ERM Enterprise Risk Management Not just insurance auditing

  • Slides: 22

ERM!!!
Enterprise Risk Management
Not just insurance, auditing, risk analysis
A philosophy – A way of business
Korea Telecom 2007 Olson: ERM 1

Definition
• Systematic, integrated approach
  – Manage all risks facing organization
    • External
      – Economic (market - price, demand change)
      – Financial (insurance, currency exchange)
      – Political/Legal
      – Technological
      – Demographic
    • Internal
      – Human error
      – Fraud
      – Systems failure
      – Disrupted production
• Means to anticipate, measure, control risk

DIFFERENCES

| Traditional Risk Mgmt | ERM |
|---|---|
| Individual hazards | Context - business strategy |
| Identification & assessment | Risk portfolio development |
| Focus on discrete risks | Focus on critical risks |
| Risk mitigation | Risk optimization |
| Risk limits | Risk strategy |
| No owners | Defined responsibilities |
| Haphazard quantification | Monitor & measure |
| “Not my job” | “Everyone’s responsibility” |

Risk & Business
• Taking risk is fundamental to doing business
  – Insurance
    • Lloyd’s of London
  – Hedging
    • Risk exchange swaps
    • Derivatives/options
    • Catastrophe equity puts (cat-e-puts)
  – ERM seeks to rationally manage these risks
    • Be a Risk Shaper

Types of Risk
Stroh [2005]
• External environment
  – Competitors; Legal; Medical; Markets
• Business strategies & policies
  – Capital allocation; Product portfolio; Policies
• Business process execution
  – Planning; Technology; Resources
• People
  – Leadership; Skills; Accountability; Fraud
• Analysis & reporting
  – Performance; Budgeting; Accounting; Disclosure
• Technology & data
  – Architecture; Integrity; Security; Recovery

Another view
Slywotzky & Drzik, HBR [2005]
• Financial
  – Currency fluctuation
    • DEFENSE: Hedging
• Hazard
  – Chemical spill
    • DEFENSE: Insurance
• Operational
  – Computer system failure
    • DEFENSE: Backup (dispersion, firewalls)
• New technology overtaking your product
  – ACE inhibitors, calcium channel blockers ate into hypertension drug market of beta-blockers & diuretics
• Demand shifts
  – Gradual – Oldsmobile; Rapid - Station wagons to Minivans

Industry Margin Squeeze
• Pharmaceutical R&D
• Cost escalation
  – Semiconductor industry
• Airline deregulation
• Suppliers gain upper hand
  – Flat panel displays, Intel direct marketing
• Cycle volatility
  – DEFENSE: Shift compete/collaborate ratio
    • Coproduction; supply chain coordination; joint R&D; collaborative marketing
    • Airlines, Utilities, Textiles, Steel, Music, Autos

Technology Shift
• Loss of patent protection
• Outdated manufacturing process
  – DEFENSE: Double bet
    • Invest in multiple versions of technology
    • Microsoft: OS/2 & Windows
    • Intel: RISC & CISC
    • Motorola didn’t – Nokia, Samsung entered

Brand Erosion
• Perrier – contamination
• Firestone – Ford Explorer
• GM Saturn – not enough new models
  – DEFENSE: Redefine scope
    • Emphasize service, quality
  – DEFENSE: Reallocate brand investment
    • AMEX – responded to VISA campaign, reduced transaction fees, sped up payments, more ads

One-of-a-kind Competitor
• Competitor redefines market
• Wal-Mart
  – DEFENSE: Create new, non-overlapping business design
    • Target – unique product selection

Customer Priority Shift
– DEFENSE: Analyze proprietary information
  • Identify next customer shift
    – Coach leather goods – competes with Gucci
    – Went trendy, aggressive in-market testing
      » Customer interviews, in-store product tests
– DEFENSE: Market experiments
  • Capital One
    – 65,000 experiments annually
    – Identify ever-smaller customer segments for credit cards

New Project Failure
• Edsel
  – DEFENSE: Initial analysis
    • Best defense
  – DEFENSE: Smart sequencing
    • Do better-controllable projects first
      – Applied Materials – chip-making
  – DEFENSE: Develop excess options
    • Improve odds of eventual success
      – Toyota – hybrid: proliferation of Prius options
  – DEFENSE: Stepping-stone method
    • Create series of projects
      – Toyota – rolling out Prius

Market Stagnation
– DEFENSE: Generate demand innovation
  • House of Quality?
    – Air Liquide industrial gas
      » Developed technology allowing customers to establish small gas production facilities on-site

Means to Control Enterprise Risk
• Honeywell (1997)
  – Multi-year contract combining property, liability, option hedging risks against adverse currency exchange rates
• Dickinson [2001]
  – Holistic approach
    • Extend contingency planning with comprehensive internal risk management systems
• CRO / CEA
  – Chief Risk Officer / Chief Auditing Executive

COSO
Committee of Sponsoring Organizations
Treadway Committee – 1990s
Smiechewicz [2001]
• Assign responsibility
  – Board of directors
    • Establish organization’s risk appetite
    • Establish audit & risk management policies
  – Executives assume ownership
    • Policies express position on integrity, ethics
    • Responsibilities for insurance, auditing, loan review, credit, legal compliance, quality, security
• Common language
  – Risk definitions specific to organization
• Value-adding framework

COSO Integrated Framework 2004
Levinsohn [2004]; Bowling & Rieger [2005]
• Internal environment – describe domain
• Objective setting – objectives consistent with mission, risk appetite
• Event identification – risks/opportunities
• Risk assessment - analysis
• Risk response – based on risk tolerance & appetite
• Control activities
• Information & communication – to responsible people
• Monitoring

Risk Management Tools
• Simulation (Beneda [2005])
  – Monte Carlo – Crystal Ball
• Multiple criteria optimization (Dash & Kajiji [2005])
  – Goal programming - tradeoffs
• SYSTEMS FAILURE METHOD
  – Information Systems Project Management

ERM Software
Rhoden [2006]
Penny [2002]
• Algorithmics Incorporated
  – ERM software, global financial institutions
Jane’s Defence Industry [2005]
• Strategic Thought
  – Active Risk Manager – defence industry
Rhoden [2006]
• Q5 AIMS
  – From Q5 Systems Ltd
  – Safety audit & corrective action tracking
  – Mobile devices, Web-link
• Preceptor
  – Learning management system
  – Regulatory compliance, technical training
• PicketdynaQ
  – Workplace audit & assessment management
  – Regulatory references built in

Experiences with ERM
• Walker [2003]
  – FirstEnergy Corp – auditing, problem-solving
  – Wal-Mart – best auditing practices, governance
  – Unocal – auditing to consultation
  – Canada Post – auditing efficiency
  – GM – corporate governance
• Kleffner et al. [2003]
  – Canadian risk & insurance
    • 31% adopted ERM

UnitedHealth Management
Stroh [2005]
[Diagram. Labels, in extracted order: Decompose strategic risks / opportunities; Top; Strategic level business risk; Mitigation / acceleration plan; Assure leadership that top risks are in sight; Internal risk sensing; External risk sensing; 3rd; Market / business; Financial; 4th; Ops; Audit plan; Advisory services - controls; 5th; Compliance; Partner with external audit; Financial controls; 2nd; Identify gaps in plans; Test/verify assumptions]

UHM Lessons Learned
• ERM value must be apparent to executive sponsors in a timely fashion
• Begin the process by focusing on the most important risks, thus avoiding swamping the organization with all possible risks, which would likely discourage participation
• Obtain sponsorship, and assign accountability for specific risks to responsible organizational members
• Standardize approaches where possible, setting minimum thresholds of execution
• Develop a diverse set of ERM team members
• Keep ERM implementation simple

ERM Research
• Mostly descriptive, frameworks
• SURVEY
  – Lynch-Bell [2002] surveyed 52 companies
    • Examined practices of governance, strategy, processes, technology, functions, culture
  – Milladge [2005]; Gates [2006] surveyed 271 members of the Conference Board
• Skelton & Thamhain [2003]; Thamhain [2004]
  – 3 year field study R&D product development
  – Suggest look-ahead simulation, rapid prototyping to anticipate problems
• Beasley et al. [2005]
  – Gathered data on 123 organizations, found ERM implementation positively related to:
    • Chief risk officer presence
    • Board independence
    • Top management support
    • Big Four auditor presence
    • Entity size
    • Banking, Education, Insurance