enterprise risk management in the telecom italia group · telecom italia – afc.risk management 5...
TRANSCRIPT
Trieste, March 14, 2013BILATERAL FORUM ANRA – SI.RISK
Telecom Italia - AFC.Risk ManagementPaolo Rubini
Enterprise Risk Management in the Telecom Italia Group
Telecom Italia - AFC.Risk ManagementPaolo Rubini
Enterprise Risk Management in Telecom Italia► Foreword
► What is ERM
► ERM Output
► The Interview
► Instruments for Risk Evaluation
Telecom Italia - AFC Risk Management 3
Now in the midst of “Great Recession” many of us still haveunanswered questions about how we arrived at our currentstate. The overall result is that a big magnifying lens hasbeen put on Companies questioning about their governance.Most has been done in terms of establishing rules (SOX,231, etc…) but mostly, the stakeholders started wonderingif the Companies were well aware about their risks and howthey were organized analyzing, measuring, treating them.
Telecom Italia - AFC.Risk ManagementPaolo Rubini
Enterprise Risk Management in Telecom Italia► Foreword
► What is ERM
► ERM Output
► The Interview
► Instruments for Risk Evaluation
Telecom Italia – AFC.Risk Management 5
ERM Definition
► Enterprise risk management (ERM) is the framework and process finalized tominimize the effects of risk on the strategic goals in the organization, withthe consequential impact on capital and earnings.
► ERM Process is based on management’s risk profile self-assessment,considering potential impact on strategic objectives in a perspective ofinternal processes’s effectiveness.
► ERM allows:
► To spread through the Company risk awareness and culture
► To collect and to communicate in a common language to the CEO all theinformation concerning risks arising throughout the Company.
Telecom Italia – AFI.Risk Management 6
ERM Framework in Telecom Italia► ERM Framework identifies and defines:
► Mission
► Risk Architecture:
► Roles
► Responsibilities
► Communication/Risk Reporting
► Risk self-assessment
► Risk Identification
► Risk Valuation
► Risk Target (To Be)
► Risk Protocols
► Procedure
► GuidelineTI Functions/Directions
Manage the Risks
Subsidiary ReferentInterface between Subsidiary
and Holding RM function
Risk Management function(responding to CFO)
Supports the RM Committeeand Functions/Directions
Subsidiary Func./Direc.Manage the Risks
Group Risk Management Committee(chaired by CFO)
Coordinates and monitors Risks exceptCompliance ones
Executive DirectorsRisk Governance
Board of DirectorsInternal Control Policy
Group Compliance OfficerCoordinates and monitors
Compliance Risks
Internal Controland Corporate
Governance Committee
Vice President
Information
Internal Control
Board of Auditors
Information
TI Functions/DirectionsManage the Risks
Subsidiary ReferentInterface between Subsidiary
and Holding RM function
Risk Management function(responding to CFO)
Supports the RM Committeeand Functions/Directions
Subsidiary Func./Direc.Manage the Risks
Group Risk Management Committee(chaired by CFO)
Coordinates and monitors Risks exceptCompliance ones
Executive DirectorsRisk Governance
Board of DirectorsInternal Control Policy
Group Compliance OfficerCoordinates and monitors
Compliance Risks
Internal Controland Corporate
Governance Committee
Vice President
Information
Internal Control
Board of Auditors
Information
Telecom Italia – AFC.Risk Management 7
ERM Process
INTERVIEW AND RISK ANALYSIS
ANALYSIS PLANNING
GAP ANALYSIS &RISK MATURITY
INDEX
RISK VALUATION
The ERM process is a cycle made of four main phases:► Analysis; Valuation; Treatment; Reporting.
RISK ASSIGNMENTACTION PLAN
TREATMENT AND VERIFICATION
ANALYSIS EVALUATION TREATMENT
RISKREPORTING
REPORTING
Feedback
The main activities of those phases can be summarised in:►Risk mapping with the definition of Corporate Risk Profile (CRP)►Focus on most relevant risks: identification of TOP risks►Activities on TOP risks:
► GAP Analysis► Action Plan presentation
►Reporting activity concerning the results obtained in the previous steps.
Telecom Italia - AFC.Risk ManagementPaolo Rubini
Enterprise Risk Management in Telecom Italia► Foreword
► What is ERM
► ERM Output
► The Interview
► Instruments for Risk Evaluation
Telecom Italia – AFI.Risk Management 9
ERM OUTPUT
► ERM process allows to define:
Corporate Risk Profile
RM Process Maturity Level
GAPAnalysis
Risk Treatment
Molto Probabile
Probabile
Possibile
Raro
ImprobabileTrascurabuile Contenuto Significativo Rilevante Catastrofico
MK2AC2
HR3AC1 ND02
AR1 HR1HR4
SBD1MK1
SBD2
HR2 MK4
ND08
ND07 ND06
MK3AR2ND03
ND05
58%
64%
64%
48%
55%
56%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Portafoglio Rischi TOP
Risk Governance
Risk Assessment
Risk Quantification
Risk Monitoring
Risk & Control Optimization
Livello di Maturità del Portafoglio Rischi TOPper Componente
Base Maturo Avanzato
Top Risks only
Top Risks only 11‐A29 Rischio Prova Impatto Probabilità Rating IQIIQIII IVQ
31303031/12/2011
5 4 20
4 3 12OwnerFocal P.
impatto GdLcluster
Sezione Action PlanIQ IIQ IIIQ IVQ YTD # # # # # # # # # #
CAI 24% 49% 75% 100%
20% 2.000 2 12 gen‐11 15% 45% 65% 95% 95%CAI 10% 40% 70% 100%
inserire CAI 30% 150 5 10 mar‐11 12% 40% 65% 100% 100%CAI ‐101% ‐26% 49% 100%
inserire CAI 50% 500 9 4 ago‐11 0% 5% 15% 60% 60%
100% 2.650 16 ‐43% 9% 61% 100%
79%
141 2 3 4 5 6 8 9 10 12 15 16 20 25
Sezione KRIIQ IIQ IIIQ IVQ YTD
1 On‐Off 40% >= 60% 0% 0% 50% 55% 65% 70% 70%
2 On‐Off 40% >= 40% 0% 0% 20% 25% 25% 30% 30%
3 On‐Off 20% >= 20% 0% 0% 40% 40% 50% 45% 45%
On‐Off 100% >= 60% 0% 0%
Action Plan ‐ 11‐A29:
causaPeriodo di rilevazione
Rischio Prova
Causa Prova 23/01/12Corrente
2011Anno di osservazione
Data Aggiornamento
Avanzamento Overall
Peso %
Azione 1
costi K€Descrizione Azione FTE (#)tempi (mesi)
Item
Avanzamento teorico Rating
Tipo Indicatore
Descrizione IndicatoreValore Soglia
VincoloValore Soglia II
InizioItem PdI
1
Note
2
3
Azione 2
60%
Valore Soglia III
% di avanzamento e Stato
Avanzamento NON Valido
OK
Non valido
Non valido
IVQ
avanzamento
Somma dei Pesi <> 100%
KRI ‐ Customer Base MOBILE
Peso %
Indicatore 3
Indicatore 1
Indicatore 2
Non valido
Stato
OK
KO
OK Non valido
Azione 3
To Be
Strategia
conseg. Conseguenza provaMR. BrownCFO
RMI 93% AvanzatoMr. ‐ Green; Mr. White
Market Share
Telecom Italia – AFI.Risk Management 10
ERM Corporate Risk Profile (CRP)
The preparatory information necessary to obtain the Corporate risk profile is:
► Company’s strategic objectives
► Company’s process structure
► Instruments for Risk Valuations:
► Parameters to measure Impact (see Annex 2 impact evaluation model)
► Parameters to define probability of an event to occur (see Annex 3 probability evaluation model);
► Source of risks (see Annex 1)
► A questionnaire to interview the management in order to get cause-risk-consequence descriptions, valuation and the indication of the risk owner for each risk.
The Corporate Risk Profile is the company risk portfolio; CRP identifies all risks byimpact and probability.
5Highly
Probable
4 Probable
3Likely
Probable
2Not Likely Probable
1Not
ProbableNeglegible Marginal Significative Remarkable Catastrophic
1 2 3 4 5
MK2AC2
HR3AC1 ND02
AR1 HR1HR4
SBD1MK1
SBD2
HR2 MK4
ND08
ND07 ND06
MK3AR2ND03
ND05
Impact
Prob
abili
ty
The combination of all Risk Registers constitutes theCorporate Risk Profile. Among all risks attention is focusedon most critical TOP Risks.
Heat Chart
For each risk detected by the management during theinterview, a Risk Register is filled, with all the informationabout description and valuation.
Telecom Italia – AFI.Risk Management 11
ERM Risk Process Maturity Level – GAP Analysis On Top Risks only, each Risk Owner is requested to self-assess the level of maturityof his risk management process, defining the Risk Maturity Index (RMI).The RMI measures the gap with respect to a standard defined by international bestpractices and is the results of an elaboration (weighted average) based on theanswers to questions on five main topics:
► Risk Governance: evaluates the approach indefining roles and responsibilities in the process ofrisk management;
► Risk Assessment: evaluates the procedures ofidentification, classification and valuation of risk.
► Risk Quantification & Aggregation: evaluatesthe method of quantification and consolidation/aggregation of the company ‘s risks.
► Risk Monitoring & Reporting: evaluates theactivities of monitoring, reporting and assurance.
► Risk & Control Optimization: evaluates howinformation on risks and on controls is used toimprove performance.
57%
64%
63%
48%
53%
54%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
TOP Risk Portfolio
Risk Governance
Risk Assessment
Risk Quantification
Risk Monitoring
Risk & Control Optimization
Top Risk Portfolio:Maturity Level by Component
Basic Mature Advanced
Telecom Italia – AFI.Risk Management 12
ERM Risk Treatment
The steps to implement the Action Plan on a Top Risk are:
► Define of the “Rating to be”: the expected results of the mitigation actions;
► Organize the team work
► Define the action necessary to mitigate the risk
► Define the weight of each action
► Define the deadline for each action
► Define the Key Risk Indicators (KRI) to monitor the risk level
► On each quarter the risk owner updates the results of the action plan, giving the percentage of implementation for each action and the KRI.
Risk Treatment identifies, for each TOP risk, the activities to select andimplement in accordance with the objective of reducing the risks within theacceptable limit, testing its effectiveness compared to the expected results.
11‐A29 Rischio Prova Impatto Probabilità Rating IQIIQIII IVQ31303031/12/2011
5 4 20
4 3 12OwnerFocal P.
impatto GdLcluster
Sezione Action PlanIQ IIQ IIIQ IVQ YTD # # # # # # # # # #
CAI 24% 49% 75% 100%
20% 2.000 2 12 gen‐11 15% 45% 65% 95% 95%CAI 10% 40% 70% 100%
inserire CAI 30% 150 5 10 mar‐11 12% 40% 65% 100% 100%CAI ‐101% ‐26% 49% 100%
inserire CAI 50% 500 9 4 ago‐11 0% 5% 15% 60% 60%
100% 2.650 16 ‐43% 9% 61% 100%
79%
141 2 3 4 5 6 8 9 10 12 15 16 20 25
Sezione KRIIQ IIQ IIIQ IVQ YTD
1 On‐Off 40% >= 60% 0% 0% 50% 55% 65% 70% 70%
2 On‐Off 40% >= 40% 0% 0% 20% 25% 25% 30% 30%
3 On‐Off 20% >= 20% 0% 0% 40% 40% 50% 45% 45%
On‐Off 100% >= 60% 0% 0%
Action Plan ‐ 11‐A29:
causaPeriodo di rilevazione
Rischio Prova
Causa Prova 23/01/12Corrente
2011Anno di osservazione
Data Aggiornamento
Avanzamento Overall
Peso %
Azione 1
costi K€Descrizione Azione FTE (#)tempi (mesi)
Item
Avanzamento teorico Rating
Tipo Indicatore
Descrizione IndicatoreValore Soglia
VincoloValore Soglia II
InizioItem PdI
1
Note
2
3
Azione 2
60%
Valore Soglia III
% di avanzamento e Stato
Avanzamento NON Valido
OK
Non valido
Non valido
IVQ
avanzamento
Somma dei Pesi <> 100%
KRI ‐ Customer Base MOBILE
Peso %
Indicatore 3
Indicatore 1
Indicatore 2
Non valido
Stato
OK
KO
OK Non valido
Azione 3
To Be
Strategia
conseg. Conseguenza provaMR. BrownCFO
RMI 93% AvanzatoMr. ‐ Green; Mr. White
Market Share
Telecom Italia - AFC.Risk ManagementPaolo Rubini
Enterprise Risk Management in Telecom Italia► Foreword
► What is ERM
► ERM Output
► The Interview
► Instruments for Risk Evaluation
Telecom Italia – AFI.Risk Management 14
The Interviewer
The phase of the interview: Interviewer & Objective
The Interview is leaded by the components of the AFCDepartment as methodological support.
Interview Objective
The objective of the interview is to identify and valuatethose risks that potentially can prevent the interviewedprocess owner from achieving the assigned objectives.The overall Risks detected throughout the Companyconstitutes the Corporate Risk Profile
Telecom Italia – AFI.Risk Management 15
Risk Sources
RiskDescription
Risk Identification
Risk Map
RisksDetection and
description
CausesDetection and
description
ConsequencesDetection and
description
Telecom Italia – AFI.Risk Management 16
PROBABILITYValuation
RiskValuation
IMPACTValuation
Risk Valuation
RATING(Impact X Probability)
Each Risk Detected has to be valued.
Risk measure represents a judge given by the person interviewed and it is worked out asthe combination between:
The Probability that the Event occurs: minimum 1 (Not Probable) max 5 (Highly Probable);
The Impact: that the Event could generate: minimum 1 (Negligible) max 5 (Catastrophic).
Telecom Italia - AFC.Risk ManagementPaolo Rubini
Enterprise Risk Management in Telecom Italia► Foreword
► What is ERM
► ERM Output
► The Interview
► Instruments for Risk Evaluation
Telecom Italia – AFC.Risk Management 181818
The Source of Risk is the element that alone or in combination with others, has the intrinsic potential to originate risks (ISO 31000)
External Sources of Risks
FinancialStrategicOperational
Ethics
Technology
HumanCapital
ReportingProcess
Generate losses deriving from malfunction in:
Influence company liquidity and debt
structure
Influence the level of success of the
company strategies of higher
importance
Internal Sources of Risks.
Instruments for Risk Evaluation: sources of risk
Competitor, Customer Requirements, Macroeconomics, Financial Markets, Industry, Questions of Law, Natural Disaster, PublicRelations, Normative, Social Political, Technological Innovations, Terrorism, Electromagnetic Fields
Ex . Structure, resources allocation, strategic alliances, Capex, Business Model, Portfolio
Ex. Liquidity
Telecom Italia – AFC.Risk Management 1919
Instruments for Risk Evaluation: Impact Evaluation Modeling
NEGLIGIBLE MARGINAL SIGNIFICATIVE REMARKABLE CATASTROPHIC
CATEGORYDESCRIPTION
Insignificant impact on theorganization. The impact canbe absorved throught theordinary activities.
Only impact within theorganization. The impact can beabsorbed, but requires an effortfrom management to minimizeit.
Significant impact onbusiness. Could hit customers.The impact is worring andrequires additional effort frommanagement.
Cosiderable impact onbusiness. Substantial damageon the ability to serve thecustomer. The impact iscritical and requires extraeffort from manangement.
Probably the company couldnot survive. The impact isdisastrous and could lead topotential collapse.
EBITDA - CAPEX
Market Share (Fixed & BB market)Market Share (Mobile Market)Customer Satisfaction Index (CSI)Service Interruption for large-scale
PAR
A
Security Sistems
Regulatory & Compliance
Image/Reputation
Human resources
Health & Safety
CATEGORY
Telecom Italia – AFC.Risk Management 2020
Instruments for Risk Evaluation: Probability Evaluation Modeling
Categories Factors
Highly Probable >75% likelihood, or the event occured in the recent months, or the event is likely to happen in the following months
Probable <75% likelihood, orthe event occured in the last 12 months, orthe event is likely to happen in the next 12 months
Likely Probable <50% likelihood or the event occurred in the past 3 years, or the event is likely to happen in the next 3 years
Not likelyProbable
<25% likelihood, or the event occurred in the past 5 years , orthe event is likely to happen in the next 5 years
Not Probable <1% likelihood, or the event never occurred in the past or it occurred once in 10 years, or the event is not likely to happen in the future