Context of ERM(Enterprise Risk Management)
PPrasanna
Discussion6.docxThis week’s chapter readings focused on four mini-case studies with unique challenges presented that are highly relevant in the context of ERM. Provide a brief summary of each of the four case studies by discussing for each case what was the challenge presented and some strengths and weakness in the risk management approaches. Conclude your discussion, based on the case study from chapter 29 “Transforming Risk Management at Akawini Copper”, by providing your thoughts on risk management transformations, specifically discussing how we can monitor risk transformation progress and performance.
To complete this assignment, you must do the following: A) Create a new thread. Provide a brief summary of each of the four case studies by discussing for each case what was the challenge presented and some strengths and weakness in the approaches. Conclude your discussion, based on the case study from chapter 29 “Transforming Risk Management at Akawini Copper”, by providing your thoughts on risk management transformations, specifically discussing how we can monitor risk transformation progress and performance.
CASE STUDIES
CHAPTER 26 Bim Consultants Inc.
JOHN R.S. FRASER
Senior Vice President, Internal Audit, and former Chief Risk Officer, Hydro One Networks Inc.
Bim Consultants Inc. is a medium-sized consulting firm. It is a corporation with 30 partners who own most of the shares. It has 10 offices across Canada with 3,000 staff, and has been in business for 30 years. Senior staff also own shares and participate in an annual bonus scheme. Salaries are generally on the low side, but bonuses in good years can be quite high. The balance sheet is sound (see Exhibit 26.1).
|
Bim Consultants Inc. |
||
|
Summary Balance Sheet |
||
|
As of December 31, 2014 |
||
|
|
2014 |
2013 |
|
Year ended December 31 (Canadian dollars in millions) |
$ |
$ |
|
Current Assets |
|
|
|
Cash and Short-Term Investments |
12 |
7 |
|
Accounts Receivable |
175 |
168 |
|
|
187 |
175 |
|
Current Liabilities |
|
|
|
Accounts Payable |
34 |
27 |
|
Short-Term Loans |
100 |
110 |
|
|
134 |
137 |
|
Working Capital |
53 |
38 |
|
Fixed Assets |
|
|
|
Leasehold Improvements |
196 |
178 |
|
Furniture and Equipment |
100 |
94 |
|
Less Accumulated Depreciation & Amortization |
(153) |
(128) |
|
|
143 |
144 |
|
Net Assets |
196 |
181 |
|
Share Capital |
|
|
|
Common Shares |
100 |
100 |
|
Retained Earnings |
96 |
81 |
|
|
196 |
181 |
Exhibit 26.1 Bim Consultants Balance Sheet
The company has always prided itself on its customer focus. “Customers are number one” has been the mantra from the chairman, Mr. Smooth, for many years. Recently, however, revenue has been stagnant, and the younger partners are getting restless, wondering if the older partners have lost their edge and whether changes are needed to return to the glory days of large bonuses.
At a recent strategic planning meeting of the major partners, the decision was made to continue focusing on customers as number one, but also to explore how to increase revenue from within the existing clientele and to explore what additional services could be provided to enrich the client experience (and revenues). It was agreed that the strength of the firm was in its blue-chip client base and that this high-quality reputation was worth preserving. Some discussions were also held around the idea of selling a minority share of the company at a large multiple, if such a deal was identified. Bim Consultants' profit and loss and retained earnings are provided in Exhibit 26.2.
|
Bim Consultants Inc. |
||
|
Summary Profit and Loss and Retained Earnings |
||
|
For the Year Ended December 31, 2014 |
||
|
|
2014 |
2013 |
|
Year ended December 31 (Canadian dollars in millions) |
$ |
$ |
|
Revenue |
300 |
290 |
|
Expenses |
|
|
|
Salaries |
220 |
207 |
|
Other |
20 |
18 |
|
Net Profit before Income Tax |
60 |
65 |
|
Income Tax Provision |
27 |
29 |
|
Net Income after Tax |
33 |
36 |
|
Retained Earnings—Beginning of Year |
81 |
65 |
|
|
114 |
101 |
|
Dividends |
18 |
20 |
|
Retained Earnings—End of Year |
96 |
81 |
Exhibit 26.2 Bim Consultants Profit and Loss and Retained Earnings
Earlier this week, the chairman received a call from the president of the Canadian subsidiary of a U.S.–owned competitor, Bravado International, saying that Bravado was pulling out of Canada and would consider an offer to sell the subsidiary to Bim Consultants Inc. The Bravado subsidiary had 12 offices across Canada and just over 3,500 staff, but had often drawn on its U.S. resources when required for large engagements.
The chairman called an executive meeting and pointed out that making such a purchase would double sales, catapult Bim Consulting into the number one position in major markets in Canada, and provide a strong marketing thrust into previously untapped midtier markets. Based primarily on the persuasiveness of the chairman, the executive committee approved proceeding with the negotiations.
The president of the Bravado subsidiary cautioned Mr. Smooth that it was imperative not to have word of the negotiations leak out, as this could lead to a loss of key staff and possibly clients. Accordingly, he urged Mr. Smooth not to do the normal due diligence in the subsidiary's offices but to review the necessary records and meet with select senior executives of Bravado at an off-site location. This process seemed to work well, and the Bravado executives were well prepared and very likable. All the information checked out, and the way seemed clear to do a deal.
CHAPTER 27 Nerds Galore
ROB QUAIL, BASC
Director, Enterprise Risk Management, Hydro One Networks Inc.
Nerds Galore (NG) is a Canadian service company with 1,000 employees working out of offices in 12 Canadian cities; the head office is in Edmonton, Alberta. NG provides full-service information technology (IT) support to small and medium-sized Canadian businesses, including help desk, on-site troubleshooting, security, network setup and support, backup services, wireless networks, hardware and software procurement, and website design and hosting solutions.
Nerds Galore was formed in 2000 in the garage of its founder, Jeeves Stobes. NG has enjoyed strong growth in its segment and has an excellent reputation with its customers. In the beginning, NG focused on a particular customer subsegment, small start-up businesses, especially on low-tech businesses such as boutique services. Lately its strategy has shifted more to midsize customers (which have deeper pockets and less chance of going broke) with more sophisticated technology needs.
Recently there have been problems for NG.
There has been steady decline in customer satisfaction, as shown in Exhibit 27.1.
Exhibit 27.1 Nerds Galore Customer Satisfaction
Following a thorough investigation and follow-up with many of NG's key customers, the Executive Team has concluded that the main cause of this has been high internal staff turnover, leading to gaps in customer services and service continuity.
Indeed, staff retention has been an issue, as shown in Exhibit 27.2.
Exhibit 27.2 Nerds Galore Employee Turnover
To continue to provide strong customer service, it is critical that team members are competent in the latest technology, and yet turnover has approached 20 percent in three recent years. This is a particular problem for NG because of its high focus on customer service; new staff receive extensive and costly training in NG's customer service and cross-selling approaches. The company's pay package is competitive but not at the very top; instead NG uses its reputation for excellent customer relationship and staff development to attract motivated staff. Note that it's well known that one of NG's competitors was recently raided by a large systems integration firm and lost most of its network management technical staff in a single quarter. NG has been having a particularly difficult time retaining staff in the larger urban centers and other technology hubs in Canada where there are more competitors and the competitors generally pay more.
Despite the fact that customer satisfaction has been declining, the Executive Team did note that revenue numbers have not suffered; in fact, they have continued to climb year over year, as shown in Exhibit 27.3. It was concluded that this lack of a drop in revenues is due to two factors:
1. Many current customers have multiyear contracts with Nerds Galore.
2. Very small businesses that have made up the bulk of NG's customer base are generally tolerant of minor service hitches and less focused on optimal technology performance.
Exhibit 27.3 Nerds Galore Financial Performance
Recently, the company suffered a major shock when one of its employees was killed in a head-on car crash while rushing to a customer site during a snowstorm in Rimouski, Quebec. The employee who was killed was a well-known and much admired member of the team, and many staff thought at the time that NG's Executive Team didn't respond properly to this event. In fact, the Globe and Mail ran a story on workplace tragedy and its impact on morale and used Nerds Galore as a case study on how notto manage sudden trauma, and, while the company's customers didn't seem to notice, NG did experience a sudden jump in staff departures and some difficulty in recruiting replacements.
Also, there is a sense that staff efficiency is not what it should be; in particular, scheduling technicians for on-site technical work has been a problem. Small business customers tend to have diverse and unique technology needs, and finding specialists who can work in multiple areas such as network support and voice over Internet Protocol (VoIP) while working with a single customer is difficult; most of the propeller-heads (as NG affectionately terms its technicians) are specialists in a few areas, and the company has found that its specialists are spending a lot of time behind the wheel traveling from site to site dealing with point solutions to individual technical problems. NG's founder and CEO, Jeeves Stobes, freely admits that the company's own internal technology has not really kept pace with the growth of the company. NG lacks a customer/account management program and relies on whiteboards and e-mail managed by the company's small core of four senior work schedulers (long-service employees who work out of a war room in
|
|
Actual |
Targets |
||||||
|
|
2013 |
2014 |
2015 |
2016 |
2017 |
2018 |
|
|
|
Revenues ($M) (target is 15% year-over-year growth) |
100 |
115 |
132 |
152 |
175 |
201 |
|
|
|
Net Income ($M) (target is 15% of revenues) |
10 |
17 |
20 |
23 |
26 |
30 |
|
|
|
Customer Satisfaction (% “very satisfied”) (target is 95%) |
83 |
95 |
95 |
95 |
95 |
95 |
|
|
|
Staff levels |
1,000 |
1,100 |
1,200 |
1,300 |
1,400 |
1,500 |
|
|
Edmonton and know the company's customers and staff well) to schedule employees to customer sites. In addition, while the company has placed a premium on developing staff, this has been through informal mentoring and apprenticeships rather than formal development based on identified customer needs, and this approach has been difficult to sustain given the scrambles created by sudden staff departures.
As shown in Exhibit 27.4, CEO Stobes has set targets of 15 percent revenue growth year over year (which is close to recent rates of growth) and a net income target of 15 percent of annual revenues, which will be a stretch (recent years have yielded margins of 8 to 10 percent). Stobes has set a target of 95 percent customer satisfaction going forward.
Exhibit 27.4 Strategic Targets
Gil Bates, NG's vice president of human resources (HR), recently recruited from the competitor Propell-O-Rama, is concerned about not only the employee turnover rates but HR management in general. He has come forward with a five-point strategy for improved HR management, but has encountered stiff resistance from the rest of the Executive Team. The strategy is:
1. Attract the best talent. Do this by offering a positive and flexible work environment with flexible hours and a work-at-home culture.
2. Retain good people. Do this by offering employee recognition programs, providing multiskilling/cross-training (which will have the added benefit of greater customer satisfaction), and ensuring that compensation stays at or near the 75th percentile of competitors or comparators.
3. Manage talent. Put in place a formal talent management program so that high-potential employees are identified, developed, and mentored.
4. Optimize the use of people. Do this by purchasing and implementing a fully integrated customer management and workforce management tool, to allow greater scheduling and tracking of employee effort on customer accounts.
5. Rely on outsourcers to handle overflow of business requests that have highly volatile work volumes, or in areas where retaining internal capability and know-how is prohibitively expensive.
At a management discussion, it was agreed that the Executive Team would meet for a risk workshop to explore the following HR-related risks and to help the exectives evaluate the situation and decide on whether to invest in Bates's strategy:
· Inability to recruit people with needed skills
· Loss of staff with key internal knowledge
· Uncompetitive labor productivity
· Increased departures of skilled technical staff
· Loss of key business know-how
CHAPTER 28 The Reluctant General Counsel
NORMAN D. MARKS, CPA, CRMA
Fellow of the Open Compliance and Ethics Group, and Honorary Fellow of the Institute of Risk Management
Business Software Corporation (BSC) is a global software company headquartered in the Silicon Valley of California, with annual revenues of over $1 billion. It is listed on major North American stock exchanges. The head of the Internal Audit function, Jason Garnelas, has been asked by the board to lead the establishment of an enterprise risk management (ERM) function. Top management, led by the chief executive officer (CEO), John Black, and the chief financial officer (CFO), Jim Toll, have indicated their support for this important initiative. The plan is for Jason to run the program for the first year, at which point management and the board will consider whether it is necessary and appropriate to hire a full-time risk officer.
Jason is grateful for the support of both the board and top management, because it is unusual for an entrepreneurial technology company to recognize the value of risk management and dedicate both time and resources to its implementation. In fact, at a meeting of the executive leadership, John Black explains that he holds his direct reports individually and collectively responsible for the management of risks to the business. He sees the role of the risk officer, currently Jason Garnelas on a part-time basis, as a facilitator to the leadership team. Jason will lead the development of a framework and process, and will facilitate the identification, assessment, and treatment of risk, but all decisions are a management responsibility.
Jason holds a series of one-on-one meetings with each of the CEO's and CFO's direct reports to understand, with them, the more significant risks to the organization. Most of them engage actively and with energy into the discussions, as they can see that the process will contribute to their and the company's success. Due to their travels, Jason is initially unable to meet with the executive vice president (EVP) of development (responsible for all the software developers) and the general counsel. But he is able to develop a preliminary list and assessment of the more significant areas.
The preliminary assessment is reviewed with the executive leadership team, and the CEO expresses his appreciation for the work that has been performed, but he is concerned that several of his direct reports identified the same areas of risk with significantly different evaluations of both potential impact and likelihood. He decides to assign each area of risk to individual executives who will own them and be responsible not only for monitoring the risk levels and assessing the potential impact and likelihood, but also for ensuring that actions are taken as and when necessary to bring the risk levels in line with acceptable limits established by the CEO and the board.
As everybody leaves the meeting, Jason chats briefly with the EVP of development and the general counsel, George French. The EVP quickly agrees to meet later in the week for an hour to review the risks in his assigned areas. But the general counsel asks Jason to step into his office.
The general counsel tells Jason that while he agrees that a risk management program is fine in theory, he has strong reservations. His concerns fall into two general areas.
First, the company, like every technology company, is routinely engaged in multiple lawsuits. Some lawsuits, particularly those concerned with the protection of intellectual property, involve potential settlements in the hundreds of millions of dollars—both in favor of and against BSC. These lawsuits have been identified as areas of risk that should be addressed by the new risk management program, but any formal assessment is discoverable by the opposition attorneys and could be used against BSC both in negotiations and at trial.
George understands that Jason needs his and his team's input to identify the potential impact of both favorable and adverse results to current and future lawsuits, and the likelihood of those results. But, because of the risk to the company that would be created by a formal risk assessment of the lawsuits, he has decided he cannot participate.
Second, BSC is listed on some U.S. exchanges and is subject to all U.S. Securities and Exchange Commission (SEC) filing requirements. The quarterly and annual filings have to include a discussion of the significant risks facing the organization.
The general counsel is concerned that BSC's competitors could gain an unnecessary advantage from a risk management program. His reading of the SEC rules is that the discussion in the filings has to be consistent with any formal discussion of risks by management and the board. So, if the internal discussion is too detailed and includes specific likelihood and potential effects for each risk area, that would lead to excessive and unnecessary disclosures to the company's disadvantage.
George believes that participation by the legal department will constitute formal risk discussions. Discussion of risk by the rest of the management team is a normal part of running the business, but when he and his team join the discussion it raises risk management from informal discussions to a formal process that should influence the risk disclosures in the company's SEC filings.
George tells Jason that he commends him for the initiative but cannot support it by contributing legal advice to the risk assessment and evaluation process. That should be the responsibility of the executive leadership team, with Jason's assistance. The involvement of the legal department represents, itself, too great a risk.
CHAPTER 29 Transforming Risk Management at Akawini Copper
GRANT PURDY
Associate Director, Broadleaf Capital International
This case study describes how the approach to managing risk can be transformed and enhanced in a company. The case study is based on a hypothetical mining company, Akawini Copper, that has recently been acquired by an international concern, United Minerals. Akawini has a rudimentary approach to risk management (RM) that must be improved if the new owners are to realize the level of return claimed in the business case that was used to justify the acquisition. Akawini owns a single mine and concentrate plant approximately 50 kilometers from the coast. It ships the concentrate using trucks to a nearby port for export. The company earns revenue of $774 million a year from the sale of concentrate and employs a total of 1,500 people at the mine site and port.
THE ACQUISITION AND DUE DILIGENCE
United Minerals has developed and implemented a framework for managing risk based on ISO 31000 (ISO 2009). In particular, this has enabled it to properly integrate the risk management process into its approach to making decisions on major projects and investment decisions and also into the way it develops, plans, and executes projects.
During due diligence prior to the acquisition, the risk management team for United Minerals reviewed the current approach to risk management at Akawini and, from a cursory examination of documents, was able to determine that the approach was very limited and was unlikely to yield much real value. The team found, for example, that:
· A process for formal risk assessment was applied only to what were described as “business risks.” This occurred only once a year as part of a risk review that updated the current risk register so that it could be reported to an Audit Committee.
· There was a different process applied for safety risks that actually did not consider risks as such but generated a risk rating using a matrix system only for hazards.
· No systematic process for assessing and treating risks was used in support of major decisions. In particular, project management did not include any form of explicit risk management process.
· The Akawini risk manager mostly dealt with insurance matters and asked the company's external audit provider to offer a facilitator for the annual risk review.
· The annual internal audit plan did not seem to be based on the outcomes of the risk assessment and did not focus on assuring many of the critical controls.
· The risk criteria systems used for both “business risks” and “safety risks” covered only detrimental consequences and seemed to be based on five levels of consequences and consequence types that were not associated in any meaningful way with the company's objectives.
· Both systems used the term probability to estimate likelihood and did not consider the frequency or return period for consequences.
· In both systems, risks were analyzed incorrectly by combining the likelihood of an event with what was described as “the plausible worse-case consequences.” This produced many “extreme” risks, which were then being discounted by managers as implausible.
· Once risk registers were created on spreadsheets, they were kept on separate personal computers and were rarely considered until the next yearly review. Any risk treatment actions decided on were not followed up or closed out.
· Critical controls were not identified and were not assigned to individuals for ongoing monitoring and periodic review.
· There was no coherent process that defined and captured learnings from successes and failures.
The risk management team signaled its concerns to the acquisition team, and the need for improvement of Akawini Copper's approach to risk management to bring it into line with ISO 31000:2009. Then, the United Minerals framework was placed on the transformation plan and given a high priority.
THE TRANSFORMATION PROCESS
Once the acquisition had been completed, the risk management team followed the stepwise process in Exhibit 29.1 to transform the approach to risk management at Akawini.
Exhibit 29.1 Risk Management Transformation Process Steps
The starting point was a structured analysis of Akawini's current approach to managing risks, to identify where changes had to be made and then to assign a priority to particular tasks. This was conducted in two parts:
1. A full desk-based review of Akawini's risk management documentation
2. A complementary set of interviews with Akawini management
The second activity was particularly important because it was the experience of the United Mineral risk management team that it was vital to observe and review how risk management takes place in practice. This was particularly true if there might be any discontinuity of practice across Akawini or inconsistent processes and systems. It was also important to test out Akawini management's perceptions of the current approach to risk management to see if it was currently viewed as effective and if managers perceived it as likely to satisfy their future needs.
The risk management team conducted a series of structured interviews with senior management from Akawini so that the team could draw objective conclusions on:
· The suitability of the current approach to manage risk associated with an organization of the size and complexity of Akawini, its risk profile,1 and its risk attitude2
· The drivers of that attitude, based on what were recognized as the key success factors and growth objectives for the organization
· The perceived usefulness of the current risk management process and its degree of integration into key decision-making processes
· The strengths and limitations of the other risk-type specific approaches to risk management that coexisted in the company3—specifically, whether the tools and methods currently being used were capable of providing Akawini with a current, correct, and comprehensive understanding of its risks and informing it whether the risks were within its risk criteria4
· The level of understanding of senior management about aspects of the risk management culture
· An outline of the perceived risk profile of Akawini and whether this varied from that reported to the board in the past
Questions asked included:
· What is your definition of risk? How, in your view, do risk and its management relate to the company's objectives?
· What is the purpose of risk assessment? How often should risk assessment take place? What triggers it in your area?
· As a practical matter, how do you gain assurance that the critical controls that your part of the company relies on are in place, are effective, and work when required?
The risk management team members consolidated their findings and compared them with the elements of the existing United Minerals risk management framework and the requirements of ISO 31000. They particularly mapped what they found by comparing it with the principles for effective risk management in Clause 3 and the attributes in Annex A of the Standard.
GAINING SENIOR MANAGEMENT OWNERSHIP FOR TRANSFORMATION
For effective management, it was regarded as critical that senior management at Akawini appreciated and could comment on and contribute to the findings and conclusion of the review so that this would lead to ownership of the transformation plan. The risk management team therefore presented its findings and recommendations at a meeting with senior managers that covered:
· Fundamentals of risk and best practice risk management
· Overall findings and assessment of the benchmarking review
· Suggested improvements and enhancement strategies
· Draft enhancement plan
The risk management team elicited feedback and acceptance of the conditions it found and prompted a discussion on the desired situation. In this way the team helped managers identify what needed to change. The diagram of the desired framework architecture given in Figure 29.2 was used to demonstrate the strengths and weaknesses in the current approach.
Exhibit 29.2 Desired Framework Architecture
✓ Indicates that the element is present and effective, □ means that it is not present or is ineffective.
To demonstrate the desired outcomes, the risk management team explained that the primary purpose of risk management in United Minerals was to act in a dynamic fashion to support decisions and that the company framework had been designed to ensure that:
· Assumptions and preconceptions were properly challenged before decisions could be made.
· Appropriate actions were then taken to reduce the uncertainty that objectives would be achieved.
· Early warnings were provided if key controls were not in place or were not fully effective, so that preemptive action could be taken.
· The organization learned in a systematic way from its successes and failures, at a fundamental level so that learnings would lead to lasting changes.
To help the organization as a whole improve its ability to manage risk, the company had adopted 10 performance requirements that it called its “standards.” These were, in outline:
1. The risk management process will be integrated into all key decision making processes.
2. The risk management process will be integrated into strategic, business, and project planning processes.
3. Key controls will be identified and allocated to owners for monitoring.
4. After every major decision, event, or change or at the conclusion of all plans, the organization will learn lessons from successes and failures using root cause analysis.
5. The same, consistent methodology will be used for analyzing risks and for evaluating control effectiveness.
6. The significance of risks will be evaluated using one set of risk criteria.
7. Viable options for treating risks will always be considered, and those options will be implemented where there is a net benefit to the business.
8. Accountability for managing risk will be allocated in a manner that is fully consistent with the management of the business and with the delegations of authority system.
9. Only one database system will be used to hold and manage all forms of risk management information.
10. Sites will plan how they will implement these standards and will report on the progress with this implementation and the effectiveness of risk management as part of the company's governance processes.
THE TRANSFORMATION PLAN
The Akawini management team was then encouraged to discuss and compare options and to suggest major actions for the enhancement plan. The actions were allocated to members of the management team, and completion dates were agreed. These agreements were recorded and became the risk management plan that described the transformation process for managing risk at the sites. The management team was also asked to commit on a review and reporting process for the transformation plan.
