objectives
• Holistic identification of risks & opportunities related to growth & innovation drivers: Identification of emerging risks and opportunities based on a 360° risk assessment across all board areas involving different stakeholders inside and outside of a strategic initiative, including comprehensive mitigation strategies.
• Outside-in view: Earlier adaptation to changes in the external environment through Competitive Market Intelligence (CMI) and engagement with analysts.
• Innovative Tools: e.g. “Early Prediction” for strategic initiatives through Wisdom of the Crowd leveraging the knowledge and insight of employees independent from hierarchies.
• Interconnectedness & Dependencies: Identification of key interdependencies that affect multiple strategic initiatives and might hinder the overall execution of our strategy.
• Significant Material Risks: Early detection of relevant material risks, quite often tail risks, that could potentially materialize and significantly impact the achievement of strategic objectives.
30© 2013
The Path To A Risk-smart Business
R
Strategy
Management
Process
Risk adjusted
Risk adjusted
Risk adjusted
Risk adjusted
Comprehensive view of
potential strategic risks
based on external and
internal business
variables, with regards to
their impact on strategic
objectives and their
relevance to a company’s
strategic priorities.
Trigger of mitigation
steps and corrective
actions.
Strategy mapping and Strategic Risk Assessments of selected key risk areas which have the
potential to impact our business results and intangible values such as reputation and brand image.
Strategic Risk
Assessments of selected
strategic initiatives &
business cases.
Scenario management & simulation to “stress test” key assumptions and impact
Internal early warning
system.
Manage the relationship between strategy performance, risks and controls.
Key risk indicators (KRIs) can be presented alongside key performance indicators (KPIs)
to monitor their impact on value drivers.
Strategy Development
Strategy Execution
31© 2013
Strategic Risk Management Is Dependent On An
Integrated And Effective Operational Risk Management
High Risk Scenarios
• Risk Managers in the Sales & Consulting area assess projects and opportunities based on High-Risk Scenarios
• These High-Risk Scenarios are based on:
  • Early warning through KRIs
  • Extensive business experience
  • Database of previous incidents
• This enables risk managers to act as business partner and advisor
Risk Delegation of Authority (RDOA)
• The RDOA is a risk-based decision process:
  • based on SAP’s risk appetite
  • to get ownership for appropriate mitigations and approval for residual risks at various levels of the company
  • up to the Executive Board level…
  • leading to full transparency
Executive Risk Committees
• The Executive Risk Committee focuses on top projects and risk trends on a regional level to mitigate possible project risks (bottom up approach).
• Involvement of relevant stakeholders (CFO, COO, risk management, legal, regional management) and top management attention through executive sponsors (e.g. CFO, CEO).
• Top risks and global risk trends are transferred on a global level to evaluate the possible impact and define mitigations
32© 2013
The Outcome Of Integrated Risk Management
To Effective Corporate Management
• Preparedness to react faster on external trends & factors through early warning & high transparency combined with a high degree of effective mitigations.
• Higher return on risk management investment through tangible business value add of senior risk managers delivering true business value.
• Creation of a risk-aware culture in which people understand their role in contributing to the achievement of objectives.
• Effective combination of operational and strategic risk management through an end2end risk management enables effective execution on strategic targets and goals.
33© 2013
Successful Risk Management Requires
Appropriate Transparency Of Risk Information
• Need a system to accumulate risk information; we are using SAP’s GRC suite.
• Risks are validated by activity owners.
• Operational risk information is provided monthly to key stakeholders.
• Quarterly Board report prepared detailing key strategic and operational risks.
• In process of moving to a consume-on-demand model for real time risk reporting via iPad reporting.
34© 2013
iPad Application for Real Time Risk Reporting
35© 2013
Thank You!
Strategic Risk Management As a CFO:
Getting Risk Management Right
36© 2013
Thank You Sponsors!
PLATINUM
GOLD
SILVER
DIAMOND

Editor's Notes

  1. Our survey tells us that standards and practices for ERM are a mess.