|
2
|
- Review Need for integrated risk management approach
- Review a Unified Conceptual Framework that applies to all types of risk
- What distinguishing characteristics of risk are vital in ascertaining
the most effective approach to risk reduction or finance
- The key elements in a system designed to interact with risk-generating
activities throughout the organization.
|
|
3
|
- Would you accept with 100% certainty:
- Your Sales Director’s contention that sales will increase 20% next
quarter because the product you are about to introduce “beats the pants
off the competition?”
- A Nuclear Engineer’s contention that, because of redundant systems,
there is no chance of an accident that would result in explosion or
release of radioactivity?
|
|
4
|
- Is differentiated from Hazard Risk Management by addressing Strategic
risks, Operational risks, and Financial risks.
- Entails managing volatility “on the upside” (opportunities) as well as
on the downside (potential losses or shortfalls).
|
|
5
|
- Advances in Technology: Effects on organization of corporate management
- With contemporary browser-based software, it is possible to obtain real-time
information from multiple systems and processes and bring it together,
in an easily-interpreted format, to a decision maker's desktop.
- Thus one decision maker can now do the work previously done by several
different specialists.
- Redefinition of the role of the Risk Manager
- Inclusion of strategic and operational risks requires a more
collaborative approach with other functions and stakeholders.
- Intranet and extranet technologies aid the collaborative approach to risk
identification, measurement, aggregation, prioritization, goal-setting,
and follow-up.
|
|
6
|
- Maximize sales.
- Cut expenses to the minimum.
- Get the new product to market on time.
- Meet the quarterly budget forecast.
- With such single-minded objectives, WHO is weighing the tradeoffs or the
aggregate effect of individual actions?
|
|
7
|
- An outgrowth of the trend toward Enterprise Risk Management
- 24% of Tillinghast-surveyed organizations have a Chief Risk Officer
position.
- 60% of Chief Risk Officer positions have been created within the past 2
years.
- Most CROs report to CFO, though in companies with an active ERM program,
the majority report to either the CEO or the Board.
|
|
8
|
- Felix Kloman in An Iconoclastic View of Risk, Risk Management Reports,
December, 2000:
- “Over the years, numerous silos of risk management specialization have
been erected on the premise that each specialty is so arcane, so based
on long experience, that outsiders cannot appreciate, much less
practice, the trade. We see this in credit, safety and health,
financial derivatives, security, insurance, contingency planning,
auditing, contracts and regulatory management. Each group has its own
language, its own procedures, its own skill sets. Each wants to be left
alone to do the job. Yet this has led to enormous gaps and overlapping
and excessive costs in organizational risk responses. The recent move
to strategic, integrated, enterprise, or holistic risk management is a
recognition that the separation of risk functions is actually
counter-productive.
- Allowing the specialists to ply their trades separately does not work.
That is one reason for the rise of a new executive, the Chief Risk
Officer. This person is a generalist who reports to both the Chief
Executive and the Board and coordinates the work of other risk
specialists. According to a recent global Internet symposium …, there
are almost 200 "CROs" in place, generally in financial
institutions, energy and utility companies.”
|
|
10
|
- Old distinction between insurable risk and “business risk” is becoming
blurred.
- Fortuitous risks and non-fortuitous risks not always separable
- Defining risk as the “chance of loss” ignores the fact that frequency of
small losses can add up to a fairly predictable annual cost.
|
|
11
|
- Five-step risk management process:
- Identify risk exposures
- Quantify risks
- Avoid, Mitigate, and Transfer risks through safety, engineering,
contractual, and other means.
- Retain those risks which remain to the extent they are within the
organization’s financial capacity
- Insure or Avoid risks above the organization’s own “retention
capacity.”
|
|
12
|
- What if insurance is currently priced at less than the “burn rate”
(expected losses)?
- What if insurance is not available, or appears to be very expensive for
certain risks or certain limits?
- What if the rate of return on loss control investments fails to meet
company targets?
- With these thoughts in mind, let’s turn to a Unified Conceptual
Framework that applies to all types of risk.
|
|
13
|
- Financial theorists define risk as:
- Uncertainty as to achieving an
Expected Outcome, observed through:
- Variability from an Expected Result.
|
|
14
|
- The VALUE of an investment, such as a company’s stock is:
- Based both on the
- Amount of the Estimated Future Earnings Stream, and the
- Degree of Uncertainty in realizing those estimated earnings.
|
|
15
|
- $\text{Value} = \dfrac{\sum \text{Earnings}_{1 \ldots n}}{\text{Required Rate of Return}}$
|
|
16
|
- Cost of risk reduction / transfer reduces incremental earnings stream
- Benefit of risk reduction is reduction in the denominator of the
equation – Investors’ required rate of return
- Net benefit is achieved IF Earnings minus cost of risk reduction,
divided by the new (lower) required rate of return, is higher than the
result of the pre-risk-reduction equation.
|
|
17
|
- Stream of after-tax Revenue over time = each year’s Net Expected Savings
attributable to Risk Reduction
- Importance of Timing
- Importance of after-tax Discount Rate
|
|
18
|
- Net Cost of Risk Transfer = “Premium” less “Expected Losses”
- “Benefit” of Reduced Risk translates
into a lower Required Rate of Return “discount” factor applied to the
stream of future earnings.
- Net Benefit of Risk Reduction or Transfer expenditure is the combined
effect on V=E/R.
|
|
20
|
- Before Risk Reduction:
- Present Value of $1 billion annual after tax income for 30-yr. horizon
/ .09 required rate of return = $10.27 billion.
- After Risk Reduction:
- Present Value of $.95 billion annual after tax income for 30-yr.
horizon / .085 required rate of return = $10.61 billion.
- Decision: Yes, proceed with risk reduction.
|
|
21
|
- Risks that aggregate across the organization should be handled
differently by multi-divisional organizations than risks which are
unique to individual operations.
- Consider “law of large numbers” and correlation.
|
|
22
|
- Principal Risk Characteristics:
- Frequency of Loss
- Average Severity of Loss
- Degree of “Internal” Correlation
with other risks
- Relative “External” (i.e., Insurance or Capital Markets) risk
correlation.
- These factors affect the cost and benefit of risk transfer.
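
How the “law of large numbers” and internal correlation interact when a multi-divisional organization pools a risk, as an added example that is not part of the original presentation. It assumes identical units, a one-factor (common shock) Gaussian loss model, and constructed figures (unit volatility 0.5, correlation 0.3).

```python
import math
import random
import statistics

def analytic_cv(n_units, unit_cv, rho):
    """Coefficient of variation of total loss for n identical units
    whose losses share pairwise correlation rho."""
    return unit_cv * math.sqrt((1 + (n_units - 1) * rho) / n_units)

def simulated_cv(n_units, unit_cv, rho, trials=20000, seed=7):
    """Monte Carlo check of analytic_cv using a one-factor model:
    each unit's loss = common shock (weight sqrt(rho)) + its own shock."""
    rng = random.Random(seed)            # fixed seed so the run is repeatable
    w_common, w_own = math.sqrt(rho), math.sqrt(1 - rho)
    unit_mean = 1.0                      # losses in units of expected loss
    totals = []
    for _ in range(trials):
        common = rng.gauss(0, 1)         # e.g. a bad year that hits every division
        total = 0.0
        for _ in range(n_units):
            z = w_common * common + w_own * rng.gauss(0, 1)
            total += unit_mean * (1 + unit_cv * z)
        totals.append(total)
    return statistics.pstdev(totals) / statistics.fmean(totals)

def volatility_table(unit_cv=0.5, rhos=(0.0, 0.3), sizes=(1, 4, 25, 100)):
    """Relative volatility of pooled losses by pool size and correlation."""
    return {rho: {n: round(analytic_cv(n, unit_cv, rho), 4) for n in sizes}
            for rho in rhos}

if __name__ == "__main__":
    for rho, row in volatility_table().items():
        print(f"rho={rho}: {row}")
    print("simulated, 25 units, rho=0.3:", round(simulated_cv(25, 0.5, 0.3), 3))
```

With uncorrelated units the relative volatility keeps falling as the pool grows; with correlation it levels off near `unit_cv * sqrt(rho)`, so pooling internally stops helping and transfer to an external market matters more.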
|
|
23
|
- Workers Compensation:
- High frequency, low severity, good internal correlation except for
persistent exposures, good relative external correlation except for
long-tail exposures.
- General Liability
- Medium frequency, potentially high severity, moderate / high internal
correlation, good relative external correlation.
- Property
- Low frequency, high potential severity, general lack of internal
correlation, excellent relative external correlation.
- Currency
- Technological Change
|
|
26
|
- Scott McNealy: “The network is the computer”
- Ability of HTML web pages to connect to any other computer connected to
the Internet
- One web page can draw data or applications from many computers at the
same time.
|
|
27
|
- Integration of differing types of data from varied systems can be
achieved at much lower cost than previously.
- Routine tasks of gathering information, processing transactional data,
and reporting are becoming less demanding.
- More attention is given to strategic risk management.
|
|
28
|
- Internet Technology is highly “scaleable”
- Geographic location of personnel becoming much less important
|
|
29
|
- Internet technology
- Rapidly being accepted as more than just a way of displaying text
information and graphics.
- Based on software and communications standards and shared protocols
- Provides a way for disparate organizations to share software
applications and databases.
- By providing easy access to and connections between "islands of
information," Internet technology is quickly emerging as the
software platform of choice.
- Systems that previously required expensive custom installation,
licensing, and training are becoming accessible to users having a
contemporary, free web browser, an appropriate access level, and user
privileges.
|
|
30
|
- David McNamee, CIA, CISA, CFE, CGFM
- in Mc2 Management Consulting:
- Managing risk in tomorrow's organizations means:
- Active monitoring: ensuring the
organization's sensitivity to detect risk.
- Agile systems: ensuring its
flexibility to respond to risk.
- Adaptive learning: ensuring the
capability of the organization's resources to mitigate risk.
|
|
31
|
- David McNamee, CIA, CISA, CFE, CGFM
- in Mc2 Management Consulting:
- “The key process in risk analysis is to identify all the sources of
material risks …. Risk
identification should proceed using the following three methods:
- 1. Environmental Assessment: Using the knowledge of the organization's
operations, consider the probable changes in the environment to
identify possible consequences.
- 2. Exposure Assessment: Using the knowledge of the organization's
resources, consider the possible consequences to the assets based on:
Size or Value, Type (Financial, Physical, Human, Intangible/Information
Assets), Portability/Accessibility and Location.
- 3. Threat Scenarios: Defining the difficult-to-measure low-probability
and high-consequence events such as natural disasters, sabotage,
terrorism, and fraud.
|
|
32
|
- Examples of environments that should be considered are:
- Economic: Possible changes in the general economy affecting prices and
employment levels.
- Political: The likelihood that government decisions will materially
affect the nature and scope of the organization's programs.
- Constituents: Changes in constituent needs and wants as well as changes
in the demographics of constituents to be served.
- Competition: Competition for resources, such as managerial talent and
funds, from either the private sector or from within government.
- Technology: Changes in both demand and supply of technology and
information and those effects on programs.
- Suppliers: Changes in the labor supply and unionism that may restrict
or expand opportunities and options for operations.
- Government Regulation: Significant pending legislative agenda items
with a probability of enactment and a material effect on operations.
- Physical: Changes in site, location, weather, terrain, and access that
could materially affect operations
|
|
33
|
- CARD®decisions Inc. CARD®map
(Canadian company located in Mississauga, Ontario)
- Methodware Operational Risk Advisor (New Zealand company)
- GIS (Geographic Information Systems) tools for viewing and measurement
of geographically-correlated risks (e.g. markets, windstorm and
earthquake)
|
|
41
|
- Statistical measurement of historical performance
- Stochastic Modeling / measurement of correlation effects through
aggregation
- Sample tool: @Risk (Palisade Software – www.palisade.com)
- Fault trees and event trees (chains of probabilities and outcomes)
- Delphi Technique
|
|
42
|
- Control Self Assessment (CSA) process
- Option Finder (Option Technologies Interactive, L.L.C.): used to
improve CSA workshop self-assessment honesty and compilation of survey
data
|
|
44
|
- Intranets are a powerful tool for tracking assignments in a consistent
format across the organization
- Risk Communication:
- crisis response teams
- scenario planning
- contingency plans.
|
|
48
|
- Need for access by outside parties for sharing of information, data, and
workflow.
- Example: claims data needed by Risk Management department, other
department heads for cost allocation, TPAs, attorneys, actuaries, etc.
|
|
49
|
- Content and applications developed by specialists in “niche” areas of
knowledge.
- Not all users have access to the same data. Multi-tier access control
defines which applications users may access and what level of privilege
they have for obtaining specific “views” of information.
- More advanced user authentication methods, including digital signatures,
electronic tokens and “keys”, and biometrics, are anticipated to improve
security.
- Need to coordinate with “single logon” to multiple applications.
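
A deny-by-default sketch of the multi-tier access control described above, applied to the shared claims data example; this is an added illustration, not code from the presentation or from any product it names. The role names, field names, views and the sample claim record are all constructed assumptions.

```python
# Constructed policy: tier 1 decides whether a role may open an application
# at all, tier 2 decides which "view" (set of fields) it gets inside it.
VIEWS = {
    "claims": {
        "full":      {"claim_id", "department", "claimant", "injury",
                      "reserve", "paid", "counsel_notes"},
        "adjusting": {"claim_id", "claimant", "injury", "reserve", "paid"},
        "legal":     {"claim_id", "claimant", "injury", "counsel_notes"},
        "actuarial": {"claim_id", "department", "injury", "reserve", "paid"},
        "cost":      {"claim_id", "department", "paid"},
    },
}
POLICY = {  # role -> application -> grant; anything not listed is denied
    "risk_manager":    {"claims": {"view": "full"}},
    "tpa":             {"claims": {"view": "adjusting"}},
    "attorney":        {"claims": {"view": "legal"}},
    "actuary":         {"claims": {"view": "actuarial"}},
    "department_head": {"claims": {"view": "cost", "own_department_only": True}},
}

def claim_view(user, app, record):
    """Return only the fields the user's role may see, or raise PermissionError."""
    grant = POLICY.get(user.get("role"), {}).get(app)          # tier 1
    if grant is None:
        raise PermissionError(f"{user.get('role')!r} has no access to {app!r}")
    if grant.get("own_department_only") and \
            user.get("department") != record["department"]:
        raise PermissionError("record is outside the user's department")
    allowed = VIEWS[app][grant["view"]]                         # tier 2
    return {field: value for field, value in record.items() if field in allowed}

def is_denied(user, app, record):
    """True when the policy refuses the request."""
    try:
        claim_view(user, app, record)
    except PermissionError:
        return True
    return False

# Constructed sample record
CLAIM = {"claim_id": "C-1001", "department": "Fleet", "claimant": "J. Doe",
         "injury": "back strain", "reserve": 40000, "paid": 12500,
         "counsel_notes": "privileged"}
```

Filtering fields on the server side, rather than hiding them in the page, is what keeps an actuary's benchmarking view free of claimant identity and counsel notes.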
|
|
50
|
- Sharing of software: systems usage costs plummet due to centralized
purchasing, system installation, hosting, support, and training.
- Sharing of data: enables benchmarking and data warehousing
- Access to sophisticated applications that previously were in the
province of specialists with expensive, sophisticated hardware and
software.
- Geographical Information Systems (GIS). Above-ground and underground
examples
- Data Warehousing, OLAP Data Mining (e.g. Seagate Info)
|
|
55
|
- No need to copy and re-enter:
- Underwriting and Exposure Data
- Certificates of Insurance information: “Decision Tree” self-service
- Claims and Injury Reporting
- Insurance coverage documents
|
|
56
|
- Certificates of Insurance
- MetroRisk “decision tree” certificates of insurance self-service
- Claims Reporting and Analysis
- Insurable Values / Underwriting Data
- Eaton Safety Intranet / Geographic Information System facilities
database
|
|
57
|
- EatonEHS.com
- Contacts database
- Facilities database
- Bulletin Board
- Conference presentations in PowerPoint with sound
- Procedures, Interactive Training
- Asbestos procedures / liaison with external consultants
- OSHA 200 logs and annual safety performance reports
|
|
59
|
- Felix Kloman, in Four Cubed, Risk Management Reports
- “Communication is the weakest link in the risk management process and
is generally omitted from process descriptions. Few organizations take
the time to reduce what they know-and what they do not know-about risk,
its organizational implications, and its responses into terms
understandable to stakeholders.”
- Using Extranets to improve communication
|
|
60
|
- Rising to meet the challenge: industry responses (joint efforts, and
role of RIMS, PRDP, CIPRA, CAJPA, PARMA)
- XML standards, RIMS, PRDP, ANSI X-12 data standards
- Creating “critical mass” for standards implementation
- Task of integrating vendor products with existing information platforms
and access control
|
|
61
|
- Achieve the best combination of risk management techniques, consistent with the optimum effect on
the firm’s overall Value.
|
|
62
|
- Cost-effective alternative to including remote locations, sales offices,
or off-site employees in a wide area network.
- Permits “virtual workforce” to be fully connected to office and sales
support.
- Much cheaper than “connecting every employee’s home” to a wide area
network.
- Use for disaster recovery
|
|
63
|
- Allen Monroe
- Founder and CEO
- RiskINFO
- 545 Magnolia Avenue
- Larkspur, CA 94939
- (415) 927-8000
- Email: allen@riskinfo.com
- Web Sites: www.riskinfo.com, www.disasterplan.com, www.safetynetwork.com,
www.riskforum.com
|