Treasury & Risk 2011 Enterprise Risk Management Survey

	Very Confident	Somewhat Confident	Not Confident
Risk identification	Risk identification Very Confident	Risk identification Somewhat Confident	Risk identification Not Confident
Risk analysis and quantification	Risk analysis and quantification Very Confident	Risk analysis and quantification Somewhat Confident	Risk analysis and quantification Not Confident
Risk response/mitigation	Risk response/mitigation Very Confident	Risk response/mitigation Somewhat Confident	Risk response/mitigation Not Confident
Risk reporting and monitoring	Risk reporting and monitoring Very Confident	Risk reporting and monitoring Somewhat Confident	Risk reporting and monitoring Not Confident
Risk convergence	Risk convergence Very Confident	Risk convergence Somewhat Confident	Risk convergence Not Confident

Very Confident

Somewhat Confident

Not Confident

Risk identification

Risk identification Very Confident

Risk identification Somewhat Confident

Risk identification Not Confident

Risk analysis and quantification

Risk analysis and quantification Very Confident

Risk analysis and quantification Somewhat Confident

Risk analysis and quantification Not Confident

Risk response/mitigation

Risk response/mitigation Very Confident

Risk response/mitigation Somewhat Confident

Risk response/mitigation Not Confident

Risk reporting and monitoring

Risk reporting and monitoring Very Confident

Risk reporting and monitoring Somewhat Confident

Risk reporting and monitoring Not Confident

Risk convergence

Risk convergence Very Confident

Risk convergence Somewhat Confident

Risk convergence Not Confident

	A Great Deal	Somewhat	Not
Risk identification	Risk identification A Great Deal	Risk identification Somewhat	Risk identification Not
Risk analysis and quantification	Risk analysis and quantification A Great Deal	Risk analysis and quantification Somewhat	Risk analysis and quantification Not
Risk response/mitigation	Risk response/mitigation A Great Deal	Risk response/mitigation Somewhat	Risk response/mitigation Not
Risk reporting and monitoring	Risk reporting and monitoring A Great Deal	Risk reporting and monitoring Somewhat	Risk reporting and monitoring Not
Risk convergence	Risk convergence A Great Deal	Risk convergence Somewhat	Risk convergence Not

A Great Deal

Somewhat

Not

Risk identification

Risk identification A Great Deal

Risk identification Somewhat

Risk identification Not

Risk analysis and quantification

Risk analysis and quantification A Great Deal

Risk analysis and quantification Somewhat

Risk analysis and quantification Not

Risk response/mitigation

Risk response/mitigation A Great Deal

Risk response/mitigation Somewhat

Risk response/mitigation Not

Risk reporting and monitoring

Risk reporting and monitoring A Great Deal

Risk reporting and monitoring Somewhat

Risk reporting and monitoring Not

Risk convergence

Risk convergence A Great Deal

Risk convergence Somewhat

Risk convergence Not

	Very Confident	Somewhat Confident	Not Confident
Strategic/business risks (i.e., the external environment)	Strategic/business risks (i.e., the external environment) Very Confident	Strategic/business risks (i.e., the external environment) Somewhat Confident	Strategic/business risks (i.e., the external environment) Not Confident
Operational risks	Operational risks Very Confident	Operational risks Somewhat Confident	Operational risks Not Confident
Financial risks	Financial risks Very Confident	Financial risks Somewhat Confident	Financial risks Not Confident
Compliance risks	Compliance risks Very Confident	Compliance risks Somewhat Confident	Compliance risks Not Confident
Political risks	Political risks Very Confident	Political risks Somewhat Confident	Political risks Not Confident

Very Confident

Somewhat Confident

Not Confident

Strategic/business risks (i.e., the external environment)

Strategic/business risks (i.e., the external environment) Very Confident

Strategic/business risks (i.e., the external environment) Somewhat Confident

Strategic/business risks (i.e., the external environment) Not Confident

Operational risks

Operational risks Very Confident

Operational risks Somewhat Confident

Operational risks Not Confident

Financial risks

Financial risks Very Confident

Financial risks Somewhat Confident

Financial risks Not Confident

Compliance risks

Compliance risks Very Confident

Compliance risks Somewhat Confident

Compliance risks Not Confident

Political risks

Political risks Very Confident

Political risks Somewhat Confident

Political risks Not Confident

Question Title

* 4. In your opinion, do the capital markets reward sound risk management practice? (Please check one.)

Yes

Not certain

Question Title

* 5. Since implementing an ERM program, has your company:

Minimized the amount of risk it takes on

Taken on more risk

Made no change

We don’t have an ERM program

Question Title

* 6. Has slower economic growth led to changes in your ERM program over the last year? (Choose all that apply.)

Yes, we’re reinforcing the role of the senior executive in charge of risk management

Yes, we’re trying to get the board and senior executives more involved in risk management

Yes, we’re expanding our risk management strategy to types of risk not previously considered

Yes, we’re reassessing our risk culture

Yes, we’re trying to get all employees more involved in risk management

No, we’re not making any changes

	Very Important	Somewhat Important	Not Important
To respond to board inquiry/request/directive	To respond to board inquiry/request/directive Very Important	To respond to board inquiry/request/directive Somewhat Important	To respond to board inquiry/request/directive Not Important
To enhance governance procedures	To enhance governance procedures Very Important	To enhance governance procedures Somewhat Important	To enhance governance procedures Not Important
To achieve strategic objectives	To achieve strategic objectives Very Important	To achieve strategic objectives Somewhat Important	To achieve strategic objectives Not Important
To achieve competitive advantage	To achieve competitive advantage Very Important	To achieve competitive advantage Somewhat Important	To achieve competitive advantage Not Important
To minimize “surprises”	To minimize “surprises” Very Important	To minimize “surprises” Somewhat Important	To minimize “surprises” Not Important
To help create business value	To help create business value Very Important	To help create business value Somewhat Important	To help create business value Not Important
To monitor corporate performance	To monitor corporate performance Very Important	To monitor corporate performance Somewhat Important	To monitor corporate performance Not Important
To improve stakeholder/shareholder communication	To improve stakeholder/shareholder communication Very Important	To improve stakeholder/shareholder communication Somewhat Important	To improve stakeholder/shareholder communication Not Important
To improve organization-wide decision-making	To improve organization-wide decision-making Very Important	To improve organization-wide decision-making Somewhat Important	To improve organization-wide decision-making Not Important

Very Important

Somewhat Important

Not Important

To respond to board inquiry/request/directive

To respond to board inquiry/request/directive Very Important

To respond to board inquiry/request/directive Somewhat Important

To respond to board inquiry/request/directive Not Important

To enhance governance procedures

To enhance governance procedures Very Important

To enhance governance procedures Somewhat Important

To enhance governance procedures Not Important

To achieve strategic objectives

To achieve strategic objectives Very Important

To achieve strategic objectives Somewhat Important

To achieve strategic objectives Not Important

To achieve competitive advantage

To achieve competitive advantage Very Important

To achieve competitive advantage Somewhat Important

To achieve competitive advantage Not Important

To minimize “surprises”

To minimize “surprises” Very Important

To minimize “surprises” Somewhat Important

To minimize “surprises” Not Important

To help create business value

To help create business value Very Important

To help create business value Somewhat Important

To help create business value Not Important

To monitor corporate performance

To monitor corporate performance Very Important

To monitor corporate performance Somewhat Important

To monitor corporate performance Not Important

To improve stakeholder/shareholder communication

To improve stakeholder/shareholder communication Very Important

To improve stakeholder/shareholder communication Somewhat Important

To improve stakeholder/shareholder communication Not Important

To improve organization-wide decision-making

To improve organization-wide decision-making Very Important

To improve organization-wide decision-making Somewhat Important

To improve organization-wide decision-making Not Important

	Agree Strongly	Agree Somewhat	Disagree Somewhat	Disagree Strongly
We have all the information we need to manage risk at an enterprise-wide level	We have all the information we need to manage risk at an enterprise-wide level Agree Strongly	We have all the information we need to manage risk at an enterprise-wide level Agree Somewhat	We have all the information we need to manage risk at an enterprise-wide level Disagree Somewhat	We have all the information we need to manage risk at an enterprise-wide level Disagree Strongly
We have a common terminology and set of standards for managing risk	We have a common terminology and set of standards for managing risk Agree Strongly	We have a common terminology and set of standards for managing risk Agree Somewhat	We have a common terminology and set of standards for managing risk Disagree Somewhat	We have a common terminology and set of standards for managing risk Disagree Strongly
Company objectives and risk appetite/tolerance are clearly articulated	Company objectives and risk appetite/tolerance are clearly articulated Agree Strongly	Company objectives and risk appetite/tolerance are clearly articulated Agree Somewhat	Company objectives and risk appetite/tolerance are clearly articulated Disagree Somewhat	Company objectives and risk appetite/tolerance are clearly articulated Disagree Strongly
Risk management is fully integrated within our strategic planning process	Risk management is fully integrated within our strategic planning process Agree Strongly	Risk management is fully integrated within our strategic planning process Agree Somewhat	Risk management is fully integrated within our strategic planning process Disagree Somewhat	Risk management is fully integrated within our strategic planning process Disagree Strongly
Risks are quantified to the greatest possible extent	Risks are quantified to the greatest possible extent Agree Strongly	Risks are quantified to the greatest possible extent Agree Somewhat	Risks are quantified to the greatest possible extent Disagree Somewhat	Risks are quantified to the greatest possible extent Disagree Strongly
Risk management is fully integrated across all functions and business units	Risk management is fully integrated across all functions and business units Agree Strongly	Risk management is fully integrated across all functions and business units Agree Somewhat	Risk management is fully integrated across all functions and business units Disagree Somewhat	Risk management is fully integrated across all functions and business units Disagree Strongly
Everyone in the organization understands his/her level of accountability with respect to managing risk	Everyone in the organization understands his/her level of accountability with respect to managing risk Agree Strongly	Everyone in the organization understands his/her level of accountability with respect to managing risk Agree Somewhat	Everyone in the organization understands his/her level of accountability with respect to managing risk Disagree Somewhat	Everyone in the organization understands his/her level of accountability with respect to managing risk Disagree Strongly
We have a formal structure and process for monitoring risk and the effectiveness of risk response plans	We have a formal structure and process for monitoring risk and the effectiveness of risk response plans Agree Strongly	We have a formal structure and process for monitoring risk and the effectiveness of risk response plans Agree Somewhat	We have a formal structure and process for monitoring risk and the effectiveness of risk response plans Disagree Somewhat	We have a formal structure and process for monitoring risk and the effectiveness of risk response plans Disagree Strongly

Agree Strongly

Agree Somewhat

Disagree Somewhat

Disagree Strongly

We have all the information we need to manage risk at an enterprise-wide level

We have all the information we need to manage risk at an enterprise-wide level Agree Strongly

We have all the information we need to manage risk at an enterprise-wide level Agree Somewhat

We have all the information we need to manage risk at an enterprise-wide level Disagree Somewhat

We have all the information we need to manage risk at an enterprise-wide level Disagree Strongly

We have a common terminology and set of standards for managing risk

We have a common terminology and set of standards for managing risk Agree Strongly

We have a common terminology and set of standards for managing risk Agree Somewhat

We have a common terminology and set of standards for managing risk Disagree Somewhat

We have a common terminology and set of standards for managing risk Disagree Strongly

Company objectives and risk appetite/tolerance are clearly articulated

Company objectives and risk appetite/tolerance are clearly articulated Agree Strongly

Company objectives and risk appetite/tolerance are clearly articulated Agree Somewhat

Company objectives and risk appetite/tolerance are clearly articulated Disagree Somewhat

Company objectives and risk appetite/tolerance are clearly articulated Disagree Strongly

Risk management is fully integrated within our strategic planning process

Risk management is fully integrated within our strategic planning process Agree Strongly

Risk management is fully integrated within our strategic planning process Agree Somewhat

Risk management is fully integrated within our strategic planning process Disagree Somewhat

Risk management is fully integrated within our strategic planning process Disagree Strongly

Risks are quantified to the greatest possible extent

Risks are quantified to the greatest possible extent Agree Strongly

Risks are quantified to the greatest possible extent Agree Somewhat

Risks are quantified to the greatest possible extent Disagree Somewhat

Risks are quantified to the greatest possible extent Disagree Strongly

Risk management is fully integrated across all functions and business units

Risk management is fully integrated across all functions and business units Agree Strongly

Risk management is fully integrated across all functions and business units Agree Somewhat

Risk management is fully integrated across all functions and business units Disagree Somewhat

Risk management is fully integrated across all functions and business units Disagree Strongly

Everyone in the organization understands his/her level of accountability with respect to managing risk

Everyone in the organization understands his/her level of accountability with respect to managing risk Agree Strongly

Everyone in the organization understands his/her level of accountability with respect to managing risk Agree Somewhat

Everyone in the organization understands his/her level of accountability with respect to managing risk Disagree Somewhat

Everyone in the organization understands his/her level of accountability with respect to managing risk Disagree Strongly

We have a formal structure and process for monitoring risk and the effectiveness of risk response plans

We have a formal structure and process for monitoring risk and the effectiveness of risk response plans Agree Strongly

We have a formal structure and process for monitoring risk and the effectiveness of risk response plans Agree Somewhat

We have a formal structure and process for monitoring risk and the effectiveness of risk response plans Disagree Somewhat

We have a formal structure and process for monitoring risk and the effectiveness of risk response plans Disagree Strongly

Treasury & Risk 2011 Enterprise Risk Management Survey

1.

Question Title

* 1. How confident are you that your corporation effectively manages the following elements of the risk process?

Question Title

* 2. To what extent is technology used to enable the following elements of the risk management process?

Question Title

* 3. How confident are you that your company adequately identifies, assesses and manages the following types of risk?

Question Title

* 4. In your opinion, do the capital markets reward sound risk management practice? (Please check one.)

Question Title

* 5. Since implementing an ERM program, has your company:

Question Title

* 6. Has slower economic growth led to changes in your ERM program over the last year? (Choose all that apply.)

Question Title

* 7. How important are each of the following in driving improvements in your company’s risk management programs or initiatives?

Question Title

* 8. To what extent do you agree or disagree with each of the following statements regarding enterprise risk management?