2. Risk Management Defined
Enterprise risk management deals with risks and opportunities that affect value creation or preservation.
Risks are both opportunities and threats.
Risks exist at the:
- Strategic / corporate level
- Portfolio level
- Project level
- Operational level
Copyright 2009 Esposito Consulting Group
3. Enterprise Risk Management
Management must strike an optimal balance between growth goals and related risks.
An effective framework seeks to:
- Align risk appetite and strategy
- Enhance risk response decisions
- Reduce operational surprises and losses
- Identify and manage cross-department risks
- Seize offered opportunities
- Improve capital deployment
4.
5. Risk Management Standard Application
[Process diagram: Communicate and Consult; Identify; Evaluate; Treat; Define; Analyze; Monitor and review]
6. Example
Root Cause: Broken Shoelace
Risk: Trip & Fall
Consequence: Broken Wrist
Downstream Effect: Medical Bills
It is important to delineate what is the root cause and what is the risk. The broken shoelace is not the risk – that is the root cause. The risk is the adverse outcome (i.e. huge, unexpected medical bills).
7. Measuring risk impact
Risk is measured in two ways:
- Probability – the evaluated likelihood of a particular threat or opportunity actually occurring
- Impact – the evaluated effect or result of a particular risk actually happening
The resultant risk score is used to build the risk table.
8. Standard Risk Table
Modeled upon AS/NZ 4360 Standard
9. Addressing Risk – Four Approaches
- Reject – The “head-in-the-sand” approach. Not recommended.
- Accept – Risk is within organization appetite. Risk accepted “as is”.
- Transfer – A third-party assumes some or all of the risk (example – insurance).
- Mitigate – Take action to address areas outside acceptable limits.
10. Assigning Ownership
Once risks have been identified and scored, an owner must be assigned.
All risks are entered into a Risk Register – a description of the risk; its score; its mitigation action; its assigned owner; and its expected completion date.
11. Continuous Monitoring
Establish standard metrics – key performance indicators (KPIs) and key risk indicators (KRIs).
- KPIs measure progress toward goal.
- KRIs measure how risky an activity is – the possibility of future adverse impact.
12. Contact Us
Esposito Consulting Group
303 Third Street, Suite 206
Cambridge, MA 02142
p: 619.301.9708 | f: 617.812.0477
e: MicheleEspositoECG@gmail.com
Turning challenges into opportunities