
Page 1

11/14/2014

Enterprise Risk Management
Are You Doing Enough?

Society of Corporate Compliance & Ethics – Southeast Regional Conference

David Kidd
United Parcel Service
November 7, 2014

SCCE – Southeast Regional Conference / 11/7/2014


Page 2

Agenda

• Risk Management / Enterprise Risk Management
• Why All the Attention?
• Attributes of an Effective ERM Program
• Are You Doing Enough?


(Traditional) Risk Management
Process of assessing, minimizing, and/or preventing an unforeseen loss through the use of insurance or other financial measures.

EXAMPLE –
• Home owners/Renters Insurance / Life Insurance / Savings
• Fuel Prices – Supplier contracts / Options (Buy & Sell)
• Asset Protection – Traditional Insurance
• Portfolio/Fund – Treasury notes, fixed income, indexes, stocks
• Data Breach – Cyber‐Security Insurance


Risk Management / Enterprise Risk Management

Page 3

We Rent Cars to Minors!

Minimum age to rent a car: 26
• Age 18‐20: $68 per day surcharge
• Age 21‐25: $28 per day surcharge


Page 4

Enterprise Risk Management dates back to the 1960s
• Professors Robert Mehr and Bob Hedges
• First textbook: “Risk Management in the Business Enterprise” (1963)

“Risks should be managed in a comprehensive manner, and not simply insured.”

Objective: To maximize the productive efficiency of the enterprise


Enterprise Risk Management
Process used by organizations to identify and manage risks and seize opportunities related to the achievement of company objectives.

EXAMPLE – Risk and Opportunity
• Geopolitical – Emerging/Frontier Markets
• Mergers/Acquisitions – Capitalize on synergies / Culture
• Work Stoppage – Labor Agreements (Union Contracts)
• Financial – FX, Interest Rates, Commodity Prices, Fraud


Page 5

Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.      

Source: Committee of Sponsoring Organizations of the Treadway Commission / ERM ‐ Integrated Framework / September 2004 


Enterprise Risk Management
Why all the attention?


Page 6

Enterprise Risk Management – Why all the attention?

Figure: Trigger/Event timeline (2001, 2002, 2008, ???) and the Laws / Regulation that followed: Investor / Consumer Confidence; SEC 33‐9089; Sarbanes‐Oxley Act; Department of Homeland Security; Transportation Security Administration; Dodd‐Frank Act; Basel; ORSA/Solvency.

Enterprise Risk Management – Why all the attention?
Accounting Scandals


Page 7

(1) Fiduciary Failure. The Enron Board of Directors failed to safeguard Enron shareholders and contributed to the collapse of the seventh largest public company in the United States, by allowing Enron to engage in high risk accounting, inappropriate conflict of interest transactions, extensive undisclosed off-the-books activities, and excessive executive compensation. The Board witnessed numerous indications of questionable practices by Enron management over several years, but chose to ignore them to the detriment of Enron shareholders, employees and business associates.

(2) High Risk Accounting. The Enron Board of Directors knowingly allowed Enron to engage in high risk accounting practices.

(3) Inappropriate Conflicts of Interest. Despite clear conflicts of interest, the Enron Board of Directors approved an unprecedented arrangement allowing Enron’s Chief Financial Officer to establish and operate the LJM private equity funds which transacted business with Enron and profited at Enron’s expense. The Board exercised inadequate oversight of LJM transaction and compensation controls and failed to protect Enron shareholders from unfair dealing.

(4) Extensive Undisclosed Off-The-Books Activity. The Enron Board of Directors knowingly allowed Enron to conduct billions of dollars in off-the-books activity to make its financial condition appear better than it was and failed to ensure adequate public disclosure of material off-the books liabilities that contributed to Enron’s collapse.

(5) Excessive Compensation. The Enron Board of Directors approved excessive compensation for company executives, failed to monitor the cumulative cash drain caused by Enron’s 2000 annual bonus and performance unit plans, and failed to monitor or halt abuse by Board Chairman and Chief Executive Officer Kenneth Lay of a company-financed, multi-million dollar, personal credit line.

(6) Lack of Independence. The independence of the Enron Board of Directors was compromised by financial ties between the company and certain Board members. The Board also failed to ensure the independence of the company’s auditor, allowing Andersen to provide internal audit and consulting services while serving as Enron’s outside auditor.

Source: Permanent Subcommittee on Investigations, Committee on Governmental Affairs, United States Senate / July 8, 2002


Enterprise Risk Management – Why all the attention? Global Financial Crisis

SCCE– 2014 Atlanta Annual Conference / 11/7/2014

Page 8


Without a doubt, the recent financial crisis has tested companies and their boards in ways not seen in many decades and has had a profound impact on corporate governance and risk management. Indeed, one group of institutional investors with $9.5 trillion in assets under management, has claimed, “It is now widely agreed that corporate governance failings were not the only cause of the crisis but they were highly significant, above all because boards failed to understand and manage risk and tolerated perverse incentives.”

Source: The Metropolitan Corporate Counsel / The Board’s Role in Risk Management – Lessons Learned From the Financial Crisis / King & Spalding, LLP


SEC 33‐9089

Risk: by requiring disclosure about the board’s role in risk oversight and, to the extent that risks arising from a company’s compensation policies and practices are reasonably likely to have a material adverse effect on the company, disclosure about such policies and practices as they relate to risk management;

Governance and Director Qualifications: by requiring expanded disclosure of the background and qualifications of directors and director nominees and new disclosure about a company’s board leadership structure, and accelerating the reporting of information regarding voting results; and

Compensation: by revising the reporting of stock and option awards in the Summary Compensation Table and Director Compensation Table, and requiring disclosure of potential conflicts of interest of compensation consultants in certain circumstances.

February 2010


Page 9

2013 Annual Corporate Directors Survey
• 934 public company directors responded
• >70% serve on boards of companies with >$1 billion in annual revenue

Source: PwC’s 2013 Annual Corporate Directors Survey


Attributes of an Effective ERM Program


Page 10

• ERM ambassador / Salesman
• Communication (Top down / Bottom up) – A seat at the table?
• Understand risk definitions and their value (Risk appetite, Inherent risk, Residual risk, Risk capacity, Risk tolerance, etc.)
• Risk Assessment Objectives – (Accept, Transfer, Terminate)
• Culture (Bureaucratic)
• Dynamic Program (Survey, benchmarking, external research, willingness to share)
• Linkage between enterprise risks and strategic objectives
• Linkage to governance activities/committees
• 10‐K “Risk Factor” Comparison / Competitors and other organizations
• Learn the backgrounds of Board Members – What other boards do members serve on?
• Constructively Dissatisfied


Attributes of an Effective ERM Program

Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.

Event Identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective‐setting processes.

Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.

Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.

Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.

Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.


Page 11

Figure (ILLUSTRATIVE): Enterprise Risk and Control Framework. The chart maps UPS Risk Categories and their Risk Sub-categories to the COSO Framework; each category column carries an MC Sponsor (VP) and an ERC Sponsor.

UPS Risk Categories: Ethics & Compliance; Sales & Marketing; Operations/Infrastructure; Legal & Public Affairs; Information Technology; Human Resources; Operations / Engineering; Strategic; Corporate Governance; Security; Strategy; Finance & Accounting / Reporting; Sustainability / Brand Management.

Risk Sub-categories (as listed on the chart): Terrorism; Compliance Monitoring & Reporting; Ethical Culture “Tone at the Top”; Compliance Structure & Oversight; Regulatory Compliance; Compliance Policies & Procedures; Compliance Communication & Training; Addressing Allegations; Compliance Program Assessment; Records & Information Management; Occupational Health & Safety; HR Resource Policies & Procedures; Talent Pipeline/Recruitment; Performance & Compensation; Health & Welfare Benefits; Retirement & Pension Programs; Training and Development; Company Culture; Retention / Succession; Diversity; Architecture; Global Business Services; I.T. Records Management; Technology Licensing; I.T. Asset Management; I.T. Business Continuity Management; I.T. Change Management; I.T. Contracting & Outsourcing; Privacy and Data Protection; I.T. Operations; I.T. Physical & Environmental Security; I.T. Problem Management; I.T. Project Management; Competition / Antitrust; Contract Management; Government Investigations; Intellectual Property (IP); Labor & Employment Issues; Laws and Regulations; Litigation & Dispute Resolution; Privacy and Security Laws; Union Labor / Workforce Issues; Facilities and Equipment; Market Research; Customers; Competition; Marketing Strategy; Marketing Programs; Revenue Management / Pricing; Product Development; E-Commerce/Internet Strategy; Sales Strategy; Customer Relations / Customer Support; Customer Technology; Environmental Concerns; Energy Management; Operational Security; Operational Planning; Operations Management; Asset Utilization; Operational Reporting; Operations Performance Management; Distribution & Warehousing; Social Media; Communication (Employee / Customer); Branding & Reputation; Advertisements & Sponsorships; Philanthropy; Sustainability Programs; Social Concerns; Public Relations; Board Effectiveness; Board Structure & Senior Leadership; Risk Oversight & Management; Audit Quality; External Fraud; Business Continuity; Economic Conditions; Geopolitical Concerns; Technology Strategy; Vision, Mission, and Values; Industry Trends; Organization Structure; Third Party / Joint Venture; Strategy Communication; Growth Strategy; Business Concentration; Mergers / Acquisitions / Divestitures; Scenario Planning; Business Model; Customer Credit Policy; Credit Rating; Financial Asset Investment; Commodity Price Impact; Compliance w/ Accounting Standards; Financial Statement Fraud; Accounting Processes; Business Information & Analysis; Capital Management; Planning / Budgeting / Forecasting; Taxation; Procurement; Insurance and Hedging; Investor Relations; Aviation Security; Acquisition Integration.

ILLUSTRATIVE

Risk Rating Matrix

Likelihood of Risk Occurring

Value  Likelihood  Description
5      Very High   Event has occurred in the last 12 months, or >75% chance of occurring within seven years.
4      High        Event has occurred in the last 24 months, or 50‐75% chance of occurring within seven years.
3      Medium      20‐50% chance of occurring within seven years.
2      Low         10‐20% chance of occurring within seven years.
1      Very Low    <10% chance of occurring within seven years.

Impact if Risk Occurred

Value / Impact, with the Mission, Financial, Operations and Brand columns for each level (dollar thresholds are blank in the illustrative slide):

5 Very High (Severe)
  Mission:    Severely impacts our ability to achieve UPS Mission
  Financial:  Results in a single year financial impact >$ with ongoing impact
  Operations: Severely disrupts enterprise‐wide customer service or operations reliability long term
  Brand:      Severe impact on brand reputation

4 High (Significant)
  Mission:    Significantly impacts our ability to achieve UPS Mission
  Financial:  Results in a single year financial impact greater than $ and less than $, with some ongoing impact
  Operations: Significantly disrupts enterprise‐wide customer service or operations reliability
  Brand:      Significant impact on brand reputation

3 Medium (Moderate)
  Mission:    Moderately impacts our ability to achieve UPS Mission
  Financial:  Results in a single year financial impact greater than $ and less than $, with some ongoing impact
  Operations: Moderate impact on enterprise‐wide customer service or operations reliability
  Brand:      Moderate impact on brand reputation

2 Low (Minor)
  Mission:    Minor impact on our ability to achieve UPS Mission
  Financial:  Results in a single year financial impact greater than $ and less than $, with some ongoing impact
  Operations: Limited disruption of customer service or operations reliability
  Brand:      Limited impact on brand reputation

1 Very Low (Insignificant)
  Mission:    Insignificant impact on our ability to achieve UPS Mission
  Financial:  Results in a single year financial impact <$, and little ongoing impact
  Operations: Minimal disruption of customer service or operations reliability
  Brand:      Limited to no impact on brand reputation

ILLUSTRATIVE

Page 12

Enterprise Risk Management / CONFIDENTIAL

Consolidated Risk Map (ILLUSTRATIVE): a 5x5 heat map with Likelihood on one axis and Impact on the other, both scaled VL, L, M, H, VH. Individual risks are plotted as numbers 1 to 20 and letters A to BB (positions not reproduced here).

Legend: VH Very High; H High; M Medium; L Low; VL Very Low.

Enterprise Risk Management / CONFIDENTIAL

Risk Profile (ILLUSTRATIVE)

Risk Category: Compliance & Ethics
Risk Sub-Category: Regulatory Compliance
MC Sponsor: Mary Doe
ERC Sponsor: John Doe
Risk Owner(s): Bob, Sally, Joe
Risk SME(s): Rick, Sue, Steve

Risk Statement
There is a risk that legislation in the next year could prohibit carbon emitting vehicles from operating within city limits.

2013 Risk Status        L   I
Current (Executed)      4   3
Planned Mitigation      1   1
Future (Planned)        3   2

Risk Contributors and Controls / Mitigation (the Status, L, I and Planned Completion columns are blank in the illustrative slide):

• Aggressive regulatory agencies pushing bans on carbon emitting vehicles
  ‐ Deploy Public Affairs strategy to reach an agreement to delay the mandate, or obtain an exemption
  ‐ Collaborate/partner with IBT to strengthen position
• Limited number of non‐carbon vehicles to meet the mandate
  ‐ Work with multiple manufacturers to procure the necessary number of vehicles
  ‐ Invest in additional forms of carbon‐free alternatives, including CNG/LNG, hydraulic, etc.
• Limitations with battery life may require multiple trips to and from the hub/center
  ‐ Establish satellite locations in closer proximity to impacted delivery zones
  ‐ Consider leasing/acquiring space within restricted areas

Confidential, unpublished property of UPS. Do not distribute ‐ limited solely to authorized personnel.
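The rating matrix, consolidated map and risk profile above together describe a scoring scheme: a likelihood score from recency or seven-year probability, an impact score across four columns, and an inherent score that moves to a residual score as controls are executed. The following is an added example, written for this page and not UPS's or the presenter's code, that implements that scheme in Python for a small risk register. Everything not on the slides is an assumption and is marked as such in the comments: the worst impact column governs, band edges such as 50% belong to the higher band, controls reduce scores by simple subtraction floored at 1 (which is what the illustrative profile's 4/3, 1/1, 3/2 rows show), and the register entries, control names and scores are constructed.

```python
"""Risk register scorer built on the deck's illustrative rating matrix.
Added example, not UPS's or the presenter's code; assumptions are marked."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SCALE = {1: "VL", 2: "L", 3: "M", 4: "H", 5: "VH"}


def likelihood_score(months_since_last: Optional[int], p_within_7y: float) -> int:
    """Likelihood 1..5 per the deck's table: an occurrence in the last 12 or
    24 months forces the top two bands, otherwise the seven-year probability
    band decides. Assumption: an edge value such as 50% belongs to the higher
    band, since the deck writes '50-75%' without saying which band owns 50%."""
    if not 0.0 <= p_within_7y <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    if months_since_last is not None and months_since_last <= 12:
        return 5
    if p_within_7y > 0.75:
        return 5
    if months_since_last is not None and months_since_last <= 24:
        return 4
    if p_within_7y >= 0.50:
        return 4
    if p_within_7y >= 0.20:
        return 3
    if p_within_7y >= 0.10:
        return 2
    return 1


def impact_score(mission: int, financial: int, operations: int, brand: int) -> int:
    """Impact 1..5 across the deck's four columns. Assumption: the worst
    column governs; the deck does not say how the columns combine."""
    columns = (mission, financial, operations, brand)
    if any(c not in SCALE for c in columns):
        raise ValueError("each impact column must be rated 1..5")
    return max(columns)


@dataclass
class Mitigation:
    control: str
    delta_l: int            # reduction in likelihood score once in place
    delta_i: int            # reduction in impact score once in place
    executed: bool = False  # False = planned, as in the profile's 'Future' row


@dataclass
class Risk:
    ref: str                # label used on the consolidated map
    statement: str
    likelihood: int         # inherent score, before any control
    impact: int
    mitigations: List[Mitigation] = field(default_factory=list)

    def residual(self, include_planned: bool) -> Tuple[int, int]:
        """(L, I) after executed controls, optionally also planned ones.
        Assumption: reductions subtract from the inherent scores and floor
        at 1, which reproduces the illustrative profile's move from
        Current (4, 3) through Planned Mitigation (1, 1) to Future (3, 2)."""
        l, i = self.likelihood, self.impact
        for m in self.mitigations:
            if m.executed or include_planned:
                l -= m.delta_l
                i -= m.delta_i
        return max(1, l), max(1, i)


def consolidated_map(risks: List[Risk], include_planned: bool = False) -> Dict[Tuple[int, int], List[str]]:
    """5x5 grid keyed (likelihood, impact) -> refs of the risks sitting there."""
    grid: Dict[Tuple[int, int], List[str]] = {(l, i): [] for l in SCALE for i in SCALE}
    for r in risks:
        grid[r.residual(include_planned)].append(r.ref)
    return grid


def render_map(grid: Dict[Tuple[int, int], List[str]]) -> str:
    """Text heat map: rows are likelihood (VH at top), columns are impact."""
    header = "L\\I   " + " ".join(f"{SCALE[i]:>5}" for i in range(1, 6))
    rows = [header]
    for l in range(5, 0, -1):
        cells = [",".join(grid[(l, i)]) or "." for i in range(1, 6)]
        rows.append(f"{SCALE[l]:>5} " + " ".join(f"{c:>5}" for c in cells))
    return "\n".join(rows)


# Constructed sample register (not UPS data): the deck's carbon-vehicle risk
# next to a cyber risk of the kind a 10-K risk factor describes.
REGISTER = [
    Risk("1", "Legislation could prohibit carbon-emitting vehicles within city limits",
         likelihood=likelihood_score(None, 0.80),       # >75% in seven years -> 5
         impact=impact_score(3, 4, 3, 2),               # financial column is worst -> 4
         mitigations=[Mitigation("Public Affairs strategy / IBT partnership", 1, 1, executed=True),
                      Mitigation("Procure non-carbon vehicles from several makers", 1, 1)]),
    Risk("2", "Breach of customer-facing systems exposing shipment data",
         likelihood=likelihood_score(months_since_last=8, p_within_7y=0.30),  # recent -> 5
         impact=impact_score(2, 4, 3, 5),               # brand column is worst -> 5
         mitigations=[Mitigation("Cyber insurance (share the financial impact)", 0, 1, executed=True),
                      Mitigation("Segmentation and MFA on admin paths", 2, 0)]),
]

if __name__ == "__main__":
    print("Current:\n" + render_map(consolidated_map(REGISTER)))
    print("Future:\n" + render_map(consolidated_map(REGISTER, include_planned=True)))
```

Running the block prints two maps: the current one, with risk 1 at (H, M) and risk 2 at (VH, H), and the future one after planned controls. Keeping inherent and residual scores separate is what lets the register answer the COSO question the deck raises (risks assessed "on an inherent and a residual basis") and shows which control is doing the work: for the breach risk, insurance moves only the impact column, while segmentation and MFA move likelihood.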

Page 13

Attributes of an Effective ERM Program / 10‐K Risk Factors

• The Company’s products and services may experience quality problems from time to time that can result in decreased sales and operating margin and harm to the Company’s reputation.

• The Company could be impacted by unfavorable results of legal proceedings, such as being found to have infringed on intellectual property rights.

• There may be breaches of the Company’s information technology systems that materially damage business partner and customer relationships, curtail or otherwise adversely impact access to online stores and services, or subject the Company to significant reputational, financial, legal, and operational consequences.

• The Company’s success depends largely on the continued service and availability of key personnel.

• The Company’s future performance depends in part on support from third-party software developers.


Attributes of an Effective ERM Program / Proxy Review

Board Oversight of Risk Management
The Board believes that evaluating how the executive team manages the various risks confronting the Company is one of its most important areas of oversight. In carrying out this critical responsibility, the Board has designated the Audit Committee with primary responsibility for overseeing enterprise risk management. In fulfilling its oversight responsibilities with regard to risks inherent in the Company’s business, including the identification, assessment, management, and monitoring of those risks, and risk management decisions, practices and activities of the Company, the Audit Committee is assisted by a Risk Oversight Committee consisting of key members of management, including the Company’s Chief Financial Officer and General Counsel. The Risk Oversight Committee reports regularly to the Audit Committee, and the Audit Committee makes periodic reports to the Board. See the Audit Committee’s Charter at www.apple.com/investor for more information about its risk oversight function.


Page 14

Attributes of an Effective ERM Program / Proxy Review

Board Risk Oversight
Our Board of Directors has oversight for risk management with a focus on the most significant risks facing the company, including strategic, operational, financial, and legal and compliance risks. At the end of each year, management and the Board jointly develop a list of major risks that GE plans to prioritize in the next year. Throughout the year, the Board and the committees to which it has delegated responsibility dedicate a portion of their meetings to review and discuss specific risk topics in greater detail. Strategic, operational and reputational risks are presented and discussed in the context of the CEO’s report on operations to the Board at regularly scheduled Board meetings and at presentations to the Board and its committees by the vice chairmen, CRO, general counsel and other employees.

Risks identified through our risk management processes are prioritized and, depending on the probability and severity of the risk, escalated to the chief risk officer (CRO). We have general response strategies for managing risks, which categorize risks according to whether the company will avoid, transfer, reduce or accept the risk. These response strategies are tailored to ensure that risks are within acceptable GE Board general guidelines. Depending on the nature of the risk involved and the particular business or function affected, we use a wide variety of risk mitigation strategies, including delegation of authorities, standardized processes and strategic planning reviews, operating reviews, insurance and hedging.


Enterprise Risk Management
Are You Doing Enough?


Page 15

Are You Doing Enough?

• Board feedback

• C‐Suite engagement

• Customer engagement / New business opportunities

• Risk assessment

• Networking / Relationships / Credibility

• Insurance Incentives

• Constructively Dissatisfied


Thank You

Questions?

David Kidd
United Parcel Service
November 7, 2014
