EBusiness Enterprise Risk Management Mark Carey, CPA, CISA President 866.335.2736 x8431
Presentation transcript:

eBusiness Enterprise Risk Management Mark Carey, CPA, CISA President x8431

Enterprise Risk Management Definition
Enterprise Risk Management (ERM) is the capability to protect enterprise value by managing risk:
–With a coordinated and systematic approach,
–Organization-wide, and
–Across all types of risk.

Business Risk Profiling: Risk Drivers
Strategic: Macro Trends, Competitor, Economic, Resource Allocation, Program/Project, Organization Structure, Strategic Planning, Governance, Brand/Reputation, Ethics, Crisis, Partnerships/JVs
Operational: Processes, Physical Assets, Technology Infrastructure, Business Interruption, Legal, Human Resources, Environmental, Hazard
Stakeholder: Customers, Line Employees, Management, Suppliers, Government, Partners, Community, Market
Financial: Accounting, Credit, Cash Management, Taxes, Regulatory Compliance
Intangible: Knowledge, Intellectual Property, Information Systems, Databases, Information for Decision Making

Business Impact Assessment
Management challenges the numbers
–Make it “real” for senior management
–The typical approach and measures often do not line up with how the CEO, CFO and CIO evaluate their business and make decisions
Shareholder Value Levers and Risks That Matter
–Growth: Accelerate growth in current businesses; Drive adoption of next generation appliances, e-services and infrastructure in high growth markets
–Cost and Efficiency: Value Web and Organizational Efficiency; Streamline decentralized operating model; Total Customer experience approach
–Capital: Take advantage of strong balance sheet
–Market Variables: Create e-services ecosystems - place HP at the center

Risk Management Culture and Infrastructure
Elements: Risk Strategy, Risk Management Processes, Technology, Functions, Culture and Capability, Governance
Improvement Initiatives: Senior Management Validation and Support; eRisk Rapid Response (eR3) Process; Risk Coverage Mapping; Risk Management Workbench; Detailed Risk Analysis; eBusiness Risk Management Benchmark
Related risk areas: Customer Facing Business Models, Virtual Supply Chain, Partnerships and Alliances, e-Business Infrastructure, Venture Capital Investments, Human Resource Organizational Change/Allocation of Resources, Intellectual Property

Practical Application: Hewlett-Packard ERM Transformation (Source: Hewlett-Packard – Used with permission)
Traditional (cost, assurance): separate risk functions – EHS, Internal Audit, Insurance, IT Security, Physical Security, Legal, BCP, GRM – each running its own risk management process over its own risks (Risk 1 … Risk 6)
World-Class Transformation (revenue): risk functions coordinated under ERM with one Risk Management Process (Assess Risk, Treat Risk, Monitor & Report), Metrics and Reporting, a Risk Strategy and Framework, Risk Management Tools, Knowledge Sources and RiskWeb
Goals:
–Coordination among risk functions to increase risk coverage and decrease cost
–Enable business initiatives to address risk issues quickly to decrease time to market
–Alignment with business strategies and objectives
–Consistent and organization-wide processes
–World-class risk management tools
–Focus on risks that impact stakeholder value

eBusiness: So What?
“The ‘telephone’ has too many shortcomings to be seriously considered a means of communication.” –Western Union Internal Memo, 1876
“This wireless music box has no imaginable commercial value. Who would pay for a message sent to nobody in particular?” –David Sarnoff’s associates in response to his urgings for investment in radio in the 1920s
“Who the hell wants to hear actors talk?” –Harry M. Warner, Warner Bros, 1927
“There is no reason for any individuals to have a computer in their home.” –Ken Olsen, President, Chairman and Founder of DEC, 1977
“Heavier-than-air flying machines are impossible.” –Lord Kelvin, President, Royal Society, 1895
“Airplanes are interesting toys but of no military value.” –Marshal Ferdinand Foch, Professor of Strategy, École Supérieure de Guerre

eBusiness Trends
–Real Time Enterprise
–Low Tech, High Impact
–High Tech, Low Cost
–Cyber-Activism

“Real Time” Enterprise
“Ciscoize” and “Dellize” every business
–Adaptive architecture, evolvable applications
–Federation NOT integration
–Architecture to connect architectures
–Rapid, incremental implementation
–Instantaneous “financials”, metrics, supply chain, customer support…
“Spontaneous transaction flow and information transparency throughout the extended enterprise”
Customized from the presentation “TECH WRECK or TECH TREND: Perspectives on Technology Investing”, Vinod Khosla, Kleiner Perkins Caufield & Byers, September 2001

Low Tech, High Impact
Terrorists have employed low tech weapons to inflict massive physical or psychological damage
–Box cutters
–Envelopes
Infrastructure is vulnerable to unsophisticated attacks
Identify assets at risk
–Strategic Initiatives
–People
–Process
–Information Systems
–Physical Infrastructure
–Geography
–Organization
–Products
–Flows (supplies, information, electricity, cash, etc.)
Focus risk assessment on how the asset may be impacted

High Tech, Low Cost
Sophisticated technologies/tools that may be employed as weapons of Mass Destruction/Interruption
–Biological and chemical weapons
–Technology
Technologies/tools that have the ability to inflict massive damage are getting cheaper every day
Sophisticated tools are increasingly affordable and are being used by competitors, customers, employees, litigation teams, etc.

Cyber Activism
The Internet: “a powerful tool for communicating and coordinating action.”
–Collection
–Publication
–Dialogue
–Coordination of action
–Direct lobbying of decision makers

eRisks… Just a Few
–Cyber terrorism
–Hacktivism
–Data Privacy
–Critical Infrastructure Failure
–Intangible Property
–Third Parties

Cyber terrorism
“The convergence of terrorism and cyberspace”
Definition
–“Unlawful attacks and threats of attack against computers, networks, and information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives” – FBI definition
Examples
–Tamil guerrillas send 800 e-mails a day to Sri Lankan embassies to “disrupt communications”
–NATO computers hit with e-mail bombs and denial-of-service attacks during the 1999 Kosovo conflict
–Pro-Palestinian and pro-Israeli hackers deface Israeli and Palestinian sites over a one month period in October 2000

Hacktivism
Definition
–Operations that exploit computers in ways that are unusual and often illegal to further social causes.
Methods
–Virtual Sit-Ins and Blockades
–E-mail Bombs
–Web Hacks and Computer Break-Ins
–Computer Viruses and Worms

Data Privacy
–Credit card information
–Identity theft
–Bio-Metrics
Differences in Regulations
–United States
–Canada
–European Union
–Other

Critical Infrastructure Failure
Today’s business system
–Complex
–Tightly coupled
–Heavily dependent on infrastructure
Interconnectivity of infrastructure
–Telecommunications
–Power generation and distribution
–Transportation
–Medical care
–National defense
–Other critical government services
Ripple effects of infrastructure failure

Intangible Property
Mismanagement
–Loss or theft by competitors
–Inability to profit
–Sharing without compensation
Poor use of risk management techniques
–Insurance
–Continuity planning
–Business Controls
Complicated by the increase in the number of third parties and the “virtual” supply chain

Third Parties
–Risk appetite, strategy and sophistication variances
–Brand/reputation inequity
–Regulatory compliance complications
–Intangible property
–Contingency planning

eBusiness Risk Management
–Risk Strategy
–Risk Committees
–Risk, Incident and Crisis Management
–Risk Management Intranet Portals
–Enterprise Risk Management

Risk Strategy
–Accept Risk: Management decides to continue operations as is, with a consensus to accept the inherent risks
–Transfer Risk: Management decides to transfer the risk, for example from one business unit to another, or from one business area to a third party (e.g., an insurer)
–Eliminate Risk: Management decides to eliminate risk through the dissolution of a key business unit or operating area
–Acquire Risk: Management decides that the organization has a core competency in managing this risk, and seeks to acquire additional risk of this type
–Reduce Risk: Management decides to reduce current risks through improvement in controls and processes
–Share Risk: Management attempts to share risk through partnerships, outsourcing, or other risk sharing approaches

Silos
Silos exist in:
–Functions and Business Units: Corporate and operations; Foreign and domestic
–Information Systems and Databases
–Processes: Risk management; Strategic planning; Legal
Create processes, systems and tools to reach across silos to provide the “big picture”
Focus corporate risk management resources on what matters the most
Leverage the “silo” expertise through better coordination for complex risks

Risk Committees
–Informal Groups
–Enterprise Risk Council
–Board of Directors: Audit Committee; Risk Committee
Roles and Responsibilities
–Provide risk management program leadership, strategy and implementation direction
–Develop risk classification and measurement systems
–Develop and implement escalation metrics and triggers
–Develop and monitor early warning systems, based on escalation metrics and triggers
–Develop and deliver organization wide risk management training
–Coordinate risk management activities – some functions may report to the CRO, while others will be coordinated

What is Incident and Crisis Management?
–Event: An internal or external action or occurrence that may or may not impact the organization’s stakeholders, processes, technology, infrastructure, brand or intangible property
–Incident: An unexpected, negative event involving potential damage to the organization’s stakeholders, processes, technology, infrastructure, brand, or intangible property
–Crisis: An unexpected, negative event that threatens the lives of stakeholders or could materially impair the organization and its ability to operate

Example: Objectives of an Incident & Crisis Management Program
The incident and crisis management process is designed to enhance our interactions with our customers. The following areas will be addressed:
–Identify clear roles and responsibilities
–Develop a consistent and coordinated approach
–Improve communication to all stakeholders and media
–Reduce incident reporting, verification and response time
–Enable timely and efficient management of incidents
–Leverage learnings and ensure process improvement

Risk, Incident and Crisis Management (impact increases from events to incidents to crises)
–Events – Risk Management and Business Controls: Assess potential impact of events and implement appropriate risk management & business controls
–Incidents – Incident Management Process: Monitor & resolve quickly at the most appropriate level using existing structure and processes
–Crises – Crisis Management Process: Monitor & resolve the “critical few” with the crisis management team

RiskWeb: Risk Function Collaboration

RiskWeb: Knowledge Base (Source: Hewlett-Packard – Used with permission)

RiskWeb: Resource Center (Source: Hewlett-Packard – Used with permission)

RiskWeb: Discussion Forums (Source: Hewlett-Packard – Used with permission)

ERM Framework
–Risk Drivers: Strategic, Operational, Stakeholder, Financial, Intangible
–Business Objectives: Allocation of Capital, Control Cost, Drive Innovation, Manage Growth
–Risk Strategy & Appetite: Appetite, Prioritize, Treatment Approach
–Risk Management Process: Assess Risk, Treat Risk, Monitor & Report
–Risk Attributes: Lifecycle, Individual/Portfolio, Qualitative/Quantitative
–Organization: Enterprise Risk Committee, CRO or ERM Manager, Risk Functions (Internal Audit, Risk Mgmt, IT Security, ERM, BCP, Legal, EH&S)
–Culture: Knowledge Mgmt, Metrics, Training, Communication
–Tools: RiskWeb, Early Warning System, Assessment and Quantification tools
–Enterprise-wide Integration: Strategic Planning, Programs/PMO, Processes, Functions
–Program Strategy: Develop, Deploy, Continuously Improve
–Capability: Functions, Process, Organization, Culture, Tools