Video & Presentation: http://www.proformative.com/resources/video-presentation-taking-enterprise-risk-theoretical-practical Risk management has always been an integral part of business. But over the last two decades, a host of corporate scandals, security threats, recessions and a myriad of other crises have pushed risk management to the forefront of business strategy. Organizations are striving to manage and monitor risks more effectively, but many companies can?t seem to get beyond the theory and practically implement an effective ERM program. Join JetBlue Airways and Granite Consulting Group as they discuss practical ways of implementing ERM and how JetBlue evolved their risk program and created a strategically focused risk evaluation process setting the direction for future risk mitigation and operational improvement. Attendees will learn to go beyond linear "top 10" surveys and to incorporate practical and actionable strategies to implement an effective ERM program. Speakers: Michael Bechara, CPA, CRMA, Managing Director, Granite Consulting Group Inc. Luis Fernandes, CPA, Director of Corporate Audit, JetBlue Airways Presentation delivered at CFO Dimensions 2013 - http://www.cfodimensions.com Track: Governance, Risk, Compliance | Session: 4

1. 1© 2013
Crossing the Rubicon –
Taking Enterprise Risk from
Theoretical to Practical
Luis Fernandes Mike Bechara
jetBlue Airways Granite Consulting Grp.
Director of Internal Audit Managing Director

2. 2© 2013
Words of Wisdom
“In theory there is no difference between theory and
practice. In practice there is”

3. 3© 2013
Theory vs. Reality
Development has stagnated due to
misconceptions about implementation

4. 4© 2013
What We Will Learn Today
Reconcile theories
to realities
Tips & techniques
Ways to leverage
the ERM output

5. 5© 2013
ERM in Theory….(The COSO Definition)
1. Enterprise risk management is a process,
2. Effected by an entity’s board of directors, management
and other personnel,
3. Applied in strategy setting and across the enterprise
4. Designed to identify potential events that may affect the
entity,
5. Manage risk to be within its risk appetite,
6. Provide reasonable assurance regarding the achievement
of entity objectives.

6. 6© 2013
ERM in Reality….(Your Average Company)
1. Enterprise risk management is an opaque process,
2. Effected by Driven by the head of internal audit with updates to an
entity’s board of directors, management and other personnel,
3. Applied in Divorced from strategy setting and across the enterprise
corporate office based
4. Designed to identify potential events that may affect the entity,
with focus on what has already happened or one or two current
“hot” topics
5. Manage risk to be within its risk appetite (amorphous term)
6. Provide reasonable assurance regarding the achievement of entity
objectives which are often excluded from the discussion

7. 7© 2013
Theory 1: ERM is a Process
Misinterpretation
• If we have an ongoing process that’s good
enough!
• Because if we keep studying reports and
data ..that’s the same as actually
addressing the risks
Reality
• Risk assessment is a prophecy of the future
• You will never identify or predict all
risks….If you could you would be a
zillionaire!
• The tale of the Conservative Engineer
Tips & Techniques
• Facilitate the best assessment and
reevaluate periodically
• Build risk discussions into
business/financial reviews

8. 8© 2013
Theory 2: Effected by Mgt., Board & Others
Misinterpretation
• Divorcing risk from the business
• “Don’t call us we’ll call you!”
• This is a highly complex process that
is irrelevant for most people
Reality
• Risks are only relevant when viewed
through the prism of objectives
• We need to understand what we are
trying to achieve to identify what is
relevant
Tips & Techniques
• No one will understand the risks
better than those that face them
every day
• Evaluate your risks as they relate to
your company’s objectives

9. 9© 2013
Tips & Techniques: People
• Where does risk
information come from?
• Accounting Data
• Quality Data
• Industry Studies
• People

10. 10© 2013
Tips & Techniques: People
• Aren't they too subjective and unreliable?
• They face the risks everyday & understand them very well
• People have the ability to make predictions based on future
plans
• Historical data analysis assumes the future will look like the
past—things don’t happen the same way twice

11. 11© 2013
Theory 3: Applied in Strategy Setting
Misinterpretation
• Cataloging all risks
• False hope of “Total Information Awareness”
• A Risk Universe is only a start
Reality
• We are all adults here
• Bad things will happen and we wont care
about most of them
• Key is to focus on what matters
Tips & Techniques
• Use a top down business risk approach to
compliment the bottoms up risk universe
approach
• Concentrate on events that disrupt critical
goals & strategy

12. 12© 2013
Tips and Techniques: Use Multiple Analyses
A business risk approach compliments and strengthens the risk universe by linking
risks to objectives to present a more complete risk picture
Interview/survey
Management
Identify risks by functional area
Linearly rank risks by
likelihood and impact
Mitigate the top
vote getters
Understand company
objectives/strategy
Interview/survey
management
Use analytical tools to identify
the key risk patterns linked to
each objective
Mitigate the risks
associated with the top
objectives
BusinessRiskBased
RiskUniverse

13. 13© 2013
Theory 4: Events That May Affect the Entity
Misinterpretation
• We only have to assess one risk at a time
• The highest ranked risk is the most
“dangerous”
Reality
• Simple rankings are a start but are
inadequate by themselves
• Negative events are caused by multiple
risk factors
• Managing risk requires us to understand
the affect of individual risks manifesting
themselves simultaneously
Tips & Techniques
• How the risks interrelate to one another?
• How are risks influenced by priorities?
• Would certain risks combine to form and
ever greater threat?

14. 14© 2013
Tips & Techniques: Interrelated Risks
Lack of
Accounting
Experience
Poor
Communication
Excessive
Overtime
Aggressive
Marketing
Programs
System
Implementations

15. 15© 2013
Tips & Techniques: Interrelated Risks
Combination of:
1. Aggressive Marketing Programs
2. Excessive Overtime
3. Poor Communication
Lack of
Accounting
Experience
System
Implementations

16. 16© 2013
Theory 5: Manage Risk Within Appetite
Misinterpretation
• Risk is mitigated….Its Miller
time!
• Once we mitigate risks beyond a
certain level we’re done!
Reality
• Risks are like zombies..they rise
again if not monitored
• Mitigating risk is an ongoing
effort that takes time but pays
big dividends
Tips & Techniques
• Get internal Audit involved
• Monitor risks over time
• Just monitoring risks will have a
positive effect

17. 17© 2013
Tips & Strategies
Risk Monitoring Decisions
• When is a risk mitigated?
• How often do we check back?
• What should we check?

18. 18© 2013
Theory 6: Linked to Objectives
Misinterpretation
• The voting is over! Let’s mitigate the “Top
10 risks” and all will be well!
• Classic cart before the horse thinking
Reality
• Companies do not exist to manage risks they
exist to achieve objectives
• Would we come home and say, “Honey I
forgot to get the bread from the
supermarket…. but I didn’t into an accident!”
Tips & Techniques
• When allocating resources for mitigation
prioritize objectives…not risks
• Begin allocating resources towards the
mitigating the risks associated with the most
important objectives

19. 19© 2013
Before: The Traditional Analysis
A Major Airline
• Engaged in a typical risk assessment
process
• Identified 31 risks
• Ranked according to Likelihood,
Impact and Degree of Control
• Typical approach would be to
mitigate starting at the top
• Proceed as much as cost/benefit
dictates
• No links to business strategy or
objectives
• No related of risks to one another
to form risk patterns
Rank Risk Title Risk Description
1 Risk Description
2 Risk Description
3 Risk Description
4 Risk Description
5 Risk Description
6 Risk Description
7 Risk Description
8 Risk Description
9 Risk Description
10 Risk Description
11 Risk Description
12 Risk Description
13 Risk Description
14 Risk Description
15 Risk Description
16 Risk Description
17 Risk Description
18 Risk Description
19 Risk Description
20 Risk Description
21 Risk Description
22 Risk Description
23 Risk Description
24 Risk Description
25 Risk Description
26 Risk Description
27 Risk Description
28 Risk Description
29 Risk Description
30 Risk Description
31 Risk Description

20. 20© 2013
After: Business Based Analysis
Business Based Approach
• Surveyed the Executive
Team on their views of
company objectives and
risks
• Do you believe the
company will achieve
Objective 1
• How serious do you
believe each risk to be?
• Risks are linked to
business objectives
• Risks are grouped into the
risk patterns that are most
relevant for each objective

21. 21© 2013
After: Business Based Analysis
• Risks 21 and 23 were again
from the bottom of the list!
• A new risk that threaten this
objective was identified
through the survey process
• Objective was directly tied to
leadership

22. 22© 2013
What Uses Does the ERM Output Have?
Many, but here is one example……

23. 23© 2013
Practical Uses of ERM Data
External: Enhancing Enterprise Value

24. 24© 2013
How ERM Can Enhance Enterprise Value
Value
CFO
Influence
Your Company is constantly being
valued by investors, lenders,
rating agencies, acquisition
partners, etc.
Many say the CFO’s #1 job is to
guard and enhance enterprise
value
To do this we have to understand
how outsiders determine value
A quick walk down finance
memory lane……

25. 25© 2013
Three Valuation Approaches
Determination of Value
Asset
Market
Income

26. 26© 2013
Why is the ROR a Big Deal?
Low ROR
Equals
A High
Valuation
Determination of required rate of return is a key driver of enterprise value!
 Main driver of valuation is the rate
of return required by investors to
invest in your firm
 Aka: Discount rate

27. 27© 2013
How is the ROR Calculated?
• Common Methods of Calculating ROR
– Modified CAPM = Rf + B(RPm) + RPs + RPu
– Build Up Method = Rf + RPm+ RPs + Rpu
Risk Free Equity Premium Size Premium Company Premium
Rf RPm RPs RPu

28. 28© 2013
What Exactly Is RPu?
• What is RPu?
– The analyst’s judgment
regarding risks specific to
your company
– If he/she deems you risky
it will raise the ROR and
lower value
– Can also be negative
lowering ROR and raising
value
No objective source for RPu. It is subjective and based on analyst judgment

29. 29© 2013
How Does RPu Tie to ERM?
Company Risk
Premium
(ERM)
Management
Competition
Litigation
Customers
Suppliers
Strategy

30. 30© 2013
But How Do I Tell the ERM Story?
• Explain the present but focus
on the future!
• Explain how risks are being
managed & monitored
• Describe how objectives will be
achieved
• Ensure they understand that
ERM is a management tool not
a one time project
• Lengthy explanations of “history”
• Presenting risks outside the context
of objectives
• Indicating your risk program as
overly scientific or precise
• i.e. Risk A = 3.43256
• Lengthy discussions of survey
techniques or risk rating systems
• Specific terms like velocity, risk
appetite

31. 31© 2013
Recap: What We Learned
Theories vs. Realities in successfully implementing
an ERM program
No. Theory Practical Application
1 ERM is a process Build a good process and move
forward
2 Effected by the Board. Mgt. and
other personnel
Risks should be sourced from and
be a part of the business
3 Applied in strategy setting Risks to the Enterprise are not all
risks
4 Events that may affect the entity Risks combine to form patterns
5 Manage risk within appetite Appetite setting is not a one time
event
6 Linked to objectives Mitigate risks in the context of
objectives

32. 32© 2013
What We Learned
As a result
Enterprise Value
can increase
Managing Risks
down can
reduce the ROR

33. 33© 2013
Contact Information
Michael Bechara, CPA, CFE, CRMA
Managing Director
845.363.6610 Office • 845.282.3899 Cell • 845.230.8739 Fax
mbechara@consultgranite.com • www.consultgranite.com
Granite Consulting Group Inc.
1511 Route 22 , Suite 322 • Brewster, NY 10509

34. 34© 2013
Thank You!
Crossing the Rubicon – Taking Enterprise Risk
from Theoretical to Practical

35. 35© 2013
Thank You Sponsors!
PLATINUM
GOLD
SILVER
DIAMOND