1、HKK 8/8/20221Nokia Mikko RouttiMikko RouttiDirector,Risk ManagementNokia CorporationRisk ManagementHKK 8/8/20222Nokia Mikko RouttiMain Themes of Presentationlscope of presentation:business risk(widely)lour philosophy about risk managementlwhere we are today on the journey of ERMlhow to do this in ou
2、r organisationlbalance between practical,value-based and analytical,fact-based thinkinglwhat kind of methods and tools we use(e.g)lhow do we and others communicate about thisHKK 8/8/20223Nokia Mikko Routti It is one thing to set up a mathematical model that appears to explain everything.But when we
3、face the struggle of daily life,of constant trial and error,the abiguity of the facts as well as the power of the human heartbeat can obliterate the model in short order.Peter L.Bernstein:Against the GodsPeter L.Bernstein:Against the Gods-The Remarkable story of Risk-The Remarkable story of RiskHKK
4、8/8/20224Nokia Mikko Routti“We are not just adding all of these risks together.We are creating a probabilistic view of how much capital is actually necessary.”-Rick Buy,Chief Risk Officer,Enron“We review how good it can get,we review how bad it can get,and every place in between.”-Rick Causey,EVP an
5、d Chief Accounting Officer,Enron HKK 8/8/20225Nokia Mikko RouttiWhat does risk appetite mean in practice?Are we focusing on opportunity?Is there a clear view of the appetite for risk?Is there balance in risks and rewards?(i.e.high risks vs low rewards)Where should most of managements effort be direc
6、ted?A Generic Business Risk ContinuumOpportunityUncertaintyHazardCompliance And PreventionOperating PerformanceStrategic InitiativesKey Questions to Consider.EnvironmentHealth&safetySupply chainSoftwareProduct creationHKK 8/8/20226Nokia Mikko RouttiE Ex xt te er rn na al l l l y y d dr ri i v ve en
7、nF Fi i n na an nc ci i a al l R Ri i s sk k S So ou ur rc ce es sH Ha az za ar rd d R Ri i s sk k S So ou ur rc ce es sS St tr ra at te eg gi i c c R Ri i s sk k S So ou ur rc ce es sO Op pe er ra at ti i o on na al l R Ri i s sk k S So ou ur rc ce es sCurrency/forei gnexchangeI nterest ratesCredi
8、tCom m odi ty pri cesCounterparti esLi qui di ty and cash fl owI I n nt te er rn na al l l l y y d dr ri i v ve en nCustom er dem andCustom er/i ndustrychangesCom peti ti vePressureI ntel l ectual capi talResearch&devel opm entM ergers&Acqui si ti onsContractsGeneral Publ i cEm pl oyeesConsum ersPro
9、perti esProducts andServi cesNatural eventsVendors andSuppl i ersProcess Control sI nform ati on system sRegul ati onsAccounti ng/control sSuppl y chai nTal ent Acqui si ti onTal ent M angem entBoardCom posi ti onRISK UNIVERSEHKK 8/8/20227Nokia Mikko Routti15 NOKI A FI LENAM s.PPT/DATE/NN2 2 0 00 01
10、 11 19 99 99 91 19 99 97 71 19 99 95 51Loss of Reputati on Busi ness I nterrupti onFi reFi re2Fai l ure to ChangePhysi calBusi ness I nterrupti onEm pl oyersLi abi l i ty3Busi ness I nterrupti onProduct Li abi l i tyEm pol yee Ri sksHeal th&Safety4Product Li abi l i tyReputati onEnvi ronm entalBusi
11、ness I nterrupti on5Com puter Cri m eGeneral Li abi l i ti esCom puter Cri m eProduct Li abi l i ty6General Li abi l i tyEm pl oyee Ri sksProduct Li abi l i ty,Tam per,Brand Protecti onEnvi ronm ental7Physi cal Dam ageProfessi onal I ndem ni tyOther Cri m e,Fraud,TheftFl ood8Em pl oyee Recrui tm ent
12、/Retenti onCom puter Cri m eTerrori smTerrori sm9D&O Li abi l i ti esPol i ti cal Ri skD&O Li abi l i ti esProfessi onal I ndem ni ty10Em pl oyee Acci dentsOther Cri m eProfessi onal I ndem ni tyOther Cri m e,Fraud,TheftW W h ha at t a ar re e t th he e T To op p 1 10 0 g gr re ea at te es st t r ri
13、 i s sk ks s f fa ac ci i n ng g y yo ou ur r o or rg ga an ni i s sa at ti i o on n?W W h ha at t a ar re e t th he e T To op p 1 10 0 g gr re ea at te es st t r ri i s sk ks s f fa ac ci i n ng g y yo ou ur r o or rg ga an ni i s sa at ti i o on n?AON Biennial Risk Management and Risk Financing Su
14、rveyHKK 8/8/20228Nokia Mikko RouttiHow does risk manifest itself?Fortune 1000 Group AnalysisOne hundred(10%)of the Fortune 1000 companies suffered a loss of over 25%of shareholder value within one month2412764211111776321000510152025Cost OverrunsAccounting irregularitiesManagement ineffective-nessSu
15、pply Chain IssuesCompetitive PressureM&A Integration ProblemsMis-aligned ProductsCustomer Pricing PressureLoss of Key CustomerSupplier ProblemsR&D DelaysCustomer Demand Shortfall%of top 100Regulatory ProblemsStrategicOperationalFinancialHazardForeign Macro-Economic IssuesInterest Rate Fluct-uationHi
16、gh Input Comm-odity PriceLaw-suitsNatural Disasters58%31%6%0%Primary Cause of Stock Drop(#of Companies)Source:Compustat,Mercer Management Consulting analysisNote:There were also 5 stock drops for which the primary cause could not reliably be determined.These 5 stock drops are not depicted.Mercer Man
17、agement ConsultingHKK 8/8/20229Nokia Mikko RouttiRisk Management Vision to take such risks that will enable company to profitably grow the business have a thorough understanding of those risks and responses required for success aim is to systematically capitalise on,control and manage risk in busine
18、ss rather than eliminate it.Ensure risks are properly analysed,prioritised and managed when taking major business decisions.Ensure that key risks have a responsible ownerTo manage events that may affect customers,employees,the financial position of Nokia and its brand.Comply with regulatory and lega
19、l requirementsHKK 8/8/202210Nokia Mikko RouttiDrivers for increased risk awareness business needs stakeholder awareness recent crisis(Worldcom,Enron,Tyco etc)compliance issues Turnbull/UK KontraG/Germany Netherlands Sarbanes-Oxley:USAfood for thought:do investors appreciate systematic risk managemen
20、t they penalize you if you miss!HKK 8/8/202211Nokia Mikko RouttiBuilding up a Risk Management SystemPeople and competenciesProcessMethodsToolsPeople and competencies form the foundation of risk managementProcess helps ensure their skills are applied consistently Methods assure that risk management i
21、s done well Tools increase productivity and can sometimes direct people and processesHKK 8/8/202212Nokia Mikko RouttiObjectives of Risk ManagementlControlAll projects have risks and some risks will occurRM is an investment into the future:It is often cheaper to avoid a potential problem than fix an
22、occurred oneIf you only fix problems as they surface,the flow of future problems will continue to keep you busy RM improves predictability and control of projectslUnderstandingKnow where the risks are and focus on essential risk areasConsistent understanding of risks throughout the organizationLearn
23、 from the risks that occurredHKK 8/8/202213Nokia Mikko RouttiWhat is Risk?“We dont have a lot of experience in graphical user interface”“Requirements are unstable”Things that contribute to risk Risk factors“Excessive time may be spent on user interface development”“Requirements may change”Things tha
24、t happen Risk events“We may have to rework the user interface”“Extra development effort may need to be spent due to requirements change”Consequences of things that happened Risk outcomes“Project may be late and over budget”Effects of things that happen on valued characteristics Risk effects on goals
25、“There is a 50%risk that Joe will quit before system testing phase”Probabilities of things that could happen Risk event probability“The use of CASE tool XYZ is a risk in the project”“It would be a risk to deliver the prototype too early”Anything associated with risk Action,person or object that is a
26、ssociated to risk HKK 8/8/202214Nokia Mikko RouttiRisk is a many-faceted Conceptlslippery driving conditions(rain,snow)la car accidentluntreated personal injuries,damaged vehiclesltreatment of injuries,purchase of a new carlmedical costs,permanent injury effects,higher insurance premiumslThe net eff
27、ect of pain,lost time and expenses as felt by individuals Risk factor:something that influences risksRisk event:occurrence of the riskRisk outcome:immediate impact of risk eventRisk Reaction:reaction to the riskRisk effects:effects of riskUtility loss:perceived value of effects by stakeholdersHKK 8/
28、8/202215Nokia Mikko RouttiWhat is RiskAre these risks?Frequent,but uncertain small problems(e.g.,some days will be lost to sick leave)Almost certain events(e.g.,some requirements will change)Risks that do not effect your project(e.g.,HW budget is exceeded)Technically yes,but.7Too minor to receive sp
29、ecial focus,to be managed by“normal”management7consider them problems7delegate them to someone elseHKK 8/8/202216Nokia Mikko RouttiProject view:falling short of goalsScope of Risk ManagementFinancial view:varianceRiskManagementPain(Risk)Gain(Opportunity)UncertaintyImpactHKK 8/8/202217Nokia Mikko Rou
30、ttiDefinitions of ProbabilitylClassic probabilityFuture outcomes are decomposed into atomic,equally probable componentslFrequency-based probabilityRatio of a certain event in an infinite series of identical trialslSubjective probabilityA persons subjective belief of the likelihood of an event occurr
31、enceHKK 8/8/202218Nokia Mikko RouttiTimeframe and RisklTimeframe(or urgency)actually an attribute of risk and controlling actionlPeople have strong biases for near-term riskslWaiting may buy information and new solutionstimePresentRisk eventoccurencerisk controlling actionimpact delayRisk controllin
32、g actionimplementation margin(=urgency)HKK 8/8/202219Nokia Mikko RouttiDefinition of RisklRisk is a fuzzy concept:be clear on what you meanlRisk is not the same as a problem:probability=1problem solving too late lRisk is relative to stakeholders and their expectationslThe right-level of abstraction
33、is critical and it depends on the situationVOCABULARY:exampleG-Goal and stakeholder review A process step in risk management.The stated goals of the working entity(Business Unit,Product program,Business Group,Function etc.)are reviewed and refined.Stakeholders associations with the goals are analyze
34、dM-Mitigation Strategy A strategy that is used to lower the probability and/or utility loss of risk scenariosO-Objective-A goal that has an achievable,well-defined target level of achievement.R-Risk Any uncertainty that affects the objectives and achievement of optimum result.A possibility(probabili
35、ty of less than 1)of loss,the loss itself,or any characteristic,object or action that is associated with that possibility.HKK 8/8/202220Nokia Mikko RouttiRisk ManagementlRisk management refers to a systematic and explicit approach used for identifying,analyzing and controlling risk.lThe risk managem
36、ent process produces two main outputs:Understanding about risksControlling actionsRisk mgmt processUnderstanding of risksControlling actionsInformation aboutthe situationRisk mgmtmethodsProject context,goals,and plansHKK 8/8/202221Nokia Mikko RouttiRisk Management ProcessRisk ManagementMandateGoal&S
37、takeholder ReviewRisk IdentificationRisk Control&control planningRisk MonitoringRisk Analysisgoals andstake-holdersresponsibilities and scopefor risk mgmtlist ofpotentialrisksdocumented,prioritized risksselectedcontrollingactionsNeed for new riskmgmt cycleHKK 8/8/202222Nokia Mikko RouttiRisk Mgmt Pr
38、ocess-outputsRiskit step Description Output Define Risk Management Mandate Define the scope and frequency of risk management.Risk management mandate.Review Stakeholders and goals Review the stated goals for the project,refine them and define implicit goals and constraints explicitly.Recognize all re
39、levant stakeholders and their associations with the goals.Explicit goal definitions Stakeholders recognized.Identify Risks Identify potential threats to the project using multiple approaches.A list of“raw”risks.Analyze Risks Classify identified risks into risk factors and risk events.Complete risk s
40、cenarios for all risk events.Estimate risk effects for all risk scenarios Estimate probabilities and utility losses of risk scenarios.Completed Riskit analysis graphs for all analyzed risks.Ranked risk scenarios.Plan Risk Control Select the most important risks for risk control planning.Propose risk
41、 controlling actions for most important risks.Select the risk controlling actions to be implemented.Selected risk controlling actions.Control Risks Implement the risk controlling actions.Reduced risks.Monitor Risks Monitor the risk situation.Risk status information.HKK 8/8/202223Nokia Mikko RouttiRi
42、sk Management MandatelDefine the scope,detail,authority and frequency of risk management in a specific projectlScope and detail:what risks must be managed and at what level of detaillAuthority:who is responsible,who participates,what resources are availablelFrequency:how often should it be donelStak
43、eholders:whose risks will be managedHKK 8/8/202224Nokia Mikko RouttiCommunicating Risk InformationTopManagementBusiness UnitsProjectsMANDATERISKSHKK 8/8/202225Nokia Mikko RouttiSummarylMandate is used to clarify the roles and responsibilities in risk managementlMandate is given by the project owners
44、 to the project managerlWhen the risk management infrastructure is in place,many aspects of the risk management mandate are easy to defineHKK 8/8/202226Nokia Mikko RouttiGoal Review:Definition of RisklUncertainty associated with reaching the objectives.lRisk has two main attributes:Impact:some damag
45、e(“pain”)uncertainty:there is uncertainty about whether the loss will occurRiskUncertaintyImpactHKK 8/8/202227Nokia Mikko RouttiDefinition of RisklUncertainty associated with reaching the objectives.lProbabilitylImpactgoals or expectations:without them the definition of loss is vague or does not exi
46、ststakeholder:goals and expectations are associated to some interested party,a person or an organizationRiskUncertaintyImpactGoalStakeholderHKK 8/8/202228Nokia Mikko RouttiStakeholders and GoalslStakeholder is any individual,group,or organization who can affect,or be affected by,the process or its r
47、esultslStakeholders can be,e.g.,Line managementCustomer(s)Partners,suppliers and vendorsOther programs or unitsPersonnelSocietylIt is important to know the main stakeholders and their interestslGoals can be found usually in the following areas:schedule;resources used,most often personnel time;cost o
48、f development;product requirements,which can include both functional and other quality characteristics;resource utilization;and technical constraints,such as hardware platforms,operating systems and use of particular software tools.HKK 8/8/202229Nokia Mikko RouttiGoal and Stakeholder PrioritieslPrio
49、rities for goals and stakeholders are definedlApproximate priorities are adequateStakeholders:Goals:Customerpriority:1Projectpersonnelpriority:2Uppermanagementpriority:1Schedule131Cost242Quality214Functionality323HKK 8/8/202230Nokia Mikko RouttiRisk IdentificationlRisk identification requires an ope
50、n mindlTeamwork and effective meeting techniques are criticallThere are several checklists available but are they good for you?lIdentification of potential threatslNeeds to be done frequentlylRequires a different mental attitude:not problem solving but free associationTechniques:brainstorming,checkl
