1. Succinctly state an example of the “tipping point of a material consequence”

1. Succinctly state an example of the “tipping point of a material consequence” for a natural disaster impacting a manufacturing plant.
2. Explain why problem, risk, or opportunity impact to free cash flow as measured in net present value is a good primary measure for corporate decision-making regardless of industry.
3. The CEO of your company is concerned about cyber security and has asked you to perform a “breach of customer data” risk assessment. Beyond the costs of resolving the technical concerns, a breach of customer data will create potentially several unplanned costs such as: (1) forensic examination; (2) notification of customers and third parties; (3) increased call center costs; (4) public relations costs; (5) legal defense and potential settlements; and, (6) federal or state fines, penalties, and potential required future audits.
You worked with the Director of Security to perform the risk assessment and your summary of the risk assessment is the following. The Director of Security believes there is only a 5% chance over the next three years of a breach of customer data. However, if a breach of customer data occurs the 10-50-90 range of impact to the company as measured in net present value is -$100M, -180M, and -250M respectively.
The IT organization has suggested an intervention to reduce the likelihood of a breach of customer data that would cost $25M in capital ($15M in 2021 and $10M in 2022) and $600,000 in expense ($400,000 in 2021 and $200,000 in 2022). The Director of Security believes this would reduce the chance of a breach of customer data to as little as 1% over the next three years. Unfortunately, the range of impacts given the breach occurs remains the same. Adjusting for the cost of the IT intervention, the 10-50-90 range of impact to the company as measured in net present value is -$122.44M, -202.44M, and -272.44M. The company’s risk-free discount rate is 7%.
a) What is the expected NPV impact (expected risk liability) before implementing the IT intervention?
b) What is the expected NPV impact (expected risk liability) after implementing the IT intervention?
c) What is the present value of the IT intervention?
d) What is the investment productivity of pursuing the IT intervention?
e) Should they invest in the IT intervention? If yes, explain why?
4. You have completed an enterprise risk management (ERM) “First-Filter” risk assessment identifying 85 risks across the corporation. The Chief Risk Officer (CRO) requested three “Second-Filter” ROI analyses including: (1) Manufacturing Contamination Risk; (2) Geopolitical Risk; and, (3) Cyber Security Risk. You have performed the three “Second-Filter” analyses yielding the following table of results.
a) Sketch the Investment Productivity Curve (including the numerical values on the axes).
b) What recommendations do you provide the CRO regarding which risks to pursue with mitigation investments and the overall risk mitigation budget?