Council on Competitiveness:

1
(No Transcript)
2
Council on Competitiveness Enterprise Resilience
3
A Private Sector Voice for Competitiveness

• Mission
• The Council on Competitiveness is the only group
  of corporate CEOs, labor leaders and university
  presidents committed to ensuring the future
  prosperity of Americans through enhanced U.S.
  competitiveness in the global economy and the
  creation of high-value economic activity in the
  United States.

COUNCIL ON COMPETITIVENESS ENTERPRISE RESILIENCE
4
From Security to Enterprise Resilience

• 2003 Symposium on Creating Opportunity out of
  Adversity
• 2005 Formation of the Competitiveness and
  Security Steering Committees
• 2006 Sector Case Studies to Identify Business
  Case for Security
• Chemical, Electric Power, Financial Services, Oil
  and Gas, Pharma
• Oct 2006 NASDAQ meeting. Aha! moments
• This is about risk and resilience, not about
  security.
• ERM systems dont assess operational risk
  exposure well
• Market makers (audit, insurance, ratings
  analysts) dont value resilience
• Corporate Boards are In the Dark
• A business case cannot be made by focusing on
  high impact, low probability events

COUNCIL ON COMPETITIVENESS ENTERPRISE RESILIENCE
5
Be Careful Out There
The world is becoming turbulent faster than
organizations are becoming resilient.
Technological discontinuities, regulatory
upheavals, geopolitical shocks, industry
de-verticalization and disintermediation, abrupt
shift in consumer taste and hordes of
non-traditional competitors these are just a
few of the forces undermining the advantages of
incumbency. Hamel and Valikangas Not to mention
IT and supply chain disruptions,
interdependencies, pandemics, climate change .
COUNCIL ON COMPETITIVENESS ENTERPRISE RESILIENCE
6
Thriving in the Turbulent Economy

• Risks are increasing because of
• Complexity (technology, infrastructure)
• Connectivity (global interdependence)
• Pace and potential for cascading effects
• The ability to manage the risks of turbulence
  will be a competitive differentiator for
  companies and for countries in a global
  economy.

COUNCIL ON COMPETITIVENESS ENTERPRISE RESILIENCE
7
What Keeps CEOs Up At Night
Top 10 Enterprise Risks 1.Damage to Reputation 2.
Business Interruption 3. Third Party Liability 4.
Supply Chain Failure 5. Market Environment 6.
Regulatory/Legislative Changes 7. Failure to
Attract or Retain Staff 8. Technological
Failure 9. Failure of Disaster Recovery Plan 10.
Loss of Data Aon, 2007
COUNCIL ON COMPETITIVENESS ENTERPRISE RESILIENCE
8
The Importance of Operational Risk Management

• Six of the top ten enterprise risks that keep
  CEOs up at night are operational risks
• and many of the others stem from a failure to
  manage operational risks effectively.

COUNCIL ON COMPETITIVENESS ENTERPRISE RESILIENCE
9
Operational Risk Fastest Growing Risk Domain
COUNCIL ON COMPETITIVENESS ENTERPRISE RESILIENCE
10
..With the Least Visibility to CEOs Boards
COUNCIL ON COMPETITIVENESS ENTERPRISE RESILIENCE
11
Finding a Common Lingo for Risk

• Operational Risk is defined, in Basel II as the
  risk of loss resulting from inadequate or failed
  internal processes, people and systems or from
  external events.
• Is this adequate?
• How do we get from after-action to anticipatory
  risk management (leading vs. lagging indicators)?
• How do we capture risk interdependencies (supply
  chain and IT supply chain and energy)?
• How do we get from risk management to value
  protection?

COUNCIL ON COMPETITIVENESS ENTERPRISE RESILIENCE
12
Bet the Company Risks

• A decade ago, exposure to operational risks was
  thought to be trivial compared to financial
  exposure. Today, failure to manage operational
  risks has bet the company consequences.
• More than 800 companies that announced a supply
  chain disruption between 1989 and 2000
  experienced 33-40 lower stock returns than their
  industry peers, regardless of industry, cause of
  disruption or time period. (Hendricks and
  Singhal, Georgia Tech)
• 25 of companies that experienced an IT outage
  lasting 2-6 days went bankrupt immediately.
  (Economist Intelligence Unit)
• 93 of companies that lost their data center for
  10 days or more filed for bankruptcy within a
  year. (Economist Intelligence Unit)

COUNCIL ON COMPETITIVENESS ENTERPRISE RESILIENCE
13
Whats the Problem

• No Bridges Risk management is segmented in
  different silos that have weak communications
  links between the silos and often none to
  business strategy and revenue growth.
• Lack of Tools The tools, models and talent to
  manage operational risk are less sophisticated
  than those applied to manage market and credit
  risk, although operational risks are rising.
• Lack of Metrics There are no metrics for
  effectiveness or return on investment, and no
  standards for best practice.
• Lack of Market Incentives Market mechanisms
  dont reward investment in risk management and
  resilience.

COUNCIL ON COMPETITIVENESS ENTERPRISE RESILIENCE
14
Challenges for Operational Risk Managers

• Establishing a common language
• Conversion of qualitative assessment into
  meaningful data
• Creation of leading, not just lagging indicators
• Understand interdependencies and cascading
  failure paths
• Move from compliance to business-led discipline
• Identify reporting indicators that matter to
  management
• Create the upside business case, not just loss
  avoidance

COUNCIL ON COMPETITIVENESS ENTERPRISE RESILIENCE
15
Things to Think About for Companies
Manage Outcomes, Not Triggers - Infinite number
of risks, finite number of effects Link Risk to
Value Creation, Not Just Value Protection -
Companies make money by taking risks and lose
money by failing to manage them Embed Risk
Management Processes into Every Position -
Everyone is accountable for risk management, but
what is their accountability?

COUNCIL ON COMPETITIVENESS ENTERPRISE RESILIENCE
16
Best Practices Risk Management DuPont Style
COUNCIL ON COMPETITIVENESS ENTERPRISE RESILIENCE
17
Best Practices Dispensing with Risk Silos
COUNCIL ON COMPETITIVENESS ENTERPRISE RESILIENCE
18
Things to Think About for Policymakers

• What would drive private sector demand for
  critical infrastructure protection?
• To what extent Is operational risk management the
  flip side of CIP?
• Why Do the Markets Undervalue Risk?
• Why are there limited incentives from the
  market-makers for managing risk effectively
  ratings, audit and insurance industries?
• What information do the markets need to assess
  and compare risk management practices?
• What Should Government Do to Strengthen the
  Rewards for Effective Risk Management?
• Carrots or Sticks?
• SEC Disclosure for Material Risk?
• Sarbox?

COUNCIL ON COMPETITIVENESS ENTERPRISE RESILIENCE
19
Last Thoughts

This Field is Becoming a Tower of Babel Folks
are are using words like resilience, protection,
disaster management, business continuity and
security almost interchangeably. As a result,
were talking past each other and the
conversation has lost meaning. In the end, it
doesnt matter what you call this -- Risk
Intelligence, Resilience, Security or just
superior business governance -- we need to
develop common definitions about the desired
outcome, common understandings about best
practices, standards and metrics and public
policies that support these ends.
COUNCIL ON COMPETITIVENESS ENTERPRISE RESILIENCE
20
(No Transcript)
21
(No Transcript)
22
(No Transcript)
23
(No Transcript)
24
(No Transcript)
25

Its Dangerous Out There Even When You Think
You Are Prepared!!
COUNCIL ON COMPETITIVENESS ENTERPRISE RESILIENCE