Title: Building Agility and Resilience into Risk Management Systems
Slide 1: Building Agility and Resilience into Risk
Management Systems
FINANCE STRATEGY PRACTICE CFO Executive Board
Findings from our 2009 Research
Slide 2: Executive Summary
Leading organizations have taken some simple
steps to improve their capacity for sensing and
responding to emerging risks.
While many organizations have locked down their
response to the risks presented by the current
financial crisis, they are now focused on better
understanding an operating environment
characterized by a high degree of economic
uncertainty and consequent market volatility. It
comes as no surprise, then, that CFOs have
increased their investment in risk management
processes in an effort to better sense and
prepare for over-the-horizon risks.
Unfortunately, traditional risk management
approaches promote a check-the-box mentality,
incentivizing management to focus the majority of
its efforts on process improvement rather than
mitigation planning and directly preparing for
significant emerging risks. Through the course
of our research we found that a number of
companies have successfully modified their risk
sensing and response mechanisms to make their
organizations more effective at anticipating and
responding to emerging risks. The key steps
they've taken are further described in this brief.
If you are interested in learning more about this
research, please contact Anna Kipchuk at
kipchuka_at_executiveboard.com
Three Steps for Improving Risk Agility
1. Use forward-looking risk indicators and
   prediction markets to swiftly identify emerging
   risks.
2. Consider the speed at which risks will impact the
   organization when prioritizing and escalating
   risks.
3. Use scenario planning to ensure budgets and
   resource allocation decisions stay relevant to a
   changing environment.
Slide 3: A (Loud) Wake-Up Call
When making new investments in risk management,
avoid the same mistakes that made ERM ineffective
heading into this downturn.
Top Drivers for Risk Management Investments in
2009
2009 Average Increase in Risk Management Budgets
- In spite of falling Finance budgets, risk is one
  of the few areas where CFOs are increasing
  investments in 2009, specifically risk tracking,
  reporting and consulting services.
- These investments are being driven from the very
  top of the organization in response to a greater
  need for broader risk sensing and mitigation
  capabilities.
- In light of this renewed focus on risk, CFOs must
  avoid making the same mistakes that caused their
  existing risk management frameworks to fall short
  in helping to predict and prepare for this
  downturn.
What Went Wrong with Risk Management?
- Misguided Focus on Risk Detection Rather Than
  Risk Agility: Despite the increasing volatility
  of internal and external risk environments,
  companies focused on risk detection rather than
  creating an agile, risk-ready organization.
- Compliance Risk Outweighs Business Risk in
  Governance: Management and Boards over-invested
  in managing compliance-related risks,
  inadvertently crowding out scrutiny of business
  risks and the underlying assumptions in corporate
  strategy.
- ERM Systems Created a Check-the-Box Mentality:
  ERM systems can provide good hygiene and
  visibility, but companies focused 80% of their
  energies on technical assessments and 20% or less
  on actual management of risks and opportunities.
- Focus on Affirming Risk Assumptions Rather than
  Negation: Risk reporting meant compiling
  aggregate data to support management's risk
  assumptions, rather than testing the validity of
  the assumptions against outliers, abnormalities,
  and alternative frames of reference.
- Oversimplification of Risk Metrics: Not all risks
  are created equal or distributed normally.
  However, companies did not take a differentiated
  approach to risk evaluation, management or
  escalation for various types of risks, especially
  fat-tail risks.
Source: Aberdeen Group, "Enterprise Risk
Management: The Art of Avoiding Unpleasant
Surprises", February 2009; Financial Times; Risk
Integration Strategy Council research.
Slide 4: Many New-to-World Risks
The emergence of new critical risk areas
escalates the need to reevaluate fundamental risk
assessment and mitigation processes.
Audit Plan Hot Spots Dashboard 2007-2009
- Our research finds that most companies do not
have a mechanism for continually assessing new
risks and making changes to audit plans or other
risk frameworks at a speed that reflects the
rapidly changing risk environment.
Source: Audit Director Roundtable research.
Slide 5: A Case for Risk Agility
Standard risk management processes place too much
onus on process management, reducing executive
time spent on more valuable risk mitigation
activities.
Incorrect Prioritization: Allocation of Board and
Management Resources on Risk Management
Figure labels: Risk Management; Risk Processes
Senior management spend 80% of their time on risk
processes (completing forms and evaluating risks)
and only 20% of their energy actively managing
risks and opportunities.
- Research from MIT shows that companies that
  over-invest in active management of risks and
  opportunities (risk agility) tend to outperform
  their peers in both sales and margin growth,
  adding evidence for the case that executives need
  to allocate more time to direct risk management.
Chart: The Case for Agility, 2002-2004, MIT-CISR
Chart: The Importance of Agility to Overall Business
Success, EIU 2009 Survey (response categories:
Unimportant; Neutral; Important or Extremely Important)
n = 349 Business Executives and Board Members
n = 649
Source: Corporate Strategy Board research; Risk
Integration Strategy Council research.
Slide 6: Building Risk Agility
Improving organizational risk agility
requires changes to risk identification,
assessment, and response behaviors.
Three Steps to Risk Agility: Organizations Should
Incorporate Agility into All Aspects of the Risk
Management Process
Timeline of a Risk Event: Risk Identification,
Risk Assessment, Resource Mobilization
- Risk Identification: Traditional identification is
  a largely static and calendar-driven process,
  reliant on lagging indicators and the knowledge of
  a few individuals.
- Risk Assessment: Traditional risk assessments,
  which focus on impact and likelihood, fail to take
  into account the velocity of risk and may be
  outpaced by swiftly emerging risks.
- Resource Mobilization: Traditional resource
  allocation is calendar-driven, thus budgets and
  resource allocation decisions quickly become
  obsolete in the face of a changing business
  environment.
The three steps:
- Early Risk Detection: Use forward-looking risk
  indicators and prediction markets to swiftly
  identify emerging risks.
- Risk Velocity Sensing: Consider the speed at which
  risks will impact the organization when
  prioritizing and escalating risks.
- Rapid Resource Mobilization: Use scenario planning
  to ensure budgets and resource allocation
  decisions stay relevant to a changing environment.
Slide 7: Improving Risk Agility
1. Early Risk Detection: Use forward-looking risk
   indicators and prediction markets to swiftly
   identify emerging risks.
   - Use leading indicators of significant risk
     events to anticipate them and prepare.
     Traditional risk identification frameworks rely
     on lagging financial and operating metrics to
     confirm, rather than predict or test resiliency
     of current plans.
   - Tap into organizational risk intelligence using
     prediction markets to anticipate and respond to
     risk. Risk management by committee fails to
     sustain focus on key risks and capture changes
     in a timely manner, but tools like prediction
     markets can improve continuous monitoring of
     probable risk events.
2. Risk Velocity Sensing: Consider the speed at
   which risks will impact the organization when
   prioritizing and escalating risks.
3. Rapid Resource Mobilization: Use scenario
   planning to ensure budgets and resource
   allocation decisions stay relevant to a changing
   environment.
Slide 8: Numbers to Manage By
Traditional risk monitoring relies on
cataloguing and assessment of a broad range of
lagging indicators which fail to anticipate
emerging risks across the enterprise.
Expanding the Universe of Risk Metrics and
Owners
- Financial Risk
- Market/Credit Risk
- Fraud
- Tax Risk
- Operational Risk
- R&D
- Supply Chain
- Sales and Marketing
- Business Continuity
- Internal Processes and Controls
- HR Risk
- Compliance
- Health and Safety
- Litigation
- Contracts
- Reputational Risk
- Company Brands
- Customer Service
- Market Conduct
- Strategic Risk
- M&A Activity
- Loss of IP
- Changes in Competitive Landscape
- Market Demand
Figure labels: Financial; Customer; Internal
Business Process; Learning & Growth
- When we mapped the ever-expanding set of risk
  indicators that companies monitor, we found only
  a few examples of synthetic, leading indicators
  (e.g. customer tenure and R&D effectiveness).
Schematic: The Predictability Actionability
Frontier in Risk Metrics
Operating Indicators:
- Highly Aggregated
- Non-prescriptive
- Narrowly Focused on Outputs
- Backward-Looking
Axes (each running Low to High):
- Actionability (How much managers can directly
  influence this metric)
- Predictiveness (Ability to forecast changes in
  risk exposure)
Slide 9: Digging into the Future
To rapidly identify emerging risks and drill down
into their root causes, RTI builds a risk
dashboard based on metrics they believe are
predictive of trouble.
Key Risk Indicator Dashboard (Illustrative)
- The risk dashboard consists of Key Risk
  Indicators (KRI) spanning 9 major risk areas,
  capturing the entire risk profile of the
  organization.
- The use of predictive metrics provides a
  forward-looking view of risk and allows for the
  easy identification of root causes if KRI
  performance changes.
- For each metric there is an underlying list of
  root causes that management reviews to explain
  and mitigate an emerging risk. For example, the
  root cause of retention problems is deemed to be
  an unacceptably low promotion rate, highlighted
  at right.
Performance against the underlying metrics
impacts the performance of the KRI. Here a red
metric translates into a red KRI, highlighting the
need for immediate action.
Source: RTI International.
Slide 10: Measuring What Matters
RTI screens possible operational metrics using a
clear set of decision criteria designed to ensure
an accurate and forward-looking view of risk.
Metric Screening Decision Tree (Illustrative)
- Leads, Not Lags: Is the metric a
  leading indicator of future risks?
- Relevance: Is the metric aligned with a
  defined KPI at the group level?
- Reliability: Is the metric reliable, with any
  inherent biases known and predictable?
- Availability: Is the metric sourced from
  within or inexpensively from a third party?
- Applicability: Is the metric an operational or a
  true indicator of risk?
The metric is rejected if it does not satisfy one
of the five criteria.
Metric selected for inclusion in Key Risk
Indicator
- Once the breadth and depth of available
  information has been uncovered, the Executive
  Leadership team decides which metrics should be
  selected to build the KRIs.
- The use of these decision screens allows RTI to
  focus on those metrics that will provide a true
  and forward-looking view of risk across the
  enterprise.
Source: RTI International.
Slide 11: Promote More Inclusive Discussions
Audit Committees are concerned that centralized
risk management crowds out information flow on
emerging risks.
Audit Committee Reaction to Statement (2009):
"Centralized risk management can
overemphasize detail at the expense of
quick-and-dirty early risk detection."
Response shares shown in chart: 31%, 37%, 32%
Only 32% of directors are confident that
centralized risk management does not impede early
risk detection.
n = 35 Audit Committee chairs and members.
Slide 12: The Risk-Breathing Organization
Periodic risk reviews conducted by a few
individuals can miss risks as they emerge.
Ensure the entire organization is continuously
sensing emerging risk.
Traditional Risk Evaluation vs. Ongoing
Prediction Markets
Traditional Risk Evaluation: Periodic risk reviews
by select individuals fail to capture the
ongoing, changing nature of risk, missing risk
events as they occur.
- The perspective of expert committees that meet
  once a quarter to evaluate risks shifts
  drastically quarter to quarter based on the
  timing of their discussions. Committee-based
  risk management can also fall by the wayside
  when a risk is perceived to be less relevant or
  urgent.
- Conversely, a prediction market, a mechanism
  whereby individuals can trade their knowledge of
  a risk, operates continuously and reflects a
  change in risk much more quickly.
Prediction Market Model: The entire organization
needs to view risks continually to fully grasp
the risk environment, and immediately detect
risks as they emerge.
What is a Prediction Market? A prediction market
is a speculative market wherein virtual cash
values (with no real monetary value) are linked
to any particular event, where the current market
prices will indicate the probability of an event
occurring or signify the expected value of the
variable being measured.
Slide 13: The Wisdom of the Crowds
Best Buy uses prediction markets to garner the
collective expertise of the organization and
enable reliable risk decisions.
Risk Management Insight
- Recognizing that no individual can monitor
  numerous and constantly changing risks, Best Buy
  uses a prediction market for supplier risk to
  tap into everyone's expertise for a more frequent
  and robust risk viewpoint.
- The diagram at right highlights how the multiple
  dimensions of supply chain risk reside with
  different constituents that don't naturally
  interact. The prediction market helps to remove
  organizational barriers and to pool expertise on
  a specific risk on an ongoing basis.
Source: Best Buy.
Slide 14: Risk Prediction Markets in Action
Best Buy leverages the collective wisdom of
the organization to quickly and reliably identify
risk events across a variety of functional and
geography-specific risks.
Use of Prediction Markets to Identify
Risks (Illustrative)
- As prediction markets reflect the collective
  knowledge of the organization, any changes in
  contract value will mean that new information has
  surfaced in relation to a particular project.
A sharp, significant drop in the contract value
below the set threshold suggests the market has new
risk information (on existing risks or new risks)
detrimental to the store opening in China.
Contract Value: Contract Value refers to the stock
price of a particular market measured in virtual
currency (that has no real monetary value).
"It [the prediction market] helps on two fronts:
both the speed and accuracy of information, so
that management can move faster to deal with
problems or exploit opportunities."
Jeff Severts, VP, Best Buy
Market Overview on the 21/11/2008
Source: Best Buy.
Slide 15: Continuous Risk Monitoring
Decoupled from a calendar-driven process,
prediction markets provide management with
real-time feedback on risks and effectiveness of
mitigation actions.
Calendar-Driven Risk Process
- Calendar-driven risk identification can be
  untimely or slow, delaying management's ability
  to identify and mitigate emerging risks in a
  timely fashion.
- Participants in the prediction market not only
  monitor risks continuously, but also provide
  feedback on the success of ongoing mitigation
  actions, thereby guiding the accuracy of
  mitigation plans.
On-Going Risk Assessment
As prediction markets constantly assess risk,
identification is instant and provides a snapshot
of the potential severity, enabling an agile and
swift response.
"The potential is that prediction markets may be
the thing that enables a big company to act more
like a small, nimble company again."
Jeff Severts, VP, Best Buy
Source: Best Buy; New York Times, "Betting to
Improve the Odds" (4 September 2008).
Slide 16: Running a Prediction Market
Best Buy uses a straightforward implementation
framework for running prediction markets on
strategically important projects.
Four Steps for Setting Up a Prediction Market
Figure labels: China Store Launch on Time
(Illustrative); Winner Certification
1. Define Projects to be Tracked
   - Provide an explicit definition of the main
     objective of the project
   - Assign ownership of tracking to the prediction
     market team
   - Liaise with the project team to establish a
     threshold of acceptable stock price (i.e., if
     stock falls below this level it signals new risk)
2. Secure Sufficient Participation
   - Invite all employees to participate
   - Award a non-financial incentive to the most
     accurate trader
   - Do not mandate participation; make usage a fun
     and competitive experience
3. Develop a Trading Mechanism
   - Create an IT platform to host prediction
     markets
   - Award all participants the same amount of
     virtual credit to bet on markets
   - Clearly state the background to the market with
     minimal information
   - Provide clear guidelines, terms and conditions
     for how to use the markets
4. Close Trading Process
   - Identify and reward the ten traders who
     show the highest growth in their market
     portfolios during the trading period
- When properly executed, prediction markets offer
  a scalable and flexible solution to project risk
  assessment and enable quicker managerial decision
  making and actions.
Source: Best Buy
Slide 17: Improving Risk Agility
1. Early Risk Detection: Use forward-looking risk
   indicators and prediction markets to swiftly
   identify emerging risks.
2. Risk Velocity Sensing: Consider the speed at
   which risks will impact the organization when
   prioritizing and escalating risks.
   - Amend risk mitigation plans based on risk
     velocity considerations and prioritize
     high-impact, quick-implementation action plans
     to speed management response.
   - Take risk evaluations from theory to practice
     and test the business impact of probable
     high-velocity risks in scenario planning
     exercises to assess the true magnitude of
     financial, operating, and human costs.
3. Rapid Resource Mobilization: Use scenario
   planning to ensure budgets and resource
   allocation decisions stay relevant to a changing
   environment.
Slide 18: Consider Velocity
Incorporate the velocity of risk events into
your risk prioritization criteria to improve your
assessment of risk exposure and response planning.
Importance and Use of Risk Velocity in Risk
Assessments (November 2007, Chief Risk and Audit
Officers)
- Traditional risk assessments that prioritize risk
  on probability and impact are outpaced by the
  speed at which risks move throughout the
  organization.
- While 70% of finance executives agree that risk
  velocity is a core consideration, only 11% have
  introduced it into their risk assessments.
Risk Prioritization Matrix Incorporating Risk
Velocity (Illustrative)
- Impact: What is the maximum business damage this
  risk could cause?
- Probability: How likely is this risk to
  materialize?
- Speed: At what speed will this risk impact the
  organization?
RISK A: High Severity and Likelihood but Low Speed
of Onset. Increased employee attrition will have
a significant impact on the organization and is
very likely to happen. The risk is forecast to
materialize across the course of the next 18
months.
RISK B: High Severity and Likelihood and High
Speed of Onset. A new competitor will have a
significant impact on the organization and is
very likely to happen. The risk is forecast to
materialize within the next two months when the
new competitor begins trading.
Source: Deloitte; Risk Integration Strategy
Council research.
Slide 19: Assess the Speed of Risk Events
DB evaluates how quickly risk events are likely
to be realized and uses this information to
prioritize its audit schedule.
Risk Velocity Assessment in Audit Planning
1. Global leadership team and operational heads
   evaluate 20 enterprise-wide risks on three
   criteria.
2. Internal Audit and C-suite review survey results
   and adjust prioritization if necessary.
3. Velocity-adjusted prioritization functions as
   basis for audit schedule.
- DB uses a simple three-step process for
  incorporating velocity into risk assessments:
  evaluating risks based on the three dimensions,
  reviewing results, and prioritizing the audit
  schedule with risk velocity in mind in order to
  keep the company ahead of its most critical risks.
Annual Online Risk Survey (Illustrative)
Audit Plan (Illustrative)
Source: DB Corporation; Audit Director
Roundtable research.
Slide 20: Prioritize Mitigation Actions According to Risk
Velocity
Internal Audit evaluates management's
mitigation plans through a risk velocity lens
and educates management about timely and
high-impact responses.
Example Fraud Risk Mitigation Steps (Illustrative)
1. Management proposes big fixes with extended lag
   times, often misaligned to the potential velocity
   of risk impact on the organization.
2. Audit outlines remediation steps in response to
   anticipated risk velocity. For instance, TE
   training offers a more timely response than a due
   diligence review.
- DB's Audit group reviews management's proposed
  risk mitigation steps with risk velocity in mind,
  ensuring that action steps are matched with the
  potential velocity that the risk could present.
- If management proposals for a high-velocity risk
  will take a long time to implement, Audit
  proactively updates the action plan so that it
  more closely aligns to the risk velocity.
Source: DB Corporation; Audit Director
Roundtable research.
Slide 21: Go Beyond Theory to Test Business Impact
Alpha Company incorporates risk velocity into
scenario planning exercises to help the
management team understand the operational impact
of high-velocity risks.
Incorporating Risk Velocity into Business Impact
Analysis
- Scenario: Hurricane Hits Manhattan, NY
- Likelihood: Highly Probable
- Risk Velocity: High
- Impact
  - Finance: Loss of Working Capital of XMM per day
  - Revenue Loss of XMM/day
  - Capital reserves depleted XMM per day
  - Logistics: Permanent loss of x communications
    centers in three boroughs
  - Telecom: Permanent loss of x transportation
    vehicles
  - Permanent loss of x storage facilities and x
    units of inventory
  - Temporary loss of x storage facilities
  - Human Capital: X employees require evacuation
  - X per day in productivity losses
  - X per month in increased medical and
    disability costs
- By placing high-velocity risks on a timeline as
  part of their scenario planning exercise, Alpha
  Company realized that they had been
  underestimating the impact of significant risk
  events on key operating and financial metrics.
"You need to get off paper and do real life
scenario planning applying the speed of risk to
the overall analysis. Once we began to discuss
the tactical implications for our business we
realized that the working capital impact of this
scenario would be most devastating and must be
planned for immediately."
CFO, Alpha Company (pseudonym)
Slide 22: Top Ten Emerging Risks: Likelihood, Impact &
Velocity
Emerging Risk Survey Results (August 2009)
Source: Risk Integration Strategy Council.
Slide 23: Improving Risk Agility
1. Early Risk Detection: Use forward-looking risk
   indicators and prediction markets to swiftly
   identify emerging risks.
2. Risk Velocity Sensing: Consider the speed at
   which risks will impact the organization when
   prioritizing and escalating risks.
3. Rapid Resource Mobilization: Use scenario
   planning to ensure budgets and resource
   allocation decisions stay relevant to a changing
   environment.
   - Speed up resource allocation decisions by
     building alternate budgets and plans for each
     risk scenario with triggers for adjusting
     materially significant cost categories that are
     flexible and highly variable.
Slide 24: Swift and Proactive
Finance must ensure that risk information
continuously feeds the resource allocation
processes.
Example IT Budget Changes Given an Emerging Risk
(Illustrative)
- Operating and capital budgets typically react
  slowly as cost changes make their way down
  through the organization in response to a risk
  event.
- Risk-aligned operating budgets react more
  readily, as shown in the diagram, because they
  incorporate triggers for resource reallocation
  based on pre-agreed contingency plans.
  Changes are swift and precise.
Figure labels: Risk-Aligned Operating Budget
Process; Traditional Risk and Operating Budget
Processes
Based on potential risks and scenarios,
budgets and contingency plans are set.
Triggers lead to a rapid and precise resource
reallocation.
Source: Risk Integration Strategy Council
research.
Slide 25: Plan B, C, D
- Lego links the resource allocation process with
  risk management by supplementing its initial
  budget based on the most probable scenario with
  contingency budgets based on identified risk and
  opportunity scenarios.
- To avoid painful re-budgeting in the moment as
  risks materialize, Lego builds contingency
  budgets in advance to enable a faster response.
- Inputs to Create Risk/Opportunity Scenarios
  Include:
  - Information included in risk database
  - Updated view of demand
  - Information obtained from customers
  - Retailer trends by categories
  - Objectives by categories
Scenario Development and Resource Allocation
Process (Illustrative)
1. Senior management develops scenarios based
   on probable risks and consumer demand information
2. Budget & contingency budget setting
3. Continuous resource adjustments
Timeline axis: April to January
- Scenario A
  - Stagnant traditional toy segment
  - Classic lines remain stable while new lines show
    limited growth
  - Revenue growth 10
Lego creates between 2 and 6 scenarios
depending on the volatility of the market in a
given period. It creates one budget for the
probable scenario and contingency budgets for the
rest.
Source: LEGO; Risk Integration Strategy Council
research.
Slide 26: Drafting a Contingency Budget
- Lego eliminated the need to create entirely new
  contingency budgets by carefully selecting cost
  categories that may be affected under various
  circumstances.
- Lego builds contingency budgets for less than a
  dozen line items; the cost categories included
  must be flexible, variable and have a material
  impact on the budget.
- Lego projects the long-term implications of each
  scenario by detailing month-by-month changes for
  each cost category.
Criteria Used to Isolate Cost Categories to Be
Included in the Contingency Budgets (Illustrative)
Changes in Material Costs (Illustrative)
Lego clearly defines what to do in case the
scenario they planned for changes.
Source: LEGO; Risk Integration Strategy Council
research.
Slide 27: Triggering a Contingency Plan
- Lego uses pre-defined triggers to determine
  whether a new scenario has emerged.
- Lego evaluates corporate performance through
  daily flash reports, monthly sales and operating
  reviews and senior-level Operations Board.
- The objective of these analyses and discussions
  is to determine if and how the scenario has
  changed and whether a resource adjustment is
  required.
Decision Making Process to Trigger Resource
Reallocation (Illustrative)
Performance and Scenarios Monitoring (Illustrative)
Are we working under the same scenario we planned
for?
No changes required
Are the changes we are observing temporary?
Make temporary adjustments
Implement relevant contingency plan
Performance information is evaluated daily,
monthly and at the Operations Board level to
determine if scenarios have changed and decide on
next steps.
Source: LEGO; Risk Integration Strategy Council
research.
Slide 28: Risk Management Self Evaluation Framework
- Use this Framework to assess the current status
  of your own Risk Management program and as a
  roadmap for specific improvement opportunities.
- Please check the box next to each individual
  criterion your program achieves.
- Results Guide
  - Checks only within Level 1 indicate a risk
    management program on par with approximately 50%
    of other companies.
  - Three or more checks in Level 2 indicate
    placement in the 75th percentile of risk
    management programs.
  - Three or more checks in Level 3 indicate
    placement in the top 10 percent of risk
    management programs.
Source: Risk Integration Strategy Council
research.
Slide 29: Additional Resources on Risk Management
Benchmarks, best practices and tools from our
recent research on these topics can be found on
the CFO Executive Board's website, in the Risk
Management Resource Center.
https://cfo.executiveboard.com/Members/DecisionSupportCenters/Abstract.aspx?cid=100053942