Enterprise Risk Management Group Project < Apple Inc. >
Team members:
Yuyang Cai Biying Zhuge Zheng Yan Hongfeng (Oliver) Guo Jiaqi Li Ziwei Zhu Xiaochen Ma Zixuan Wu
October 15, 2017
Index
Section: Section Reference
A. Reporting
ERM Summary Report: Main Body
B. Project Planning and Management
ERM Plan: Appendix 11
ERM Policy: Appendix 8
ERM Organization Chart: Appendix 9
C. Risk Management Documentation
Company Background: Appendix 1
Company Definition of Risk Appetite: Appendix 2
Business Objective Setting: Appendix 3
Risk Universe: Appendix 4
Risk Assessment Criteria: Appendix 5
Risk Scale: Appendix 6
Prioritized Risk Action Plan: Appendix 7
ERM Summary Report
Drivers & Objectives:
The continued growth of the technology industry and the increasing competition within it drive Apple to initiate an enterprise risk management (ERM) plan. Implementing ERM is gradually becoming a new trend in the market, and as a result many of Apple’s competitors have already started to establish their own risk management plans. It is critical for Apple to have one to keep its leading position.
ERM helps Apple analyze potential risks as well as the impacts of identified risks. By implementing an action plan, Apple can manage these potential risks by effectively allocating available resources and reinforcing risk response decisions to reduce operational surprises and mitigate unnecessary losses. At the same time, having ERM in place helps Apple develop a risk-aware culture and share common objectives and standards for risk management. ERM needs to be developed and implemented at every level, from top to bottom, so that it is recognized by each person in the company. Beyond that, Apple’s strategy and culture tend to reflect the unimaginable growth of the technology industry, so that it can continuously leverage risks and returns.
Process Employed
We first formed an ERM group after selecting the most competitive team members from the potential candidates. We then implemented risk management based on the COSO ERM framework issued in 2004. According to COSO, this framework aims to help businesses and other entities enhance their risk management and internal control systems, and it “has since been incorporated into policy, rule, and regulation, and used by thousands of enterprises to effectively control their activities in moving toward achievement of their established objectives.” The framework is divided into 8 steps, which are internal environment, objective setting, event identification, risk assessment, information and communication, control activities and monitoring. We assigned the 8 steps to the selected team members. After identifying and assessing 5 key risks, we took actions to respond to the risks as described, and set up control activities and monitoring to support continuous growth. We chose to treat or transfer each risk depending on its impact, likelihood and cost.
To address rapid technology changes and fierce competition in the industry, Apple needs to increase its investment in the R&D department to bring out more innovative technology and products and be more competitive. It is also necessary to protect its products under the law, to prevent them from being emulated by competitors. In terms of globalization and economic conditions, fluctuations in the price of materials and labor will affect Apple’s financials. Apple could diversify its foreign currency holdings so that losses from one currency are remedied by the profit from another. In addition, Apple could buy different forward contracts to cover its losses from exchange risks. In dealing with outsourcing services, it is better to share the risks with other parties. Besides insurance, Apple needs to require more priorities in its agreements to protect itself from the risks associated with outsourcing. Considering the performance of distributors and resellers, Apple needs to take actions to share the risks when those carriers fail to sell Apple products due to financial problems. For example, Apple could offer financial assistance in exchange for specific returns from those carriers, such as actively advertising and selling to increase their sales.
Our team also developed an ERM policy and organizational charts to identify the responsibilities at each level in Apple. Helping every person recognize their position under ERM will directly contribute to exposing risks and implementing the ERM process in a timely manner. Finally, Apple needs to develop the most effective ways to communicate, both internally and externally, and help management use them. As needed, implementing effective control activities and a monitoring system helps Apple evaluate the effectiveness of ERM and continuously mitigate risks in achieving its objectives.
Milestones
The milestones of our risk management process mostly follow the purpose of ERM and the related deliverables. Essentially, our purpose is to expose, identify, and respond to potential risks before they happen. Thus, the implementation of ERM is intended to minimize the negative impacts on achieving objectives. There are five milestones for Apple’s ERM. We first set up an internal ERM project team by selecting capable professionals to focus on the ERM implementation. After that we formulated the ERM plan (Appendix 11) and ERM project charter (Appendix 10), including identifying project objectives, analyzing major stakeholders, appointing the team leaders, scheduling routine meetings and assigning team members’ functions according to their competencies. Then we completed the ERM policy (Appendix 8) and ERM organization chart (Appendix 9) to define employees’ responsibilities in risk management. Accordingly, we started the process by collecting information to understand the company background (Appendix 1) and the business environment of Apple. Next, we planned and implemented ERM based on the COSO ERM framework. Each team member was assigned one of the eight components in the framework to work on. In this milestone, we completed risk appetite consideration (Appendix 2), business objectives setting (Appendix 3), event identification (Appendix 3), risk universe identification and risk register (Appendix 4) and the prioritized risk action plan (Appendix 7). Ultimately, we finalized the ERM implementation plan and completed a final report of this project.
Key Risk Analysis
We first defined Apple’s risk universe (Appendix 4) according to four categories: strategic risks, operational risks, compliance risks and financial risks. In order to prioritize these risks, we assessed them based on their impact and likelihood. For impact, we categorized risks into three levels: low, medium and high. The levels are differentiated by the degree of loss across multiple aspects. Take medium impact for example: a financial loss of $500M to $5000M, with a probable lawsuit and reputation damage, is a medium impact for Apple. To sort risks by likelihood, we rated them from low to high by percentage, namely less than 20%, 20-70% and more than 70%, in accordance with their frequency and probability (Appendix 5). According to these risk assessment criteria, we scaled most of the risks (Appendix 6) and prioritized six risks, which are explained below.
Rapid technology changes
Apple’s ability to compete successfully depends heavily on its ability to ensure a continuing and timely introduction of innovative new products, services and technologies to the marketplace. Any new innovative product will impact Apple deeply and will make Apple suffer significant losses in its financials and market share if it cannot keep its leading position in technological change. In the meantime, competitors like Samsung, Microsoft and Huawei are thriving in making changes in the technology world. Therefore, the risk of rapid technology changes is high in impact, frequency and probability, which makes it the most severe risk to be responded to.
Fierce competition in market
The competition in the industry is fierce. Apple’s competitors like Samsung, Huawei, and Microsoft enjoy great resources and ample experience to maintain high market share. Each of them is able to compete with Apple. For example, they sell products with similar features at a lower price, a strategy that helps them attract many price-sensitive customers. Also, Samsung is now competitive in its diversity, sales and marketing. Huawei has emerged rapidly in recent years and has a big market in China, which has made Apple lose a large amount of market share. If Apple fails to develop innovative products with attractive margins, or if it fails to expand its market share and win potential customers, it will lose its competitive edge in the market and suffer huge financial losses. Therefore, the impact and likelihood of fierce competition in the market are high.
Global and regional economic conditions
Uncertainty about global and regional economic conditions poses a risk to Apple. Consumers and businesses may postpone spending in response to slow global and local economies, tighter credit, higher unemployment, financial market volatility, government austerity programs, negative financial news, declines in income or asset values and/or other factors. These worldwide and regional economic conditions could have a material adverse effect on demand for Apple’s products and services.
Substantial inventory risk
Apple is also a goods-consuming company, which means it needs to forecast demand and production in advance. Because the Company’s markets are volatile, competitive and subject to rapid technology and price changes, there is a risk that Apple will forecast incorrectly and order or produce excess or insufficient amounts of components or products, or not fully utilize firm purchase commitments. An incorrect forecast will bring redundant inventories with continuous depreciation. The ongoing depreciation will deeply impact financials, especially cash flow.
Key personnel leave
Much of Apple’s future success depends on the continued availability and service of key personnel, including its Chief Executive Officer, executive team and other highly skilled employees. Experienced personnel in the technology industry are in high demand, and competition for this talent is intense, especially in Silicon Valley, where most of the Company’s key personnel are located. An increasing number of important senior employees in important positions, including technicians, management and even the CFO, have left with knowledge and information of Apple, which could cause significant intangible losses to Apple’s assets. The loss of intangible assets will delay development and management at Apple.
Outsourcing product manufacturing and logistical services
Since substantially all of the Company’s manufacturing is performed in whole or in part by a few outsourcing partners located primarily in Asia, Apple doesn’t have direct control over its products. Hence, the impact of this risk is high, since it is hard for Apple to estimate the product defect rate and the corresponding warranty expenses, but the likelihood of this risk is low, as Apple still has high buying power over these outsourcing partners because they are more likely to maintain a long-term relationship with Apple. As for the logistical service risk, its likelihood is low because most of the time components can be transferred in a timely manner. However, due to the uncertainty in the transportation process, such as the possibility of natural or man-made disasters, it is still possible that components fail to be delivered from outsourcing partners to the final destination as expected. Consequently, the customer dissatisfaction rate will rise and Apple may lose customers.
Please see the detailed prioritized risk action plan in Appendix 7.
Conclusion:
Our team first developed and categorized our objectives into four parts: strategic objectives, operating objectives, reporting objectives and compliance objectives. Based on our research, we created our assessment chart to identify the most severe risks, which are technology changes, competition, distribution, outsourcing and inventory. Moving forward, the risk responses were reinforced depending on the situation. Finally, the control activities and monitoring system were developed in association with the identified risks. Implementing our ERM will help Apple identify risks and mitigate their impacts in advance. The control activities can effectively reduce the probability of risks, while the monitoring system evaluates the effectiveness of ERM and issues warnings before risks happen. With that, Apple can analyze the market with effective ERM and predict trends so that it can respond to changes in a timely manner and survive major changes. Along with the implemented ERM, Apple can be more competitive in winning back market share and be prepared to adapt to the potential risks from globalization and economic conditions. With effective internal control, Apple can bring more confidence to stakeholders. By using the cost-benefit method under ERM, Apple can leverage risks and returns to increase its revenue and push up its stock price.
Finally, our ERM aims to mitigate the impacts of risks by increasing the effectiveness and efficiency of reacting to potential risks, whether ongoing or future. ERM also helps assure that Apple achieves its objectives effectively.
Appendixes
Appendix 1 Company Background
Apple is an American multinational technology company that sells consumer electronics, computer software and online services. It was founded in 1976 in Los Altos, California, where the first Apple computer was born. After the Apple computer, it introduced products such as the iPod, iPhone and Apple Watch in sequence. By 2016, Apple had grown to be the leading technology company in the industry and the top company in the world by brand value, with $170B in brand value. In 2016, Apple’s global revenue reached $214.2B. Apple has also been ranked the No. 1 most admired company in the world. Its dominant position could not be replaced by any other company in the world.
Appendix 2 Company Definition of Risk Appetite
According to IRM (2011), risk appetite is the amount of risk that an organization is willing to seek or accept in the pursuit of long-term objectives. The board of directors of a company decides its risk appetite by considering the risk capacity that results from a variety of factors such as capital structure, access to financial and non-financial resources, reputation, human resources and corporate governance. In this way, the risk appetite of an organization establishes a direct link between its strategies and its risk management process at all levels, with a consistent view of how to respond to risks.
Apple’s board displays entrepreneurial traits: it has the ability to find opportunities and gather resources to take advantage of them. Apple would never have existed without the vision of the board, since the board paid more attention to the potential of technology than to money alone, which allowed Apple to take more risk on promising investments. In 2006, Apple’s stock gained 82%. Incidentally, it was also everyone’s favorite stock in 2007 (+136%), 2008 (-56%), 2009 (+132%), 2010 (+51%), and 2011 (+23%). This success greatly increased Apple’s risk capability and risk appetite. For example, as we know, Apple designs and creates the iPhone, iPad, Mac notebooks and desktop computers, iOS 8, OS X, iPod and iTunes, and the new Apple Watch. A risk to completing this mission has been the competitive pressure of Samsung’s Galaxy line of cell phones. With enhancements and integration of the entire iPhone platform to meet what consumers wanted and needed for their everyday use, the company embraced the competitive risks and has consequently flourished around the world. However, after the special and spectacular period with Steve Jobs ended in 2011, the stock premium decreased and the price per share shrank considerably. Although Apple’s revenues were high, its quarterly revenue growth shrank somewhat dramatically in 2013. Also, Apple’s cost of debt increased significantly, signaling to investors that the company’s risk premium has changed since its 2013 debt raise. During this period, Apple started to take a risk-averse strategy. As a result, Apple has recently been criticized for no longer innovating at the same pace it used to, which might be due to its declining tolerance for risk.
From an internal environment perspective, the high premium is also because Apple had a small number of strategies related to premium pricing, low cost, product segregation, low focus on market share, low shareholder return policy and cheaper global marketing. Even though Apple’s internal environment has some room for criticism, it also sets the foundation for how risk is viewed and addressed by an entity’s people, including risk philosophy and risk appetite, integrity, ethical values, and the environment in which they operate.
Appendix 3 Business Objectives Setting
Globalization
There are two globalization objectives Apple is going to achieve. First, in order to focus on its core technology, Apple will keep outsourcing manufacturing and logistical services to companies around the world, which lowers operating costs and increases operational efficiency. Apple will also obtain all components from a limited number of high-quality suppliers to maintain its uniqueness. Because most of those suppliers are located in foreign countries, Apple will spend more effort to maintain sustainable relationships with business partners. Second, Apple will keep expanding its global market by opening more Apple stores globally, building more online stores in foreign countries and negotiating its third-party distribution network to effectively reach more customers and provide them with a high-quality sales and post-sales support experience.
Product Innovation
Without innovative hardware and supporting operating software, Apple cannot maintain a leading position in the market. Boston Consulting Group keeps ranking Apple as the world’s most innovative company. Considering the nature of the technology industry and the company’s competitive advantages, Apple will keep increasing its R&D budget even during tough times to continue introducing new products and services, developing new product lines and improving product transitions. Apple will also work closely with customers to understand and analyze their demands and bring them a better product experience. In recent years Apple has experienced some quality issues, which have had negative impacts on its brand. Therefore Apple will conduct more quality controls to make sure product quality can reinforce product innovation.
Reporting
As one of the largest public companies, Apple will maintain good public relations by meeting the requirement to fully disclose reliable financial and non-financial information to stakeholders inside and outside the company, to help them better evaluate the company and make appropriate decisions. Apple will also establish a strict internal reporting policy to make sure information is reliable and is communicated effectively and in a timely manner.
Compliance
In order to successfully expand in both domestic and global markets, Apple will work closely with law and regulation experts to oversee areas such as intellectual property ownership and infringement, tax, import and export requirements, anti-corruption and foreign exchange controls, to make sure operations comply with applicable laws and regulations. Apple will also prudently select business partners such as employees, suppliers and agents to make sure they are not violating any laws. In addition, as we know, Apple’s success partly relies on third-party software developers. Therefore one of Apple’s objectives is to oversee the intellectual property ownership and digital content of developers.
Event identification
Economic events
Apple’s globalization strategy makes it very sensitive to economic events happening all over the world. Events like new trade agreements, price movements, capital availability, financial crises, and changes in taxation policy potentially bring both opportunities and risks for Apple.
Natural environment events
As we know, components of Apple products are supplied by companies from different countries. In recent years the world has suffered from various natural disasters like floods, fires, and earthquakes. Some of our business partners and global markets are located in areas that have experienced such natural disasters, which may adversely affect Apple’s operations.
Political events
Both domestic and foreign political events will affect Apple’s operations. Events like new presidential elections or new regulations and laws will to some extent affect the organization. However, it is uncertain whether these events will provide Apple with opportunities or risks.
Social events
Changing demographics, customer behaviors, income levels and family structures will influence consumer purchase decisions. Again, these social events may help Apple discover new opportunities, but they could also negatively affect its operations.
Technological events
Apple is always the one who initiates technology innovations. As the center of technological events, Apple enjoys many opportunities from its R&D. It is important for Apple to better control and anticipate technology-changing trends to generate more benefits from the market.
Appendix 4
Risk Universe
Strategic
Rapid technological changes and R&D development
Fierce competition in market
Global and regional economic changes
Global operations management
Customer loyalty consolidation and development
Operational
Outsourcing product manufacturing and logistical services
Performance of distributors, carriers and other re-sellers
Substantial inventory risk (obsolete or exceed anticipated demand)
Product introduction and transition
Compliance
Unfavorable results of legal proceedings
Revenue fluctuation
Labor laws
Stock price volatility
Regulations on media device worldwide
Substantial investment and resources
Product quality problems
Information tech system
Key personnel and labor cost
Access to third-party digital content/intellectual property
The availability of third-party software developers
Appendix 5
Risk Assessment Criteria
Impact:
High (Rating: 7-9): Financial loss of 5000 M or more; Game-changing loss of market share; Demands far more than supply; Significant prosecution and fines related to patents; Key senior leaders & technology designers leave; Key operational problems such as information system break down; Global reputation damage: product quality problems, copyright violation...
Medium (Rating: 4-6): Financial loss of 500 M up to 5000 M; Significant or regional loss of market share; Product turnover can’t meet the demand regionally; Laws violation; Experienced staff turnover; Some operational problems such as retail stores management problems; Local reputation damage;
Low (Rating: 1-3): Financial loss of less than 500 M; Subtle decreasing market share regionally; Supply meets demand and high turnover; Not compliance to local laws such as labor laws; Employee turnover and morale problems; Small operational problems that can be fixed;
Likelihood:
High: Frequency up to once or more in one year; Probability (chance of occurrence) 0.7 - 1
Medium: Frequency once or more in 5 years; Probability (chance of occurrence) 0.2 - 0.7
Low: Frequency once or more in 10 years; Probability (chance of occurrence) 0 - 0.2
Appendix 6
Risk Scale
Gross Risk = Impact * Likelihood
Risk | Impact | Likelihood | Gross Risk
Major risks (Gross Risk >= 4.5)
Rapid technological changes and R&D development | 9 | 0.95 | 8.55
Fierce competition in market | 8 | 0.9 | 7.2
Global and regional economic changes | 8 | 0.85 | 6.8
Substantial inventory risk (obsolete or exceed anticipated demand) | 7.5 | 0.8 | 6
Key personnel and labor cost | 7.2 | 0.75 | 5.4
Outsourcing product manufacturing and logistical services | 9 | 0.5 | 4.5
Minor risks (Gross Risk < 4.5)
Performance of distributors, carriers and other re-sellers inefficiency | 7 | 0.45 | 3.15
Product introduction and transition slow down | 7 | 0.3 | 2.1
Product quality problems | 7.5 | 0.27 | 2.025
International operational problems | 6.8 | 0.45 | 3.06
Information tech system break down | 8 | 0.2 | 1.6
Not access to third-party digital content/intellectual property | 5.5 | 0.4 | 2.2
The non-availability of third-party software developers | 4.5 | 0.3 | 1.35
Unfavorable results of legal proceedings | 6 | 0.2 | 1.2
Labor laws and regulations on media device worldwide violation | 4.3 | 0.25 | 1.075
Revenue fluctuation | 2.3 | 0.2 | 0.46
Stock price volatility | 2.4 | 0.33 | 0.792
Lack of substantial investment and resources | 2.6 | 0.15 | 0.39
Appendix 7 Prioritized Risk Action Plan
Risk Response
Technology change risk
The risk response to the rapid technology change risk is to treat it. The risk brought by rapid technology change is that Apple may fail to bring out innovative products, or may have a higher product price with lower product differentiation compared to its competitors. Consequently, it will suffer from customer loss and shrinking profit, and these impacts are severe. Additionally, the likelihood of the technology change risk is high since we are in an age of constant technology updates. Though the amount of risk is well over its risk appetite, Apple can do little to prevent the risk from happening, and this risk is hard to transfer to the insurance market, so in response, Apple should take actions to reduce the likelihood of this risk. One of the main methods to reduce this risk is to invest in its research and development department to keep pace with rapid technology updates and continuously bring out innovative products to attract customers. Besides, Apple can cooperate with a professional law firm to protect its intellectual products from infringement, so that competitors will be discouraged from emulating its product features.
Fierce market competition
The risk response to fierce market competition is to treat it. Based on the risk assessment, the impact of fierce market competition is high. Obviously, the impact is unacceptable to Apple, and though Apple wishes to terminate the risk, it is hard to stop the continuous competition from its current and future competitors. Hence, what Apple can do now is take any practicable actions to bring the risk to a tolerable level, and the methods to deal with this risk are similar to the ones in response to technology change, such as investment in its R&D department to improve product functions and bring innovative designs. Though the investment may be costly, it is still worthwhile because customers can be retained and Apple can enjoy its competitive edge in its ability to design featured products.
Global and regional economic conditions
The risk response to global and regional economic conditions is to treat it. The impacts of global and regional economic conditions are severe, such as losses from currency fluctuation, the company’s inability to obtain credit to finance development, and a higher unemployment rate. Thus, the risk isn’t tolerable. Besides, Apple cannot avoid being exposed to this risk or act effectively to prevent a risk of global or regional range, so our suggested response for Apple is to treat it and bring the risk within its risk tolerance. For example, to reduce its loss from exchange rate risk, Apple can diversify its foreign currency holdings, so that a decline in the value of one currency will not affect the overall dollar value of Apple.
Substantial inventory risk
The risk response to substantial inventory risk is to treat it. If Apple is short of inventory, it can’t ship its orders on time; consequently, it will lose customers and suffer a negative impact on customer loyalty. If its inventory exceeds the demand, there will be an inventory overstock issue, which increases operating cost. All these impacts are significant, and the likelihood of this risk is medium because differences between the budgeted inventory numbers and the numbers the market actually needs are common. Moreover, the cost of preparing the budget plan is lower than its benefit. Hence, it is better for Apple to treat this risk. One of the ways to reduce the risk is for Apple to periodically set an inventory budget plan based on its historical inventory data and a forecast of the quantity the market will need in the future, so that the budgeted order number falls within a reasonable range. Accordingly, the risks of overstock or stock shortage can be mitigated to an acceptable level.
Key personnel leave
The risk response to key personnel leaving is to treat it. The impact of this risk is high, as a large portion of Apple’s value relies on its human assets. For instance, Apple’s important strategic and operational business decisions are made by its senior managers; if they leave the company, Apple will find it difficult to make significant decisions in a timely way. Also, the cost of recruiting successors is high; for example, it includes the cost to search for potential candidates, train new hires, and handle the work handover. Luckily, Apple has a high employee retention rate because of its unique company culture, professional working environment and high compensation satisfaction. After considering the nature of the technology industry, we believe the likelihood of this risk is medium to low. Therefore, facing the high impact and medium likelihood, and having analyzed the cost and benefit, Apple’s risk response is to reduce it. For example, Apple can conduct more recruitment assessments to hire people who are most suitable for its organizational culture. Apple can also regularly have conversations with employees to understand their needs and concerns.
Outsourcing product manufacturing and logistical services
The risk response to product manufacturing and logistical services provided by outsourcing partners is to transfer it, after considering the high impact and the low likelihood according to the risk assessment. To discourage or prevent its partners from violating the materials regulations and producing low-quality products, Apple is recommended to set an agreement with those partners that lists specific terms on the tolerance of the product defect rate. Once the rate is over a certain percentage, the partners should not only cover all the product warranty expenses but also shoulder the after-sale-service responsibility to repair the defects. Additionally, the terms can state that when the defect rate is over a reasonable range, Apple can end the cooperation with the partner and ask for compensation for its loss. As for the logistical service risk, taking the low likelihood and high impact into consideration, we recommend that Apple transfer this risk by signing a contract with an insurance company on the distribution conditions, so that when components can’t be delivered on time, the insurance company will pay for the loss. By transferring risks, Apple can reduce the financial impact to a tolerable range.
Control Activities
Due to the complexity and scope of the business areas that Apple develops, our action plan gives only a brief description, without detailed elaboration of quantitative and qualitative demands and standards. The action plan targets the specific risks that were prioritized earlier in the risk-assessment part. The action plan consists of two parts: control activities and monitoring.
Rapid technological change
To mitigate the risk that Apple may no longer be competitive in its markets due to rapid technological change, three related control activities are listed below:
a. Sustainable R&D expenses should be invested in updating products, including software, hardware, operating systems and other services. In detail, invest in an Advanced Technology Laboratory to cultivate research in high-tech areas, and establish a group to help elaborate the products the Labs design, communicate with the manufacturing department, and collect feedback through various channels.
b. Exploring and hiring outstanding scientists and programmers for the R&D department is also significant to the company. That includes attractive benefits and predictable career development design. Besides, regular training for employees in the Human Resource Department is critical. The training content will include updated technology changes and science related to the company. In this way, potential high-quality candidates will not be neglected due to some rare but still existing reasons.
c. Monitoring the application process for patents, trademarks, copyrights and other relevant intellectual property. The process includes preparing to apply, keeping those deliverables confidential, and watching for whether competitors infringe on the company’s intellectual property.
Fierce Competition in Market
The company faces a fiercely competitive global market characterized by price cutting, the continuous introduction of new products, evolving industry standards and short product life cycles. To mitigate the risk, the company can carry out the control activities below:
a. Keep investing in the current operating system. The company is the only authorized maker of hardware using macOS, which competes with other operating systems (in personal computers, the majority is Windows; in smartphones, most are Android), so one of the best ways to hold a competitive position is to provide the best system service and related third-party service in the existing OS.
b. Keep and develop a close relationship with third parties that provide applications, software, and digital content based on this specific operating system (OS). Furthermore, invest in those suppliers that produce outstanding products but lack enough funds to continue.
c. Monitoring competitors’ technology development trends and scheduling the next step accordingly. Keeping an eye on competitors’ behavior and evaluating the current situation of the company is useful because it gives a chance to review whether the development strategy is appropriate and whether the company will keep its competitive position in the future.
Global and regional economic conditions
Global and regional economic conditions greatly influence the company’s performance and operations, since related economic policy and affairs are indirectly associated with manufacturing, inventory and sales. To mitigate this risk, a set of control activities combining financial management and regulation monitoring will be implemented as below:
a. To mitigate the finance-related risk, establishing a financial group is suggested. The financial group will use an asset portfolio to make sure the risk is kept within a predetermined extent. For example, currency forward contracts and foreign futures are two of the most popular financial instruments for hedging currency fluctuation risk.
b. Setting up a group of experts to monitor and predict the related economic policies. Apple is a multinational company whose subsidiaries are in a number of countries where economic policies differ from those of the U.S., so complying with local regulations and responding in a correct way will be very important. The experts will analyze and make predictions about economic policy beforehand and give suggestions on the financial group’s behavior afterwards to make sure the expectations are met.
c. Maintaining good and close relationships with outsourcing partners, vendors and suppliers. Not only will Apple face the finance-related risks; the relevant stakeholders will be affected simultaneously. Keeping an eye on the three parties’ conditions will help the company project its next step. For example, if a vendor is short of cash and cash equivalents due to some emerging economic policy, and is therefore unable to meet the material demand from Apple, a backup plan should be put in place long before the scheduled material demand time. In this way, Apple’s inventory will not be affected. To make this process run smoothly, analysis of the three parties cannot be avoided.
d. Monitoring the conditions of customers, including channel partners. Customers’ conditions determine the sales revenue. If customers lack the ability to obtain credit to finance purchases of the product, the company will undoubtedly suffer a great loss.
Substantial Inventory Risk (obsolete or exceed anticipated demand)
To reduce the risk that product manufacturing is not properly consistent with market demand, the company should develop an inventory monitoring system. As the first step of the system, a market analysis should be given of how large the inventory is at a specific period of time and how long it takes from purchasing orders at the factory to the customer receiving the final products. Considering the life cycle of releasing a new product to customers, the second step is purchase orders for projected manufacturing, supplier contracts, and shipment contracts. The third step is the new product announcement. Then the company is open to orders from customers. After collecting orders, shipment will be arranged. In the process of monitoring, each step should be checked against the scheduled time, and existing problems and difficulties should be recorded. At the end of the monitoring, value-added feedback will be produced about the differences between reality and the expectations of the analysis.
Key Personnel Leave
Apple is headquartered in Silicon Valley, where experienced employees and talent are in high demand, so the labor market is very competitive. Even after the HR department has hired talent for the company, retaining that talent is also important. To reduce this risk, the company can implement the control activities below:
a. Signing a win-win employment contract including terms that restrict free job-hopping behavior.
b. Developing a regular work shift and peer-training program. This combination can reduce the risk that the work of a critical position can only be done by a specific person. The peer-training program is a project in which employees share their working content and skills with other colleagues.
c. Providing a positive and creative working environment for employees. A competitive benefit package is not rare in Silicon Valley. One of the best ways to keep people in their positions is to make them feel that working here is satisfying; this kind of soft strength of the company cannot be learned or replaced by other competitors.
Outsourcing product manufacturing and logistical services
a. Evaluating and monitoring the current and future condition of outsourcing partners. Many critical components in manufacturing and the major part of logistical management have been outsourced to Asia and Europe, where environments differ from those of the U.S. Those environments include, but are not limited to, nature, society, labor, regulation and finance. To mitigate the risk that outsourcing partners perform worse than expected or fail to perform as agreed in contracts, the company should closely observe the current condition of the outsourcing partners and properly predict their future state based on an evaluation of the local environment.
b. Including provisions for warranty expense reimbursement in contracts with outsourcing partners, and sample-checking the quality and quantity of the products manufactured by the outsourced partners. Considering that customers may ask for warranty service due to product defects, it is reasonable to share this risk with partners. Even though outsourcing diminishes direct control of the final products (for example, assembly work is outsourced in Asia), sample checking can still function in an indirect way to mitigate the risk.
Information and Communication
The success of ERM is highly dependent on the effectiveness and efficiency of Apple’s information and communication, which is one of the COSO elements. Our purpose is to make sure that all relevant information is identified, collected, and shared from both internal and external sources. Also, necessary information should flow up, down, and across the organization. Therefore, the ERM initiative goal in this phase is establishing and maintaining both internal and external communication channels to support Apple’s ERM project.
Information Requirement
According to COSO ERM, risk communication starts with identifying stakeholders. Once the stakeholders have been identified, the nature, purpose, and methods of communication for different stakeholders could be decided. Management must consider Apple’s objectives and related risks to identify and gather relevant information for managing risks. COSO notes that information must be:
• Appropriate and at the right level of detail;
• Timely;
• Current;
• Accurate and reliable;
• Accessible to those who need it.
Defined ERM Policy
To make sure that all personnel receive a clear message from top management that ERM responsibilities must be taken seriously, the ERM branch should construct a defined ERM policy which includes the objectives, scope, and approach of ERM, as well as the responsibilities of each employee. The ERM policy will help to set the foundation of ERM and also guide employees to take appropriate actions and decisions in the management of uncertainty and opportunities. Appendix 8 is the ERM policy that our team established for Apple. The ERM program is based on the COSO standard. The Chief Risk Officer (CRO) appointed by the Board of Directors will lead the ERM Branch and promote the implementation of the ERM program, and the ERM Branch, including Head of Department and key business unit leaders, is responsible for supporting the CRO (see Appendix 9). In addition, the Board will oversee all risk management activities, and the CEO is essentially responsible for the ERM. Also, all employees are responsible for supporting the information and communication flows in the program.
Communication throughout the Organization
In addition to the ERM policy, there are many different ways that Apple can choose for internal communication, such as manuals, memoranda, emails, websites, bulletin board notices, and face-to-face meetings. The ERM branch will help the management to select and develop the most appropriate methods of communication in consideration of audience, purpose, and cost. Also, the ERM branch and internal auditors will periodically evaluate the effectiveness and efficiency of established communication channels.
The ERM branch will help to establish Apple’s ERM website as a company resource for information on risk and control topics and best practices, so employees can refer to these guidelines anytime. To facilitate greater understanding of ERM, employee training is necessary. This training will focus on applying ERM to routine work in different departments. Emails, newsletters, and bulletin boards will also be used to advocate ERM and to give timely notice of other risk and control issues. Upward communication is also important, and employees must have a means of reporting what is happening. Independent and anonymous reporting options, such as a whistleblowing system and hotlines, should be established and continually monitored by internal auditors.
Communication with External Stakeholders
Apple should also have two-way communications with external parties, such as customers, suppliers, regulators, external auditors, and shareholders. Information exchanges can assist in achieving objectives, improving internal controls and reducing risks. They could take the form of hard copy documents, electronic format, or face-to-face meetings. For example, Apple should collect and analyze information from customer feedback to manage product and market risks. It is also helpful to publicize the progress of Apple’s ERM through annual or quarterly reports, website postings and press conferences, so that we could increase customers’ and shareholders’ confidence in Apple. Besides, the ERM branch and internal auditors will perform periodic evaluation of the external communication to make sure that we use the optimal method to exchange high-quality information in a timely manner.
Monitoring System
Tone from the top
It is necessary for both employees and management to be aware of the importance of monitoring. Management’s behavior can influence how employees react to monitoring, and the board’s behavior can impact the management’s attitudes toward monitoring. To successfully set the tone at the top, the company can establish a Risk Oversight Committee (ROC) that specializes in monitoring the company’s operations. The Risk Oversight Committee can establish risk oversight policies, monitor the internal controls that are designed to manage risks to decide whether they are effective, and ensure deficiencies are identified and resolved in a timely manner. The establishment of the ROC sends the signal to the entire company that the board pays attention to monitoring.
Organizational structure
The company should assign proper monitoring responsibilities among all levels of employees. For instance, at the executive level, the CFO is responsible for monitoring internal controls over financial reporting, the Chief Design Officer is responsible for monitoring internal controls on product design, and the Chief Operating Officer is responsible for internal controls on business operations. Lower-level management is responsible for ongoing monitoring that provides oversight of everyday control activities performed in specific units. The company should also have evaluators from outside the area perform independent assessment, such as internal auditors and other designated groups with specialized skills that focus on monitoring in one specific area.
Monitoring procedures
Rapid technological changes
The only way for the company to cope with rapid technological changes is to keep pace with new technology and innovate its products. To ensure achievement of this objective, the company should assess its process in Research & Development. The company can first develop a monitoring plan that lists the goal and expectation, project scope and size, and project budget. Based on the monitoring plan, the project manager should monitor the status of the project on an ongoing basis and communicate with team members to ensure the project is implemented on time and within budget and expectations. It is normal for new situations to appear during the project, and the project manager should react quickly to them, discuss the available options with team members, and take actions to complete the project as expected. In addition, internal auditors can review the company’s periodic report to determine whether the capital allocated to Research & Development is properly used by the R&D department and whether related R&D expenses are recorded properly.
Fierce competition in market
To maintain the company’s leading position in the competitive market, the company needs to ensure the quality and safety of its product. When the product is delivered from manufacturing outsourcing partners, the manager should ensure that employees have verified that the products meet government regulations and the company’s requirements. The manager can carry out random and periodic inspections of verified products to determine the effectiveness of the employees’ verification process. The manager should take action to improve the process if there are any deficiencies.
The company should also provide adequate monitoring of third-party activities to reduce risks of financial loss, since it relies on the third party for applications, software, and digital content. The company should periodically review significant arrangements with the third party and assess whether the third party’s operations are consistent with the contract. A specialized group can be built to monitor the third party’s financial condition, quality of service, and relationship with the company, and to analyze whether the third party’s future growth coordinates with the company’s product development. The group should report results to the board periodically and communicate with the third party about identified deficiencies in a timely manner.
Global and regional economic conditions
To ensure that control activities for reducing financial risks are effectively implemented, the company’s CFO should monitor how credit risk, liquidity risk, investment risk, political risk, and currency risk are treated. For instance, this means assessing whether the portfolio works as expected, whether the investment policy is reasonable and effective, whether cash obligations are met on time, whether currency forward contracts effectively hedge currency risk, and how changes in political or economic policies will impact the company’s business. Internal auditors in the company should analyze financial data periodically to independently evaluate the company’s current financial risk controls, and provide insight and recommendations to improve the effectiveness of controls.
Substantial Inventory Risk
To reduce the risk that inventory might become obsolete or might exceed anticipated demand, the company should first use inventory management software that automatically keeps a record of inventory coming in and out of the company.
The software also shows the pace of inventory items moving through the company, and the inventory manager can analyze the trends based on data collected from the software and determine whether the pace of inventory moving in and out is appropriate for the current situation. To ensure that products manufactured by outsourcing partners are received on time, the company should closely monitor outsourcing partners’ activities. The inventory manager should pay attention to the promised delivery date, the actual delivery date, the quantity ordered and received, and the quality of product received to determine the reliability of each outsourcing partner. If there are unreliable partners, the company should take actions to help them improve their performance, adjust the quantity of product planned to be manufactured by them, or switch to other partners.
In addition, the company could have an independent inventory consultant review the inventory management process in an unbiased way and improve the effectiveness of the process to keep up with demand.
Key personnel leave
The manager in the HR department should evaluate the company’s contract with employees to ensure the contract includes a competitive benefit package that satisfies employees’ needs, financial incentives that encourage employees to work, and clear descriptions that let employees know how they can get promoted. The manager should then verify whether all terms in the contract are implemented for employees as expected. The manager could also monitor the effectiveness of the implementation by analyzing the turnover ratio. In addition, the company should oversee whether training projects are developed for employees to improve their comprehensive skills. Moreover, the HR manager can evaluate current hiring procedures to identify any deficiencies, and improve the procedures if necessary to hire more appropriate and qualified employees.
Outsourcing product manufacturing and logistical services
Establish acceptable service standards to determine outsourcing partners’ performance level, and set up an expert monitoring group to oversee the outsourcing process. Design more frequent assessment and monitoring for outsourcing partners with higher risk, and discuss detected problems with them in a timely manner. Implement risk mitigation plans for higher-risk partners if necessary, and conduct stricter monitoring of partners having financial, compliance and control issues. Establish procedures to monitor outsourcing partners’ financial conditions to ensure their ability to maintain their outsourcing business sustainably. The company can review their recent annual reports and financial statements, analyze trends in assets, debts, and incomes, and pay attention to any red flags that may impact partners’ future operations.
Assess outsourcing partners’ compliance with local laws and regulations, and specify in advance in contracts the compensation due to the company if they fail to comply with related laws and regulations.
Assessing and reporting results
The company can develop a database that can be accessed by internal management, auditors, and external customers to report any issues they identified about control activities and products. These issues will be prioritized and reviewed by the board and executive
management, then traced back to management in specific areas to resolve them. The board and executive management will keep an eye on them until all issues are resolved. The board should pay attention to significant issues that affect the company’s operational or financial objectives, not only take actions to resolve such issues but also come up with effective and efficient control and monitoring activities to prevent issues occurring again. Internal auditors can be helpful in improving the company’s effectiveness of risk management, control, and monitoring processes.
Appendix 8: APPLE INC. ENTERPRISE RISK MANAGEMENT (ERM) POLICY 2011
Purpose
Apple Inc. understands that its success is dependent upon the effective management of risk. Risk can either be transferred to third parties, through insurance, contracts or hedging; it can be mitigated by implementing internal risk management strategies; or it can be ignored. However, it is important to assess risks at all levels of the organization in order to effectively identify and appropriately address them. Risk management is everyone’s responsibility. Establishing the ERM Policy will guide employees in their actions and decisions in the management of Apple’s portfolio of risks. It will improve the management of existing uncertainty and the approach to new opportunities, thereby helping Apple achieve its vision and mission and maximize utilization of Apple’s available resources.
Scope and Approach
The scope of the ERM Policy is enterprise wide and is applicable to the Board, Management and employees of Apple Inc. Apple Inc. has adopted an enterprise risk management (ERM) program based on the COSO standard. An ERM Branch including Head of Department as well as key business unit leaders will ensure the ERM efforts are firmly embedded within Apple’s core business activities. The Chief Risk Officer (CRO) appointed by the Board will lead the ERM Branch and take responsibility for heading the ERM activities.
Responsibilities
Board of Directors
• Overseeing the risk management activities of Apple.
• Knowing the extent to which management has established effective ERM in Apple.
• Being aware of and concurring with Apple’s risk appetite.
• Reviewing the organization’s portfolio view of risk and considering it against Apple’s risk appetite.
• Being apprised of the most significant risks and whether management is responding appropriately.
Chief Executive Officer (CEO)
• Is the ultimate risk executive and is essentially responsible for ERM priorities, strategies, tolerances and policies.
• Aligning business objectives with risk strategies, action plans and policies.
• Settling conflicts with regards to ERM strategies and action plans.
• Must ensure that a sufficient resource of the organization is allocated in pursuing ERM initiatives, strategies and action plans.
• Reporting to the Board of Directors on a regular basis about ERM.
Chief Risk Officer (CRO)
• Establishing ERM policies, including defining roles and responsibilities and participating in setting goals for implementation.
• Promoting a culture of risk management and risk awareness.
• Guiding integration of ERM with other business planning and management activities.
• Monitoring the risk exposure and risk management activities.
• Providing timely and consistent flow of risk information to the Board and CEO.
• Providing an annual ERM performance report to the Board.
ERM Branch
• Is responsible for supporting the CRO with the development and implementation of the ERM Program.
• Developing, coordinating and communicating the ERM framework including training, and organizing the sharing of best practices across the company.
• Constantly reviewing and providing updates in the risk dictionary and ensuring that newly emerging risks are identified and included.
• Supervising the consistent execution and continuous improvement of the ERM process in their respective business functions.
Internal Audit Division
• Assisting management and the board by examining, evaluating, reporting on, and recommending improvements to the adequacy and effectiveness of Apple’s ERM.
Risk Owners
• Has the responsibility for and ownership of the assigned risks and other risks under the same functional area of responsibility.
• Identifying root causes of the significant risks, identifying and implementing relevant risk mitigation activities, and reporting on risk monitoring and management on an ongoing basis with the guidance and support of the ERM Branch.
• Overseeing the development of risk tolerances and risk management activities at the various operational units; monitoring these activities and compliance with established risk tolerances; and escalating any such instances where events could occur outside of risk tolerances to the CRO.
All Employees
• Risk management is everyone’s responsibility. All employees are responsible for supporting the information and communication flows of ERM.
Policy Review Schedule
The Policy will be reviewed annually.
Appendix 9: Apple Inc. ERM Organization Chart
Board of Directors/Audit Committee
CEO
CRO ERM Branch (Head of Department and key business unit leaders)
Senior Vice Presidents
Chief Financial Officer
Retail, Software Engineering, ......
Chief Design Officer
Chief Operating Officer
Vice Presidents
User Interface Design, Communications, Industrial Design, ......
Appendix 10
Apple Inc. ERM Project Charter
Team members:
Yuyang Cai Biying Zhuge Zheng Yan Hongfeng (Oliver) Guo Jiaqi Li Ziwei Zhu Xiaochen Ma Zixuan Wu
PART 1: CREATING A CLEAR & ENGAGING DIRECTION
Team Objectives and Goals
1. What is the overall purpose of the team?
Learn, develop, and apply ERM concepts, tools, and skills through simulation.
2. What are the specific objectives and goals for the team? That is, what outcomes or results do you want to accomplish?
Establish and implement the ERM function for Apple beginning from 2011 to present day. Simulate the process of planning, implementing and operating the ERM for Apple. Predict the proposed future state and process after ERM functioning.
3. Who are the major stakeholders for the team? That is, who are the primary groups of people outside your team that you must pay attention to, keep happy, influence, etc.?
a. Audiences: other classmates listening to our presentation.
b. The professor who evaluates our project.
c. Apple investors and employees.
4. What results are expected from the team by each of your major stakeholders? How will you keep each of these stakeholders informed about what you’re doing?
a. The audience wants to see some special features or attractive points that differ from common cases. To achieve this objective, we will give a presentation that stands out from other groups. Besides, we will try to analyze the case from several perspectives so that the audience will gain some unique information.
b. The professor would like to see a complete and competitive project report which has an effective ERM. In addition, the professor wants to see our improvement in leadership skills as well as communication skills. Therefore, we will submit our detailed project plan and status report, and make an excellent presentation to show the professor our progress.
c. We will provide a comprehensive ERM project report to Apple’s investors and employees.
5. How will you measure the success of your project? In other words, what tangible outcomes would you cite to indicate that your team accomplished its goals?
The success of our project depends on whether we find specific risks for Apple and on the way we assess these risks. It also depends on how the ERM is structured, and on whether the risks we found are successfully managed after the implementation of ERM. In addition, the grades gained from the professor for both the presentation and the report, feedback collected from other classmates after our presentation, and peer evaluation from each other will indicate the performance of our team.
PART 2: UNDERSTANDING & EFFECTIVELY USING MEMBERS’ STRENGTHS
Team Member Name
What project-relevant knowledge and experience does this person possess? Who or what w hat do they th ey know that will help the team?
What are the unique strengths of this person (as you know kno w them so far)?
How can our team best b est utilize utili ze this expertise and set of strengths?
She is familiar with the team leading, which helps team achieve each milestone, resolve any conflicts within the team,keep the group project work under an appropriate timeline, and ultimately present competitive deliverables.
She is familiar with collaborating with others and helping others.
She is responsible for leading the team through assigning different tasks controlling project process, keeping every team member updated, and controlling the deliverables quality.
She is skilled in business writing and familiar with ERM concepts.
She is good at listening to alternative ideas and perspectives and integrating the contributions of different team members.
She is responsible for clarifying our group objectives and integrating the ideas of others at group meeting. Also, she will summarize our group's discussions for each meeting and make conclusions in the report.
She is good at strategic planning, business process analysis and presentation.
She is detail-oriented and skilled in problem solving. She is good at giving constructive suggestions and integrating different ideas. Also, she is a good mediator and tries to seek consensus.
She is responsible for defining group mission, completing part of analysis, and reviewing the integrity of the final report. In addition, she will become the mediator of our team and deal with conflicts.
Yuyang Cai
Biying Zhuge
Zixuan Wu
Ziwei Zhu
She is familiar with the internal control framework and good at collecting information and research material from different resources.
She is good at analyzing information and considering issues from various perspectives. She is good at listening to others and sharing her opinions with others.
She is responsible for collecting relevant information and material. Besides, she will help write the final report.
She is familiar with risk assessment knowledge and is good at searching project related information.
She is adept at getting team members to finish tasks in a timely manner. She is good at properly adjusting the tasks in response to team members’ constructive suggestions.
She can help apply searched information to the project, adjust task contents if needed, and write the report.
She is good at analyzing and identifying enterprise’s risks. In addition, she is good at sorting information and resources.
She is motivated to shoulder her responsibilities, and good at communicating and collaborating with other teammates to work toward the common goal.
She will help set up a detailed time frame for the team to finish the projects step by step, and she will help write the final report.
She is good at risk classification, which means she can find out the kind of risk in the project and find how the ERM frame can work with the risks.
She is good at communicating with group members and cooperating with them.
She is responsible for finding risks in the project and finding how the ERM frame works with those risks, and she will also write the final report with other team members.
Xiaochen Ma
Jiaqi Li
Zheng Yan
Hongfeng (Oliver) Guo
He is good at problem solving and creating control activity, which means he is able to set up a new and efficient system to monitor those activities to mitigate the possibilities of risks.
He is good at providing new ideas, communicating and collaborating with other group members. He also pays attention to every detail.
His responsibility is to identify each event and judge whether it is an opportunity or a risk and, beyond that, how those opportunities or risks will affect our ability to achieve objectives.
PART 3: ESTABLISHING TEAM RESPONSIBILITIES, ROLES, & NORMS
Team Responsibility Matrix
Action Items and Team Tasks
What roles & duties will be needed to complete this item? Which members will have responsibility for these roles/tasks? (It’s best to assign members responsibility based on unique strengths they bring to the team.)
What expectations will the team hold for the member(s) responsible for this item or task? (Be specific & include measurable expectations such as time frames for specified deliverables)
Collect relevant information and determine milestones and ERM organization chart of the project.
Detail-oriented research skill is needed. Every team member should gather information and share research outcomes with other team members.
Have a brief understanding of background and current situation of Apple. Have milestone timeline and ERM organization chart. Due date: Sep 15, 2017
Internal Environment
Understand the general culture, values and environment in which Apple operates, as they relate to risk management.
Establish risk management philosophy and risk appetite. Assign the board of directors to oversight.
Zheng Yan will be responsible for this part.
Set business objectives and identify drivers of each objective.
This item is the whole picture of the projects. Identifying objectives will help the team find out Apple’s exposed enterprise-wide risks and conduct further analysis. Yuyang Cai will be responsible for this part.
Event identification
Identify events that either provide opportunities or pose risks to achieve objectives. Hongfeng (Oliver) Guo will be responsible for this part.
Strategic, operations, reporting and compliance objectives will be identified, and the drivers of objectives and risk tolerance will be determined. Due date: Sep 17, 2017
Five types of events should be given: a. economic events; b. natural environment events; c. political events; d. social events; e. technical events. Due date: Sep 24, 2017
Conduct risk assessment, and identify priority risks.
Risk assessment involves the recognition of risks and the rating of them to determine the significant risks facing the organization, project or strategy.
Identify the risk universe and establish the risk priority. Identify an appropriate risk model for Apple. Due date: Sep 19, 2017
Zixuan Wu will be responsible for this part.
Plan risk response.
In this part, different response options are examined (accept, reduce, share, or avoid), cost-benefit analysis is performed, a response strategy is formulated, and risk response plans are developed.
Select appropriate responses based on impact and likelihood levels of the risks (avoid, share, reduce, accept). Due date: Sep 23, 2017
Jiaqi Li will be responsible for this part.
Determine control activities.
The team should design control activities to achieve objectives and respond to risks. Control activities are performed at all levels of the company and at various stages within business processes. They may be preventive or detective.
Review control policies and procedures. Classify the control activities into different categories and give suggestions for improvement. Due date: Sep 24, 2017
Ziwei Zhu will be responsible for this part.
Information and communication
This part requires establishing both internal and external communication channels to support Apple’s enterprise risk management. Biying Zhuge will be responsible for this part.
Establish monitoring system
Establish an appropriate communication process that ensures relevant, accurate, and timely information is available to individuals at all levels. Due date: Sep 26, 2017
Ongoing evaluations, separate evaluations, or some combination of the two are used to ensure the ERM is functioning. Xiaochen Ma will be responsible for this part.
Ongoing monitoring process is conducted during the analyzing process. The results of the process should be delivered. Due date: Sep 26, 2017
Give out status report and presentation.
Every team member will be responsible for completing the status report before the deadline and making the presentation.
Status report and presentation should be aligned with the requirements of the Group Project Description. Due date: Sep 27, 2017
Give out formal report and final presentation.
Every team member will contribute to the formal report and presentation.
Formal report and final presentation should be finished in a complete and well-organized way. Due date: Oct 10, 2017
PART 4: TEAM NORMS
Meeting Norms – Expectations include when, where, and how often to have team meetings. What is expected of members with regard to attendance, timeliness, and advance preparation? What is the desired balance between work and fun during meeting times?
Meeting norms for team:
1. We will meet every Saturday/Sunday at McKeldin library. The meeting will be about 2 hours, depending on the situation.
2. We will prepare for each meeting and come ready to engage.
3. We will begin and end our meetings on time and stay fully engaged throughout each meeting.
4. We will be patient when listening to others speak and will not interrupt them.
5. Everyone is responsible for helping to stay on topic. Speak up if you feel like we’re getting off track.
Work Norms – Expectations involve firmness and explicitness of standards & deadlines, how equally effort & work should be distributed, how & by whom work will be reviewed, and what consequences will result if members do not follow through on their commitments.
Working norms for team:
1. Everyone is responsible for observing the norms and meeting the deadlines.
2. The leader will assign tasks to team members as fairly as possible, and will review the results.
3. If there are problems or concerns about the work arrangement, team members can talk to the leader or mediator.
Leadership Norms – Expectations include whether a leader is desired and who that will be, if and how leadership will be rotated or shared, responsibilities for leaders, and how to keep the leader from taking on too much responsibility.
Leadership norms for team:
1. Yuyang Cai is our team leader and is responsible for the successful completion of our project. She will take responsibility for creating an inspiring team environment with an open communication culture. She will also clarify the team goals, delegate tasks and set deadlines. In addition, she will ensure smooth team operations and effective collaboration.
2. To keep the leader from taking on too much responsibility, Jiaqi Li will become our timekeeper and will keep the group aware of time constraints and deadlines; the recorder, Biying Zhuge, will take notes summarizing team discussions and keep all necessary records; the mediator, Zixuan Wu, will deal with conflicts and help to reach consensus.
Communication Norms – Expectations center on when communication should take place (i.e., what issues require full-team versus individual-members-only communication), who is responsible for initiating contact, preferences for how often and through what media (phone, email, etc.) communication should occur as well as procedures for raising difficult issues or negative feelings about the team or members (including how mid-term & final team member evaluations will be handled).
Communication norms for team:
1. We will communicate by WeChat and email whenever we have questions. We can use the “Discussion Group” in WeChat to conduct both full-team and individual-members-only communication.
2. The leader is primarily responsible for initiating contact, and everyone needs to actively participate in discussion.
3. If members feel they cannot talk about issues or concerns during group discussion, they can talk to the leader about their issues in private.
Consideration Norms – Expectations center on how much effort members will make to: express disagreements tactfully or diplomatically, respect or incorporate minority viewpoints, avoid inflammatory language or accusations, and share honest perspectives (even if these are unflattering). What procedures will be used to resolve disagreements (e.g., majority rules, consensus, flip a coin)? They also include the extent to which members will undertake positive efforts to congratulate each other and recognize each other’s accomplishments.
Consideration norms for team:
1. The leader will make sure all voices are heard, and the mediator will help to deal with conflicts.
2. Everyone should be willing to support a team consensus.
3. Everyone should present in a positive manner and treat members with respect.
4. Don't make threats or rude comments to members.
5. If there are any problems or concerns, talk to the leader before or after the meeting and separate your own personal feelings from what’s best for the team.
6. Everyone will undertake positive efforts to congratulate each other and recognize each other’s accomplishments.
We have all participated in developing our team’s charter and agree to adhere to the principles in this charter both individually and collectively.
Name: Yuyang Cai    Signature: Yuyang Cai
Name: Zixuan Wu    Signature: Zixuan Wu
Name: Jiaqi Li    Signature: Jiaqi Li
Name: Biying Zhuge    Signature: Biying Zhuge
Name: Ziwei Zhu    Signature: Ziwei Zhu
Name: Xiaochen Ma    Signature: Xiaochen Ma
Name: Zheng Yan    Signature: Zheng Yan
Name: Hongfeng (Oliver) Guo    Signature: Hongfeng (Oliver) Guo
Appendix 11
ERM Development Timeline
Apple Corp 2011-2017
Columns: Phase; Task #; Task Description; Deliverables; Year One (monthly, Jul 2011 to Jun 2012); Year Two - Six (monthly, July to June)

Phase: Information Gathering and Planning
Tasks:
Identify risk assessment and/or risk management activities currently in practice/use
Identify an appropriate risk model for Apple Inc., develop ERM project plan, and define key deliverables (include risk assessment plan)
Identify leadership for ERM process, and define ERM organization
Obtain Management and Board approval for risk model, ERM organization, and ERM and risk assessment plans
Deliverables:
Risk Baseline info for organization
Draft: Risk Model/Universe, ERM Plan, Risk Assessment Plan
ERM organization chart
Approved: Risk Universe, ERM Organization, ERM Plan, Risk Assessment Plan

Phase: Risk Awareness and Assessment
Tasks:
Establish risk language and develop risk assessment documentation and training materials
Conduct risk assessment interviews with key members of management - Identify relevant risks for risk assessment.
Hold risk awareness session(s) with Senior Management and the Audit & Finance Committee of the Board
Hold risk assessment training sessions with identified participants in the risk assessment
Execute risk assessment
Review and revise risk priorities (with input from ERM management, risk assessment participants and executive management), and prepare presentation of the results to the Board and executive management.
Present the results of risk assessment, including associated action items and next steps, to the BoD.
Deliverables:
Risk listing with definitions, and risk awareness and assessment training materials
List of risks for risk assessment (with linkage to objective(s))
Preliminary list of prioritized risks
Prioritized list of risks, linked to owner(s) in the Organization, identified actions required (Including goals for improving risk management for the top key business risks and risk response); and Risk assessment presentation
Additional action items, if deemed appropriate, by the Board

Phase: Policy Setting and Initiating of Process Monitoring
Tasks:
Prepare, review and approve ERM policy
Review and incorporate results of internal control assessments and self-assessments, as well as the results of internal audits/evaluations/investigations and other reported observations (e.g. regulators, external auditors, etc.) in the risk assessment.
Follow-up open action items
Risk Monitoring
Deliverables:
ERM Policy
Risk prioritization data
Status report and updated open action items.
Alerts and Monthly reports on observed performance/conditions versus defined Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs), with explanations for significant changes to prior month, misses on budget, etc.

Phase: Following years
Tasks:
Reassess Risk Management process and policy, and make changes, when/if appropriate.
Execute risk assessment - Facilitated sessions/workshops to identify, analyze, and prioritize key risks and RM techniques/strategies
Review results and presentation with the Management and internal audit, and revise as appropriate
Present the results of risk assessment, including associated action items and next steps, to the BoD.
Internal control assessments and self-assessments
Internal control self-assessments
Review and incorporate results of internal control assessments and self-assessments, as well as the results of internal audits/evaluations/investigations and other reported observations in the risk assessment.
Follow-up open action items
Risk Monitoring
Deliverables:
Updated ERM Policy & Procedures
Risk prioritization data
Risk assessment presentation
Risk assessment presentation
Management assessment and Opportunities to improve controls
Risk prioritization data
Status report and updated open action items.
Alerts and Monthly reports on observed performance/conditions versus defined Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs), with explanations for significant changes to prior month, misses on budget, etc.

Legend: Enterprise Risk Committee; Apple Inc. Controls; Enterprise Risk Working Group; Risk Owners