e-Risk Management

Rick

I spoke with Mr. Causey this morning and moved over here. We have been
working with your IT people on security but this is a new practice for
us that we are having great success in the energy companies. As we have
worked with more companies on the finance side of businesses we have had
to eliminate the IT terms so it makes a lot more sense to Risk Managers
now.

e-Risk Management starts with a way to manage the risks of e-commerce
such that these risks are understood from the technologists to the board
room and you can manage it.

Since this is such a new and radically different concept I have found
our literature confuses more often than it helps. It has some basic
tenants that are straight forward that can be presented and understood
but are not easy to write down. It is not a product.

First, we are going to define risk as the potential reduction in assets
from the threats of e-commerce. Now, you have more intangible assets
than tangible assets so that we have mastered. So this discussion is on
the asset management side and is a key concept to understand. Everything
else is based on that. Often we get in an income vs. balance sheet
discussion. In your case you have $11B in book value and $27B in market
value so you have $16B in intangible assets. There are two things to do
with these assets 1) protect them as you become e-commerce enabled and
2) figure out how to leverage and grow them with e-business. So this is
where we start.

On the protection side e-commerce threats will come two ways. Your
largest threats are going to be on transactions, like trading, asset
acquisition or payments. Other threats will come from vulnerabilities in
your network. So this is both in trading, business strategy and
Information technology. That is the e-Risk management side.

On the growth side once we and you allocate these $16B of intangible
assets to categories, strategies can be built to grow selected areas. Of
course, fixed IT assets have a high need to be leveraged also.
Approximately 25% of your IT budget is managing boxes ( fixed assets)
that has no competitive value. That is what we are doing at Chevron.

For protection you can throw an infinite amount of technology dollars at
the e-commerce security requirement and not eliminate the risk (if you
pin your technology people to the wall they will finally admit this).
However, once you have e-Risk Management you can manage the costs of
technology and risk to what we call "The Most Favored Case" investment.
Companies have found this e-Risk concept should be completed before a
security policy is developed because until you do understand the asset
risk you don't know what to write a security policy to do.

Let me know if you need more. Many energy companies, especially the
utilities, have added e-Risk to Risk Management. Many recognize e-Risk
as the biggest going forward. This is aimed at getting that elevated
Risk Management concept under way.

Normally we would like to come in for an introduction meeting ( 1 1/2
hours) to get the basic concepts covered and then talk about what our
e-Risk Practice does. We are at Keller Springs and the Tollway in North
Dallas if you wanted to come here.

Thanks.

Bill Reid
Director of Business Development
Office 972-770-7820, \Mobile 972-814-4678
www.us.syntegra.com