
Risk Management

May 26, 2011

Bates Richmond, Director of Risk Management, Texas Instruments
JT Fisher, CFO, Austin Industries
Jeff Fritts, SVP, Willis Group

Moderator: Todd Hickerson

Risk Management Overview


Risk Planning
Enterprise Risk Management Mapping Risk

Risk Mitigation
Financing Risk Control Operational Separation Segregation Avoidance Contractual

Loss Mitigation
Claims Management Secondary Impact Management

The Cost of Risk Process

Feedback to Risk Planning

Risk Management Why?

Stuff Happens!

What Is Risk Management?


Speculative
- Positive and Negative Outcomes
- Typically Uninsurable
- Sometimes Hedged

Pure
- Negative Outcomes (almost always)
- Often Insurable
- Not Hedged

ERM

Management of risks that can take your company down

COSO Risk Cube

ERM Components: Corporate Tone: philosophy, integrity and ethics Risk Strategy, risk appetite & risk tolerance Entity Units: Differentiates risk and opportunities Potential events might impact objectives Evaluates cost/benefit of potential risk responses

Policies & Procedures


- Communicates pertinent information that allows people to carry out their responsibilities
- Ongoing monitoring and separate evaluations

Who Does Risk Management


Highly Interdisciplinary
- Chief Risk Officer/Risk Management/ER Manager
- Operations
- Supply Chain Management
- HR
- Finance
- Legal

Across Entities
- Holding Co., Subsidiaries, Stakeholders

Cultural Aspect
- everyone can contribute

The Risk Management Process


Identify Risks - Enterprise Risks
- Operational Risks

Review Effectiveness
- Periodically - Internal Audit

Strategic Planning Initiatives - Identify Risks

Assess Risks
- Identify - Evaluate - Prioritize

Monitor Risk - Name risk owners


- Risk owners monitor and report on risk

Implement Risk Mitigation Strategy

Define Risk Mitigation Strategy


- Avoid - Reduce - Share - Accept

Role of US Corporate Boards [1]

- Evolving legal developments make robust ERM oversight prudent
- Revised NYSE listing standards require risk assessment and risk management policies
- SEC endorses COSO 1992 Internal Control - Integrated Framework to manage financial risk
- Rating Agencies more attuned to company's ERM system
- Increasing number of directors acknowledge they must oversee business risk as part of strategy setting role

[1] The Conference Board 2006 Report R-1390-06-RR

Mercer's Grouping of Causes


The implied causes behind the stock drops were grouped into four different areas: hazard, financial, operational, and strategic risks.

HAZARD
- Lawsuits: Lawsuits that are not related to accounting practices
- Natural Disaster: Act of God and other natural phenomena

FINANCIAL
- Foreign Macro-economic: Changes in foreign interest rates and/or currency exchange rates which affect a company's earnings
- High input commodity price: Significant increase in commodity price of a major input causing an earnings decrease
- Interest rate fluctuation: Changes in interest rates negatively affect company's earnings

OPERATIONAL
- Accounting irregularities: Misrepresentation of financial statements and/or fraud
- Cost overruns: Higher than expected overhead or other operating costs, extraordinary charges, and/or heavy investment
- Ineffective Management: Poor operating decisions made by executives within the company leading to an earnings shortfall
- Supply chain issues: Problems with the inventory and delivery systems leading to revenue shortfalls or cost overruns

STRATEGIC
- Competitive pressure: Loss of revenue due to pricing and/or volume pressures from competitors
- Customer demand shortfall: Lower than expected industry-wide demand from customers
- Customer pricing pressure: Strong customers negotiate price discounts
- Loss of key customer: Loss or major reduction of business from key customers
- Misaligned Products/Channels: Product selection/design does not meet customer requirements
- M&A integration problems: M&A activities viewed unsound by investors; cost savings and/or synergies from M&A not achieved
- Regulatory problems: Regulatory changes affect long-term earnings potential
- R&D Delays: Problems with research and development
- Supplier Problems: Suppliers oppose company's strategy

Heat Map/Risk Map


[Figure: heat map / risk map. Impact axis: Insignificant, Minor, Moderate, Major, Catastrophic. Probability axis: Remote, Unlikely, Possible, Likely, Almost Certain.]

Responses to Risk Categories


One company initially defined Risk Categories:

HIGH
Declaration under SEC Form 8K required and likely warrants immediate calls to key stakeholders, an immediate press release and comments to reassure media and stakeholders that Management is aware of the situation and is taking appropriate action. Key stakeholders include analysts, investors, key business partners, employees, etc.

MEDIUM
Declaration under SEC Form 8K required and likely merits a press statement to be available to reporters upon request and possible calls to key stakeholders.

LOW
Below SEC Form 8K filing requirement, but may merit a press statement to be available to reporters and key stakeholders upon request.

ERM Definitions
COSO (2004)
Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Enterprise Risk Management (ERM)


What is ERM, and what is it NOT?
- ERM is: Managing the risks that can kill your company
- ERM isn't: Managing all the sundry risks encountered in operating your business

The amount of E risks already within your business describes your E-risk tolerance
- What is the smallest $ size of risk event that could cripple or kill your organization?
- How many risks of that size or larger already exist in your business today?
- a (sizes of those) x b (number of those) = your real risk tolerance

Enterprise Risk Management (ERM)


How can an organization really benefit from ERM beyond checking the box?
- Clearly define the E risks
- Get buy-in on definition from management & board
- Inventory those within your business today
- Utilize multiple sets of eyes looking for potential new E-risks on the horizon
- Have a clear process for how/where to bring those to management's attention
- Define go/no go criteria & management's responsibilities for reviewing, disposing, and periodically reporting to the board
- Do it

Examples

Risk Mitigation (Pre-Loss)


Financing
- Insurance
- Hedge (currency, commodity)
- Captive/Self-Funding
- Buy-Outs

Risk Control
- Supply Chain Management
- Safety

Avoidance
- Outsourcing
- Divestiture
- Product or Service Limitations
- Distribution Partners

Customer/Business Diversification
Trading (commodity, currency)

Training
Emergency/Contingency Planning

Risk Mitigation (Pre-Loss)


Physical Protection
- Separation of Exposure Units
- Segregation of Exposure Units
- Interdependency Management

Contractual
- Transfer to contract counterparties (other than insurers)
- Generally risk carried by party controlling the risk
- Can be carried by party most capable to withstand the risk

Risk Control (Post-Loss)


Direct Loss
- Emergency Response
- Business Continuity Management

Indirect Loss
- Brand Protection/Management
- Litigation Prevention
- Interdependency Management

Feedback to RM Process-Identification
Identify Risks - Enterprise Risks
- Operational Risks

Review Effectiveness
- Periodically - Internal Audit

Strategic Planning Initiatives - Identify Risks

Assess Risks
- Identify - Evaluate - Prioritize

Monitor Risk - Name risk owners


- Risk owners monitor and report on risk

Implement Risk Mitigation Strategy

Define Risk Mitigation Strategy


- Avoid - Reduce - Share - Accept
