Mitigating Risk in the Airline Industry with an ERM Approach The free market dynamics of the domestic airline industry are driving business model changes at an unprecedented pace Deregulation of the industry introduced new competitors in the 1980s that challenged the traditional “spoke and hub” networks of the time The use of regional jets and brand loyalty programs further necessitated management’s balancing of the need for change with existing business models However, of all the changes to the airline industry, the attacks of September 11, 2001 had the greatest material impact on the business The introduction of new security provisions, combined with escalating fuel costs, consumer uncertainty, and static labor and aircraft costs, are forcing radical adjustments in the airline industry As a result, many airlines have sought the protection of bankruptcy to identify and remediate business issues in their organizations; this has forced some airlines to explore business restructurings and mergers as an alternative This business climate requires the consideration of how to balance risk and reward, while integrating new businesses, processes and operations Importance of Risk Management Mismanaging risk can be very costly, and it is impossible to avoid all risk The only solution, therefore, is effective risk management The essence of risk management lies in maximizing the areas where we have some control over the outcome while minimizing the areas where we have absolutely no control over the outcome and the linkage between effect and cause is hidden from us.* The underpinning of an effective risk management program is a thorough understanding of the risks, or the uncertainties, that a business faces, and where and how they arise, as shown below * Bernstein, Peter, L., Against the Gods: The Remarkable Story of Risk, 1996, published by John Wiley & Sons, Inc., New York, p 197 Environment risks are uncertainties arising externally that affect the viability of the enterprise’s business model These external forces include the actions of competitors and regulators, shifts in market prices, technological innovation, changes in industry fundamentals, the availability of capital, or other factors outside the company’s direct ability to control Process risks are uncertainties affecting the execution of the business model, and therefore often arise internally within the organization’s business processes Process risks arise when internal processes not realize the objectives they were designed to achieve in supporting the entity’s business model For example, characteristics of poorly performing processes, or process risks, include poor alignment with business objectives and strategies, dissatisfied customers and inefficient operations They also include diluting (instead of creating or preserving) enterprise value and failing to protect significant financial, physical, customer, employee/supplier, knowledge and information assets from unacceptable losses, risk taking, misappropriation or misuse Information for decision-making risks are uncertainties affecting the relevance and reliability of information supporting management’s decisions to protect and enhance enterprise value These risks arise when information used to support business decisions is incomplete, out-of-date, inaccurate, late or simply irrelevant to the decision-making process This framework of three broad, interrelated categories of risk can, and should be, customized, to address specific industry risks The following model categorizes the typical risks faced by airline organizations into the three broad groupings discussed above Each of the risks included in the model is defined to promote consistent interpretation across the organization, providing a common risk language PROTIVITI RISK MODELSM FOR THE AIRLINE INDUSTRY protiviti Implementing ERM The Protiviti Risk ModelSM is designed to help airline management move beyond traditional risk management to enterprise risk management (ERM) Traditional risk management focuses on managing uncertainties around physical and financial assets In comparison, with ERM, risk also may be viewed as a positive, as the objective of a risk management program is not only to protect, but also to create, enterprise value With this approach, risk management is embedded in the company’s strategy and is managed at the top of the organization The airline industry is among the more complicated industries for implementing ERM Very few companies have implemented a truly enterprisewide approach across all of their operations Adopting a common risk language is key to implementing and sustaining ERM, but it is just the first step Other important steps include: • Articulating the risk management vision, goals and objectives, along with a persuasive value proposition for an ERM program • Establishing an oversight and risk management structure • Conducting an enterprise risk assessment to identify and prioritize the company’s critical risks • Performing a gap analysis of the current and desired capabilities around managing the critical risks protiviti • Developing actionable plans for moving toward desired capabilities • Designing and implementing risk response plans for managing specific risks • Continuously assessing and improving capabilities The level of effort to implement ERM is significant, and no two ERM solutions are alike Companies have different objectives, strategies, structures, cultures, risk appetites and financial resources Thus, the specific approaches, processes, methodologies, systems and metrics that define the solution will differ from company to company For most companies, however, ERM will require a cultural change Our Point of View on ERM Companies often cannot get beyond the theory and concepts of ERM to understand how to implement it tactically At Protiviti, we believe that the tenets of an effective ERM implementation are as follows: • Leverage what you have • Integrate with what you • Keep the process simple About Protiviti Protiviti (www.protiviti.com) is a leading provider of independent risk consulting and internal audit services We provide consulting and advisory services to help clients identify, assess, measure and manage financial, operational and technology-related risks encountered in their industries, and assist in the implementation of the processes and controls to enable their continued monitoring We also offer a full spectrum of internal audit services to assist management and directors with their internal audit functions, including full outsourcing, cosourcing, technology and tool implementation, and quality assessment and readiness reviews Protiviti, which has more than 50 locations in the Americas, Asia-Pacific and Europe, is a wholly owned subsidiary of Robert Half International Inc (NYSE symbol: RHI) Founded in 1948, Robert Half International is a member of the S&P 500 index Our Media, Hospitality and Services Practice Protiviti’s dedicated Media, Hospitality and Services practice includes professionals with deep industry experience in the print, broadcast, cable, online, hotel, casino, airline and professional service sectors These professionals can work with you to find approaches to improve and establish strategies for your business as changes in the industry and regulatory environment impact your organization For further information about the issues reviewed in this white paper or Protiviti’s services, please contact: Brian Christensen Managing Director 602.273.8020 brian.christensen@protiviti.com Ignacio Martinez Managing Director 602.273.8021 ignacio.martinez@protiviti.com protiviti In October 2005, The Forrester Wave™: Enterprise Risk Management Consultants, 4th Quarter, 2005, was released The research identified Protiviti as a “Leader” in the field According to the study: • Protiviti has strong methodologies and was rated well by clients In the “client reference” category, Protiviti received a perfect score of out of • Protiviti’s service is an especially good fit for buyers that are looking for a strong source of ERM thought leadership and shared knowledge and are looking for operational implementation of an ERM program • Protiviti’s “well-developed risk taxonomy” is a key differentiator from the other leading firms Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services ©2007 Protiviti Inc An Equal Opportunity Employer ... implementing ERM Very few companies have implemented a truly enterprisewide approach across all of their operations Adopting a common risk language is key to implementing and sustaining ERM, but... implement ERM is significant, and no two ERM solutions are alike Companies have different objectives, strategies, structures, cultures, risk appetites and financial resources Thus, the specific approaches,... company For most companies, however, ERM will require a cultural change Our Point of View on ERM Companies often cannot get beyond the theory and concepts of ERM to understand how to implement