April 18, 2005
Excellence in Risk Management II
A Qualitative Survey of Enterprise Risk Management Programs
What Is ERM?
Respondents shared these definitions with us:
Assessing and addressing risk from all sources.
A process to manage all risks of the enterprise.
Managing your business with a more deliberate and systematic focus on risk.
Implementing the infrastructure and culture within the organization to make good decisions on risk.
Marsh
Excellence in Risk Management Studies
Excellence in Risk Management I studied the risk management practices of 30 top-performing risk managers in North America. Findings presented at the 2004 RIMS conference included the following:
- The events of the past 10 years have resulted in a dramatic shift in the importance of risk management and its practices.
- There is an opportunity for risk managers to play a more strategic role in their organizations.
- Companies can recognize a significant financial impact by controlling risk and recognizing profit from risk-related strategies.
- Successful risk management relies on a robust hierarchy of information and integrated information systems.
Using Excellence I as a foundation of understanding, Excellence II examines the characteristics and practices of organizations that are implementing an enterprise-wide risk management program.
Excellence in Risk Management II Research Parameters and Methodology
Methodology:
- Qualitative versus quantitative approach
- In-depth interviews within five large organizations that are implementing an ERM program
- Industries represented: Information services (2), Financial services (2), Commodity services (1)
- Interviews with 25 individuals at these organizations, including risk management at each company
- Interviews were administered by phone to obtain insights on practices, perceptions, organizational dynamics, and relationships
- Interviews were supplemented by a short closed-end questionnaire covering basic topics
- Interviews were conducted by Greenwich Associates
Who We Interviewed
- Risk Management (7)
- Operations (8)
- Audit (5)
- Compliance and Legal (3)
- Business-Unit Head (1)
- Safety (1)
Key Takeaways
- Recognize the fundamental benefits of ERM
- Understand how to implement ERM
- Understand how to sustain ERM in your company
Enterprise Risk Management: Applying Risk Management Discipline More Broadly
[Diagram labels: Objective Setting; Risk Identification; Risk Assessment; Risk Mitigation; Control Activities; Communication; Monitoring. Characteristics: All Types of Risk; Broad Focus; Continuous]
Source: The Committee of Sponsoring Organizations of the Treadway Commission
Survey Results Overview
- Why ERM?
- Getting Senior-Management Support
- Creating a Process to Support ERM
- Building ERM Into the Corporate Culture
- Key Takeaways
Why ERM?
ERM Benefits
"I'm liberating people in our company about risk and uncertainty so that they can better achieve the objectives that they made to the board." - Risk Manager
As Organizations Adopt ERM, the Role of Risk Manager Becomes More Strategic
- Strategic Risk Management: Impact on Organization's Bottom Line and Culture
- Progressive Risk Management: Organizational Buy-In
- Traditional Risk Management: Technical Management
As Companies Develop an ERM Approach, Potential Benefits Multiply
- ERM Approach (Optimizing Risk): Support Objectives; Improve Earnings and Cash Flow; Manage Growth; Capture Opportunities
- Advanced Risk Management (Managing Risk): Reduce Losses; Lower Insurance Costs
- Defensive Risk Management (Transferring Risk): Purchase Insurance and Cover Risks
The Role of Risk Management in the Firm
Agree/Strongly Agree (Risk Manager: n=5; Other: n=15)
- The role of the risk manager has become much more strategic with implementation of ERM: Risk Manager 80%, Other 80%
- The firm views risk management as a key strategic function: Risk Manager 80%, Other 73%
Benefits of ERM Implementation in Major Risk Areas
Highly Significant Benefits (4 & 5) (Risk Manager: n=5; Other: n=16)
- Strategic: Risk Manager 80%, Other 75%
- Financial: Risk Manager 60%, Other 88%
- Operational: Risk Manager 100%, Other 81%
- Hazard: Risk Manager 20%, Other 31%
Q21. With the implementation of an integrated approach to risk management across the firm in all of the risk areas (ERM), how would you rate the benefits accruing, or expected to accrue, in each of the major types of risk? Please rate on a scale of 1 to 5, where 1 is None and 5 is Highly Significant.
Present and Future Benefits of ERM
Agree/Strongly Agree (Risk Manager: n=5; Other: n=15)
- There are tremendous future potential benefits in ERM that have not yet been realized: Risk Manager 100%, Other 80%
- The firm is recognizing substantial benefits from ERM today: Risk Manager 80%, Other 40%
Perceived Benefits of ERM
Highly Significant Benefits (4 & 5) (Risk Manager: n=5; Other: n=16)
- Improved communications on risk taking to shareholders/board: Risk Manager 100%, Other 100%
- Better-informed decisions: Risk Manager 100%, Other 94%
- Better allocation of capital and resources to address risk: Risk Manager 100%, Other 88%
- Improved corporate governance practices: Risk Manager 80%, Other 94%
Examples of ERM Benefits
- Multimillion-dollar project undertaken once risk profile understood
- Offshore outsourcing program cancelled once high risk was assessed
- Natural hedge discovered
- Facilitated M&A process
- Reduced insurance rates
- Decided not to discontinue product once risk was understood
ERM Driving Forces
- External Forces: Sarbanes-Oxley; Six Sigma; Corporate Scandals; Regulatory Initiatives; September 11; Natural Disasters
- Company Risk Management Focus: Understanding Risk; Controlling Risk; Optimizing Risk
- Internal Forces: Managing Earnings and Cash Flows; Stakeholder Accountability; Meeting Objectives; Regulatory Compliance
Getting Senior-Management Support
Consensus That Board and Senior-Management Buy-In of ERM Is Essential to Acceptance by the Organization
- Board: Alignment with board objectives; Senior-level champion; Continued involvement
- Senior Management: Sets the tone; Link to investors
- Functional Management
- Business Units and Operations
Continued Support From Senior Management Requires Direct Communication By ERM Team
- Risk committees
  - Senior-management risk committee
  - Board level: audit committee / separate risk committee
  - Internal audit
- Continuous communications
- "Don't shoot the messenger" attitude
- Help from brokers and consultants
- Can jump-start process
Creating a Process to Support ERM
Accountability and Reporting at All Levels Is Required to Support the ERM Process
[Organization chart: Board (Risk Committee); Senior Management (Risk Committee: CEO, CFO, CRO, COO, CTO); Cross-Functional ERM Team (Risk Management, Audit, Compliance/Legal); Business Units; Functional Management; Operations]
Organization to Support ERM: Key Takeaways
- Separate risk committees to board and senior management
- Risk management representation in senior management
- Cross-functional ERM team: risk management, internal audit, legal, and compliance form core team
- Representation from operations/business units and functional management
- Human resources conspicuous in its absence
Link to Strategic Objectives and Integrate ERM Thinking Into Regular Business Activities
[Diagram labels: Decisions; Objectives; Financial Strategy; Corporate Strategy; Enterprise Risk Management; Policies and Procedures; Plans and Budgets]
Reinforce the ERM Process With a Common Language and Training
- Establish a common language about risk
  - Simple
  - In conformity with culture
- Take a consultative approach to training by using workshops
- Use available technology
- Keep it simple
Building ERM Into the Corporate Culture
ERM in the Corporate Culture
"Risk management is everybody's job. Everybody who does anything in the company is a risk manager to some extent." - Senior Manager
"The most important thing is to get buy-in from the most senior levels of the organization first. Until you do that, you're going to have great ideas, but they'll never see the light of day." - Risk Manager
Embedding ERM in Corporate Culture
Agree/Strongly Agree (Risk Manager: n=5; Other: n=15)
- Implementation of ERM requires and results in a cultural change in the organization: Risk Manager 100%, Other 93%
How to Influence Thinking to Include ERM
[Diagram labels: All Company Employees; Communications; "Grooming" Internally; Compensation; Learning & Development; Performance Measurement; "Lifetime" Mentality to ERM]
Key Takeaways
ERM Risk Analysis Involves Five Fundamental Steps Applied to All Areas of Risk
1. Identify Risks
2. Assess Impact
3. Assess Likelihood
4. Quantify & Prioritize
5. Optimize
ERM Demands a Strategic Role for Risk Managers
[Figure: Company Evolution (Defensive Risk Management, Advanced Risk Management, ERM Approach) versus Risk Manager Evolution (Traditional Risk Management, Progressive Risk Management, Strategic Risk Management)]
For Low-Frequency Risks, ERM Can Reveal Hidden Risks Requiring Action and Help in Prioritizing Resources
[Figure: 2x2 risk matrix with axes Impact (Low, High) and Likelihood (Low, High); quadrants: High Impact/Low Likelihood, High Impact/High Likelihood, Low Impact/Low Likelihood, Low Impact/High Likelihood]
Cautions
- Don't treat ERM as one-time project
- Overkill can create backlash
- Need tangible accomplishments to keep momentum
Recommendations
- Just do it! Get started
- Identify a champion
- Get senior-management buy-in
- Start prioritizing risks using Top 10 approach
- Perform business practice reviews
- Hold risk workshops
- Leverage existing initiatives
  - Sarbanes-Oxley
  - Six Sigma
  - Audit and compliance initiatives
  - Strategic planning
- Maintain sensitivity to seismic events in the company
- Employ team approach to the task of implementing ERM
- Formalize it:
  - Structured approach to organizing processes / lines of reporting
- Keep ERM technology simple and understandable
- Embed ERM in existing business processes
- Treat ERM as a process, not a project
Final Thought
"The key to high-performance risk management is aligning risk strategy among key risk stakeholders, obtaining and sustaining senior management engagement, and achieving effective integration with strategic planning." - Risk Manager
Thank You
RIMS and Marsh are proud to have sponsored the Excellence in Risk Management II survey
Marsh is part of the family of MMC companies, including Kroll, Guy Carpenter, Putnam Investments, Mercer Human Resource Consulting (including Mercer Health & Benefits, Mercer HR Services, Mercer Investment Consulting, and Mercer Global Investments), and Mercer specialty consulting businesses (including Mercer Management Consulting, Mercer Oliver Wyman, Mercer Delta Organizational Consulting, NERA Economic Consulting, and Lippincott Mercer).
The Risk and Insurance Management Society, Inc. (RIMS) is a not for profit organization dedicated to advancing the practice of risk management, a professional discipline that protects physical, financial and human resources. Founded in 1950, RIMS represents nearly 4,000 industrial, service, nonprofit, charitable, and governmental entities. The Society serves over 6+:88 risk management professionals around the world.
Copyright 2005 Marsh Inc. All rights reserved.