The Monitor and Review Step – Focus of AOL's ERM
As mentioned, the monitor and review step is focused on the effective implementation of AOL's ERM Framework. Once the investment has been made, AOL seeks to work with management to adopt and integrate AOL's ERM Framework quickly.
To that effect, AOL has instituted a number of key measures to ensure not only that ERM is implemented quickly and effectively, but in addition, it seeks to have the ERM framework adopted by the business for the long term. The key measures put in place to ensure those results are achieved include:
• A risk key performance indicator (KPI) (with an estimated weight of 10 percent tied to the compensation package) is assigned to the business heads of each investment to ensure that they are vigilant in managing their risks and implementing the necessary mitigation strategies.
• Risk management performance is monitored on a quarterly basis, after which a report card is developed outlining the areas of compliance and areas where gaps have been identified (i.e., the proportion of their risk management actions that are on target).
• Results are consolidated on an annual basis for review by the Remuneration Committee of the board of directors.
• To further inculcate the ERM culture, an "Introduction to ERM" course has been included as part of the core syllabus for induction training.
AOL is sufficiently experienced at implementing ERM that it typically rolls out its Framework using 60 person-days of its own ERM Team over a three- to four-month period. However, as mentioned earlier, the plan can only materialize if there is full support from the board and audit committee of the investee company, and there is management commitment to ensuring the program meets its objectives.
Shortly after AOL has completed the investment, AOL's ERM Team identifies two or three persons from the investee company who will be trained into AOL's ERM approach and brought on board as soon as the implementation project starts. We will collectively refer to them as the Joint ERM Team (JET). The overall ERM implementation process is illustrated in Exhibit 35.6. It will culminate in the investee company having an up-to-date risk profile consisting of a risk map, a risk register, and details for each risk identified (causes, treatments, controls, action plans, and steps required to complete each action plan).
This process is performed in three steps: Planning, Rollout, and Sustainability.
At the Planning step, the JET starts the stakeholder management activity, first engaging with the investee company's senior management team (SMT) to explain the process, reach mutual understanding, and obtain buy-in. A risk champion is determined among the SMT members. This senior executive will be the sponsor of the ERM implementation process. A Risk Committee, which also constitutes the ERM steering committee during the implementation stage, is also formed. It will include the CFO, other senior executives, and their direct reports.
Then, the implementation project plan is devised, including its scope, time line, the project team membership, and delegation structure (number "1" in Exhibit 35.6).
As mentioned earlier, the Rollout step is performed in three phases over the aforementioned three- to four-month period, using most of the 60 person-days of AOL's ERM Team.
Phase I uses approximately 30 person-days of AOL's ERM Team and starts with awareness training sessions. The JET enters into the information gathering activity (number "2" in Exhibit 35.6), organizing the first risk workshop with the SMT. This part of Phase I uses a top-down approach. The JET members discuss the industry and business challenges of the company with the SMT. The workshop will produce a laundry list of risks, and they ask the SMT, as an initial assessment, to rank them simply, using their best judgment, as low, medium, or high.
Exhibit 35.6 Typical ERM Implementation Process for Operating Entities
This is then followed by the interviews stage. They may interview up to one-third of the organization (for example, 100 out of a total of 300 employees) from the bottom up. Based on the company's objectives, they ask participants what their objectives and targets are, what may impede them from meeting their objectives (these become their risks), their causes, and the risk treatments and/or controls that are already in place. The JET also uses the high-level risk list from the SMT workshop to prompt and facilitate discussions if necessary. The AOL ERM Team calls this the Level 1, or ground level, risk identification. At this level, risks are neither screened nor validated (they are not yet what they call "sanitized").
Then, the JET interviews Level 2 managers, who are the direct supervisors of Level 1 interviewees. As with the previous stage, they perform first a zero-based risk identification discussion with Level 2 managers. This is followed by discussions on the list of risks and causes as identified during the Level 1 analysis/results. The JET looks for agreements and disagreements and tries to balance them out.
Based on Level 1 and Level 2 results, the JET "sanitizes" the risks and causes, which means that they regroup some risks and eliminate others that seem out of place based on the JET's business judgment and experience in risk management. They then bring the "sanitized" and prioritized risk list to the company's SMT. At this point, the risk register consists only of a one-dimensional rating (low, medium, or high), together with the causes of the risks and the treatments and controls in place.
This is the end of Phase I, and the AOL ERM Team gives the investee company a period to consider, analyze, and think about both the top-down risk list and the bottom-up one, before starting Phase II.
Phase II uses approximately 20 person-days of AOL's ERM Team. Combining the top-down and bottom-up results, the JET typically finds that 75 percent of the risks are common and 25 percent may be different. The JET and SMT reconcile them through what AOL calls a "dispute/validation" workshop. The investee company's risk register is then agreed to. Next, the JET asks the SMT to assign, among themselves, a risk owner for each of the identified risks.
Depending on the nature and size of the business, there may be between 10 and 20 risks for each investee company. Those risks are managed by the investee company, and AOL has oversight of the process. The JET and SMT use the overall rating of low, medium, and high to determine the company's top 10 risks.
The JET then commences the risk profile development activity (number "3" in Exhibit 35.6). The team members discuss each risk with its owner individually. During the meeting, they address the risk's causes, its probability of occurrence, and the impact (or "consequence" in ISO 31000 terminology) if it materializes, taking into consideration the existing risk treatments and controls already in place as the case may be. To identify the root causes of the risk, the team drills down to a reasonable depth. This process requires judgment and experience. As an indication, they may go as far back as three years in terms of data history, but not much more, as they find that drilling further down tends to bring diminishing returns compared to the expense and effort involved. The JET and risk owner also look at the strength of each of the controls in place, asking themselves: "Is it sufficient or not?" In other words, they use a binary decision method. If the JET and risk owner find that control is lacking, the JET works with the risk owner to determine what should be done and to establish action plans to treat the risk accordingly. This is the end of Phase II.
The JET populates the risk profile, including the risk map, and sends it back to the risk owners together with their action plans. Following the end of this phase, the JET and risk owners enter a two-week period of follow-up and challenges. The JET encourages risk owners to think outside the box while also considering the costs of their existing treatments, controls, and key action plans.
Phase III uses approximately 10 person-days of AOL's ERM Team. This phase starts with a third SMT risk workshop. The company's risk profile, including the risk map and the key risk action plans, is reviewed collectively and challenged. Again, this is a validation workshop. The validation process allows the SMT, for instance, to ensure that one action plan does not duplicate or contradict another action plan or an existing treatment and/or control. Once the key risk action plans have been validated by the SMT, the JET meets again with risk owners individually to revise those action plans and reassess their cost/benefit analyses as required. The JET returns to the SMT with the risk map and action plans, including their cost/benefit analyses. The SMT provides final validation of the risk profile, including the risk map, action plans, costs or budgets needed, and the time line to implement the action plans.
Finally, the Sustainability step is performed on a continuous basis (number "4" in Exhibit 35.6). It consists of monitoring the risk profile of the investee company and reporting it to the board (see Exhibit 35.7).
Exhibit 35.7 Reporting and Monitoring Structure
The risk owners selected by the investee company will then implement key action plans by project-managing the deliverables. The action plans are broken down into key action steps and target dates for completion. The ERM Framework (see Exhibit 35.8) is handed over to the local ERM Team, which consists of the local members of the JET and must include at least two persons who have been trained by AOL's ERM Team.
The Vice President of Enterprise Risk Management (VPERM) of AOL's ERM Team serves as a liaison between the operating company's ERM Team and the SMT to ensure that everyone is on the same page in understanding what is expected in terms of risk management. AOL's VPERM undertakes reviews with the investee company (and all other companies in the portfolio) every six months by meeting and discussing with the CEO, the SMT, and the local ERM team, to monitor the risk management process at a high level.
In between those reviews, there are monthly meetings and a comprehensive formal quarterly review by a representative of AOL's ERM Team, the local ERM team, and the risk owners to monitor the execution of the action plans, revisions required for the risk profile, and reporting on risks.
Once action plans for a risk have been completed, they become treatments or controls. The ERM team monitors the effectiveness of these controls, and whether they are working effectively contributes to establishing the risk's trend in ranking – stable, up, or down – as part of the regular reporting process.
Emerging risks are also considered regularly. Once a key emerging risk has been identified and considered significant, an assessment process similar to the rollout described earlier, including phases I, II, and III, is performed for that risk.
Exhibit 35.8 AOL's Risk Management Process