An Overview of Risk Breakdown Frameworks
RiskScorecard.net
Brett.Knowles@RiskScorecard.net, 416-7684
© RiskScorecard.net
Establishing your Risk Categories
§ The Risk Categories will be used by you and your team as a “memory jogger” to surface risk-related situations.
§ There are a number of Risk Category lists; the goal of this step is to find the framework that works best for your organization.
Corporate Risk vs. Regulatory Risks
Duration: The time horizon for a corporate risk profile should typically be in the range of three to five years, whereas regulatory filings are usually for a much longer term or in perpetuity, for example, matters for which lawsuits could be brought by investors in the future.
Types of Risks: Regulatory filings are usually restricted to those areas that would be of interest to investors, customers, employees and other stakeholders. By contrast, “corporate” (internal) risks also include issues that will impact the organization’s performance, success and viability.
Purpose: Corporate risk profiles are prepared to assist in better managing the company. Regulatory filings are usually prepared with both promotional and legal protection motives. Although these two types of risk descriptions can and should be reconciled, they have different purposes. Yet arguably, they should remain mutually exclusive.
Paraphrased from: Fraser, J. R. S., “How to Prepare a Risk Profile”, Chapter 11, p. 171, in Enterprise Risk Management, John Wiley & Sons, 2010.
Establishing your Risk Categories
In this session we will use the COSO* categories used in the CMA MAG “Identifying, Measuring and Managing Organizational Risk for Improved Performance”.
* COSO: Committee of Sponsoring Organizations of the Treadway Commission
COSO Risk Categories
Source: Identifying, Measuring, and Managing Organizational Risks for Improved Performance, Marc J. Epstein and Adriana Rejc Buhovac, published by The Society of Management Accountants of Canada, the American Institute of Certified Public Accountants and the Chartered Institute of Management Accountants, 2005. Adapted from the Committee of Sponsoring Organizations of the Treadway Commission (COSO, 2004).
Strategic Risks

| Risk Type | Definition | Example |
|---|---|---|
| Economic | Risks related to macroeconomic policies and economic cycles | Government’s monetary and fiscal policy |
| Industry | Risks related to competitive positioning, industry profit margins, market structure, and competition laws | Changes in supply and demand, industry concentration, or competitive structure; introduction of new products and services |
| Strategic Transaction | Risks related to activities undertaken to initiate significant change in strategic direction | Asset reallocation via mergers and acquisitions, spin-offs, alliances, and joint ventures |
| Social | Risks related to changing demographics and social mores | Child labor; changes in family structures and work/life priorities (human resource issues that could alter demand for products/services or change buying venues) |
| Technological | Risks related to technological progress and technology-driven disruptive forces | Engineering success/failure; technological obsolescence of product or product assembly (issues that could give a competitor an advantage) |
| Political | Risks related to changes in government, public policy, and federal oversight, and global risks related to political instability | Management of government relations; terrorist activities |
| Organizational | Risks related to control systems, business policies, and business culture | Alignment between performance measurement and reward systems |

Source: Epstein and Rejc Buhovac (2005), adapted from COSO (2004).
Operational Risks

| Risk Type | Definition | Example |
|---|---|---|
| Environmental | Risks related to the natural environment that could result in damage to buildings, restricted access to raw materials, or loss of human capital | Weather conditions, such as earthquake, fire, or flood; environmental pollution |
| Business Continuity | Risks related to conditions that could result in work stoppage or adversely affect production, delivery, marketing, supplier and customer management, outsourcing, or compliance with industry and other standards and codes | Reliability within the supply chain; supplier integrity; quality of goods; price of external supply |
| Innovation | Risks related to the transformation of some aspect of the business in an effort to improve operating performance | Under-performance in new product development and in Research & Development (R&D) investment |
| Commercial | Risks related to the expected performance of products or services | Quality of engineering, marketing, communication, and sales; product liability in the event of failure |
| Project | Risks related to the completion of a project | Technical difficulties; commercial obstacles |
| Human Resource | Risks related to the adequacy and execution of human resource standards, policies, and practices | Ethical/unethical conduct by management and employees; availability of assistance to employees for career planning and personal development; issues that could result in work stoppage, loss of personnel, or monetary or reputational damage |
| Health and Safety | Risks related to employee health and safety in the workplace | Unsafe equipment or environment; workplace stress; potential for injury from repetitive strain or falls from heights |
| Property | Risks related to the security of both tangible and intangible assets | Inventory protection against spoilage or theft; intellectual property rights; potential for enforcement action |
| Reputational | Risks related to the perception of the organization by its stakeholders, the media, and the general public that could impact liquidity, capital, or credit rating | Publicity regarding production methods, business practices, or internal controls |
| Financial | Risks related to credit, interest rates, the stock market, currency, and collateral | Foreign exchange rates; strategic equity; asset liquidity; employee stock option program; commodity risks |

Source: Epstein and Rejc Buhovac (2005), adapted from COSO (2004).
Reporting Risks

| Risk Type | Definition | Example |
|---|---|---|
| Information | Risks related to the quality and accessibility of information | Data accuracy, relevance, reliability, and completeness; security of information; integration of information systems |
| Reporting | Risks related to the process of capturing, analyzing, and submitting data in a meaningful format to managers and external stakeholders for decision-making purposes | Reliability and completeness of financial information; efficiency of the process for internal decision-making and for external reporting |

Source: Epstein and Rejc Buhovac (2005), adapted from COSO (2004).
Compliance Risks

| Risk Type | Definition | Example |
|---|---|---|
| Legal and Regulatory | Risks related to meeting legal and regulatory requirements with respect to corporate governance, labor relations, industry standards, the environment, etc. | Employee compliance with the organization's code of conduct and Non-Governmental Organization standards; human rights violations (e.g., child labor) |
| Control | Risks related to the internal control systems and security policies that could result in system downtime, backlogs, fraud, and the inability to continue business operations | Data integrity; data and system availability; potential for malpractice by employees or outsiders (e.g., theft, deception, forgery, false accounting); potential for operational errors (e.g., clerical, record-keeping, and those resulting from faulty IT systems) |
| Professional | Risks related to organizational liability and the personal liability of directors and managers | Misrepresentation; defamation; corporate insolvency |

Source: Epstein and Rejc Buhovac (2005), adapted from COSO (2004).
Simpler, Process-Based Framework
Risks (13 categories vs. COSO’s 22 categories)
• OPERATIONAL, INTERNALLY CONTROLLED: Human Capital; Facilities & Machine; Methods & Systems; Materials & Suppliers
• CUSTOMER RELATED: Demand; Relationship; Customer's Success
• ENVIRONMENTAL: Regulatory & Political; Natural
• FINANCIAL RISKS: Costs; Financing; External Financial Risks
Process-Based Risk Categories

| Group | Category | Description |
|---|---|---|
| OPERATIONAL, INTERNALLY CONTROLLED | Human Capital | Employee engagement, skills, retention, capacity, agility |
| OPERATIONAL, INTERNALLY CONTROLLED | Facilities & Machine | Capacity, capabilities, quality |
| OPERATIONAL, INTERNALLY CONTROLLED | Methods & Systems | Value chain; fraud; unauthorized, illegal, unethical, incorrect, or inappropriate actions |
| OPERATIONAL, INTERNALLY CONTROLLED | Materials & Suppliers | Supply chain, material quality issues, quality of supply |
| CUSTOMER RELATED | Demand | Market risk: not enough volume at the price we must charge |
| CUSTOMER RELATED | Relationship | Relationship risk: we are not able to build or maintain our target relationships |
| CUSTOMER RELATED | Customer's Success | Customer risk: customer's profitability, viability, growth |
| ENVIRONMENTAL | Regulatory & Political | Changes in our regulatory, legal and liability environment; political disasters and major macroeconomic shifts |
| ENVIRONMENTAL | Natural | Weather, floods, acts of God |
| FINANCIAL RISKS | Costs | Unanticipated / planned cost shifts |
| FINANCIAL RISKS | Financing | Investor risk, insufficient funding, rate issues |
| FINANCIAL RISKS | External Financial Risks | Valuation risk |
The Institute of Risk Management’s Risk Categories

Strategic/commercial
• Under-performance to specification
• Management will under-perform against expectations
• Collapse of contractors
• Insolvency of promoter
• Failure of suppliers to meet contractual commitments (e.g. quality, quantity, timescales or own risk exposure)
• Insufficient capital revenues
• Market fluctuations
• Fraud/theft
• Partnerships failing to deliver the desired outcome
• Situation non-insurable (or cost of insurance outweighs the benefit)
• Lack of capital investment availability

Economic/financial/market
• Exchange rate fluctuation
• Interest rate instability
• Inflation
• Shortage of working capital
• Failure to meet projected revenue targets
• Market developments adversely affect plans

Legal and regulatory
• New or changed legislation invalidates assumptions upon which the activity is based
• Failure to obtain appropriate approval (e.g. planning, consent)
• Unforeseen inclusion of contingent liabilities
• Loss of intellectual property rights
• Failure to achieve satisfactory contractual arrangements
• Unexpected regulatory controls or licensing requirements
• Changes in tax or tariff structure

Environmental
• Natural disasters
• Storms, flooding, tempests
• Pollution incidents
• Transport problems, including aircraft/vehicle collisions

Organizational/management/human factors
• Management incompetence
• Inadequate corporate policies
• Inadequate adoption of management practices
• Poor leadership
• Inadequate authority of key personnel to fulfill roles
• Poor staff selection procedures
• Lack of clarity over roles and responsibilities
• Vested interests creating conflict and compromising the overall aims
• Individual or group interests given unwarranted priority
• Personality clashes
• Indecision or inappropriate decision making
• Lack of operational support
• Inadequate or inaccurate information
• Health and safety constraints

Political
• Change of government policy, national or international (e.g. approach to nationalization)
• Change of government
• War and disorder
• Adverse public opinion/media intervention

Technical/operational/infrastructure
• Inadequate design
• Professional negligence
• Human error/incompetence
• Infrastructure failure
• Operation lifetime lower than expected
• Residual value of assets lower than expected
• Increased dismantling/decommissioning costs
• Safety being compromised
• Performance failure
• Residual maintenance problems
• Scope 'creep'
• Unclear expectations
• Breaches in security/information security
• Lack or inadequacy of business continuity

Source: The Institute of Risk Management, 6 Lloyd’s Avenue, London EC3N 3AX, http://theirm.org/publications/documents/ARMS_2002_IRM.pdf
Common Types of Risk
[Diagram: The Institute of Risk Management, 6 Lloyd’s Avenue, London EC3N 3AX, http://theirm.org/publications/documents/ARMS_2002_IRM.pdf. Axis: externally driven risks vs. internally driven risks. Four quadrants:]
• FINANCIAL RISKS: interest rates; foreign exchange; credit; liquidity & cash flow
• STRATEGIC RISKS: competition; customer changes; industry changes; customer demand; M&A integration; research & development; intellectual capital
• OPERATIONAL RISKS: accounting & controls; information systems; recruitment; supply chain; culture; board composition; regulations
• HAZARD RISKS: products & services; public access; employees; properties; natural events; suppliers; contracts; environment
Kaplan & Mikes Framework
Source: Managing Risks: A New Framework, Robert S. Kaplan and Anette Mikes, Harvard Business Review, June 2012.
Three types of risk

Category I: Preventable risks. These are internal risks, arising from within the organization, that are controllable and ought to be eliminated or avoided. Examples are the risks from employees’ and managers’ unauthorized, illegal, unethical, incorrect, or inappropriate actions and the risks from breakdowns in routine operational processes. This risk category is best managed through active prevention: monitoring operational processes and guiding people’s behaviors and decisions toward desired norms.

Category II: Strategy risks. A company voluntarily accepts some risk in order to generate superior returns from its strategy. A bank assumes credit risk, for example, when it lends money; many companies take on risks through their research and development activities. Strategy risks are quite different from preventable risks because they are not inherently undesirable. A strategy with high expected returns generally requires the company to take on significant risks, and managing those risks is a key driver in capturing the potential gains. Strategy risks cannot be managed through a rules-based control model. Instead, you need a risk-management system designed to reduce the probability that the assumed risks actually materialize and to improve the company’s ability to manage or contain the risk events should they occur. Such a system would not stop companies from undertaking risky ventures; to the contrary, it would enable companies to take on higher-risk, higher-reward ventures than could competitors with less effective risk management.

Category III: External risks. Some risks arise from events outside the company and are beyond its influence or control. Sources of these risks include natural and political disasters and major macroeconomic shifts. External risks require yet another approach. Because companies cannot prevent such events from occurring, their management must focus on identification (they tend to be obvious in hindsight) and mitigation of their impact.

Source: Managing Risks: A New Framework, Robert S. Kaplan and Anette Mikes, Harvard Business Review, June 2012.
http://www.rmsolutions.ca/
http://www.ey.com/GL/en/Services/Advisory/IT-Risk-and-Assurance/Business-risks-fuse-with-IT-risks---The-IT-megatrends
To learn more, join us at RiskScorecard.net