A COLLECTION OF DISCUSSION GROUP RESPONSES 29 May 2009 FINANCE PRACTICE RISK INTEGRATION STRATEGY COUNCIL TM


A COLLECTION OF DISCUSSION GROUP RESPONSES

29 May 2009

FINANCE PRACTICE

RISK INTEGRATION STRATEGY COUNCILTM


Risk Integration Strategy Council, Finance Practice

INDEX OF DISCUSSIONS

© 2009 The Corporate Executive Board Company. All Rights Reserved. 2

Discussion Subject | Key Takeaway | Slide

Role of ERM Director | 57% of the respondents have an ERM Director responsible for managing risks | Slide 5-6

Board Level Risk Committees | While none of the responding companies have a Board level Risk Committee, 40% of the companies have the full Board responsible for the Risk function | Slide 7

Audit Consultants Wanting to Consult in Area Being Audited | 92% of the responding companies are not in favor of Audit consultants providing general consultancy services | Slide 8

Minimizing Air Travel Risk | 73% of the responding companies do not have a formal policy to limit the risk of corporate officers traveling together | Slide 9-10

Materiality of Issues Reported to Board | 92% of the responding companies report all issues to Board/Audit Committee | Slide 11

Chief Financial Risk Officer | While none of the responding companies have a Chief Financial Risk Officer, 50% of the companies have their CROs responsible for the Risk function | Slide 12

INDEX OF DISCUSSIONS (CONTINUED)

Discussion Subject | Key Takeaway | Slide

Aligning the ERM Risk Assessment to External Reporting | While 86% of the responding companies leverage ERM in strategic planning, financial budgeting and planning processes, 56% use ERM risk assessment to drive disclosures | Slide 13

Insurance Counterparty Risk | While all responding companies have diversified their insurance providers, 58% have used brokers for the selection and diversification of insurance providers | Slide 14

Risk Databases | While there is a multiplicity of available external providers (such as STAR and CATSWeb) that build and market risk databases/software, 62% of the responding companies continue to use Internal or Excel-based risk databases | Slide 15-16

Reporting Risks to the Board | The Audit Committee is responsible for reporting/managing all risks to the Board at 83% of the responding companies | Slide 17-19

Reporting Structure - Head of Internal Audit | Internal Audit Heads at 81% of the responding companies have a solid line reporting relationship with the Chairman of the Audit Committee, 45% have a dotted line reporting relationship with the CFO | Slide 20

DISCUSSION GROUPS IN THE RISK TERRAIN

Insurance Discussion Group

Risk Management Implementation Discussion Group

Risk Management for Internal Audit Discussion Group

Risk Technology Discussion Group

To subscribe to any of these groups, write to Harpreet at [email protected]

ROLE OF ERM DIRECTOR

Question

What are the roles and responsibilities of the ERM Director in the risk management process?

Does the ERM Director have only a "reporting" role or does he have the authority to manage certain risks?

Does the ERM Director actively help management in mitigating certain risks?

Chart: Is your ERM Director responsible for the risk management process? Yes 57%, No 43% (n = 7).

Issue—Role, responsibility and authority of the ERM Director in the risk management process

Key Takeaways

• 57% of the respondents have an ERM Director in charge of the risk management process

• The remaining respondents have an ERM VP, CRO or Manager ERM in charge of the risk management process

Related roles in charge of risk management processes include:

• ERM VP

• CRO

• Manager ERM

Answers from Our Members (May 21, 2009)

“The ERM Director is responsible for the risk management framework and process. This role focuses specifically on:

• Framework content, currency and business application;

• Board and Executive Reporting; and

• Risk Program management (administrative scheduling).

The ERM Director has a reporting role and should not manage specific risks unless they fall within their sphere of expertise. It is imperative that local management maintain accountability and responsibility for the development and execution of risk mitigation (under the guidance of the risk management function).

The ERM Director and their team must facilitate the risk management process to provide assurance that all things reasonably practicable are considered when formulating mitigation plans. This includes guiding the business in defining their risk appetite which will be used in determining which risks are acceptable and which risks require further action.”

Corporate Risk Manager | Utilities

ROLE OF ERM DIRECTOR (CONTINUED)

Answers from Our Members (Continued), May 21, 2009

“We do not have an ERM Director, we have a CRO and a Manager ERM.

The CRO reports directly to the CEO and is responsible for the development and implementation of ERM policies, framework and communication with the Executive Council, Audit Committee, and Board. The CRO ensures that adequate funding and resources are provided to ensure the effectiveness of the ERM framework. The CRO is the Chairman of the Risk Committee. The CRO provides education in the ERM process to individual business unit leaders and ensures overall embedding of ERM in the strategic planning and business development process.

The Manager of Enterprise Risk Management reports to the CRO and provides support to the CRO, Executive Management and the Board with analyses, reports and objective assessments associated with the company’s ERM program. The Manager of ERM also develops, coordinates and manages the processes related to the execution of the ERM program. The Manager of ERM works closely with business units and corporate staff to understand and communicate the ERM framework, risk treatment strategies, accountabilities and measurements.”

Manager ERM | Manufacturing

“The general duties with regard to ERM are to ensure that the major risks are adequately represented and communicated to executive management and the board. There is also a direct linkage between the risks represented in the ERM effort and the risk disclosures in the 10K.

There is the responsibility to directly manage certain risks for which the expertise is centralized within the risk management organization. Other risks are best left to be directly managed by the functions with the specific expertise.

The risk management staff has broadly diverse skills (engineering, finance, economics) and as such is used to help quantify risks and facilitate mitigation strategies for many risks in the business.”

Vice President and Chief Risk Officer | Utilities

BOARD LEVEL RISK COMMITTEES

Question

We are interested in the roles and responsibilities of Board-level risk committees at other organizations. Specifically,

Do these Board committees engage in oversight of management's risk governance or get involved in approval of specific business strategies and limits on business activities?

Any insights/information would be highly appreciated.

Chart: Does your company have a Board Level Risk Committee? No 100% (n = 5).

Issue—Role, responsibilities and existence of Board level Risk Committees.

Key Takeaways

• None of the responding companies have a Board Level Risk Committee.

• Trends in oversight of the Risk function include:

  • In 2/5 responding companies, the oversight/monitoring of the Risk function is done by the Audit Committee

  • In 2/5 responding companies, the oversight/monitoring of the Risk function is done by the full Board

  • 1/5 responding companies believes that the oversight/monitoring of the Risk function can be done by either the Audit Committee or the full Board

Answers from Our Members (May 11, 2009)

“I do think there is a subtle but important distinction between a committee which oversees "risk" and one which oversees "risk management". From previous experience with a big4 firm, all too often terms of reference were not sufficiently clear. My preference / guidance to clients would be to carefully consider why the committee was required – i.e., what gap in the existing committee structure was it trying to fill, or supplement by differential focus.

i.e. (1) it is a core executive and board responsibility to actively discuss risk - arguably within Exec / strategic planning discussions or the Board itself. Bringing this type of discussion into a risk committee could actually inhibit embedding of risk within management and/or oversight routines.

i.e. (2) the risk committee focus needs to be aligned with the audit committee. Overseeing risk management systems and risk governance is by default an audit committee responsibility. I would be interested in examples of where a clean and sustainable line could be drawn between the responsibilities of a Board Risk and Board Audit committee.

Overall - outside Financial Services where there are specific technical matters, I was never a big fan of (optional) risk committees as they often served to confuse rather than enhance discussion and accountability for risk, and the scope and authority of other (mandated) committees.”

Corporate Risk Manager | Utilities

AUDIT CONSULTANTS WANTING TO CONSULT

Question

We utilize consultants for audit work for which we do not have technical expertise. We have identified that some of these consultants wish to "pitch" for work being done in the business units in which they are auditing.

While they will not be consulting on the specific issues for which they are auditing ( say, they may audit GST while being required to consult on payroll tax), we are not comfortable with this as we are not sure whether there is an adequate separation to ensure that independence and objectivity is not compromised.

How has your firm handled this?

Chart: Should Audit consultants be allowed to provide general consultancy services? No 92%, Yes 8% (n = 12).

Issue—Audit Consultants providing consulting services in the business units they audit.

Key Takeaways

• 92% of the responding companies are not in favor of Audit consultants providing general consultancy services

• 8% of the responding companies believe “If the area that they are pitching work for is not what is being audited, then there would be no independence concerns”.

Answers from Our Members (April 29, 2009)

“I believe that it is a conflict of interests to both "audit" and consult in this situation. I believe that the "audit" firm should be allowed to do only one of these two activities for a single client. Otherwise, the "auditor" may put its efforts "fishing" for consulting work that may be more lucrative than auditing. We do not allow our "audit firms" to also consult at CalPERS. This applies to both our financial statement auditor by Board policy, and to our real estate compliance auditors by practice. In our experience, our audit firms have been careful to search for conflicts of interest prior to accepting various engagements by applying AICPA standards and ethics.

I also note that Arthur Andersen and other large CPA firms had difficulty being objective in their audit work when they were generating more money from consulting fees than audit fees from the client. The prime example of this is the Enron debacle. A few years ago, three of the remaining Big Four firms spun off their consulting practices (Deloitte's spin-off was not completed). Shortly thereafter, the other three firms were right back into consulting. Today, there is potential to revert back to the old practice of performing both auditing and consulting for the same client, with the same conflicts of interest and risks as before.”

Tax Senior Manager | Computer Software & Services

MINIMIZING AIR TRAVEL RISK

Question

We currently have a policy limiting the risk of corporate officers traveling together, either commercially or on the corporate plane, but this does not specifically include Board of Directors.

1) Do you have a corporate policy limiting the number of board directors who can travel together?

2) If yes, how many directors are allowed to travel on the same flight?

Chart: Do you have a policy limiting the risk of corporate officers traveling together? Yes 27%, No 73% (n = 15).

Issue—Company policy limiting the risk of corporate officers traveling together.

Key Takeaways

• 73% of the responding companies do not have a formal policy to limit the risk of corporate officers traveling together

• Trends observed in limitation on number of corporate officers travelling together:

  • In 2/4 responding companies, the policy prohibits more than three directors from travelling together

  • In 1/4 responding companies, the policy prohibits more than 50% of any management team from travelling together

  • In 1/4 responding companies, the policy prohibits more than five company officers from travelling together

Answers from Our Members (April 17, 2009)

“We do not have a policy. We performed a benchmark some years ago and while we learned that there were disparate practices, it seemed clear that "traveling" together should not be limited to consideration of air. Multiple execs in a car is more risky than air statistically.”

VP Chief Audit Executive | Leisure

“1. Policy does identify limits.

2. Prior life, no more than three directors on the same flight; no more than two C-level officers.”

Vice President, Internal Audit | Transportation

“We have a policy that applies to all company management and board members stating that no more than 50% of any mgmt team (or board members/directors) can travel together. We have 22 directors on our full board.”

VP, Audit Services | Insurance

MATERIALITY OF ISSUES REPORTED TO BOARD

Question

We have a diverse business covering many countries and incorporating many differing types of businesses. When doing reviews in small countries we may identify issues which are important for that country but at a group level may / may not be significant.

1) How does your company address this issue?

2) Do you have a dual rating system , one for group impact and one for business impact?

3) Do you dual rate reports overall AND issues or just reports?

4) Do you just rate according to business impact or just for group impact?

5) How does the board know what is the most important or does a principle exists that all significant issues where they sit need to be forwarded to the Board?

Chart: How do you classify issues? Importance at Group level 27%, Importance at Country level 27%, Materiality to the business 46% (n = 12).

Issue—Reporting of issues that may be insignificant at a group level.

Key Takeaways

• 54% of the responding companies classify issues according to their importance at the country or group level

• 46% of responding companies classify issues according to their materiality to the business

• 80% of the responding companies dual rate reports

• 49% of the responding companies rate reports, while 13% rate issues

• 58% of the responding companies rate by business impact

• 92% of the responding companies report all issues to Board/Audit Committee

Chart: Dual Rating? Yes 20%, No 80% (n = 12).

Chart: Rate Issues or Reports? Reports 49%, Both 38%, Issues 13% (n = 12).

Chart: Rate by Business Impact or Group Impact? Group Impact 42%, Business Impact 58% (n = 12).

Chart: Report all issues to Board/Audit Committee? Yes 92%, No 8% (n = 12).

April 15, 2009

MATERIALITY OF ISSUES REPORTED TO BOARD (CONTINUED)

Answers from Our Members (Continued), April 15, 2009

“We've faced the same issue. We rate all of our audit points on a 4 point scale - a priority 0 is significant to the company or the line of business as a whole; a priority 1 is significant to that particular line of business. Priority 2's and 3's are lower on the scale. That has worked successfully in helping to ensure that even a small line of business places the right priority on closing points while highlighting to senior management the issues that are important at the macro level.

We issue one rating per issue and do not put an overall rating on the report. However, our report summary will highlight and call out anything significant from a quality of earnings, quality of internal controls, or business practices perspective.

On a quarterly basis, I include a report in our pre-read materials to the audit committee that shows a summary of audit point activity for each of our lines of business. I also show all open priority 0 and priority 1 points with a brief description of the issue, the line of business, the issue rating, expected issue resolution date and whether the point is due, not due, overdue or postponed. I would discuss specific points of concern with the AC Chair directly.”

Senior Vice President, Internal Audit | Food

“We are a Fortune 50 company with big, medium and small business in over 90 countries.

1. Audits are based on country scope, not total company scope.

2. We have one rating system for all size businesses.

3. We issue one report with the rating for the business

4. We rate based on business impact of business audited.

5. All failed audits are reported in summary form to Audit Committee, but we provide context of the size of entity. Specific issues are only reported to Audit Committee if they are thematic of a company-wide issue. Otherwise they are reported only to senior company management through our issued report. The Audit Committee does not receive copies of audit reports. I only provide overall summaries at each A.C. meeting.”

Vice President and General Auditor | Food


CHIEF FINANCIAL RISK OFFICER

Question

Does your company have a Chief Financial Risk Officer?

If yes, what are the responsibilities of the role? Specifically, how is it different from a Chief Risk Officer?

Chart: Does your company have a Chief Financial Risk Officer? No 100% (n = 8).

Issue—Roles and responsibilities of a Chief Financial Risk Officer.

Key Takeaways

• None of the responding companies have a Chief Financial Risk Officer.

• Trends in heading the Risk function include:

  • In 4/8 responding companies, the responsibility for Risk Management lies with the Chief Risk Officer

  • In 4/8 responding companies, the responsibility for Risk Management lies with the Chief Financial Officer

Answers from Our Members (April 14, 2009)

“Effectively NO. The CFO is (following the same principles at group and division) the Chief Risk Officer for the division and by default also the Chief Financial Risk Officer. How does this work out in practice? We have a number of key players managing the principal financial risks - treasury; supplier/customer financials; performance; insurance; etc. The CFO (and me as the Head of Risk Management for division) coordinates and brings it all together.”

Head of Risk Management and Internal Control | Aerospace/Defense

“We have a Chief Risk Officer and take an integrated approach to risks. We believe having a stand-alone Chief Financial Risk Officer or any other chief officer for specific risks creates gaps and overlaps. It also makes it difficult to aggregate risks into an enterprise-wide risk profile and adjust positions between risks. Our CRO office has expertise in all the specific risks that we face.”

Senior Executive | Insurance

“No Chief Financial Risk Officer. We have these related chiefs: Chief Financial Officer, Chief Privacy Officer, Chief Information Security Officer and Chief Risk Officer”

Senior Executive | Fortune 500

ALIGNING THE ERM RISK ASSESSMENT TO EXTERNAL REPORTING

Question

I'm working on a project to align our ERM risk assessment with our external reporting. Specifically, our disclosure of risk factors in our 10-K.

1) Does your company leverage the ERM risk assessment to drive your disclosure?

2) Is your company leveraging ERM in your strategic planning processes and financial budgeting and planning processes?

Any guidance/assistance would be greatly appreciated.

Chart: Does ERM Risk Assessment drive disclosures in your company? Yes 57%, No 43% (n = 7).

Issue—Aligning ERM Risk Assessment with our external reporting in 10-K.

Key Takeaways

• 56% of the responding companies use ERM risk assessment to drive disclosures

• 86% of the responding companies leverage ERM in strategic planning, financial budgeting and planning processes

Chart: Do you leverage ERM in Strategic Planning, Financial Budgeting and Planning processes? Yes 86%, No 14% (n = 7).

Answers from Our Members (April 03, 2009)

“1. Our ERM risks and our 10K risks differ to some degree. We have risks in our ERM risk universe that are not in our 10K - primarily due to materiality. Nearly all 10K risks are represented in some form within our ERM risk universe, however. Each year we map between the 10K and the ERM risk universe (to and from) to identify any gaps for consideration and update as appropriate.

2. Our ERM model is now moving toward greater linkage with our strategic planning process but we are in the early stages of this. We are starting with promoting risk discussions within our budget/business planning process. We are also driving discussions of risk at individual operating companies through their risk committees.”

VP Chief Audit Executive | Leisure

“1. Currently the ERM process supports the disclosure process through the Disclosure Committee. Going forward, it will become more of a driver.

2. ERM is being integrated into the strategic planning and operational review processes in 2009. These, in turn, will support the planning and budgeting processes.”

VP Internal Audit | Health Products & Services

INSURANCE COUNTERPARTY RISK

Question

a. Is anyone in the group diversifying insurance providers, and if so, how are you working with broker dealers or on your own?

b. What metrics are you using to assess insurance counterparty risk?

Chart: Have you used brokers for the selection and diversification of insurance providers? Yes 58%, No 42% (n = 12).

Issue—Diversifying insurance providers and assessing insurance counterparty risk.

Key Takeaways

• All responding companies have diversified their insurance providers

• 58% of the responding companies used brokers for the selection and diversification of insurance providers.

• The common metrics used to assess insurance counterparty risk include:

  • A.M. Best ratings: 3/12 companies

  • Moody’s ratings: 3/12 companies

  • S&P ratings: 2/12 companies

  • Fitch ratings: 1/12 companies

  • CDS spreads: 2/12 companies

Answers from Our Members (April 03, 2009)

“a) We diversify or manage our risks and insurance portfolio by reviewing alternative insurers. We deal with many of the world’s top insurers and fortunately many other insurers are eager to get involved in our portfolio. We constantly monitor the balance between long term relationships and long term outlook versus changing insurers, with a leaning towards relationships and stability. We work with both of the world’s largest brokers as well as maintaining close relationships with insurers’ senior management to gather pertinent information that is not publicly available.

b) We monitor financial stability through A M Best and Moody rating agencies as well as through the top brokers’ minimum financial standings. We decide on coverage purchases by insurer’s market share and stature as well as underwriting results through direct contact and annual statistical results from insurance periodicals.”

CFO | Telecommunications

“a) We use one broker but our insurance is with different providers in each layer of coverage.

b) We generally look at the external rating agencies credit ratings, if available, and will augment those with our internal reviews.”

CFO | Utilities

RISK DATABASES

Question

We are interested in feedback/information around Risk Databases. Specifically:

1. What software platforms do others use to identify, track and report risks? Do you use Excel or other software to track risks?

2. How does senior management access the information?

Any feedback/suggestions would be highly appreciated.

Chart: Risk Database/Software used? Excel 72%, STARS 14%, CATSWeb 14% (n = 7).

Issue—Software to identify, track and report risks.

Key Takeaways

• 72% of the responding companies continue to use Internal or Excel-based risk databases.

• Trends observed in how senior management accesses the information include:

  • 1/7 responding companies’ senior management would have real-time access to risk reports via Archer

  • 5/7 responding companies send manually extracted PPT/PDF updates to the senior management on a regular basis

  • 1/7 responding companies use Hyperion to extract risk reports

Other highlighted databases/software include:

• OpenPages

• Axentis

• Cura

• Methodware

• KnowRisk

• RMSS

• EMERSON

Answers from Our Members (March 23, 2009)

“1. An ERM software was recently implemented at our company to enhance and automate our risk management process. We used a web-based software called CATSWeb. CATSWeb was designed to help firms track issues and actions from identification through disposition and corrective action. Our company uses CATSWeb to identify and record risks that may be of concern to our company and to mitigate the risk depending on likelihood and impact. In the case where the risk is mitigated, individual Risk Mitigation Plans in CATSWeb for each identified risk are created. Using the CATSWeb software helps us search the database across years and risk types (Strategic, Operational, Financial) for certain risks, key words, by Risk Owner etc.

2. We also use Hyperion software to create reports that are distributed to senior management. The purpose of Hyperion is to automate the process of creating Risk Scorecards and Heat Maps using the risk data that is stored in CATSWeb. Senior management can, but does not use the CATSWeb software directly.”

Director of Enterprise Risk Management | Utilities

RISK DATABASES (CONTINUED)

Answers from Our Members (Continued), March 23, 2009

“Depends on state of maturity. We took a poll of some firms a while back and found that most people are using spreadsheets and IBM Lotus Notes team rooms. Those drowning in spreadsheets are using general purpose workflow packages such as IBM's FileNet or Oracle's Stellent to organize and gain efficiency.

Others have picked special purpose tools like OpenPages or Axentis. Then there is the group that is seeing governance, risk and compliance as using similar information to what is used for business performance management, so they are building off solutions such as IBM's Cognos or offerings from SAP. Many of these have role based views for managers and everyone else.”

Senior Executive | Fortune 500

“1. STARS; however, it has been very challenging for Property Risks. Casualty works just fine. The big issue with this program is that Casualty and Property work on the same platform, so the fields are shared, and this creates confusion for running reports. We are checking the EMERSON system, for this is a system that you can customize in accordance with your needs. Property and Casualty are totally independent. Before we used excel; however, the file was getting bigger and difficult to manage. Excel is a great tool if your claims frequency is not high.

2. They request the reports to the Risk Management department directly.”

Senior Executive | Fortune 500

REPORTING RISKS TO THE BOARD

Question

We are interested in company practices around reporting the following risks (see listing below) to the Board of Directors or Subcommittee of the Board.

Specifically, which risks are reported to/managed by which Subcommittee of the Board.

Risk Category:

• Investment Risk (Credit, Market)

• Legal/Compliance Risk

• Operational Risk

• Financial Risk (Liquidity, Financial Reporting, Tax)

• Strategic Risk

• Product Risk

• Reputation Risk

• IT/Systems Risk

Chart: All risks are reported to/managed by? Audit Committee 83%, Entire Board 17% (n = 12).

Issue—Reporting of specific risks to Board or its sub-committees.

Key Takeaways

• In 83% of the responding companies, the Audit Committee is responsible for reporting/managing all risks to the Board

• 66% of the responding companies report risks on a quarterly basis

[Chart: Reporting frequency? (n = 12): Quarterly 66%; Annually 17%; Twice/year 17%]

March 10, 2009

Additional Risk categories highlighted by respondents include:

• Socio-political Risk

• Supply chain Risk

• Environmental Risk

• Strategic Risk

• Competitive Risk

• Property risk

• Global Economic Risk

• International Country Risk

• Disruptive Technology Risk

• External Hazards Risk

• Innovation Risk

• People Risk

• Physical Risk

• Political Risk

• 3rd Party Risk


REPORTING RISKS TO THE BOARD (CONTINUED)

“Quarterly, the Audit Committee of our Board of Directors receives/reviews updates to the Company's enterprise risk profile. This covers the full spectrum of enterprise key risks including those noted in your question but also includes things such as security (IT, Network and physical) risks, regulatory/political intervention risks, competition risks, global economic risks, exchange rate risk, customer/supplier viability risks, international country risk, disruptive technology risk, external hazards risks, and operational execution/delivery risks. In addition, as part of the standing Audit Committee agenda, on a quarterly basis, detailed information is provided with respect to: Investment Risk (Credit, Market), Legal/Compliance Risk, Financial Risk (Liquidity, Financial Reporting, Tax), IT/Systems Risk (as it pertains to major systems upgrades and/or technology build outs), and HR Risk (specific to Health and Safety). The Audit Committee also receives regular quarterly updates on Financing items such as Hedging, Share repurchases, Public Debt Issuance, Derivatives, and Guarantees and Indemnities; Ethics reporting; business continuity planning; property risk management; and environment risk management and corporate social responsibility updates.

It should be noted that other board committees monitor and address certain risk categories to a deeper degree, for example our Pension Committee provides oversight and governance to the associated pension plan risks, the HR&C committee provides oversight to risks associated with human resources, compensation and succession planning, and the corporate governance committee provides oversight to ongoing monitoring and adoption of corporate governance good practices and to the delegation of authority (and policy parameters) between the board and management.

Last, our key risks are vitally linked with our strategic planning process and so the full board has a view into each of the risks as it participates with our executive leadership team in our ongoing strategic planning process/activities.”

CFO | Telecommunications

Answers from Our Members (Continued)

March 10, 2009


REPORTING RISKS TO THE BOARD (CONTINUED)

“We track eight categories of risk: 1) credit, 2) liquidity, 3) interest rate, 4) platform (IT), 5) operations (transactional performance, financial controls, etc.), 6) compliance, 7) strategic (including reputational), and 8) legal. The Finance Committee has primary responsibility for overseeing liquidity and interest rate risk. The Audit and Risk Committee oversees the other six areas. Each quarter a risk report is prepared by the Chief Risk Officer, drawing on inputs from each of the "risk stewards", that measures conditions and reports on mitigation initiatives in each risk area. In addition, the report identifies and reports on the "Top 10" risks at the moment. The report is reviewed in depth by the Audit and Risk Committee and then distributed to the full board with comments (during the board meeting) by the Chairman of the Audit and Risk Committee. At least once a year, the Chief Risk Officer makes a substantive presentation on risk management conditions, process, organization and activities to the full board. Credit performance is reviewed at each board meeting.”

Director, Chairman of Audit & Risk Committee | Financial Services

Answers from Our Members (Continued)

“We have a well developed risk reporting and management process that we do "bottoms-up" twice a year. We collect the risks granularly from all levels of the organization and then we combine and collate the risks at the summary level. We hold an overall Senior-level management review and match the "bottoms-up" risks to a "tops-down" list also. We then rank the risks on a relative basis (net of mitigation actions).

We report on each of the categorized risks that are detailed in your question and also some additional risks (perhaps more applicable to our situation) such as socio-political, supply chain, environmental, strategic and competitive risks. We report in a detailed fashion to the Audit Committee and in summary form to the overall BOD. The detailed review is restricted to the highest ranked risks that are categorized as the most likely and with the highest impact based on the combined score from those two characteristics. The BOD are very active in their review and evaluation and have added much value by suggesting enhancements and additions.”

CFO | Computer Hardware

March 10, 2009


[Bar chart, dotted-line reporting relationship of the Head of Internal Audit (n = 69): CFO 31; Chairman of the Audit Committee 15; CEO 10; General Counsel Chief 4; Finance Director 3; Chief Legal Officer 2; Executive Group Board member 1; CAO 1; VP, Strategic Risk and Sourcing Services 1; Board Chairman 1]

Issues—Reporting lines for Head of Internal Audit.

REPORTING STRUCTURE - HEAD OF INTERNAL AUDIT

Question

Who does your Head of Internal Audit report to?

(a) Chairman of the Audit Committee;

(b) Chief Executive Officer;

(c) Finance Director;

(d) Other - please specify

“Functional reporting line to Chair of Board Audit Committee.

Administrative reporting line to Chief Financial Officer (who is a member of the Executive).

It's not the reporting lines that are so critical (IIA Standard suggests CEO) but the reception and support provided by the next level of management/board.”

Sr VP Taxation | Consumer Products

Head of Internal Audit has a dotted line reporting relationship with:

n = 69.

Key Takeaways

• 81% of Internal Audit Heads have a solid line reporting relationship with the Chairman of the Audit Committee

• 45% of Internal Audit Heads have a dotted line reporting relationship with the CFO

Answers from Our Members


[Chart: Head of Internal Audit has a solid line reporting relationship with (n = 69): Chairman of the Audit Committee 81%; CEO 9%; CFO 8%; Chief Legal Counsel 2%]

March 03, 2009


CORPORATE EXECUTIVE BOARD

WWW.EXECUTIVEBOARD.COM

LEGAL CAVEAT

The Risk Integration Strategy Council has worked to ensure the accuracy of the information it provides to its members. This report relies upon data obtained from many sources, however, and the Risk Integration Strategy Council cannot guarantee the accuracy of the information or its analysis in all cases. Furthermore, the Risk Integration Strategy Council is not engaged in rendering legal, accounting, or other professional services. Its reports should not be construed as professional advice on any particular set of facts or circumstances. Members requiring such services are advised to consult an appropriate professional. Neither the Corporate Executive Board nor its programs are responsible for any claims or losses that may arise from a) any errors or omissions in their reports, whether caused by the Risk Integration Strategy Council or its sources, or b) reliance upon any recommendation made by the Risk Integration Strategy Council.

COPIES AND COPYRIGHT

As always, members are welcome to an unlimited number of copies of the materials contained within this handout. Furthermore, members may copy any graphic herein for their own internal purpose. The Corporate Executive Board requests only that members retain the copyright mark on all pages produced. Please contact your Member Support Center at +1-866-913-8102 for any help we may provide. The pages herein are the property of the Corporate Executive Board. Beyond the membership, no copyrighted materials of the Corporate Executive Board may be reproduced without prior approval.