
Enterprise Risk Mgmt.

Key Rules for the ERM Assessment

Response Strategies: Avoid, Reduce, Transfer, Accept

Gross Risk -> (Existing/Effective Measures & Controls) -> Net Risk -> (Planned Resp. Measures) -> Residual Risk

Gross Risk: Risk before any risk handling measures & controls
Net Risk: Risk taking into account effectiveness of existing controls and measures
Residual Risk: Remaining risk after planned measures have become effective

The ERM process always considers the Net Risk (after existing and already effective measures &
controls).

The assessment needs to be performed for the reporting unit (Division, Cluster or Cross-Sector).

The impact and likelihood have to be assessed over a period of three FY (current FY plus next two
FYs).

The assessment of the impact has to be performed quantitatively or qualitatively (whichever is highest).

The assessment should reflect the likelihood that the risk occurs with the previously defined
impact.
Page 2 CF RIC CRD
COSO Cube:

These 8 objectives help determine if your risk management process is effective!

Common US Objectives

Growth: Pursue targeted markets together
People: Develop U.S. leaders for Siemens
Reputation: Get the recognition we deserve
Cost/Service: Optimize infrastructure

"We are more powerful acting as a whole rather than a sum of the parts"

Appendix 2
ERM Categorization Model (1/1)

1. Strategic

1.1 Corporate Governance
  1.1.1 Board Performance
  1.1.2 Tone at the Top & Culture
  1.1.3 Accountability
  1.1.4 Leadership
  1.1.5 Limits of Authority
  1.1.6 Performance Incentives
  1.1.7 Change Readiness
1.2 Risk and Internal Control
  1.2.1 Risk and Opportunity Mgmt
  1.2.2 Control Environment (ICS/SOA)
1.3 Internal Audit
  1.3.1 Internal Audit Organization
  1.3.2 Int. Audit Process & Reporting
1.4 Corporate Sustainability
  1.4.1 Corporate Social Responsibility
  1.4.2 Corp. Environmental Responsibility
1.5 Strategy, Planning & Resource Allocation
  1.5.1 Strategic Planning
  1.5.2 Organizational Structure
  1.5.3 Outsourcing
  1.5.4 Capacity
  1.5.5 JV's / Alliances & Partnerships
  1.5.6 Special Purpose Entities
  1.5.7 Technology Foundation
  1.5.8 Performance Gap

2. Operations

2.1 Product Lifecycle Mgmt
  2.1.1 Research & Development
  2.1.2 Sales & Pricing
  2.1.3 Product Portfolio
2.2 Customer Relationship Mgmt
  2.2.1 Marketing Strategy
  2.2.2 Customer Satisfaction
  2.2.3 Channel Partner Relationships
  2.2.4 Aftermarket Sales
  2.2.5 Maintain Brand
2.3 Project Management
  2.3.1 Acquisition
  2.3.2 Bidding
  2.3.3 Negotiation
  2.3.4 Contract Management
  2.3.5 Execution
  2.3.6 Warranty
2.4 Supply Chain Mgmt
  2.4.1 Master Planning & Forecast
  2.4.2 Supplier Selection & Procurement
  2.4.3 Inventory
  2.4.4 Production
  2.4.5 Quality
  2.4.6 Time to Market (Const.)
  2.4.7 Transport & Logistics
  2.4.8 Distribution Channels

3. Financial

3.1 Treasury and Investment Management
  3.1.1 Interest Rate
  3.1.2 Foreign Currency
  3.1.3 Commodity
  3.1.4 Derivatives
  3.1.5 Hedging
  3.1.6 Cash Management/Cash Flow
  3.1.7 Funding & Capital Availability
  3.1.8 Credit & Collections
  3.1.9 Credit Collateral
  3.1.10 Investment Management
3.2 Accounting & Financial Reporting
  3.2.1 Accounting Information
  3.2.2 Financial Reporting Evaluation
  3.2.3 Revenue Recognition
  3.2.4 Closing, Consolidation and Financial Reporting
3.3 Controlling
  3.3.1 Budgeting & Forecasting
  3.3.2 Performance Measurement
3.4 Tax
  3.4.1 Tax Authorities
  3.4.2 Transfer Pricing
  3.4.3 Indirect Tax
3.5 Capital Structure
  3.5.1 Debt
  3.5.2 Equity

4. Compliance

4.1 Anti-Bribery and Anti-Corruption
  4.1.1 Anti-Bribery
  4.1.2 Anti-Corruption
  4.1.3 Ethics
4.2 Fraud
  4.2.1 Fraud by Internal Parties
  4.2.2 Fraud by External Parties
  4.2.3 Collusion between Internal/External Parties
4.3 Legal and Regulatory
  4.3.1 Illegal Acts
  4.3.2 Liability
  4.3.3 Intellectual Property
  4.3.4 Global Counterfeiting
  4.3.5 Industry Specific
  4.3.6 Trade
  4.3.7 Labor
  4.3.8 Special Product Requirements
  4.3.9 Data Protection
  4.3.10 International Dealings
  4.3.11 Securities
4.4 Anti-Trust
  4.4.1 Competitive Practices/Anti-Trust
  4.4.2 Competition Law
4.5 Export Control and Customs
  4.5.1 Export Control
  4.5.2 Customs



Appendix 2
ERM Categorization Model (2/2)

1. Strategic

1.6 Market Dynamics/External Factor
  1.6.1 Macro-Economic Factors
  1.6.2 Political Factors
  1.6.3 Competitor Behavior
  1.6.4 Customer / Lifestyle Trends
  1.6.5 Industry Specific Conditions
  1.6.6 Technology Innovation
  1.6.7 Socio-Demographic Factors
1.7 Major Initiatives
  1.7.1 Vision & Direction
  1.7.2 Planning & Execution
  1.7.3 Measurement & Monitoring
  1.7.4 Technology Implementation
1.8 Merger, Acquisition & Divesture
  1.8.1 Valuation & Pricing
  1.8.2 Due Diligence
  1.8.3 Execution
  1.8.4 Business Integration
1.9 Communication & Stakeholder Relations
  1.9.1 Media Relations
  1.9.2 Investor Relations
  1.9.3 Crisis Communication
  1.9.4 Internal Communication
1.10 Preventive Crisis Mgmt & Business Continuity
  1.10.1 Crisis Management
  1.10.2 Business Continuity
1.11 Quality Management
  1.11.1 Quality Standards
  1.11.2 Quality Development

2. Operations

2.5 Real Estate, Property, Plant and Facilities
  2.5.1 Real Estate
  2.5.2 Property Plant & Facilities
2.6 Human Resources
  2.6.1 Key Personnel
  2.6.2 Reward & Development
  2.6.3 Labor Relations
  2.6.4 Recruiting & Retention
  2.6.5 Succession Planning
  2.6.6 HR Management
2.7 Environment, Health and Safety
  2.7.1 Environmental Issues
  2.7.2 Health
  2.7.3 Safety
2.8 Information Technology
  2.8.1 IT Strategic Planning & Architecture
  2.8.2 IT Infrastructure
  2.8.3 IT Information Security
  2.8.4 IT Application Standards
  2.8.5 IT Sourcing

3. Financial

  3.5.3 Pension Funds
  3.5.4 Share-based Payments
3.6 Guarantees, Pensions, Insurance & Letters of Credit
  3.6.1 Guarantees
  3.6.2 Pension Management
  3.6.3 Insurance
  3.6.4 Letters of Credit

4. Compliance



Top-Down Risk and Opportunity Assessment
Food for Thought…



The most effective approach to identify risks & opportunities for organizations is to understand and plan for “foreseeable trends / surprises” that will occur, but not try to anticipate their timing (Daniel Sharp – Harvard “Why Resilience Now, 2010”)

Question / Discussion
What is a “black swan”?? How do you hunt them down – find them??
Draw on a heat map and discuss – per Daniel Spear material

Appendix 1
Risk Impact Scales – Cluster USA
Perspective (3 years)

Scale: 9 8 7 6 5 4 3 2 1
Category*: Major, Significant, Moderate, Minor, Marginal

Business Objectives
  Major: Business does not deliver on several or all key business objectives
  Significant: Business does not deliver on more than one key business objective
  Moderate: Business does not deliver on one key business objective
  Minor: Ability to deliver key business objectives impacted
  Marginal: No real impact on delivery of key business objectives

Media
  Major: Extensive / persistent national media coverage and international media coverage results in damage to the image and brand
  Significant: National media coverage and some international media coverage results in damage to the image and brand
  Moderate: Local media coverage and limited national coverage results in damage to the image and brand
  Minor: Limited local media coverage results in damage to the image and brand
  Marginal: No media coverage

Regulatory Bodies
  Major: Requires investigation by external authorities / regulatory bodies and / or costly legal actions
  Significant: Requires limited investigation by external authorities / regulatory bodies and / or legal action
  Moderate: Reported to external authorities / regulatory bodies and requires internal investigation
  Minor: Triggers internal investigation and review
  Marginal: Triggers limited internal investigation and review

Management Time
  Major: Extensive (> 20%) senior management time and attention needed to resolve
  Significant: Significant (10 – 20%) senior management time and attention needed to resolve
  Moderate: Moderate (5 - 10 %) senior management time and attention needed to resolve
  Minor: Some (< 5 %) senior management time and attention needed to resolve
  Marginal: No senior management intervention

Financial (pre-tax profit), by scale value
  9: > € 250m
  8: €175m - €250m
  7: €125m - €175m
  6: €100m - €125m
  5: € 75m - €100m
  4: € 50m - € 75m
  3: € 25m - € 50m
  2: € 10m - € 25m
  1: < € 10m

* Depending on the nature of the risk other qualitative perspectives may need to be taken into account.



Appendix 1
Opportunity Impact Scales – Cluster USA

Perspective (3 years)

Scale: 9 8 7 6 5 4 3 2 1
Category*: Major, Significant, Moderate, Minor, Marginal

Business Objectives
  Major: Opportunity supports the achievement / out-performance of several or all key business objectives
  Significant: Opportunity supports the achievement / out-performance of more than one key business objective
  Moderate: Opportunity supports the achievement / out-performance of one key business objective
  Minor: Opportunity has only a minor impact on meeting key business objectives
  Marginal: Opportunity has no real impact on meeting key business objectives

Financial (pre-tax profit), by scale value
  9: > € 250m
  8: €175m - €250m
  7: €125m - €175m
  6: €100m - €125m
  5: € 75m - €100m
  4: € 50m - € 75m
  3: € 25m - € 50m
  2: € 10m - € 25m
  1: < € 10m

* Depending on the nature of the opportunity other qualitative perspectives may need to be taken into account.



Appendix 1
Risk & Opportunity Likelihood Scales

Likelihood (3 years)

Category   Scale   Definition
Certain    9       ≥ 90% chance the event will occur
Certain    8       ≥ 80% chance the event will occur
Probable   7       ≥ 70% chance the event will occur
Probable   6       ≥ 60% chance the event will occur
Likely     5       ≥ 50% chance the event will occur
Likely     4       ≥ 40% chance the event will occur
Possible   3       ≥ 30% chance the event will occur
Possible   2       ≥ 20% chance the event will occur
Unlikely   1       < 20% chance the event will occur



DEMO ERM

Common Myths - How To Assess and Mitigate ERM Risks

Source: Information compiled and published by business advisory firm Corporate Executive Board

ERM Improvement Areas

Source: Information compiled and published by business advisory firm Corporate Executive Board Co.
Top-down Risk Appetite Approach
in linkage to the Business Objectives

Setting, Communicating and Achieving Business Objectives is an essential part of any company's Success

• Identify Enterprise Level Business Objectives clearly aligned with Strategy Planning

• Define / manage long and short-term key initiatives supporting each business objective

• Define Risk Appetite for each Enterprise Level Objective with Board Members and Senior Management. Define specific risk tolerances for the overall company and at all levels in the organization aligned with specific sub unit objectives.

• Provide a single page visual showing clear boundaries for Risk Appetite applicable for the company for each key business objective (summarized into no more than 7 company wide objectives). The risk appetite dashboard should be used whenever possible for all strategic planning and tactical execution decisions, assuring alignment with objectives and clear risk-based decision making for the company.

Linking Risk Appetite to company’s Strategic Objectives is
essential in creating an effective Risk Appetite Concept
[Spider Chart: Risk Appetite linked to Strategic Objectives. Axes: Top-line Growth, Profit, Compliance, Reputation, Operational Excellence; scale 1 to 5; plotted series: Risk Appetite]

Defining a risk appetite for each of these strategic objectives provides relevant information for decision making around each strategic priority.

Levels of Risk Appetite
“EXAMPLE ONLY”

Columns:
  Rating
  Risk Taking Philosophy
  Tolerance for Uncertainty: How willing is Siemens to accept uncertain outcomes?
  Choice: When faced with multiple options, how willing is Siemens to select an option that puts this objective at risk
  Trade-Off: How willing is Siemens to trade-off this objective against achievement of other objectives?

5-Open
  Risk Taking Philosophy: Will take justified risks
  Tolerance for Uncertainty: Fully anticipated
  Choice: Will choose option with highest return; accept possibility of failure
  Trade-Off: Willing

4-Flexible
  Risk Taking Philosophy: Will take strongly justified risks
  Tolerance for Uncertainty: Expect some
  Choice: Will choose to put at risk, but will manage the impact
  Trade-Off: Willing under certain conditions

3-Cautious
  Risk Taking Philosophy: Preference for safe delivery
  Tolerance for Uncertainty: Limited
  Choice: Will accept if limited, and heavily out-weighed by benefits
  Trade-Off: Prefer to avoid

2-Minimalist
  Risk Taking Philosophy: Extremely conservative
  Tolerance for Uncertainty: Low
  Choice: Will accept only if essential, and limited possibility/extent of failure
  Trade-Off: With extreme reluctance

1-Averse
  Risk Taking Philosophy: Avoidance of risk is a core objective
  Tolerance for Uncertainty: Extremely low
  Choice: Will select the lowest risk option, always
  Trade-Off: Never

Examples

Columns: Strategic Objective, Description, Risk Tolerance, Risk Appetite, Actual / Desired Risk Appetite Assessment

Top-line Growth
  Description: Siemens reaching the EUR 100 mio sales Milestone.
  Risk Tolerance: Siemens will only invest in core businesses consistent with identified mega trends (Energy, Sustainability,…).
  Risk Appetite: Achieving top-line profitable growth in all core business sectors is an important strategic objective, where Siemens is willing to assume risk and the possibility of failure
  Assessment: Actual Risk Appetite > Desired Risk Appetite (We took too much risk in this area last year and lost margin???)

Profit
  Description: According to Peter Loescher's announcement, Siemens is targeting a profit margin of 12 %.
  Risk Tolerance: Siemens will only invest in companies or projects with an expected profit margin of 12% or higher
  Risk Appetite: Siemens will only invest in companies or projects where the profit margin is above 12% and the probability of not making or exceeding the 12% margin target
  Assessment: Actual Risk Appetite < Desired Risk Appetite

Compliance
  Description: Siemens has Zero tolerance for regulatory compliance violations.
  Risk Tolerance: Siemens has Zero tolerance for regulatory compliance violations
  Risk Appetite: The guidance for compliance related topics is zero tolerance.
  Assessment: Actual Risk Appetite = Desired Risk Appetite

Reputation
  Description: Build our Reputation worldwide. Brand Siemens as an innovative, sustainable company of choice.
  Risk Tolerance: Siemens will not take any actions which could result in corporate, cluster or country level exposure to protracted negative external media coverage
  Risk Appetite: Siemens will accept only limited risk in investments or programs impacting brand and only if limited, and heavily out-weighed by benefits
  Assessment: Actual Risk Appetite > Desired Risk Appetite

Operational Excellence
  Description: Streamline Supply Chain (Indirect materials & Global Value Sourcing). Implement Finance Bundling. Siemens 2014, cost reduction and saving of EUR 6 billion by 2014.
  Risk Tolerance: Siemens will accept no risks that individually or in aggregate threaten the achievement of the required Siemens 2014 targeted EUR 6 billion savings.
  Risk Appetite: Opportunities or actions promising to exceed the Siemens 2014 targeted EUR 6 billion savings will be accepted if limited, and heavily out-weighed by benefits
  Assessment: Actual Risk Appetite > Desired Risk Appetite

Reasons for the implementation Concept at

1. Risk appetite optimizes business performance by reducing uncertainty in the achievement of strategic objectives and enabling risk-taking only where value exists.

2. Risk appetite achieves external stakeholder expectations by limiting excessive risk taking and triggering communication with key stakeholders and day-to-day decision makers.

3. Risk appetite allocates risk management resources and drives awareness of risk in the corporate culture.

4. A well-documented risk appetite provides clarity and norms around the organization’s risk posture and ensures consistency in risk decisions.

http://www.executiveboard.com/risk-management-blog/four-tips-for-a-healthy-risk-appetite/?utm_source=InsightDaily&utm_medium=email&utm_campaign=risc-06.4.2013

How to implement a Risk Appetite Concept
Practical and Actionable

• Linking the organization’s strategic objectives is the key to create an effective risk appetite approach

• Starting with a manageable set of common strategic objectives (never more than 7) providing a clear statement of direction for all of Siemens. These strategic objectives transcend business diversity.

• Gradually build on objectives' initial successes

• Continuous improvement and integration of other strategic objectives

• Consideration of Tradeoffs (no isolated view on risks)

• Building consensus (Usage of consistent metrics)

http://www.executiveboard.com/risk-management-blog/four-tips-for-a-healthy-risk-appetite/?utm_source=InsightDaily&utm_medium=email&utm_campaign=risc-06.4.2013

Model 1: Westinghouse
Steps and Involvement
Step 1: Establish Three-Year goals
  Who is involved? CEO, Strategy, Senior Leadership
  Output: Strategy cascade document that includes financial goals, safety goals, etc. For example:
    ■ Achieve earnings growth of X% per year.
    ■ Become industry leader in safety, etc

Step 2: Determine In-Year Objectives (for the current fiscal year)
  Who is involved? Senior Leadership, Strategy, BU Leaders
  Output: Business unit level strategic deployment plan that supports the enterprise plan. For example:
    ■ Plan to grow revenue of business in Europe by Y%.

Step 3: Identify activities in support of In-Year Objectives
  Who is involved? BU Leaders, ERM
  Output: Business plans that are informed by risk assessment information. For example:
    ■ Create operational plan to transform (or exit) Europe activities.
  ERM's Role: ERM conducts risk workshops to pressure test operational plans against risks.

Step 4: Select Key Risk Indicators for Each Objective
  Who is involved? BU Leaders, ERM
  Output: Key risk indicators and monitoring plans that support achieving strategic goals. For example:
    ■ Electricity demand in Europe
    ■ Political climate in Europe
  ERM's Role: ERM partners with business units to create KRIs and a monitoring plan that will help them achieve operational goals.

Model 1: Westinghouse

https://www.risc.executiveboard.com/Members/Popup/Download.aspx?cid=101213569&utm_campaign=RISC-ACHOUDHARY-05.28.2013-M-W-NL-PDCT-All-All-All-BL-NL-WNL&utm_medium=email&utm_source=Eloqua&scAuth=true

Model 2: Toronto Hydro

https://www.risc.executiveboard.com/Members/ResearchAndTools/Abstract.aspx?cid=101213567&fs=1&q=Toronto+Hydro&program=&ds=1

3 different scenarios have already been considered during the planning process

Toronto Hydro attributes its business success to the integration of ERM into the planning process

Q&A
Open Session for Discussion / Q&A
