Enterprise Risk Management

  • 1.  Enterprise Risk Management

    This message was posted by a user wishing to remain anonymous.
    Posted 01-07-2004 02:07 PM
    Colleagues, I would like to participate in the discussion on ERM for a number of reasons. First of all I am of the opinion that it is the way to go and now with Sarbox in the USA, Turnbull in the UK, KonTraG in Germany, Standard 4360 in Australia, COSO and other Corporate Governance/ERM initiatives around the world. Secondly because there is a lot of confusion about the definition of ERM. I think that one of the first things we need to do is clarify what we all understand under ERM and ensure we are talking about the same subject/definition. Otherwise I fear the same confusion arising as we saw in the past, e.g. on definitions of Estimated Maximum Losses (EML, PML, MPL and so on). I personally have already experienced that a process to satisfy Sarbox requirements on reporting is determined to be THE ERM process while in my humble opinion it is only a part of an ERM process. Thirdly there is either a potential competency battle or void over who should lead the process. There are Internal Audit functions that are of the opinion that they should lead the initiative. My personal opinion is that they should also audit the ERM process and therefore cannot lead it. Fourthly because I am of the opinion that the true Risk Manager is well equipped to lead the process and we can all share and learn from each other's experiences. Now let me get off my hobbyhorse... Sorry. Take care.

    See website for corporate governance links: http://www.corpgov.net/links/links.html

    -------------------------------
    Hans Berkers
    TPG
    Director, Risk Management
    -------------------------------


  • 2.  RE: Enterprise Risk Management

    Posted 01-08-2004 11:19 AM
    ------------------------------------------
    This message has been cross-posted to both the Enterprise Risk Management and the Risk Professionals E-Groups.
    ------------------------------------------

    Our German colleague makes some very good points. I will be the first to say the auditors cannot lead ERM as a corporate initiative due to the conflict of interest. My CIA agrees 100% and is my strongest internal partner. This partnership, among others, is critical to long-term success. RIMS' Executive Council took up, on its monthly call yesterday, a general proposal that would address these issues and more, including attempting to align the many stakeholders in ERM. We expect to develop a task force of deputy members to move this forward quickly. Part of the goal will be to figure out what to do with the framework effort completed by COSO and PwC which has value for these purposes but which needs much work to get it to a tactical level. Stay tuned.

    -------------------------------
    Christopher Mandel
    AVP, Enterprise Risk Mgmt, USAA
    Chief Risk Officer, RIMS
    -------------------------------


  • 3.  RE: Enterprise Risk Management

    This message was posted by a user wishing to remain anonymous.
    Posted 01-08-2004 04:50 PM
    I share that hobby horse or at least the saddle. Risk Managers should be leading this charge.

    -------------------------------
    Michael Evans
    Sutter Health
    SVP & Chief Risk Officer
    -------------------------------


  • 4.  RE: Enterprise Risk Management

    Posted 01-09-2004 09:27 AM
    I would also like to put my hand up as an interested party in this discussion. We have been engaged in developing and implementing an ERM system in Ridley for the past 2 years. As Hans Berkers mentioned, there are many definitions of ERM. For us the process has included the steps of:

    Breaking the business down into its components;
    Mapping the business processes of each component;
    Determining how each process step is achieved;
    Brainstorming the risks associated with each step (identifying potential causes and outcomes in the absence of controls);
    Identifying and rating the efficacy of existing controls;
    Determining potential additional controls; and
    Identifying the quantity and quality of information relied upon to assess the risk.

    We have also developed a numeric risk rating system based on the Australian Risk Management Standard AS4360 which allows us to prioritise the risks. The ERM process (which we have called Risk Profiling) has been led by Risk Management but has necessarily involved the management teams of the various sub-units and the senior management team as well. The outcomes have been useful, especially in the context of strategic business planning. If I can contribute from these experiences to the ERM discussion then I am happy to do so.

    All the best
    John Pearce
    Group Risk Manager
    Ridley Corporation Ltd

    -------------------------------
    John Pearce
    Ridley Corp.
    Group Risk Manager
    -------------------------------


  • 5.  RE: Enterprise Risk Management

    This message was posted by a user wishing to remain anonymous.
    Posted 01-09-2004 09:27 AM
    I agree with this part of the conversation as well. Our internal auditor is a strong partner, but definitely understands the difference between his role and ours. Our ERM program is led by risk management, but would not be successful without the participation of others in the governance roles. In our case that includes not only internal audit, but compliance, actuarial, investments, capital, tax, and controller. I think that ERM is the ultimate example of the need for cross-disciplinary cooperation. One of our key successes with the auditor is to accept that there will be some overlap and duplication. We acknowledge that risk management monitors risk on behalf of senior management for the purpose of identification of exposures and development of action plans. The auditor may do similar or repetitive monitoring, but he does so on behalf of the Board and the shareholders to assure that systems are in place and working. We do share our information, but recognize that there are two separate perspectives and functions.

    I am very excited about RIMS stepping to the front to provide a forum for ERM. Many other organizations are purporting to do so, but they have a more specific focus - such as the auditors and the financial risk managers. Their approach limits the consensus approach that I have described above. I know that RIMS is going to more formally announce this - but I am looking forward to this so much - I can't resist! Due to the response to the topic on this e-group, there will be an additional session scheduled at RIMS in San Diego for a roundtable discussion among those of us who have begun the dialog. Chris and I will be coordinating it and I hope that many of you will attend.

    On another note - I have a question about risk identification. We have been using a bottom-up approach which encompasses developing Top Ten risks for each of our business units which cascades up into a Top Ten risk list for the organization. Primarily, this has turned into a short to medium term view of the Top Ten exposures that threaten the business plan. I am trying to establish a longer view approach utilizing scenario planning techniques to look at macro trends both internally and externally that could affect the company over 5 to 10 years. Has anyone done something like this? Any tips on success points? Thanks a lot!

    -------------------------------
    Susan Meltzer
    Sun Life Financial
    Asst. VP, Insurance and Risk Mgmt.
    -------------------------------


  • 6.  RE: Enterprise Risk Management

    This message was posted by a user wishing to remain anonymous.
    Posted 01-11-2004 02:53 PM
    I fully agree that Risk Managers should lead ERM within their organizations. I recently served on an advisory committee for a joint Conference Board of Canada/Deloitte study on implementing ERM within public sector organizations. Their findings were published in December and would make interesting reading for the members of this forum (www.conferenceboard.ca). Within the British Columbia provincial public sector, Risk Management is leading ERM. Internal Audit does have a role in the implementation phase, primarily to facilitate risk identification and analysis, and they are strong advocates for ERM. Once the implementation phase is completed, they will revert to their more traditional role, as they recognize the potential conflict.

    -------------------------------
    Philip Grewar
    Government of British Columbia
    Director, Risk Management
    -------------------------------


  • 7.  RE: Enterprise Risk Management

    Posted 01-12-2004 04:57 PM
    The kind of info sharing exhibited by Phil Grewar with the Conference Board's Study link is one great example of how this forum can really work well. For the record, we are proceeding with another session on ERM at the San Diego RIMS Conference as a result of the feedback from this group to Susan and me directly. It will likely be on Wed morning from 9-11 and be facilitated by both of us and others that may be so inclined. We expect it will be an atypical conference session without too much formality and a real chance for dialogue and cross sharing of learning. The session will be in the final program described as:

    Enterprise Risk Management Roundtable
    This session is being held for risk managers who have begun the ERM process within their companies. There will be no formal agenda or speakers, however, the moderators will provide an overview of the ERM programs within their companies. Participants will be asked to contribute their experiences in adopting ERM within their own organizations so that discussion, sharing and networking will be the key aspects of the session.
    Level 400 - Members only

    In addition, the conference will include these other ERM related sessions:

    RM200 -- ERM: Reality or Fantasy
    FN202 -- Is Risk Mapping Worth It?
    IS914 -- Industry Group: Insurance Co ERM
    IS926 -- Industry Group: Utilities and ERM

    Hoping to see many of you there.

    -------------------------------
    Christopher Mandel
    USAA Enterprise Risk Management
    AVP, Enterprise Risk Mgmt.
    -------------------------------


  • 8.  RE: Enterprise Risk Management

    This message was posted by a user wishing to remain anonymous.
    Posted 01-12-2004 04:57 PM
    Susan, I think that the bottom-up approach is a good start. But as we all know, people have very subjective opinions on risk. What is a major risk for one is not for the other depending on their experience. So at a point in time you have to add in workshops where you use your expertise, the risk identified by other parts of the organization, etc. to get a discussion going whether that particular part of the business has considered/forgotten some risks.

    Then, it is my experience, that there are a lot of organizations that do not have a good handle on where they "bleed" money. So not necessarily catastrophic type of losses but the millions that get lost in employee theft, stock loss tolerances, etc. This is most of the time not seen as a risk: "it is part of doing business, isn't it" and "accidents do happen". I don't have to share with this community that that was the attitude that was in the USA on WC until the early 80s when the losses became a significant part of the employee cost. Nowadays loss prevention programs and such on WC are standard.

    Where we can also add value in this discussion is to identify the "new WC-like risk". Is EPL going to be one? Are there other risks out there that we do not consider to be catastrophic yet but are growing in that direction?

    -------------------------------
    Hans Berkers
    TPG
    Director, Risk Management
    -------------------------------


  • 9.  RE: Enterprise Risk Management

    This message was posted by a user wishing to remain anonymous.
    Posted 01-13-2004 04:57 PM
    Hi! 1. I absolutely agree with the bottom-up approach and concur with the suggestion that ideally "Risk Management" should be involved in some way in facilitating and challenging the identification process (as per Susan's and Hans's comments) - it's amazing what can come out of the exercise. The challenge is three-fold: 1. getting it done in a timely manner, 2. making sure that it is not perceived as, nor becomes, simply an "exercise" and 3. consolidating and filtering all of the info to identify a Top Ten for the organization's business plan as a whole. Ideally, this risk identification process should be incorporated into the organization's strategic planning process.

    I am definitely looking forward to the ERM forum at RIMS! Where do I sign up?

    -------------------------------
    Diane Wolfson
    CAE, Inc.
    Director, Risk Management
    -------------------------------