Enterprise Risk Management Framework for establishing industry requirements and priorities
Andreas Vogel
September 13th, 2006
SAP CONFIDENTIAL
Framework for Discussion
This is a strawman proposal which summarizes some thinking and brainstorming.
Next steps:
- Team discussion and refinement
- Framework for discussion with ISMs and IBUs
- Framework for discussion with partners, analysts, customers
The goal is to create a product strategy which optimizes between market requirements and SAP development capabilities.
© SAP AG 2006, Enterprise Risk Management – Andreas Vogel
Train of Thought (for non-audio consumption)
Risk Management Processes
- Identify the key processes and process steps within
- Classify steps as generic vs. specific to a risk class
- Modeling and monitoring are risk class specific
Risk Monitoring
- Identify a list of risk classes, the corresponding key risk indicators, and the industries where they apply (some are generic)
Risk Modeling
- Understand prerequisites for quantitative modeling
- Identify techniques
- Identify industries which satisfy the prerequisites
- Understand the approach to a solution for qualitative modeling and analysis
Value drivers in key industries
- ERM value pyramid
- Banking used as an example to identify key value drivers within the ERM process
- Provide similar analysis for other key industries
Managing Enterprise Risk – Processes View
Strategic Planning (periodically)
- Setting Risk Appetite
Risk Identification and Assessment (periodically)
- Risk Identification: surveys, workshops, review
- Risk Registration: risk database, description, owners, etc.
- Risk Assessment: qualitative, quantitative
- Models/Simulation: VaR, Monte Carlo, etc.
- Response Strategy: to hazards; actions to change frequency and impact
Risk Monitoring (continuously)
- Risk indicators
Legend: each step is tagged as generic or as specific to a risk class (models/simulation and monitoring are the risk class specific steps).
Monitoring of Key Risk Indicators – Industry Specific
Risk class: Supply chain risk
  Risk indicators: health of suppliers; delay in logistics; capacity (supplier, warehouses)
  Source system: Supply Chain Management systems
  Applicable industries: Manufacturing; High-Tech; Construction and Engineering
Risk class: Environmental, Health & Safety
  Risk indicators: accidents / incidents; inspection reports; access violations; certifications
  Source systems: SAP EH&S; physical access systems; HCM
  Applicable industries: Mining; Oil & Gas; Bio-tech; Utilities (Nuclear Power); Public sector
Risk class: Project management
  Risk indicators: project status (delays, critical milestones, etc.)
  Source systems: xRPM, ERP/PS, Microsoft Project
  Applicable industries: Manufacturing (Automotive, Aerospace, ...); High-Tech; Construction and Engineering; Professional Services
Risk class: Intellectual property
  Risk indicators: patent portfolio
  Source system: external (patent office, etc.)
  Applicable industries: High-tech; Pharma
Risk class: Government (FDA, etc.) approval
  Risk indicators: approval process
  Source system: external
  Applicable industries: Pharma; Utilities (Nuclear); Mining
Risk Monitoring of Key Risk Indicators – Generic
Risk class: IT
  Risk indicators: atypical network traffic; password probing; ...
  Source systems: OpenView, Tivoli, Symantec, Cisco, etc.
  Applicable industries: generic
Risk class: HR
  Risk indicators: turn-over; key people succession planning; union contracts; harassment and discrimination
  Source system: ERP / HR
  Applicable industries: generic
Risk class: Corporate governance
  Risk indicators: accounting irregularities
  Source systems: ERP – Financials, BW
  Applicable industries: generic
Risk class: Big-ticket sales
  Risk indicators: deals over threshold
  Source system: CRM
  Applicable industries: generic
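The generic IT risk class above names two indicators, password probing and atypical network traffic, without saying how a monitoring tool would compute them from a source system. The following is an added illustration, not code from the deck or from any SAP product: it derives both indicators from constructed sample data (a handful of sshd-style auth log lines and a week of daily traffic volumes, both made up for this example) and reports whether each indicator breaches a threshold. The thresholds, field layout and indicator names are assumptions chosen for the example.

```python
import re
import statistics
from collections import Counter

# Constructed sample auth log lines in sshd style; not taken from any real system.
AUTH_LOG = """\
Sep 13 09:00:01 host1 sshd[2101]: Failed password for invalid user admin from 10.0.0.7 port 51422 ssh2
Sep 13 09:00:02 host1 sshd[2102]: Failed password for invalid user test from 10.0.0.7 port 51423 ssh2
Sep 13 09:00:03 host1 sshd[2103]: Failed password for root from 10.0.0.7 port 51424 ssh2
Sep 13 09:00:04 host1 sshd[2104]: Failed password for invalid user oracle from 10.0.0.7 port 51425 ssh2
Sep 13 09:00:05 host1 sshd[2105]: Failed password for invalid user guest from 10.0.0.7 port 51426 ssh2
Sep 13 09:00:06 host1 sshd[2106]: Failed password for invalid user pi from 10.0.0.7 port 51427 ssh2
Sep 13 09:01:10 host1 sshd[2110]: Accepted password for alice from 10.0.0.12 port 40010 ssh2
Sep 13 09:02:15 host1 sshd[2111]: Failed password for bob from 10.0.0.15 port 40020 ssh2
Sep 13 09:02:20 host1 sshd[2112]: Accepted password for bob from 10.0.0.15 port 40021 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")


def failed_logins_by_source(log_text):
    """Raw indicator data: number of failed password attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def password_probing_kri(log_text, threshold=5):
    """Key risk indicator 'password probing' (threshold is an assumed value):
    which sources reached the failure threshold and whether the KRI is breached."""
    counts = failed_logins_by_source(log_text)
    over = sorted(ip for ip, n in counts.items() if n >= threshold)
    return {
        "indicator": "password probing",
        "max_failures": max(counts.values(), default=0),
        "sources_over_threshold": over,
        "breached": bool(over),
    }


# Constructed baseline: daily outbound bytes of one host over seven days, plus today's value.
BASELINE_BYTES = [1.9e9, 2.1e9, 2.0e9, 2.2e9, 1.8e9, 2.0e9, 2.1e9]
TODAY_BYTES = 6.5e9


def atypical_traffic_kri(baseline, today, z_threshold=3.0):
    """Key risk indicator 'atypical network traffic': today's volume expressed as
    standard deviations above the baseline mean (z-score); breached at z_threshold."""
    mu = statistics.mean(baseline)
    sigma = statistics.stdev(baseline)
    z = (today - mu) / sigma if sigma > 0 else 0.0
    return {"indicator": "atypical network traffic", "z_score": z, "breached": z >= z_threshold}


if __name__ == "__main__":
    for kri in (password_probing_kri(AUTH_LOG), atypical_traffic_kri(BASELINE_BYTES, TODAY_BYTES)):
        print(kri)
```

Each function returns a small record rather than printing, so a risk monitoring layer can store the indicator value alongside its threshold and breach flag; the z-score approach is one simple baseline method, and in practice the baseline window and threshold would be tuned per host and per indicator.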
Risk Modeling and Simulation
What could be done outside the financial services industry?
Prerequisites for Quantitative Modeling
- Statistically relevant historical data samples, e.g.
  - Stock market data
  - Accident statistics of thousands of employees over years
  - Historical demand data
- Applicable modeling and simulation technique, e.g.
  - Value at Risk
  - Monte Carlo Simulation
Prerequisites available: apply quantitative modeling and simulation techniques
- Banking
- Insurance
Are there other industries where quantitative modeling can be applied?
Prerequisites not available: apply qualitative techniques
- What-if scenario analysis
What would tools for scenario analysis look like?
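The slide names Value at Risk and Monte Carlo simulation as techniques and a statistically relevant history as their prerequisite, but does not show the mechanics. The following is an added example written for this page, not code from the deck or from any SAP tool: it checks the sample-size prerequisite, computes historical-simulation VaR from a series of returns, and computes a Monte Carlo VaR by resampling from a normal distribution fitted to that history. The return series is constructed with a seeded generator, and the minimum sample size, confidence level and normal-distribution assumption are choices made for the example.

```python
import random
import statistics


def constructed_returns(n=1000, seed=7):
    """Constructed daily portfolio returns (fractions) standing in for real market history."""
    rng = random.Random(seed)
    return [rng.gauss(0.0005, 0.01) for _ in range(n)]


def has_enough_history(returns, min_samples=250):
    """Prerequisite check: a quantitative model needs a statistically relevant sample
    (min_samples is an assumed floor, roughly one trading year of daily data)."""
    return len(returns) >= min_samples


def historical_var(returns, confidence=0.95):
    """Historical-simulation VaR: the loss (positive number) that is not exceeded
    with probability `confidence`, read directly off the empirical loss distribution."""
    if not has_enough_history(returns):
        raise ValueError("not enough history for quantitative modeling")
    losses = sorted(-r for r in returns)            # loss = negative return
    idx = min(int(confidence * len(losses)), len(losses) - 1)
    return losses[idx]


def monte_carlo_var(returns, confidence=0.95, n_sims=20000, seed=11):
    """Monte Carlo VaR: fit mean and standard deviation to the history, simulate
    many returns from a normal distribution with those parameters, then take the
    same quantile of simulated losses. The normal model is an assumption."""
    if not has_enough_history(returns):
        raise ValueError("not enough history for quantitative modeling")
    mu = statistics.mean(returns)
    sigma = statistics.stdev(returns)
    rng = random.Random(seed)
    simulated = [rng.gauss(mu, sigma) for _ in range(n_sims)]
    losses = sorted(-r for r in simulated)
    idx = min(int(confidence * len(losses)), len(losses) - 1)
    return losses[idx]


def var_in_currency(var_fraction, portfolio_value):
    """Express a fractional VaR as a currency amount for a given position size."""
    return var_fraction * portfolio_value


if __name__ == "__main__":
    hist = constructed_returns()
    print("enough history:", has_enough_history(hist))
    print("historical 95% VaR:", round(historical_var(hist), 4))
    print("Monte Carlo 95% VaR:", round(monte_carlo_var(hist), 4))
    print("on 1,000,000:", round(var_in_currency(historical_var(hist), 1_000_000)))
```

With the constructed series (mean 0.05%, standard deviation 1% per day) both estimates land close to the 1.6% daily loss one would expect at 95% confidence; the point of the prerequisite check is that the same code refuses to produce a number from a sample too short to support it.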
ERM Value Pyramid
Open questions: Do we have agreement on what the sweet spot is and why? Need to review selected industries in this bucket with IBUs.
Top tier – ERM is core business (requirements too sophisticated for current SAP offering)
- Industries: Banking; Insurance
- ERM is core value driver
- Companies have sophisticated tools, processes and org structures in place
- Budget available
Middle tier – ERM is key to business (sweet spot for SAP ERM)
- Industries: Mining; Oil & Gas; Pharma / Biotech; Aerospace and Defense; Utilities
- Failure to address certain classes of risk can put companies out of business
- Often regulated industries
- Budget available
- Some processes and org structures in place
Bottom tier – ERM is important to business (no $$$)
- Industries: remaining industries
- Failure to address certain classes could have major impact on business
- Processes and org structures rudimentary
ERM Value Pyramid based on Deloitte Input
Top tier – ERM is core business
- Industries: Banking; Insurance
- ERM is core value driver
- Companies have sophisticated tools, processes and org structures in place
- Budget available
Middle tier – ERM is key to business
- Industries: Pharma; Utilities / Energy; Oil & Gas / Mining; Selected manufacturing (large and complex); Public sector
- Failure to address certain classes of risk can put companies out of business
- Often regulated industries
- Budget available
- Some processes and org structures in place
Bottom tier – ERM is important to business
- Industries: Healthcare; Telco; Retail
- Failure to address certain classes could have major impact on business
- Processes and org structures rudimentary
- May have very specific risks requiring special solutions
Value Drivers in Financial Services
Can we make a similar assessment for other industries?
Strategic Planning (periodically)
- Setting Risk Appetite
Risk Identification and Assessment (periodically)
- Risk Identification: surveys, workshops, review
- Risk Registration: risk database, description, owners, etc.
- Risk Assessment: qualitative, quantitative
- Models/Simulation: VaR, Monte Carlo, etc.
- Response Strategy: to hazards; actions to change frequency and impact; investment decisions
Risk Monitoring (continuously)
- Risk indicators
Case Studies and Customer Interviews I
Customer: Chase Manhattan (1)
  Industry: Financial Services
  Requirements / Practices:
  - Risk identification: well understood in finance
  - Risk assessment: self-assessment scorecards
  - Modeling / Simulation: Value at Risk (VAR); stress testing
  Maturity:
  - Organizationally: Vice Chairman; Chief Risk Officer; highly organized committee structure
  - Process: integrated core business processes
Customer: du Pont (1)
  Industry: Chemical
  Requirements / Practices:
  - Risk identification
  - Risk assessment: no risk maps
  - Modeling / Simulation: Earnings at Risk (EAR); worst case scenario probabilities; risk profiles
  Maturity:
  - Organizationally: CEO, CFO, Treasurer are key risk managers; risk management committee (incl. CFO)
  - Process: risk management integrated in operational process
Customer: Microsoft (1)
  Industry: High-Tech
  Requirements / Practices:
  - Risk identification: face-to-face between risk managers and business managers; scenario analysis
  - Risk assessment: risk maps (frequency)
  - Risk measurements: not everything is measurable
  - Modeling / Simulation: Value at Risk (VAR)
  Maturity:
  - Organizationally: Treasurer and "Risk Champion"; risk management group
  - Process: risk managers are partners to the business
  - Systems: Gibraltar – Treasury Information System; Intranet – risk related info
(1) Excerpt from Barton et al, "Making Enterprise Risk Management Pay Off", FEI Research Foundation, 2002
Case Studies and Customer Interviews II
Customer: United Grain Growers (1)
  Industry: Agriculture
  Requirements / Practices:
  - Risk identification: brainstorming sessions with senior management
  - Risk assessment: by management, incl. prioritization
  - Risk measurements: technology and regulatory risk cannot be quantified
  - Modeling / Simulation: gain/loss probability curve; risk impact on earnings
  Maturity:
  - Organizationally: CEO, CFO main driver; Treasurer, internal audit, corporate risk manager; risk management committee (incl. CFO)
  - Process: senior management buy-in; cross-silo integration
Customer: Unocal (now part of Chevron) (1)
  Industry: Oil & Gas
  Requirements / Practices:
  - Risk identification: risk identification/assessment within business units; industry specific risks: incidents, hedging prices, political risk, technical (deepwater drilling), etc.; audit department created risk profiles; questionnaire (800 questions)
  - Risk assessment: risk peer reviews; Risk Matrix Status Board
  - Modeling / Simulation: scenario analysis; quantitative unknown
  Maturity:
  - Organizationally: driven by Internal Audit and Health, Environment and Safety departments
  - Process: risk management is integrated into line management
(1) Excerpt from Barton et al, "Making Enterprise Risk Management Pay Off", FEI Research Foundation, 2002
Case Studies and Customer Interviews III
Customer: First Energy (2)
  Industry: Utility
  Requirements / Practices:
  - Risk identification: workshops with cross-functional teams; additionally root cause analysis of risks
  - Risk assessment: risk prioritization based on shareholder impact; quantitative assessment for selected risks, e.g. those leading to earnings insurance; earnings at risk
  - Modeling / Simulation: stress testing; Monte Carlo
  Maturity:
  - Organizationally: Chief Risk Officer; ERM Department; fully integrated with lines of business
  - Process: moved from silo to integrated risk management
  - Systems: Desk Manual; Electricity book
Customer: Canada Post (2)
  Industry: Automotive
  Requirements / Practices:
  - Risk identification: survey; workshops with cross-functional teams
  - Risk assessment: use risk framework for categorizing events; risk maps; control effectiveness in control framework
  - Risk measurements: focus on qualitative assessments
  - Modeling / Simulation: n/a
  Maturity:
  - Organizationally: driven by internal auditing
  - Process: developed Dynamic Assessment of Risk and Enablers (DARE); "perfected" risk framework
  - Systems: Resolver Ballot
(2) Excerpt from Paul et al, "Enterprise Risk Management: Pulling it all together", The Institute of Auditors Research Foundation, 2002
Case Studies and Customer Interviews IV
Customer: Wal-Mart (2)
  Industry: Chemical
  Requirements / Practices:
  - Risk identification: workshop with cross-functional teams
  - Risk assessment: risk map
  - Modeling / Simulation: n/a
  Maturity:
  - Organizationally: driven by internal audit; ERM team in place
  - Process: moved from silo to integrated risk management, embedded into core business processes; workshops; scorecards; monitoring action plans
  - Systems: Resolver Ballot
Customer: General Motors (2)
  Industry: High-Tech
  Requirements / Practices:
  - Risk identification: Objective Risk Management – identify risks within business unit to business strategy
  - Risk assessment: workshops; use risk framework for categorizing events (Business Risk Management – strategic, operational and process risks)
  - Risk measurements: focus on qualitative assessment
  - Modeling / Simulation: n/a
  Maturity:
  - Organizationally: driven by GM Audit Services (GMAS)
  - Process: process risk management embedded in all key processes
  - Systems: Option Finder; home-grown risk assessment tools; on-line risk repository
(2) Excerpt from Paul et al, "Enterprise Risk Management: Pulling it all together", The Institute of Auditors Research Foundation, 2002
Southern Company (3)
Profile
- Company: Southern Company
- Contact: Silvia King, Manager Strategic Finance and Enterprise Risk, smking@southerco.com
- Industry: Utility
- Location: Atlanta, GA
- Date: 1/12
- Software: Microsoft Excel & PPT; Decisioneering Crystal Ball (for modeling and Monte Carlo simulations)
- Follow-up: interested
Key Take-aways
Risk management at Southern Co
- Organizational structure: ERM within Finance
- Total 150 – 200 risks being managed, 7-10 per business unit
End-goal
- Risk-adjusted financial plans
- Financial reporting incl. risk
Critical success factors in ERM
- Balancing and integrating facilitation and collaboration, and statistical methods
- Common dictionary for consistent definitions across the organization
On software solutions
- Risk map is a must-have
  - but needs excellent graphics to be useful
  - ranking must always be relative, absolute numbers don't make sense
- Tools for documenting processes and controls to deal with risk
- Linking risks with corresponding actions
- Linking to accountability and strategic goals
On success factors for selling software solutions
- Need to sell top down: CEO, CFO, directors
- Need to get acceptance by accounting firms and rating agencies
(3) Phone interview by Andreas in 2005/2006
Bombardier (3)
Profile
- Company: Bombardier
- Contact: Bindesh Rach, Director Enterprise Risk Management, bindesh.rach@bombardier.com
- Industry: Manufacturing
- Location: Montreal, Quebec, Canada
- Date: 1/17
- Software: home-grown
- Follow-up: interest in design partnership
Key Take-aways
On existing software solutions (Methodware, Paisley)
- Methodology needs to drive tools and not the other way around
- Many organizations are not yet ready for sophisticated tools
On their in-house software solution
- Risk register – database of identified risks, root cause, properties, potential impact, risk and mitigation owner, etc.
- 3-dimensional analytical tool, enables managers on each hierarchy level to drill into the risk dimensions:
  - External and internal environment
  - Relationship to four objectives: strategy, compliance, reporting and operation
  - Hierarchy level
On risk definition
- Identify root cause for risk
- Quantify wherever possible, $ value or other key risk indicators
- Risk owner, mitigation owner
- Tolerance, i.e. risk appetite (they have given up on business due to high risk and invested in business with low risk)
On Bombardier process
- Bindesh's team owns methodology, system and knowledge transfer, acts as mentor and facilitator; actual risk management is done by line management
- Identification of risk, ownership, tolerance and key risk indicator
- Classification in 46 risk categories
- Mitigation plan (with owner)
- Monitoring and reporting, connection to strategic planning (all PPT)
- Use of value-at-risk, Monte Carlo, etc. left to business units
(3) Phone interview by Andreas in 2005/2006
Hydro One (3)
Profile
- Company: Hydro One
- Contact: John Fraser, Chief Risk Officer, johm.fraser@hydroone.com
- Industry: Utility
- Location: Toronto, Ontario, Canada
- Date: 1/16
- Software: Resolver, Methodware, Paisley
- Follow-up: interested
Key Take-aways
On existing software solutions (Resolver, Methodware, Paisley)
- Use Resolver for identification
- Methodware as risk register
- Paisley for process risk / management of controls / SOX
- Tools considered sufficient; need for an integrated tool acknowledged, but cost factor of software solutions stressed
On integrated approach
- Stresses strong ties to strategic planning tools and associated tools
On monitoring and alerting
- Sees close relationship to performance management; needs to be viewed and interpreted from a risk perspective
On Hydro One process
- Key consideration is the cost factor – which risks are worthwhile to be managed?
On Andreas' framework
- Validates framework
(3) Phone interview by Andreas in 2005/2006