CHAPTER 11
How to Prepare a Risk Profile

JOHN R.S. FRASER

Vice President, Internal Audit & Chief Risk Officer, Hydro One Networks Inc.

INTRODUCTION

One of the key building blocks of enterprise risk management (ERM) is the preparation and sharing of a corporate risk profile.1 One might even go so far as to state that where there is no corporate risk profile there is no ERM. How a profile is prepared, how frequently it is prepared, and with whom it is shared are all subject to different treatments in each organization. However, a good guiding principle to follow is to keep it simple. Tools and methodologies should follow suit and not become overly bureaucratic or complex.

This chapter will hopefully assist organizations in choosing the most effective type of risk profile for their needs and provide guidance in preparing and communicating it to management and boards. The following descriptions of alternative methods will assist students of ERM to understand how and why profiles assist management and boards, and how these may be done most effectively in varying situations.

The chapter is organized into two parts. In the first part, readers are provided with background information on the definition, purpose, use, and types of risk profiles along with the advantages and disadvantages of the various methodologies used to gather the information needed to prepare a risk profile. It also covers how and why profiles assist management and boards and how these may be done most effectively in varying situations. The second part of the chapter is dedicated to how to prepare the simplest type of profile—the “top 10.” It uses Hydro One as a case study.2 Since 1999 and over tumultuous periods of high risk, the top 10 method has proven its value to Hydro One’s management and board. The success of this type of profile is a result of its simple preparation and effectiveness of purpose.

DEFINITION AND USES OF A CORPORATE RISK PROFILE

A corporate risk profile is a periodic documentation of the key risks to an organization to achieving its stated business objectives over a specified future time period.3 For some businesses that are subject to great volatility it may be helpful to prepare these more frequently and, conversely, less frequently for static industries or organizations.

The primary purpose of a risk profile is to assist the CEO and management team in communicating with the board. This means that the risk profile is prepared as a service to the CEO and should reflect the CEO’s understanding and tone. Where a risk profile is prepared at lower levels of the organization, for example, at a division or subsidiary, it should be viewed as a management tool for the head of that division or subsidiary. The corporate risk profile can also be used by the management team for other purposes such as strategic and business planning, resource allocation and action plans.

A corporate risk profile should be prepared for use by the management of an organization as part of the ERM process. It is important to note, however, that it differs in many respects from risk descriptions included in filings for purely regulatory purposes. Typical differences include:

  • Duration: The time horizon for a corporate risk profile should typically be in the range of three to five years, whereas regulatory filings are usually for a much longer term or in perpetuity; for example, they must cover matters for which investors could bring lawsuits in the future.
  • Types of risks: Regulatory filings are usually restricted to financial matters, that is, those areas that would be of interest to an investor. By contrast, a corporate risk profile covers all of the organization’s business objectives; where an organization has set a corporate safety target, for instance, the risk of missing that target belongs in the profile even though it is unlikely to be of much interest to investors.
  • Purpose: Corporate risk profiles are prepared to assist in better managing the company. Regulatory filings are usually prepared with both promotional and legal protection motives. Although the two types of risk descriptions can and should be reconciled with each other, they serve different purposes and, arguably, should remain separate documents.

The term “risk profile” has been used in a number of ways by different disciplines and these may not reflect the meaning used in ERM. For instance, investment analysts prepare risk profiles to assess whether an organization is a sound investment and, likewise, rating agencies prepare them to decide how creditworthy an organization is. Such profiles take into account the industry, the demand for products and services, the quality of management, the competition, and the financial structure and strength of an organization. These are valid methodologies but have special purposes and define risk in terms of the users of that profile, in these cases the investors or lenders. They are not risk profiles as used in ERM.

One also hears about developing a risk profile or a risk forecast of what an organization may look like at a future date. This may envision an organization’s capital structure or target market. This, however, is a strategic planning and visioning exercise rather than an ERM risk profile.

Preparing a risk profile is truly generic. The same principles and methodologies apply whether an organization is publicly or privately held, not-for-profit, or government. Even a household interested in preparing one could follow the same principles and methodologies. A true ERM risk profile should be holistic and reflect all risks to the organization’s business objectives.

COMMON TYPES OF CORPORATE RISK PROFILES

Different types of corporate risk profiles are used to demonstrate and communicate key risk information. Each type serves a purpose best suited to an organization’s needs and has features that help focus the attention of senior management and the board. For each type of risk profile, there are strengths and weaknesses just as there are advantages and disadvantages to the methodologies applied in gathering information for these profiles. The next section highlights three different types of commonly used corporate risk profiles: the top 10 list, the risk map, and the heat map.

The “Top 10” List

The simplest method of identifying, ranking, and sharing the top risks facing an organization is often referred to as a “top 10” list. The term “top 10” is familiar, easily understood, and denotes a short yet important list of risks. It is successfully used because it is not an exhaustive list that confuses and often becomes unmanageable. The secret lies in keeping it simple and easy to communicate.

Simply put, a top 10 risk profile provides a ranked listing of the most significant risks facing an organization and likely to impact the organization’s ability to meet its stated objectives. A top 10 list should also provide trending information, such as whether a risk is getting more or less risky and a comparative rating of the risks at previous periods. (Special attention is given on how to prepare a top 10 list later.)

The Risk Map

A risk map (see Exhibit 11.1) is one of the most widely described ways to present the largest risks facing an organization. It is visually appealing, and easy to understand and describe. It usually consists of two axes: the vertical axis showing the potential impact of the risk and the horizontal axis showing the estimated likelihood of the risk occurring, both usually on a scale from 1 (low) to 5 (high). The map is often divided into four quadrants4—for analysis purposes—as follows:

  1. High Impact/Low Likelihood: Risks falling into this quadrant (see upper left quadrant) are often of a crisis nature (e.g., ice storms, earthquakes) or described as “fat tail” events when applying “value at risk” thinking. Such events, because of their unpredictability, are often mitigated by use of insurance or disaster recovery planning.
  2. Low Impact/Low Likelihood: Risks falling into this quadrant (see lower left quadrant) are typical of business as usual events that are not critical to the business but need to be either accepted or managed by normal operational means.
  3. High Impact/High Likelihood: Risks falling into this quadrant (see upper right quadrant) are urgent and require the extensive attention of the board and management. Complete focus should be exercised until these have been mitigated to an acceptable level.
  4. Low Impact/High Likelihood: Risks falling into this quadrant (see lower right quadrant) are often foreseeable or transactional type errors that need to be mitigated through procedural type controls to an acceptable cost/benefit level.

Exhibit 11.1 Risk Map—December 2006

Risk maps are best prepared during a risk workshop using voting technology.

Features that can be added to a risk map include:

  • Mitigants: The adequacy of mitigants over each risk can be shown, for example, by the color or the size of the symbol (e.g., a bubble as shown in Exhibit 11.1) used for each risk, where small symbols show low levels of mitigation and large symbols show high levels of mitigation. This helps the reader to better understand the full picture.
  • Trends: Arrows showing the increasing or decreasing trend for each risk can be helpful to readers.
  • Risk versus controls chart: Risks can also be later plotted on another chart, reflecting both the magnitude and probability on the vertical axis and the adequacy of mitigants on the horizontal axis. This demonstrates whether there is an alignment of the mitigants with the severity of the risks. The chart helps ensure appropriate use of resources by identifying risks that are overcontrolled and those that are undercontrolled.

The Heat Map

A heat map is usually color-coded to show the levels of risks and mitigants5 in a matrix format. Descriptions of the levels and format used can vary but would generally consist of a matrix of the risk sources and the organizational units. Heat maps are well suited for risk surveys where participants assign a rating or color to the risks.

A risk source heat map typically shows a generic list of risks, sometimes grouped by categories such as strategic, operational, and systemic with columns to the right showing the ratings for the severity of each risk and the adequacy of the related mitigants.

An organization heat map can list the organizational entities such as departments, locations, or product lines in the first column while, next to each entity, are color-coded squares identifying the level of each risk. High risk is usually denoted by red, medium risk by yellow, and low risk by green.

A more sophisticated application of this type of heat map could be used by a worldwide trading operation. The map may be designed to show the trading desk locations across the columns on the page with the various product risks listed down the side (see the example in Exhibit 11.2). Such an application is ideal for an online computerized risk management reporting system. In this instance, the CEO or head trader can look at the computer screen showing a real-time heat map and then double click on any yellow or red square to see greater detail as to what is causing the color. If the CEO clicked on New York’s precious metals red square, it would bring up a more detailed view of the New York operation and reveal that the traders’ desk profits have not been reconciled with the back office within the permitted time; the red flag was turned on by the staff who are accountable for that reconciliation as part of their duties.
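The drill-down heat map described above, as an added example that is not part of the chapter or of any Hydro One system: each square is colored from the reconciliation status of one desk and product, and double-clicking a square is modeled as a lookup that returns the reason behind the color. The four-hour permitted window, the half-window warning threshold, and the sample books are assumptions made for the example; the chapter only says “within the permitted time.”

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumptions for the example: the chapter gives no actual window or threshold.
PERMITTED_WINDOW = timedelta(hours=4)   # time allowed to reconcile desk profits with back office
WARNING_FRACTION = 0.5                  # yellow once half the window has passed unreconciled


@dataclass
class DeskBook:
    location: str                        # trading desk location (column of the heat map)
    product: str                         # product risk (row of the heat map)
    close_of_trading: datetime           # when the desk's positions were closed off
    reconciled_at: Optional[datetime]    # None: back office has not reconciled yet


def cell_status(book: DeskBook, now: datetime) -> Tuple[str, str]:
    """Colour and reason for one square of the heat map."""
    deadline = book.close_of_trading + PERMITTED_WINDOW
    if book.reconciled_at is not None:
        if book.reconciled_at <= deadline:
            return "green", "desk profits reconciled with back office within permitted time"
        return "red", f"reconciled {book.reconciled_at - deadline} after the permitted time"
    if now > deadline:
        return "red", f"desk profits not reconciled; {now - deadline} past the permitted time"
    if now - book.close_of_trading > PERMITTED_WINDOW * WARNING_FRACTION:
        return "yellow", f"not yet reconciled; {deadline - now} left in the permitted window"
    return "green", "not yet reconciled; within permitted window"


def heat_map(books: List[DeskBook], now: datetime) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Rows are product risks, columns are desk locations, cells are (colour, reason)."""
    grid: Dict[str, Dict[str, Tuple[str, str]]] = {}
    for book in books:
        grid.setdefault(book.product, {})[book.location] = cell_status(book, now)
    return grid


def drill_down(grid, product: str, location: str) -> Dict[str, str]:
    """What the reader sees after double-clicking one square."""
    colour, reason = grid[product][location]
    return {"product": product, "location": location, "colour": colour, "reason": reason}


# Constructed sample books as at 17:00 on one trading day (assumed data, not real positions).
NOW = datetime(2006, 12, 1, 17, 0)
BOOKS = [
    DeskBook("New York", "precious metals", datetime(2006, 12, 1, 11, 0), None),   # overdue, unreconciled
    DeskBook("London", "precious metals", datetime(2006, 12, 1, 12, 0),
             datetime(2006, 12, 1, 14, 0)),                                         # reconciled on time
    DeskBook("New York", "fx", datetime(2006, 12, 1, 14, 30), None),               # half the window gone
    DeskBook("London", "fx", datetime(2006, 12, 1, 9, 0),
             datetime(2006, 12, 1, 15, 0)),                                         # reconciled late
]


def example_grid():
    return heat_map(BOOKS, NOW)


if __name__ == "__main__":
    grid = example_grid()
    for product, row in grid.items():
        print(product, {loc: colour for loc, (colour, _) in row.items()})
    print(drill_down(grid, "precious metals", "New York"))
```

The status is derived entirely from timestamps recorded by the accountable staff, so a square can only turn green again when a reconciliation time is actually entered; a late reconciliation stays red rather than clearing, which keeps the map honest about missed deadlines.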


Exhibit 11.2 Heat Map

Exhibit 11.3 Risk Information Gathering Alternatives

Risk Workshop

Advantages:
  • Popular with participants due to efficient use of time and learning/sharing opportunities
  • Can target groups of people
  • Immediate results
  • Often described as “magical” due to the enriched discussions and information shared*

Disadvantages:
  • High level of facilitation skills required
  • Voting technology required
  • Limited by geography
  • Must have sufficient expertise and knowledge among the participants in the room

Structured Interview

Advantages:
  • Creates conversations
  • Efficient use of interviewee time
  • Face-to-face contact promotes and strengthens relationships, enhancing ERM for a risk-aware culture

Disadvantages:
  • Limited by geography
  • High level of interview skills required, including familiarity with a wide variety of risk types
  • No opportunity for dialogue among fellow decision makers
  • Requires sufficient time to schedule and conduct interviews

Formal Survey

Advantages:
  • Can cover a larger number of participants**
  • Consistent structure
  • Well documented

Disadvantages:
  • Quality of responses may be an issue
  • No conversations, no learning opportunity for respondents
  • Sufficient preparation time is needed to compose questions
  • Subject to delays

*As described in detail during an interview in an article titled “Q&A With Hydro One’s Chief Risk Officer,” by Matt Kelly in Compliance Week, January 25, 2005.

**For geographically dispersed organizations, surveys can be submitted to and consolidated electronically at head office, or be conducted locally using a single off-the-shelf risk management application that automatically rolls up the results to the corporate computer system.

ADVANTAGES AND DISADVANTAGES OF INFORMATION-GATHERING METHODOLOGIES

There are a variety of ways to gather the information required to prepare risk profiles, as well as various advantages and disadvantages for each type of information gathering methodology used. Although the above comparative chart (Exhibit 11.3) depicts these, it is by no means exhaustive. Organizations should consider each methodology against their needs, resources, and capabilities.

HOW TO PREPARE A “TOP 10” RISK PROFILE—HYDRO ONE’S EXPERIENCE

In the first half of this chapter, we defined the purpose and uses of corporate risk profiles. Furthermore, we identified the most common types and the alternative methodologies for gathering information used in these risk profiles. This background knowledge is needed to proceed to the next part of this chapter, which focuses on how to prepare a top 10 risk profile and track its accuracy and usefulness. This section will cover in more detail significant aspects of what is involved in the preparation, consolidation, and documentation of this type of profile. Specifically, these aspects, in sequential order, include:

  • Scheduling interviews and gathering background information.
  • Preparing interview tools such as obtaining corporate business objectives, scanning events, listing potential risks, providing a list of prior risks, and compiling written notes.
  • Summarizing the interview findings.
  • Summarizing the risk ratings and trends.
  • Drafting the top 10 risk profile.
  • Reviewing the draft risk profile.
  • Communicating the risk profile with the board or board committee.
  • Tracking the results.

Step 1: Schedule Interviews and Gather Background Information

It is essential to develop a plan of action before embarking on the actual interviews. The duration, the resource requirements, and the level of detail all need to be considered in order to be most effective.

How Often Should a Top 10 Profile Be Prepared?

This is a key decision to ensure positive cooperation and feedback from organizational executives. For most organizations an annual profile may be too infrequent given the fluctuating changes in the marketplace and within the organization itself. On the other hand, a profile every quarter may be excessive, especially for organizations just starting ERM. A semi-annual profile is the most expedient interval to start. It can then be adjusted after some experimentation.

Who Should Be Interviewed and How Should Interviews Be Scheduled?

Hydro One’s experience has shown that interviewing the top 40 executives and risk specialists6 draws the most efficient and balanced range of responses for an average-sized organization.7 Ideally, interviews are conducted by two members of the ERM team, one who is facilitating the interview and the other who is taking detailed notes.

Scheduling a half-hour interview can be more easily accommodated than an hour-long interview. As well, all interviews should be scheduled within a set time period. A three-week time period is practical and provides a picture at a point in time without becoming blurred unless events affecting the organization change dramatically during the process (e.g., market collapse, earthquake, hostile takeover attempt).

What to Consider When Interviewing the CEO?

Since the CEO is the sponsor,8 care is required in approaching interviews and sessions involving the CEO as his or her views need to be reflected in the product, while still leaving the opportunity to make further refinements based on consultation with other members of the management team and other sources of information. Thus, it may be appropriate to interview the CEO for thoughts on various risks but caution the CEO that once this information is consolidated with other interviews and sources a different risk profile may emerge. Ultimately, however, the CEO should be prepared to review and discuss the report with the executive team before it is finalized and shared with the board.

What Background Information Needs to Be Gathered?

At this point, key background information that can influence the risk profile should be gathered. This could include benchmarking information, performance measures, and other trend analyses that might be used as key risk indicators (see Chapter 8 on Key Risk Indicators), internal and external audit reports and results of risk workshops, both at the senior and line management levels.

In an ERM environment the interviews with senior management and risk specialists should be validated against other ERM information. Such other information ideally would include divisional risk assessments prepared as part of the annual business planning process, and risk assessments (e.g., from risk workshops) as part of major projects and initiatives throughout the year. The results of these divisional and project risk assessments should be consolidated and used as critical input to the corporate risk profile. Altogether, these significant sources of information should complement and validate each other with any significant differences investigated as to their cause.

Step 2: Prepare the Interview Tools

As with undertaking any kind of major project or new initiative, preparation is essential. Crafting a corporate risk profile is no different. The bulk of the work is in preparing the interview tools. Here, the Hydro One experience is used to explain what they are, how they are developed, and why they are needed.

Obtaining Corporate Business Objectives

Before proceeding with ERM, and the eventual top 10 list, clearly articulated corporate business objectives must be identified. Surprisingly, this information is not always readily available in some organizations, where major business objectives may be understood but are not officially documented. They could be manifested by the large sums of money spent on certain initiatives, buried in annual reports and other disclosures, or scattered throughout business planning documents. Hence, it is imperative to first compile and get executive agreement on a list of the top 8 or 10 corporate business objectives over the next few years. These objectives should be stated in measurable terms such as growing sales by 20 percent, achieving certain profit levels, expanding overseas to certain countries, and reaching specific safety or customer satisfaction targets. These are, however, not to be confused with key performance indicators (performance measures), which all too often are prepared on an annual basis only. Business objectives must not only be articulated in terms of stretch targets or new initiatives but also in terms of preserving shareholder value, corporate reputation, employee morale, and an organization’s customer base.

For the remainder of the chapter, all further discussions about ERM and creating a top 10 profile will be framed in terms of risks to achieving corporate business objectives. In fact, the first matter raised at each interview should be to inform the interviewee that discussions will be focused on the risks to meeting the business objectives over the next few years.

Scanning of Events

One of the key inputs into preparing a corporate risk profile is having a good understanding of what external events have happened recently or might happen to impact the organization. This is sometimes referred to as an “environmental scan.” A simple way to prepare this is to compile an ongoing file of newspaper clippings, research reports, articles, and other items depicting events that have happened that could impact the organization or its stakeholders.9 Examples of these events include changes in governments, proposed and actual regulatory changes, stock market anomalies (e.g., inverted yield curves), surprising and relevant lawsuits raised or settled with similar businesses, and disasters or crises. Compiled regularly, the file becomes a comprehensive compendium, which then needs to be summarized into one or two pages of the most impactful events or potential risk issues. The summary is subsequently distributed, in advance, to the interviewees or presented at the start of the interview with a qualifying statement that it is intended to remind the interviewees of what has happened since the last interview and get them thinking about what external events could impact the organization. Many interviewees find the summary informative and look forward to receiving it. It also provides them with an opportunity to identify, discuss, and even add events or items that may have been inadvertently omitted.

Prepare a List of Potential Risks

In many real-life examples of ERM, management is either given a static list of risks to rate or asked to discuss risks without any prompts from the interviewer. As a result, interviewees do not always consider risks not already identified on the list provided, or may not be responsive to general questions like “What keeps you awake at night?” At Hydro One, the practice is to bridge these two approaches: provide the interviewees with a list of past and potential risks at the start of the interview, urge them to be anticipatory in their thinking, and through gentle probing and discussion explore scenarios that could materialize into or create new risks.

What Is Presented in the List of Potential Risks? The list at Hydro One consists of brief descriptions of risks grouped into categories such as safety, regulatory and customer expectations. Each risk that was mentioned in the last risk profile is highlighted in the color denoting the previous risk rating. For example, red denotes high risks and yellow denotes medium risks. Risks that were not mentioned, because they were rated as low or are still evolving, are left uncolored and are referred to as “white spaces.” Examples include pandemic risks, regulatory changes, and pending environmental legislation.

What Is the Objective of the List? All of the risks are listed in three columns on a large sheet of paper, which allows interviewees to quickly scan and focus on their areas of interest. Some interviewees spend most of the interview just on their area of accountability or specialty. Others may choose to discuss the risks that are of particular concern to them. The objective in presenting these risks is to solicit opinions as to whether the risks are likely to impact the business and in what time frame. It requires skill on the part of the interviewer to work with the various personality types, gain the interviewee’s confidence, and retrieve accurate and appropriate information to prepare a valid risk profile.

Provide a Prior List of Top Risks In addition, interviewees should be provided—at the onset of the interview—with a matrix of the prior list of top risks and their respective ratings as identified in the previous risk profile. (See Exhibit 11.4.) This matrix has additional blank columns for recording the interviewee’s current ratings of risks, if different, and the expected trending, be it flat, upward, or downward. The interviewees are encouraged to provide their opinion prior to the end of the interview as to whether each rating should be adjusted and where they feel the trend is going. They are also asked whether any other risks should be included in the top 10 risks. A final column on the sheet is used for making brief comments by the interviewer.


Exhibit 11.4 Risk Profile—Interview Sheet

Hydro One’s experience shows that some interviewees like this format and proceed to provide their assessments of each risk and add any new ones. Other interviewees prefer not to provide an opinion on the ratings and trending of these risks, but will speak knowledgeably about the risks and the relevant mitigants and provide valuable qualitative data and perspectives. Hydro One caters to these differences and does not impose a single expectation of each interviewee. This is where ERM may be considered as much an art as a science.

Written Notes With most interviews there can be a generous amount of discussion and information collected. It can be a challenge, therefore, to facilitate an interview while also taking copious notes. Ideally, then, there should be two interviewers from the ERM group, one team member leading the interview and the other team member taking detailed notes.

Feedback from the Interviewees on the Interview Process For several years now, Hydro One has been conducting these interviews. During that time, there has been positive feedback from the interviewees on the process involved. Overall, the interviewees have commented on learning more about the risks to the organization as a whole and thinking about them more on a practical level. The interviewers have also found the dialogue to be nondefensive, allowing the interview to play a key role in ensuring the business objectives are well understood throughout the broader management team.

Step 3: Summarize the Interview Findings

Once all of the interviews have been completed it is time to summarize the findings. Often there is a tight deadline in order to present the results to the management team, and subsequently to a board level committee or the board itself. In a centralized organization only a few people may be conducting or summarizing the interviews, while in a large worldwide organization it may be done by local champions who then provide summarized documentation for consolidation at the head office by the ERM group.

Helpful Tips When Summarizing

A helpful method used at Hydro One is to prepare individual sheets for each major risk with two columns:

  1. The first identifies the sources of risk and causes for any increases in risk.
  2. The second denotes the mitigation efforts and causes for any decreases in risk.

Each comment listed in either of the above two columns is annotated with the initials of the interviewee for quick reference and follow-up if required to any specific issue. Although all interviews are treated confidentially and sources are never revealed, the practice is to maintain documentation of the original interview notes and to occasionally follow up with the interviewee for further clarification as required.

These individual risk sheets, when completed, become a summary of the key facts and descriptions, thus providing the basis for compiling or updating the risk profile. If there are conflicting views on any risks, they would need to be explored and validated.

Step 4: Summarize the Risk Ratings and Trends

Wherever interviewees have provided new ratings and/or trends for a risk, these need to be recorded and tallied on a spreadsheet to determine whether the overall ratings or trends should indeed be changed.

The decision to add a risk or change a risk rating comes from one or more of the following:

  • The key issues from the summarized interview findings.
  • Risk ratings collected from the interviewees.
  • Trends indicated by the interviewees.

Sometimes the ERM group may have to draft descriptions of evolving risks on a pro forma basis to be discussed with the executive team for inclusion in the profile. This is because the ERM group may believe that the risks, which have not been prioritized before, are escalating. In describing these new risks the ERM group needs to substantiate the escalation with findings from the interviews and other evidence.
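The tally described in Step 4, as an added example that is not part of the chapter or of Hydro One’s spreadsheet: it consolidates the interview-sheet entries from Exhibit 11.4 (initials, risk, rating, trend) into the matrix rows of Exhibit 11.5, records how many interviewees actually rated each risk, compares the consolidated rating with the previous profile, and flags the wide divergence of views that the drafting tips say should be described rather than hidden behind a single number. The low/medium/high scale, the median-rounded-up rule, the two-level divergence threshold, and the sample entries are all assumptions made for the example.

```python
import math
from collections import Counter, defaultdict
from statistics import median
from typing import Dict, List, Optional, Tuple

# Assumed three-level scale; the chapter only mentions red (high) and yellow (medium).
RATING_LEVELS = {"low": 1, "medium": 2, "high": 3}
LEVEL_NAMES = {level: name for name, level in RATING_LEVELS.items()}
DIVERGENCE_SPREAD = 2   # assumption: one interviewee says low while another says high

# One row per interviewee per risk, copied from the interview sheets:
# (initials, risk, rating, trend). None means the interviewee discussed the risk
# but declined to rate it. Constructed sample data, not Hydro One's.
ENTRIES = [
    ("AB", "asset condition", "high", "up"),
    ("CD", "asset condition", "high", "flat"),
    ("EF", "asset condition", "medium", "up"),
    ("GH", "asset condition", None, None),       # qualitative comments only
    ("AB", "regulatory", "high", "up"),
    ("CD", "regulatory", "low", "down"),         # sharply different view of the same risk
    ("EF", "regulatory", "medium", "up"),
    ("GH", "safety", "medium", "flat"),
    ("EF", "pandemic", "medium", "up"),          # "white space" risk proposed for the top 10
]

# Ratings from the previous profile; risks absent here were not in the last top 10.
PRIOR_PROFILE = {"asset condition": "high", "regulatory": "medium", "safety": "medium"}


def tally(entries) -> Tuple[Dict[str, List[int]], Dict[str, Counter]]:
    """Collect numeric rating levels and trend votes per risk."""
    ratings: Dict[str, List[int]] = defaultdict(list)
    trends: Dict[str, Counter] = defaultdict(Counter)
    for _initials, risk, rating, trend in entries:
        if rating is not None:
            ratings[risk].append(RATING_LEVELS[rating])
        if trend is not None:
            trends[risk][trend] += 1
    return ratings, trends


def consensus_rating(levels: List[int]) -> Tuple[Optional[str], bool]:
    """Median level, rounded up when it falls between two levels (the conservative
    choice), plus a flag when the views span the whole scale."""
    if not levels:
        return None, False
    level = math.ceil(median(levels))
    divergent = (max(levels) - min(levels)) >= DIVERGENCE_SPREAD
    return LEVEL_NAMES[level], divergent


def consensus_trend(votes: Counter) -> Optional[str]:
    """Most common trend; 'mixed' when the top two trends tie."""
    if not votes:
        return None
    ranked = votes.most_common()
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return "mixed"
    return ranked[0][0]


def build_matrix(entries, prior: Dict[str, str]) -> List[Dict[str, object]]:
    """One row per risk for the profile matrix: previous rating, current rating,
    trend, number of ratings received, and whether views diverged widely."""
    ratings, trends = tally(entries)
    rows = []
    for risk in sorted(set(ratings) | set(trends) | set(prior)):
        current, divergent = consensus_rating(ratings.get(risk, []))
        previous = prior.get(risk)          # None: was not in the last profile
        rows.append({
            "risk": risk,
            "previous": previous,
            "current": current,
            "trend": consensus_trend(trends.get(risk, Counter())),
            "responses": len(ratings.get(risk, [])),
            "divergent": divergent,
            "changed": current is not None and previous is not None and current != previous,
        })
    return rows


if __name__ == "__main__":
    for row in build_matrix(ENTRIES, PRIOR_PROFILE):
        print(row)
```

A row with a low `responses` count or `divergent` set to true is the cue to go back to the individual risk sheets and the interview notes before the rating is changed in the profile; the number on its own is not evidence.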

Step 5: Draft the Top 10 Risk Profile

Once the interviews have been conducted and the results summarized, the risk manager is faced with deciding how best to communicate the profile. The following section provides some helpful principles to guide the crafting of the document and any related presentations.

Keep It Simple

When drafting the corporate risk profile, Hydro One follows some basic principles and best practices. First, the document is relatively simple and easy to understand. This goes back to the guiding principle of keeping ERM simple. Second, the document is a combination of descriptions and an easy-to-understand chart. One of its attractions is that it is written in plain lay English rather than legalese.

Key Foundational Elements

The document itself is divided into three parts. The first part focuses on foundational information such as the process followed, the number of interviews completed, the time frame for the assessment (e.g., three years forward), and the risks that have been removed from or added to the profile since the last one. The second part consists of a matrix (see Exhibit 11.5). This matrix lists the top risks, shows the current ratings, trends, and previous ratings for comparison, and references the risk descriptions on subsequent pages. The third part consists of a half-page narrative for each risk. Each narrative describes the sources of the risk, the business objectives impacted, and the mitigants in place or planned.


Exhibit 11.5 Risk Profile Matrix

Hydro One evaluates and describes risks as “residual risks,” in other words, after taking into account current and planned mitigating actions. It does not use the term “inherent risk” except in rare cases such as the weather.10

Tips to Consider When Crafting the Initial Draft

Great care should be given to crafting the initial profile as it may be the first such document seen by management or the board. Recognizing Hydro One’s experience in using the top 10 method, a number of guidelines and tips follow:

  • Assess the business context, the management style, the CEO’s known preferences and interests, and any sensitive areas and issues. This knowledge may help guide the writer of the profile as to how risks should be described in light of the circumstances and personalities involved.
  • “Take Baby Steps.” Describe the essence of the risks in a broad enough manner so readers can relate rather than having to dive into overly detailed descriptions that may not be as universal in understanding and application.
  • Use the corporate vernacular. Play back corporate terms and examples that will resonate and be easily understood by management and the board.
  • Portray the corporate risk profile in a palatable fashion. Practically speaking, the profile should be viewed as a reflection of management’s understanding of the key risks faced by the enterprise and the mitigants underway or planned to manage them. This is not to say that risks should be downplayed or sugar-coated. Rather they can be expressed as a realistic “roadmap” or opportunity for improvement. Trying to cover too much detail, or to be too stark in the initial depiction of risks, is likely to threaten not only future exercises in risk profiling, but the entire ERM process.
  • Capture and describe any widely divergent views of risk. Risk is often defined as uncertainty about future events. Therefore, where it is apparent that there is a wide divergence of views on the impact, probability, or adequacy of the mitigation of a risk, it is important to capture and describe this uncertainty in the profile. Avoid suggesting a level of precision about a rating or number that may not reflect reality: mathematical formulae produce exact numbers and therefore imply greater certainty than may be appropriate.
  • Refrain from using strict predefined categories or descriptions of risk. In practice risks evolve, get addressed, and often diminish either due to management’s mitigation strategies, changes in strategic objectives, or due to external factors. Hydro One’s risk descriptions are customized and continue to evolve, split, and regroup much like amoeba in a Petri dish. By opting to customize categories and descriptions, the profile is a more accurate reflection of the evolving environment. It does, however, require greater skill and knowledge of the business.

An Example of Hydro One’s Evolving Risk Categories

For illustrative purposes, we provide an example of how a risk at Hydro One evolved as did the related risk profile descriptions. Several years ago, Hydro One labeled a risk as “asset condition” to reflect the potential impact on its objectives in the event of asset failures. It became evident later on that there were fundamental distinguishing risk characteristics between its transmission assets and its distribution assets. As a result, Hydro One split this risk grouping and gave each type of asset its own risk category and rating. As the electricity generation and demand locations started to shift in the province of Ontario, Hydro One then split the transmission asset risk into two separate parts. This split currently reflects the risks due to those from the existing condition of these assets versus those associated with not having sufficient assets in the right physical locations to meet growing shifts in generation and demand. More recently, distributed generation (e.g., windmills) has mushroomed and will require a multimillion dollar upgrade of the distribution grid. This has resulted in a new risk category being formed. Exhibit 11.6 shows the evolution of the single initial risk category, asset condition, into four discrete risk categories.

Step 6: Review the Draft Risk Profile

Once the risk profile has been prepared or updated by the ERM group, it is then presented to a management committee. Refinements are made and, in some cases, additional research may be required to resolve any questions of fact that are noted. The management committee, led by the CEO, takes ownership of the profile (by accepting or approving it).

Exhibit 11.6 The Evolution of Asset Risks

Step 7: Communicate the Risk Profile with the Board or Board Committee

As mentioned earlier in the chapter, the primary purpose of the corporate risk profile is to share the key risks facing the organization with the board. The risk profile should therefore be shared with the full board at least annually. The profile should be presented to the board or a delegated board committee by the Chief Risk Officer or another member of senior management on behalf of the CEO and the management team. This is the practice at Hydro One. As part of good corporate governance, the board should also insist on viewing updated profiles on a periodic basis and request interim updates during a crisis.

A board subcommittee may also be charged as the designated forum for championing and monitoring ERM. Often it falls to the overburdened audit committee, but hopefully in the future more boards will appoint a specific risk committee to monitor ERM and ensure the oversight of all major risks. Such a committee would ideally be comprised of the chairs of all other board subcommittees.

The secondary purpose of the profile is to provide an important base for strategic planning. The profile reminds executive management and the board of the risks they currently face under the existing strategic plan. Thus, future deliberations as to changes in the board’s and management’s vision, and the undertaking of new initiatives and exploration of opportunities, can be framed in terms of how the existing risks might then be affected by new strategic directions.

Step 8: Track the Results

There are a number of ways in which the accuracy and usefulness of the corporate risk profile can be monitored. The most obvious is the passage of time. Are unforeseen risks manifested over time and are organizations surprised by a risk that was not identified, discussed, evaluated, and mitigated to the extent deemed appropriate by management and the board? Should a major previously unidentified risk surface after a risk profile was prepared, management and the board must review and understand how this happened. More to the point, what was missed in the process that allowed such a risk to go undetected or unreported?

Another way to monitor the usefulness of the corporate risk profile is to compare how money and resources are allocated relative to the top 10 risks identified. For instance, is the board presented with proposals to approve expenditures that do not align with the risk profile? If resources and management attention are not allocated according to the risk profile, the board should probe into whether the profile was inaccurate or why the need for additional resources was not thoroughly thought through.

CONCLUSION

In this chapter, we have seen how vital the corporate risk profile is to the overall ERM process. A distinction was drawn between a risk profile prepared for ERM as a practical management and governance tool and other types of risk profiles prepared for different purposes either within the organization or by others about the organization. Although there are varying levels of sophistication and effort that can be expended on preparing risk profiles, the chapter described a proven methodology that can be used by organizations getting started in ERM or those that are having difficulty implementing it. In essence, a corporate risk profile:

  • Helps to align the understanding of business objectives and related risks between the board, executive management, and line management.
  • Helps to ensure significant risks are understood in a structured and consistent framework.
  • Plays an integral part in strategic planning and resource allocation.
  • Assists in marketing the value of ERM by demonstrating how the process works and how it adds value.

ABOUT THE AUTHOR

John Fraser is the Vice President, Internal Audit & Chief Risk Officer of Hydro One Networks Inc., one of Canada’s largest electricity transmission and distribution companies. He is an Ontario and Canadian Chartered Accountant, a Fellow of the Association of Chartered Certified Accountants (UK), a Certified Internal Auditor, and a Certified Information Systems Auditor. He has more than 30 years’ experience in the risk and control field mostly in the financial services sector, including areas such as finance, fraud, derivatives, safety, environmental, computers, and operations. He is currently the Chair of the Advisory Committee of the Conference Board of Canada’s Strategic Risk Council, a Practitioner Associate Editor of the Journal of Applied Finance, and a past member of the Risk Management and Governance Board of the Canadian Institute of Chartered Accountants. He is a recognized authority on enterprise risk management and has co-authored three academic papers on ERM—published in the Journal of Applied Corporate Finance and the Journal of Applied Finance.