Governance, Regulatory & Risk Management Restoring trust

Business risk is making headlines these days and no industry is immune. Whether the problem is a massive oil spill, a life-threatening automobile defect, fraudulent reporting, or financial investments that no one really understands, mishandled risks have tarnished the reputations of some of the worlds most respected companies. The costs can be counted in billions in lost revenue, reduced market value, and punitive damages. In response to the challenge, companies are taking a wide range of actions to calm nervous investors and restore public trust. They are shoring up their compliance efforts, assigning Chief Risk Officers, setting up board committees to oversee risk, and launching initiatives to identify problems and plug gaps in their operations. Yet these actions are often little more than window dressing that add layers of complexity and oversight without tackling the underlying issues that drive risk in the first place. Building a Risk Intelligent Enterprise Traditionally, companies have treated risk management as a separate activity assigned to the Internal Audit or Risk department. Moreover, business leaders due to indifference or lack of information have tended to ignore risks until they became actual problems. This narrow, reactive approach might have been good enough in the past, but not anymore. As recent crises have shown, even the worlds largest and most admired companies may not have the right processes, tools, and structures in place to manage risk effectively. To become a Risk Intelligent EnterpriseTM, a company must embed governance and risk management capabilities into everything it does and every decision it makes. The key is to focus not only on risk avoidance, but also on risk-taking as a way to create value. That means: developing business strategies that explicitly identify and mitigate potential risks; integrating risk management into day-to-day business processes; deploying technology to support risk analysis and informed decision-making; and educating employees about the risks associated with their specific jobs, establishing performance measures that reward them for managing risk, and holding them accountable for their actions. How we can help A comprehensive approach to governance, risk management and regulatory compliance requires a full range of experience. Deloitte offers knowledge and experience that no other firm with global resources can match. We help clients tackle the broad issues of enterprise risk management and effective corporate governance, while offering specialized assistance in high risk areas such as financial reporting, tax, information technology, human capital, anti-fraud and dispute consulting, and financial advisory services. Our professionals also have deep experience in every major industry, so we can provide guidance and insight that makes sense for your particular business. Whether the challenge is to design and build an effective risk management approach for the entire enterprise, or to identify, prioritize, and mitigate specfic risks in strategy, operations and regulatory compliance, Deloitte has the knowledge and experience to get the job done. Our consulting services include: Strategic risk consulting Regulatory risk consulting Human capital risk consulting Technology risk consulting Operations risk consulting

Bottom-line benefits There are tangible business reasons to invest in becoming a Risk Intelligent Enterprise. Common benefits include: Increased market value by strengthening the trust of investors, shareholders, and customers Improved business performance through robust business strategies that capitalize on upside risk while managing downside risk Enhanced public image and reputation by staying out of the headlines and addressing risks before they become problems Reduction in both costs and risk by making risk management an integral part of the business aligned with daily activities (rather than a separate layer that requires additional time and resources) Ways to get more value now Walk the talk. As a leader, your actions set the tone for the rest of the organization. No matter how much you talk about the importance of managing risk, if your actions dont align with your words, no one will listen. Get the right people involved. Effective risk management requires deep business knowledge. Yet all too often a companys risk strategies and policies are developed by a risk specialist who doesnt really understand the business. Interviewing experts from the front lines is not enough; people with hands-on experience need to be directly involved in designing your risk strategies and processes. Make it easy to do the right thing. Designing risk management as an extra layer of work discourages compliance. If you want people to do the right thing, you need to make it easier and more rewarding than doing the wrong thing. Monitor and adjust. Risk intelligence is an ongoing process, not a one-time event, and requires continuous monitoring. This not only helps ensure compliance, but also provides early visibility to new or changing risks that might warrant a shift in strategy.

Governance, Regulatory & Risk Management Strategies in action A large non-profit organization that provides essential community services needed to avoid service disruptions during times of critical need. Deloitte helped identify and analyze the organizations major operating risks including risk categories, risk definitions, impacts, and vulnerabilities and our findings and recommendations have been incorporated into future strategic plans. A Fortune 500 bank holding company specializing in credit cards, home loans, auto loans, banking, and savings products needed help with their organizations overall regulatory and compliance program. While the initial request was to inform the client about the relevant regulations impacting their business, we were able to enhance our offering by embedding the risk and compliance activities into their overall business process, and create a sustainable, ongoing learning and development program which included initial training and an ongoing compliance training program for over 4000+ employees, including executives. A large nationally ranked academic medical organization that integrates high-quality patient care, advanced medical education and translational research to provide a full spectrum of healthcare engaged Deloitte to develop and assess a comprehensive risk universe encompassing financial, strategic, operational, regulatory and reputational risk. By taking a cross-functional approach, bringing our industry, functional, and risk perspective, Deloitte was able to uncover some significant risks, as well as create short-term and long-term plans to identify, assess, and monitor risks to the enterprise.

Related insights The People Side of Risk Intelligence Risk Intelligent Governance Putting Risk in the Comfort Zone Surviving and Thriving in Uncertainty: Creating the Risk Intelligent Enterprise Risk Intelligence Whitepapers Series The Principles of Risk Intelligence Related case study Goodwill Industries Related offerings Human Capital Risk Assessment Secure Value Chain Sustaining Risk-Intelligence Talent and Risk Strategy and Risk Services

Contact Michael Fuchs Principal Deloitte Consulting LLP mfuchs@deloitte.com For additional information www.deloitte.com/us/grrs

This publication contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this publication, rendering business, financial, investment, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this publication. As used in this document, Deloitte means Deloitte & Touche LLP, which provides audit, assurance and risk management related services, Deloitte Consulting LLP, which provides strategy, operations, technology, systems, outsourcing and human capital consulting services, Deloitte Tax LLP, which provides tax services, and Deloitte Financial Advisory Services (FAS), which provides financial advisory services. These entities are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Copyright 2010 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu LImited