Enterprise Risk Management in the Telecom Italia Group
Trieste, March 14, 2013 · BILATERAL FORUM ANRA – SI.RISK

Telecom Italia - AFC.Risk Management · Paolo Rubini


Enterprise Risk Management in Telecom Italia

► Foreword

► What is ERM

► ERM Output

► The Interview

► Instruments for Risk Evaluation


Now, in the midst of the “Great Recession”, many of us still have unanswered questions about how we arrived at our current state. The overall result is that a big magnifying lens has been put on companies, questioning their governance. Much has been done in terms of establishing rules (SOX, 231, etc.), but above all the stakeholders started wondering whether companies were well aware of their risks and how they were organized for analyzing, measuring and treating them.


ERM Definition

► Enterprise risk management (ERM) is the framework and process aimed at minimizing the effects of risk on the strategic goals of the organization, with the consequential impact on capital and earnings.

► The ERM process is based on management’s self-assessment of the risk profile, considering the potential impact on strategic objectives from the perspective of the effectiveness of internal processes.

► ERM allows:

    ► To spread risk awareness and culture through the Company

    ► To collect and communicate to the CEO, in a common language, all the information concerning risks arising throughout the Company.


ERM Framework in Telecom Italia

► ERM Framework identifies and defines:

► Mission

► Risk Architecture:

► Roles

► Responsibilities

► Communication/Risk Reporting

► Risk self-assessment

► Risk Identification

► Risk Valuation

► Risk Target (To Be)

► Risk Protocols

► Procedure

► Guideline

[Organization chart: bodies and their role in risk management]

► Board of Directors: Internal Control Policy

► Executive Directors: Risk Governance

► Group Risk Management Committee (chaired by CFO): coordinates and monitors Risks except Compliance ones

► Group Compliance Officer: coordinates and monitors Compliance Risks

► Risk Management function (responding to CFO): supports the RM Committee and Functions/Directions

► TI Functions/Directions: manage the Risks

► Subsidiary Referent: interface between Subsidiary and Holding RM function

► Subsidiary Func./Direc.: manage the Risks

Other labels in the chart: Internal Control and Corporate Governance Committee; Vice President; Internal Control; Board of Auditors; Information.



ERM Process

The ERM process is a cycle made of four main phases:

► Analysis; Valuation; Treatment; Reporting.

[Process diagram. Phase labels: ANALYSIS, EVALUATION, TREATMENT, REPORTING, plus a Feedback label. Steps shown: Analysis Planning; Interview and Risk Analysis; Risk Valuation; Gap Analysis & Risk Maturity Index; Risk Assignment; Action Plan; Treatment and Verification; Risk Reporting.]

The main activities of those phases can be summarised as:

► Risk mapping with the definition of the Corporate Risk Profile (CRP)

► Focus on the most relevant risks: identification of TOP risks

► Activities on TOP risks:

    ► GAP Analysis

    ► Action Plan presentation

► Reporting activity concerning the results obtained in the previous steps.


ERM OUTPUT

► The ERM process makes it possible to define:

    ► Corporate Risk Profile

    ► RM Process Maturity Level

    ► GAP Analysis

    ► Risk Treatment

[Figures: thumbnails of the outputs: the heat chart of the TOP risk portfolio (probability against impact), the maturity level of the TOP risk portfolio by component (Basic, Mature, Advanced), and the Action Plan sheet of a sample risk with its Action Plan and KRI sections. Two of the panels are labelled “Top Risks only”.]


ERM Corporate Risk Profile (CRP)

The preparatory information necessary to obtain the Corporate risk profile is:

► Company’s strategic objectives

► Company’s process structure

► Instruments for Risk Valuations:

► Parameters to measure Impact (see Annex 2 impact evaluation model)

► Parameters to define probability of an event to occur (see Annex 3 probability evaluation model);

► Source of risks (see Annex 1)

► A questionnaire to interview the management in order to get cause-risk-consequence descriptions, valuation and the indication of the risk owner for each risk.

The Corporate Risk Profile is the company risk portfolio; the CRP identifies all risks by impact and probability.

Heat Chart

[Heat chart: risks, identified by codes such as MK2, AC2, HR3 and ND05, plotted on a 5 × 5 grid.]

► Probability (vertical axis): 1 Not Probable; 2 Not Likely Probable; 3 Likely Probable; 4 Probable; 5 Highly Probable

► Impact (horizontal axis): 1 Negligible; 2 Marginal; 3 Significative; 4 Remarkable; 5 Catastrophic

For each risk detected by the management during the interview, a Risk Register is filled in, with all the information about description and valuation.

The combination of all Risk Registers constitutes the Corporate Risk Profile. Among all risks, attention is focused on the most critical TOP Risks.


ERM Risk Process Maturity Level – GAP Analysis

On Top Risks only, each Risk Owner is requested to self-assess the level of maturity of his risk management process, defining the Risk Maturity Index (RMI). The RMI measures the gap with respect to a standard defined by international best practices and is the result of an elaboration (weighted average) based on the answers to questions on five main topics:

► Risk Governance: evaluates the approach in defining roles and responsibilities in the process of risk management.

► Risk Assessment: evaluates the procedures of identification, classification and valuation of risk.

► Risk Quantification & Aggregation: evaluates the method of quantification and consolidation/aggregation of the company’s risks.

► Risk Monitoring & Reporting: evaluates the activities of monitoring, reporting and assurance.

► Risk & Control Optimization: evaluates how information on risks and on controls is used to improve performance.

[Bar chart: Top Risk Portfolio: Maturity Level by Component. Scale 0% to 100%, with bands Basic, Mature, Advanced. Bars, in the order listed: TOP Risk Portfolio, Risk Governance, Risk Assessment, Risk Quantification, Risk Monitoring, Risk & Control Optimization. Values, in the order listed: 57%, 64%, 63%, 48%, 53%, 54%.]


ERM Risk Treatment

The steps to implement the Action Plan on a Top Risk are:

► Define the “Rating to be”: the expected results of the mitigation actions;

► Organize the team work

► Define the actions necessary to mitigate the risk

► Define the weight of each action

► Define the deadline for each action

► Define the Key Risk Indicators (KRI) to monitor the risk level

► Each quarter the risk owner updates the results of the action plan, giving the percentage of implementation for each action and the KRI.

Risk Treatment identifies, for each TOP risk, the activities to select and implement in accordance with the objective of reducing the risks within the acceptable limit, testing its effectiveness compared to the expected results.

[Figure: Action Plan sheet for a sample risk (11-A29, “Rischio Prova”, i.e. test risk). Header: cause, consequence, owner, focal point, observation year, update date, and Impact / Probability / Rating values 5 / 4 / 20 and 4 / 3 / 12 (“To Be”). Action Plan section: for each action, description, weight %, costs (K€), FTE (#), time (months), start date, and quarterly (IQ to IVQ) and YTD progress against theoretical progress, with an overall progress figure. KRI section: for each indicator, type, description, weight %, threshold values, constraint, and quarterly and YTD values with a status (OK, KO, Not valid).]


The phase of the interview: Interviewer & Objective

The Interviewer

The interview is led by members of the AFC Department, as methodological support.

Interview Objective

The objective of the interview is to identify and value those risks that could potentially prevent the interviewed process owner from achieving the assigned objectives. The overall risks detected throughout the Company constitute the Corporate Risk Profile.


Risk Identification

[Diagram labels: Risk Sources; Risk Description; Risk Map]

► Risks: detection and description

► Causes: detection and description

► Consequences: detection and description


Risk Valuation

[Diagram labels: PROBABILITY Valuation; IMPACT Valuation; Risk Valuation; RATING (Impact × Probability)]

Each risk detected has to be valued.

The risk measure represents a judgement given by the person interviewed, and it is worked out as the combination of:

► The Probability that the event occurs: minimum 1 (Not Probable), maximum 5 (Highly Probable);

► The Impact that the event could generate: minimum 1 (Negligible), maximum 5 (Catastrophic).


Instruments for Risk Evaluation: sources of risk

The Source of Risk is the element that, alone or in combination with others, has the intrinsic potential to originate risks (ISO 31000).

External Sources of Risks

Competitor, Customer Requirements, Macroeconomics, Financial Markets, Industry, Questions of Law, Natural Disaster, Public Relations, Normative, Social Political, Technological Innovations, Terrorism, Electromagnetic Fields

Internal Sources of Risks

► Strategic: influence the level of success of the company strategies of higher importance. Ex.: Structure, resources allocation, strategic alliances, Capex, Business Model, Portfolio

► Financial: influence company liquidity and debt structure. Ex.: Liquidity

► Operational: generate losses deriving from malfunction in: Ethics; Technology; Human Capital; Reporting Process


Instruments for Risk Evaluation: Impact Evaluation Modeling

CATEGORY DESCRIPTION

► NEGLIGIBLE: Insignificant impact on the organization. The impact can be absorbed through the ordinary activities.

► MARGINAL: Only impact within the organization. The impact can be absorbed, but requires an effort from management to minimize it.

► SIGNIFICATIVE: Significant impact on business. Could hit customers. The impact is worrying and requires additional effort from management.

► REMARKABLE: Considerable impact on business. Substantial damage to the ability to serve the customer. The impact is critical and requires extra effort from management.

► CATASTROPHIC: Probably the company could not survive. The impact is disastrous and could lead to potential collapse.

CATEGORY (rows of the model)

► EBITDA - CAPEX

► Market Share (Fixed & BB market)

► Market Share (Mobile Market)

► Customer Satisfaction Index (CSI)

► Service Interruption for large-scale

► Security Systems

► Regulatory & Compliance

► Image/Reputation

► Human resources

► Health & Safety


Instruments for Risk Evaluation: Probability Evaluation Modeling

Categories and Factors

► Highly Probable: >75% likelihood, or the event occurred in the recent months, or the event is likely to happen in the following months

► Probable: <75% likelihood, or the event occurred in the last 12 months, or the event is likely to happen in the next 12 months

► Likely Probable: <50% likelihood, or the event occurred in the past 3 years, or the event is likely to happen in the next 3 years

► Not Likely Probable: <25% likelihood, or the event occurred in the past 5 years, or the event is likely to happen in the next 5 years

► Not Probable: <1% likelihood, or the event never occurred in the past or it occurred once in 10 years, or the event is not likely to happen in the future