JOHN R.S. FRASER
Vice President, Internal Audit & Chief Risk Officer, Hydro One Networks Inc.
One of the key building blocks of enterprise risk management (ERM) is the preparation and sharing of a corporate risk profile.1 One might even go so far as to state that where there is no corporate risk profile there is no ERM. How a profile is prepared, how frequently it is prepared, and with whom it is shared are all subject to different treatments in each organization. However, a good guiding principle to follow is to keep it simple. Tools and methodologies should follow suit and not become overly bureaucratic or complex.
This chapter will hopefully assist organizations in choosing the most effective type of risk profile for their needs and provide guidance in preparing and communicating it to management and boards. The following descriptions of alternative methods will assist students of ERM to understand how and why profiles assist management and boards, and how these may be done most effectively in varying situations.
The chapter is organized into two parts. In the first part, readers are provided with background information on the definition, purpose, use, and types of risk profiles along with the advantages and disadvantages of the various methodologies used to gather the information needed to prepare a risk profile. It also covers how and why profiles assist management and boards and how these may be done most effectively in varying situations. The second part of the chapter is dedicated to how to prepare the simplest type of profile—the “top 10.” It uses Hydro One as a case study.2 Since 1999 and over tumultuous periods of high risk, the top 10 method has proven its value to Hydro One’s management and board. The success of this type of profile is a result of its simple preparation and effectiveness of purpose.
A corporate risk profile is a periodic documentation of the key risks to an organization to achieving its stated business objectives over a specified future time period.3 For some businesses that are subject to great volatility it may be helpful to prepare these more frequently and, conversely, less frequently for static industries or organizations.
The primary purpose of a risk profile is to assist the CEO and management team in communicating with the board. This means that the risk profile is prepared as a service to the CEO and should reflect the CEO’s understanding and tone. Where a risk profile is prepared at lower levels of the organization, for example, at a division or subsidiary, it should be viewed as a management tool for the head of that division or subsidiary. The corporate risk profile can also be used by the management team for other purposes such as strategic and business planning, resource allocation and action plans.
A corporate risk profile should be prepared for use by the management of an organization as part of the ERM process. It is important to note, however, that it differs in many respects from risk descriptions included in filings for purely regulatory purposes. Typical differences include:
The term “risk profile” is used in a number of ways by different disciplines, and these may not reflect the meaning used in ERM. For instance, investment analysts prepare risk profiles to assess whether an organization is a sound investment and, likewise, rating agencies prepare them to decide how creditworthy an organization is. Such profiles take into account the industry, the demand for products and services, the quality of management, the competition, and the financial structure and strength of an organization. These are valid methodologies, but they have special purposes and define risk in terms of the users of that profile, in these cases the investors or lenders. They are not risk profiles as used in ERM.
One also hears about developing a risk profile or a risk forecast of what an organization may look like at a future date. This may envision an organization’s capital structure or target market. This again, however, is more of a useful strategic planning and visioning exercise.
Preparing a risk profile is truly generic. The same principles and methodologies apply whether an organization is publicly or privately held, not-for-profit, or government. Even a household interested in preparing one could follow the same principles and methodologies. A true ERM risk profile should be holistic and reflect all risks to the organization’s business objectives.
Different types of corporate risk profiles are used to demonstrate and communicate key risk information. Each type serves a purpose best suited to an organization’s needs and has features that help focus the attention of senior management and the board. For each type of risk profile, there are strengths and weaknesses just as there are advantages and disadvantages to the methodologies applied in gathering information for these profiles. The next section highlights three different types of commonly used corporate risk profiles: the top 10 list, the risk map, and the heat map.
The simplest method of identifying, ranking, and sharing the top risks facing an organization is often referred to as a “top 10” list. The term “top 10” is familiar, easily understood, and denotes a short yet important list of risks. It is successfully used because it is not an exhaustive list that confuses and often becomes unmanageable. The secret lies in keeping it simple and easy to communicate.
Simply put, a top 10 risk profile provides a ranked listing of the most significant risks facing an organization and likely to impact the organization’s ability to meet its stated objectives. A top 10 list should also provide trending information, such as whether a risk is getting more or less risky and a comparative rating of the risks at previous periods. (Special attention is given on how to prepare a top 10 list later.)
A risk map (see Exhibit 11.1) is one of the most widely described ways to present the largest risks facing an organization. It is visually appealing and easy to understand and describe. It usually consists of two axes: the vertical axis showing the potential impact of the risk and the horizontal axis showing the estimated likelihood of the risk occurring, both usually on a scale from 1 (low) to 5 (high). For analysis purposes, the map is often divided into four quadrants4 as follows:
Risk maps are best prepared during a risk workshop using voting technology.
Features that can be added to a risk map include:
A heat map is usually color-coded to show the levels of risks and mitigants5 in a matrix format. Descriptions of the levels and format used can vary but would generally consist of a matrix of the risk sources and the organizational units. Heat maps are well suited for risk surveys where participants assign a rating or color to the risks.
A risk source heat map typically shows a generic list of risks, sometimes grouped by categories such as strategic, operational, and systemic with columns to the right showing the ratings for the severity of each risk and the adequacy of the related mitigants.
An organization heat map can list the organizational entities such as departments, locations, or product lines in the first column while, next to each entity, are color-coded squares identifying the level of each risk. High risk is usually denoted by red, medium risk by yellow, and low risk by green.
A more sophisticated application of this type of heat map could be used by a worldwide trading operation. The map may be designed to show the trading desk locations across the columns on the page with the various product risks listed down the side (see the example in Exhibit 11.2). Such an application is ideal for an online computerized risk management reporting system. In this instance, the CEO or head trader can look at a real-time heat map on screen and double-click on any yellow or red square to see the detail behind the color. If the CEO clicked on New York’s red square for precious metals, it would bring up a more detailed view of the New York operation and reveal that the traders’ desk profits had not been reconciled with the back office within the permitted time; the staff accountable for that reconciliation had therefore turned the flag red as part of their duties.
Exhibit 11.3 Risk Information Gathering Alternatives

| Method | Advantages | Disadvantages |
| --- | --- | --- |
| Risk workshop | Popular with participants due to efficient use of time and learning/sharing opportunities; can target groups of people; immediate results; often described as “magical” due to the enriched discussions and information shared* | High level of facilitation skills required; voting technology required; limited by geography; must have sufficient expertise and knowledge among the participants in the room |
| Structured interview | Creates conversations; efficient use of interviewee time; face-to-face contact promotes and strengthens relationships, enhancing ERM for a risk-aware culture | Limited by geography; high level of interview skills required, including familiarity with a wide variety of risk types; no opportunity for dialogue among fellow decision makers; requires sufficient time to schedule and conduct interviews |
| Formal survey | Can cover a larger number of participants**; consistent structure; well documented | Quality of responses may be an issue; no conversations, no learning opportunity for respondents; sufficient preparation time is needed to compose questions; subject to delays |
*As described in detail during an interview in an article titled “Q&A With Hydro One’s Chief Risk Officer,” by Matt Kelly in Compliance Week, January 25, 2005.
**For geographically dispersed organizations, surveys can be submitted to and consolidated electronically at head office, or be conducted locally using a single off-the-shelf risk management application that rolls up the results automatically to the corporate computer system.
There are a variety of ways to gather the information required to prepare risk profiles, as well as various advantages and disadvantages for each type of information gathering methodology used. Although the above comparative chart (Exhibit 11.3) depicts these, it is by no means exhaustive. Organizations should consider each methodology against their needs, resources, and capabilities.
In the first half of this chapter, we defined the purpose and uses of corporate risk profiles. Furthermore, we identified the most common types and the alternative methodologies for gathering information used in these risk profiles. This background knowledge is needed to proceed to the next part of this chapter, which focuses on how to prepare a top 10 risk profile and track its accuracy and usefulness. This section will cover in more detail significant aspects of what is involved in the preparation, consolidation, and documentation of this type of profile. Specifically, these aspects, in sequential order, include:
It is essential to develop a plan of action before embarking on the actual interviews. The duration, the resource requirements, and the level of detail all need to be considered in order to be most effective.
This is a key decision to ensure positive cooperation and feedback from organizational executives. For most organizations an annual profile may be too infrequent given the fluctuating changes in the marketplace and within the organization itself. On the other hand, a profile every quarter may be excessive, especially for organizations just starting ERM. A semi-annual profile is the most expedient interval to start. It can then be adjusted after some experimentation.
Hydro One’s experience has shown that interviewing the top 40 executives and risk specialists6 draws the most efficient and balanced range of responses for an average-sized organization.7 Ideally, interviews are conducted by two members of the ERM team, one who is facilitating the interview and the other who is taking detailed notes.
Scheduling a half-hour interview can be more easily accommodated than an hour-long interview. As well, all interviews should be scheduled within a set time period. A three-week time period is practical and provides a picture at a point in time without becoming blurred unless events affecting the organization change dramatically during the process (e.g., market collapse, earthquake, hostile takeover attempt).
Since the CEO is the sponsor,8 care is required in approaching interviews and sessions involving the CEO as his or her views need to be reflected in the product, while still leaving the opportunity to make further refinements based on consultation with other members of the management team and other sources of information. Thus, it may be appropriate to interview the CEO for thoughts on various risks but caution the CEO that once this information is consolidated with other interviews and sources a different risk profile may emerge. Ultimately, however, the CEO should be prepared to review and discuss the report with the executive team before it is finalized and shared with the board.
At this point, key background information that can influence the risk profile should be gathered. This could include benchmarking information, performance measures, and other trend analyses that might be used as key risk indicators (see Chapter 8 on Key Risk Indicators), internal and external audit reports and results of risk workshops, both at the senior and line management levels.
In an ERM environment the interviews with senior management and risk specialists should be validated against other ERM information. Such other information ideally would include divisional risk assessments prepared as part of the annual business planning process, and risk assessments (e.g., from risk workshops) as part of major projects and initiatives throughout the year. The results of these divisional and project risk assessments should be consolidated and used as critical input to the corporate risk profile. Altogether, these significant sources of information should complement and validate each other with any significant differences investigated as to their cause.
As with undertaking any kind of major project or new initiative, preparation is essential. Crafting a corporate risk profile is no different. The bulk of the work is in preparing the interview tools. Here, the Hydro One experience is used to explain what they are, how they are developed, and why they are needed.
Before proceeding with ERM, and the eventual top 10 list, clearly articulated corporate business objectives must be identified. Surprisingly, this information is not always readily available in some organizations, where major business objectives may be understood but are not officially documented. They could be manifested by the large sums of money spent on certain initiatives, buried in annual reports and other disclosures, or scattered throughout business planning documents. Hence, it is imperative to first compile and get executive agreement on a list of the top 8 or 10 corporate business objectives over the next few years. These objectives should be stated in measurable terms such as growing sales by 20 percent, achieving certain profit levels, expanding overseas to certain countries, and reaching specific safety or customer satisfaction targets. These are, however, not to be confused with key performance indicators (performance measures), which all too often are prepared on an annual basis only. Business objectives must not only be articulated in terms of stretch targets or new initiatives but also in terms of preserving shareholder value, corporate reputation, employee morale, and an organization’s customer base.
For the remainder of the chapter, all further discussions about ERM and creating a top 10 profile will be framed in terms of risks to achieving corporate business objectives. In fact, the first matter raised at each interview should be to inform the interviewee that discussions will be focused on the risks to meeting the business objectives over the next few years.
One of the key inputs into preparing a corporate risk profile is having a good understanding of what external events have happened recently or might happen to impact the organization. This is sometimes referred to as an “environmental scan.” A simple way to prepare this is to compile an ongoing file of newspaper clippings, research reports, articles, and other items depicting events that have happened that could impact the organization or its stakeholders.9 Examples of these events include changes in governments, proposed and actual regulatory changes, stock market anomalies (e.g., inverted yield curves), surprising and relevant law suits raised or settled with similar businesses, disasters or crises. Compiled regularly, the file becomes a comprehensive compendium, which then needs to be summarized into one or two pages of the most impactful events or potential risk issues. It is subsequently distributed, in advance, to the interviewees or presented at the start of the interview with a qualifying statement that the summary is intended to remind the interviewees of what has happened since the last interview and get them thinking about what external events could impact the organization. Many interviewees find the summary informative and look forward to receiving it. It also provides them with an opportunity to identify, discuss, and even add additional events or items that may have been inadvertently omitted.
In many real-life examples of ERM, management is either provided with a static list of risks and asked to rate it, or asked to discuss risks without any prompts from the interviewer. As a result, interviewees do not always consider risks that are not already on the list provided, or may not be responsive to general questions like “What keeps you awake at night?” At Hydro One, the practice is to bridge these two approaches: provide the interviewees with a list of past and potential risks at the start of the interview, urge them to be anticipatory in their thinking, and through gentle probing and discussion explore scenarios that could materialize into or create new risks.
What Is Presented in the List of Potential Risks?
The list at Hydro One consists of brief descriptions of risks grouped into categories such as safety, regulatory, and customer expectations. Each risk that was mentioned in the last risk profile is highlighted in the color denoting the previous risk rating. For example, red denotes high risks and yellow denotes medium risks. Risks that were not mentioned, because they were rated as low or are still evolving, are left uncolored and are referred to as “white spaces.” Examples include pandemic risks, regulatory changes, and pending environmental legislation.
What Is the Objective of the List?
All of the risks are listed in three columns on a large sheet of paper, which allows interviewees to quickly scan and focus on their areas of interest. Some interviewees spend most of the interview just on their area of accountability or specialty. Others may choose to discuss the risks that are of particular concern to them. The objective in presenting these risks is to solicit opinions as to whether the risks are likely to impact the business and in what time frame. It requires skill on the part of the interviewer to work with the various personality types, gain the interviewee’s confidence, and retrieve accurate and appropriate information to prepare a valid risk profile.
Provide a Prior List of Top Risks
In addition, interviewees should be provided—at the onset of the interview—with a matrix of the prior list of top risks and their respective ratings as identified in the previous risk profile. (See Exhibit 11.4.) This matrix has additional blank columns for recording the interviewee’s current ratings of risks, if different, and the expected trending, be it flat, upward, or downward. The interviewees are encouraged to provide their opinion prior to the end of the interview as to whether each rating should be adjusted and where they feel the trend is going. They are also asked whether any other risks should be included in the top 10 risks. A final column on the sheet is used for brief comments by the interviewer.
Hydro One’s experience shows that some interviewees like this format and proceed to provide their assessments of each risk and add any new ones. Other interviewees prefer not to provide an opinion on the ratings and trending of these risks, but will speak knowledgeably about the risks and the relevant mitigants and provide valuable qualitative data and perspectives. Hydro One caters to these differences and does not impose a single expectation of each interviewee. This is where ERM may be considered as much an art as a science.
Written Notes
With most interviews there can be a generous amount of discussion and information collected. It can be a challenge, therefore, to facilitate an interview while also taking copious notes. Ideally, then, there should be two interviewers from the ERM group, one team member leading the interview and the other team member taking detailed notes.
Feedback from the Interviewees on the Interview Process
For several years now, Hydro One has been conducting these interviews. During that time, there has been positive feedback from the interviewees on the process involved. Overall, the interviewees have commented on learning more about the risks to the organization as a whole and thinking about them more on a practical level. The interviewers have also found the dialogue to be nondefensive, allowing the interview to play a key role in ensuring the business objectives are well understood throughout the broader management team.
Once all of the interviews have been completed it is time to summarize the findings. Often there is a tight deadline in order to present the results to the management team, and subsequently to a board level committee or the board itself. In a centralized organization only a few people may be conducting or summarizing the interviews, while in a large worldwide organization it may be done by local champions who then provide summarized documentation for consolidation at the head office by the ERM group.
A helpful method used at Hydro One is to prepare individual sheets for each major risk with two columns:
Each comment listed in either of the above two columns is annotated with the initials of the interviewee for quick reference and follow-up if required to any specific issue. Although all interviews are treated confidentially and sources are never revealed, the practice is to maintain documentation of the original interview notes and to occasionally follow up with the interviewee for further clarification as required.
These individual risk sheets, when completed, become a summary of the key facts and descriptions, thus providing the basis for compiling or updating the risk profile. If there are conflicting views on any risks, they would need to be explored and validated.
Wherever interviewees have provided new ratings and/or trends for a risk these need to be recorded and tallied on a spreadsheet to determine whether the overall ratings or trends should indeed be changed.
The decision to add a risk or change a risk rating comes from one or more of the following:
Sometimes the ERM group may have to draft descriptions of evolving risks on a pro forma basis to be discussed with the executive team for inclusion in the profile. This is because the ERM group may believe that the risks, which have not been prioritized before, are escalating. In describing these new risks the ERM group needs to substantiate the escalation with findings from the interviews and other evidence.
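As an added illustration of the tallying step described above (this is not part of the chapter and not Hydro One’s own tooling), the following Python script consolidates interviewee ratings and trends for the prior top-10 risks and produces an Exhibit 11.5-style matrix of current rating, trend, and previous rating, alongside a count of newly nominated risks. The decision rule (a prior rating stands unless a strict majority of those who rated it agree on a different one; tied trends report as flat), the three-level rating scale, the sample risks, and the interviewee initials are all assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumed scales: the chapter colours high risks red and medium risks yellow;
# trends are recorded as flat, upward or downward.
RATINGS = ("low", "medium", "high")
TRENDS = ("downward", "flat", "upward")


@dataclass
class Response:
    """One interviewee's view of one prior top-10 risk (an Exhibit 11.4 row)."""
    interviewee: str            # initials, kept only for internal follow-up
    risk: str
    rating: Optional[str]       # None when the interviewee declined to rate
    trend: Optional[str]        # None when no trend opinion was offered


def validate(resp: Response) -> None:
    """Reject ratings or trends outside the agreed scales before tallying."""
    if resp.rating is not None and resp.rating not in RATINGS:
        raise ValueError(f"{resp.risk}: unknown rating {resp.rating!r}")
    if resp.trend is not None and resp.trend not in TRENDS:
        raise ValueError(f"{resp.risk}: unknown trend {resp.trend!r}")


def consolidate_rating(prior: str, offered):
    """Return (rating, number_of_raters). Assumed rule: the prior rating
    stands unless a strict majority of those who rated agree on another."""
    votes = Counter(r for r in offered if r is not None)
    total = sum(votes.values())
    if total == 0:
        return prior, 0
    top, count = votes.most_common(1)[0]
    if top != prior and count * 2 > total:
        return top, total
    return prior, total


def consolidate_trend(offered) -> str:
    """Most common offered trend; a tie or no opinion is reported as flat."""
    votes = Counter(t for t in offered if t is not None)
    if not votes:
        return "flat"
    ranked = votes.most_common()
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return "flat"
    return ranked[0][0]


def build_profile(prior, responses, nominations):
    """Tally responses into Exhibit 11.5-style rows plus candidate additions."""
    for resp in responses:
        validate(resp)
    rows = []
    for risk, previous in prior.items():
        own = [r for r in responses if r.risk == risk]
        current, raters = consolidate_rating(previous, [r.rating for r in own])
        rows.append({
            "risk": risk, "previous": previous, "current": current,
            "trend": consolidate_trend([r.trend for r in own]),
            "raters": raters, "changed": current != previous,
        })
    # Highest current rating first, alphabetical within a rating.
    rows.sort(key=lambda row: (-RATINGS.index(row["current"]), row["risk"]))
    additions = Counter(risk for _, risk in nominations)
    return rows, additions


def format_matrix(rows) -> str:
    """Plain-text matrix: risk, current rating (* if changed), trend, previous."""
    lines = ["Risk | Current | Trend | Previous | Raters"]
    for row in rows:
        flag = " *" if row["changed"] else ""
        lines.append(f"{row['risk']} | {row['current']}{flag} | {row['trend']} | "
                     f"{row['previous']} | {row['raters']}")
    return "\n".join(lines)


# Constructed sample data; initials and risk names are illustrative only.
PRIOR = {"Asset condition": "high", "Regulatory": "medium", "Safety": "medium"}
RESPONSES = [
    Response("JS", "Asset condition", "high", "upward"),
    Response("AB", "Asset condition", "high", "upward"),
    Response("CD", "Asset condition", "medium", "flat"),
    Response("EF", "Asset condition", None, None),      # spoke qualitatively only
    Response("JS", "Regulatory", "high", "upward"),
    Response("AB", "Regulatory", "high", "upward"),
    Response("CD", "Regulatory", "high", "flat"),
    Response("EF", "Regulatory", "medium", None),
    Response("JS", "Safety", "medium", "downward"),
    Response("AB", "Safety", "low", "flat"),
    Response("CD", "Safety", None, None),
]
NOMINATIONS = [("JS", "Pandemic"), ("AB", "Pandemic"), ("CD", "Distributed generation")]

if __name__ == "__main__":
    rows, additions = build_profile(PRIOR, RESPONSES, NOMINATIONS)
    print(format_matrix(rows))
    print("Nominated additions:", dict(additions))
```

Interviewees who spoke only qualitatively are carried as None and excluded from the count of raters, which mirrors the chapter’s point that not every interviewee is expected to rate; the validation step rejects values outside the agreed scales so a stray entry cannot silently skew the tally. A split vote leaves the prior rating in place, which is the point at which the ERM group would go back to the interview notes to explore and validate the conflicting views.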
Once the interviews have been conducted and the results summarized, the risk manager is faced with deciding how best to communicate the profile. The following section provides some helpful principles to guide the crafting of the document and any related presentations.
When drafting the corporate risk profile, Hydro One follows some basic principles and best practices. First, the document is relatively simple and easy to understand. This goes back to the guiding principle of keeping ERM simple. Second, the document is a combination of descriptions and an easy-to-understand chart. One of its attractions is that it is written in plain lay English rather than legalese.
The document itself is divided into three parts. The first part focuses on foundational information such as the process followed, the number of interviews completed, the time frame for the assessment (e.g., three years forward), and the risks that have been removed from or added to the profile since the last one. The second part consists of a matrix (see Exhibit 11.5). This matrix lists the top risks, shows the current ratings, trends, and previous ratings for comparison, and references the risk descriptions on subsequent pages. The third part consists of a half-page narrative for each risk. Each narrative describes the sources of the risk, the business objectives impacted, and the mitigants in place or planned.
Hydro One evaluates and describes risks as “residual risks,” in other words, after taking into account current and planned mitigating actions. It does not use the term “inherent risk” except in rare cases such as the weather.10
Great care should be given to crafting the initial profile as it may be the first such document seen by management or the board. Recognizing Hydro One’s experience in using the top 10 method, a number of guidelines and tips follow:
For illustrative purposes, we provide an example of how a risk at Hydro One evolved, as did the related risk profile descriptions. Several years ago, Hydro One labeled a risk as “asset condition” to reflect the potential impact on its objectives in the event of asset failures. It became evident later on that there were fundamental distinguishing risk characteristics between its transmission assets and its distribution assets. As a result, Hydro One split this risk grouping and gave each type of asset its own risk category and rating. As the electricity generation and demand locations started to shift in the province of Ontario, Hydro One then split the transmission asset risk into two separate parts. This split reflects the distinction between risks arising from the existing condition of these assets and those arising from not having sufficient assets in the right physical locations to meet growing shifts in generation and demand. More recently, distributed generation (e.g., windmills) has mushroomed and will require a multimillion dollar upgrade of the distribution grid. This has resulted in a new risk category being formed. Exhibit 11.6 shows the evolution of the single initial risk category, asset condition, into four discrete risk categories.
Once the risk profile has been prepared or updated by the ERM group, it is then presented to a management committee. Refinements are made and, in some cases, additional research may be required to resolve any questions of fact that are noted.
The management committee, led by the CEO, takes ownership of the profile (by accepting or approving it).
As mentioned earlier in the chapter, the primary purpose of the corporate risk profile is to share the key risks facing the organization with the board. The risk profile should then be shared with the full board at least annually. The profile should be presented to the board or a delegated board committee by the Chief Risk Officer or another member of senior management on behalf of the CEO and the management team. This is the practice at Hydro One. As part of good corporate governance, the board should also insist on viewing updated profiles on a periodic basis or requesting interim updates during a crisis.
A board subcommittee may also be charged as the designated forum for championing and monitoring ERM. Often it falls to the overburdened audit committee, but hopefully in the future more boards will appoint a specific risk committee to monitor ERM and ensure the oversight of all major risks. Such a committee would ideally be comprised of the chairs of all other board subcommittees.
The secondary purpose of the profile is to provide an important base for strategic planning. The profile reminds executive management and the board of the risks they currently face under the existing strategic plan. Thus, future deliberations as to changes in the board’s and management’s vision, and the undertaking of new initiatives and exploration of opportunities, can be framed in terms of how the existing risks might then be affected by new strategic directions.
There are a number of ways in which the accuracy and usefulness of the corporate risk profile can be monitored. The most obvious is the passage of time. Are unforeseen risks manifested over time and are organizations surprised by a risk that was not identified, discussed, evaluated, and mitigated to the extent deemed appropriate by management and the board? Should a major previously unidentified risk surface after a risk profile was prepared, management and the board must review and understand how this happened. More to the point, what was missed in the process that allowed such a risk to go undetected or unreported?
Another way to monitor the usefulness of the corporate risk profile is to compare how money and resources are allocated relative to the top 10 risks identified. For instance, is the board presented with proposals to approve expenditures that do not align with the risk profile? If resources and management attention are not allocated according to the risk profile the board should probe into whether the profile was inaccurate or why the need for additional resources was not thoroughly thought through.
In this chapter, we have seen how vital the corporate risk profile is to the overall ERM process. A distinction was drawn between a risk profile prepared for ERM as a practical management and governance tool and other types of risk profiles prepared for different purposes either within the organization or by others about the organization. Although there are varying levels of sophistication and effort that can be expended on preparing risk profiles, the chapter described a proven methodology that can be used by organizations getting started in ERM or those that are having difficulty implementing it. In essence, a corporate risk profile:
DeLoach, James W. 2000. Enterprise-wide risk management: Strategies for linking risk and opportunity. Upper Saddle River, NJ: Prentice Hall.
Fraser, John R.S., and Betty J. Simkins. 2007. Ten common misconceptions about enterprise risk management. Journal of Applied Corporate Finance.
HM Treasury. 2004. The orange book: Management of risk principles and concepts.
The Institute of Risk Management (UK) and the Institute of Insurance and Risk Managers (UK). 2002. The Risk Management Standard.
ISO/IEC CD 2. 2008. Guide 73 (April 1).
Kelly, Matt. 2005. Q&A with Hydro One’s chief risk officer. Compliance Week (January 25).
John Fraser is the Vice President, Internal Audit & Chief Risk Officer of Hydro One Networks Inc., one of Canada’s largest electricity transmission and distribution companies. He is an Ontario and Canadian Chartered Accountant, a Fellow of the Association of Chartered Certified Accountants (UK), a Certified Internal Auditor, and a Certified Information Systems Auditor. He has more than 30 years’ experience in the risk and control field mostly in the financial services sector, including areas such as finance, fraud, derivatives, safety, environmental, computers, and operations. He is currently the Chair of the Advisory Committee of the Conference Board of Canada’s Strategic Risk Council, a Practitioner Associate Editor of the Journal of Applied Finance, and a past member of the Risk Management and Governance Board of the Canadian Institute of Chartered Accountants. He is a recognized authority on enterprise risk management and has co-authored three academic papers on ERM—published in the Journal of Applied Corporate Finance and the Journal of Applied Finance.