A Top Down & Bottom Up Strategic Approach to ERM Marcus Evans 5th Annual ERM Conference Jennifer McCallister March 20, 2012
Speaker Overview • Kentucky native • Over 12 years of business experience spanning multiple functions including sales support, operations, finance, compensation, and internal auditing • Over nine years of health care industry knowledge and experience • Subject matter expert on risk identification, risk assessment and mitigation, and process maturity to leaders across the organization • Bachelor of Science degree in Business Administration from the University of Louisville • Master of Business Administration degree from Sullivan University • Certification in Risk Management Assurance (CRMA) through the Institute of Internal Auditors
Humana - Company Overview Humana is a leading health care company that offers a wide range of insurance products and health and wellness services that incorporate an integrated approach to lifelong well-being. • Headquartered in Louisville, Kentucky • One of the nation’s largest publicly traded health and supplemental benefits companies • Ranked 79th on Fortune’s list of largest corporations • 2011 revenues of approximately $36.8 billion • Approximately 12 million medical members, 7.9 million specialty members • Operates several hundred health centers and worksite clinics nationwide
Internal Audit Consulting Group • 70+ Associates, with all backgrounds and specialties • Strategic, Financial, Operational and Compliance Reviews • ERM Program, PMM, GRC system & facilitate the Operating Committee • Alumni throughout the enterprise
Session Agenda • ERM Program Benefits & Deliverables • Current Program Overview • Program Overview • Risk Framework • Program Cadence • Top Down Approach • Bottom Up Approach • Maturing the Program • Quantification & Sensitivity Analysis • Education to the Masses - Risk 101 • Embed Risk Ambassadors
Program Benefits & Deliverables Final Deliverable: Report with risks identified by the business, analysis of risks, and mitigation strategies to optimize the risks.
What is Enterprise Risk Management (ERM)? • Process applied in strategy setting across the organization • Designed to identify potential risks and manage those risks within the organization’s risk appetite • Considers threats, opportunities, and uncertainties that may impact the organization’s strategic and financial objectives • Guides leaders in decision making regarding appropriate mitigation strategies toward all risks – as opposed to those that are obvious/pressing at the time
Overview of Humana’s Risk Assessment Program Annual Strategy Sessions Annual Audit Planning Risks Identified by ERMC ERMC & AC Discussions Quarterly Filings Risks Identified by the Business Risks Identified by Internal Audit Annual 10K Filing Annual Budget Planning Functional Area Leadership Discussions Executive & Operating Committee Risk & Strategy Discussions Segment Leadership Discussions
A Top Down/Bottom Up Approach to ERM • Oversight by the Audit Committee of the Board which by its own charter and NYSE rules is accountable for discussing Humana policies with respect to risk assessment and risk management • Full Board reviews risk factors in connection with annual Form 10-K filing • Enterprise Risk Management Committee was initiated by the Chief Executive Officer and members include senior leadership • Structured Risk Discussions with Functional & Segment Leaders are held to synchronize Risk Tolerance; identify most significant risks for discussion with ERMC and complements annual strategic initiative process • Process Facilitated by Internal Audit which utilizes Internal Audit’s independent and objective business and risk knowledge; complements audit’s engagement planning process and Audit Committee expectations Top Down Bottom Up Understanding the risk factors leads to making the right decisions.
Enterprise Risk Report Out Elements • Risk Definition: • Risk Appetite Objectives: • Risk Owner: • Are current mitigation efforts adequate to manage the risks within the risk appetite? Yes/No? • Risk Velocity: High/Moderate/Low • Risk Optimization Target: 1/2/3/4/5 • Related Initiatives/Ground Taken • Internal Audit Validation/Opinion
Risk Optimization Options Risk Optimization: The determination of the appropriate level of mitigation and monitoring necessary to manage the risk within the risk appetite of the organization. • Unmanaged: Awareness of the risk is absent or the risk is not being addressed. • Ad Hoc: Mitigation of the risk is sporadic and not tied to a shared risk appetite. • Qualitative Validation: Management of the risk is underway and tied to a shared risk appetite vision. Validation of mitigation efforts by independent party. • Quantitative Validation: Data is available and used to explain the risk appetite which has been reviewed with senior management and the Board. • Best Practice: The risk appetite is quantitatively developed and includes a scenario and sensitivity analysis.
Risk Velocity Options Risk Velocity How quickly a risk can create a material loss or missed opportunity. • High Risk Velocity • The risk can materially impact the organization within a matter of hours or days in such a manner as management has little time or ability to react to the risk in the absence of preplanned, deliberate mitigation efforts. There is limited ability to see the event before its impact is felt. • Moderate Risk Velocity • The risk can be identified before its impact is felt, but mitigation efforts generally must be already underway and understood in order to limit the impact of the risk. • Low Risk Velocity • While the risk may have a material impact to the organization, the development of the risk event materializes over time allowing for contingency plans and actions to be put into place after the risk event is understood.
Bottom Up Approach ERM Workshop Methodology Performed at the business process, segment, or product level
ERM Workshop Phases • Phase 1: Leader Introduction & Buy-In • Support from the top is essential to the success of ERM workshops • VP level discussion to obtain buy-in
ERM Workshop Phases • Phase 2: Leader Risk Discussion • VP’s perspective on risks impacting the specific business area or segment • Understand the business segment’s strategy and objectives and brainstorm major risks
ERM Workshop Phases • Phase 3: Education & Survey • Educational materials are used to introduce key concepts • Risk survey distributed to solicit input from Segment Management on risk & culture
ERM Workshop Phases • Phase 4: Workshop • Confirm risk statements • Vote on Impact/How Well Managed • Prioritize Risks
Workshop Ranking and Prioritization • Rating Voting • Participants rate each risk statement on two dimensions: • How impactful is the risk • How well do we currently manage the risk • Once complete, all risks will be plotted on a heat map • Ranking Voting • Participants are presented with two risk statements and are asked to choose which is the greater risk • At the end of the exercise, a list of prioritized risks will be generated
Risk Ranking & Prioritization Impact Factors IMPACT FACTOR RANGE High-Medium-Low
Risk Ranking & Prioritization Mitigation Consideration MITIGATION FACTOR RANGE WELL MANAGED – SOMEWHAT MANAGED – NOT MANAGED
ERM Workshop Phases • Phase 5: Final Deliverable • Report to the business leaders outlining the identified risks • Prioritized risks are plotted on a heat map to visually display voting results • Mitigation activities are outlined for each of the risks identified
Workshop Trending
Quantitative Analysis • Core Value Drivers • Risks to the Value Drivers • Sensitivity of those Risks • Quantitative values may be applied to risks when using qualitative analysis. (Impact & Probability) • Numerical techniques for decision analysis are used for a more mature quantitative analysis approach. These techniques include Monte Carlo analysis, PERT, computer simulations, and sensitivity analysis. • Care should always be taken, as a good quantitative technique with bad data is worse than not using the technique at all. • Elaborate statistical models and simulations can impress people into making the wrong decision based on excellent analysis of bad data. • The cost of applying the technique and collecting the data can sometimes be more than the cost of the risks the technique helps to quantify.
Risk 101 • Risk 101 training - understand what “risk” is – and why everyone needs to have it, how to identify risks in a variety of ways, and most important, how to effectively manage risk • Embedded Ambassadors – “tone at the top” as well as ambassadors of benefits received at the process level (education to process owners) • Annual Ethics Training – basic education on ERM is communicated across the enterprise • Risk is Everyone’s Responsibility!
Questions and Contact Info. Jennifer McCallister, MBA, CRMA Consulting Leader | Internal Audit Consulting Group Humana 101 S. 5th St., Ste. 900 | Louisville, KY, 40202 T 502.580.4234 F 502.508.4234 firstname.lastname@example.org Humana.com