Cinemark Holdings Inc.: Simulated ERM Program
Ben Li, Assistant Vice President of Compliance, is assigned the responsibility of developing an ERM
program at Cinemark Holdings Inc. (CHI). Over the past year, Ben has put in place the following ERM
activities:
Risk Identification and Assessment
The risk identification and assessment process steps are as follows:
1) Conduct online surveys of the heads of the 10 business segments and their 1-2 direct reports (15 people) and their mid-level managers (80 people). Exhibit 1 shows the instructions that are included in the online survey. Exhibit 2 shows samples of the information collected from the online survey.
2) Each of the 10 business segments separately organizes and compiles the results of the online survey. They typically compile a robust list of 70-80 potential key risks. Each business segment then prioritizes their top-5 risks and reports them to Ben Li, resulting in a total of 50 key risks (a partial sample of the top-50 risk list is shown in Exhibit 3).
3) A consensus meeting is conducted where the 50 risks are shared with the top 10 members of senior management in an open-group setting at an offsite one-day event. The 50 risks are each discussed one at a time, after which the facilitator has the group collectively discuss and score them for likelihood and severity. The risk ranking is calculated as the likelihood score plus the severity score; the control effectiveness score is used to determine if there is room to improve the controls and is used in the risk decision making process step. The top-20 risks are identified as the key risks to CHI and are selected for additional mitigation and advanced to the risk decision making stage. A Heat Map (see Exhibit 4) is provided to assist in this effort.
4) The 30 risks remaining from the 50 discussed at the consensus meeting are considered the non-key risks, and these are monitored with key risk indicators to see if, over time, either the likelihood and/or severity is increasing to the level which would result in one of these being elevated to a key risk.
Risk Decision Making
Ben Li formed a Risk Committee to look at the risk identification and assessment information and to
define CHI’s risk appetite and risk limits, which were defined as follows:
Risk Appetite
CHI will maintain its overall risk profile in a manner consistent with our mission and vision and with the
expectations of our shareholders.
Risk Limits
CHI will also avoid any individual risk exposures deemed excessive by its Risk Committee; the individual
risk exposures will be determined separately for each key risk. CHI has zero tolerance for risks related to
internal fraud or violations of the employee code of conduct.
Ben Li expanded the role of the Risk Committee to also select and implement the risk mitigation for each
of the 20 key risks, at the same time as the committee determines the risk limits. The committee defines
the risk limit for each key risk as the level that would lower the risk’s ranking to the level of a non-key
risk. In addition, the Risk Committee designates Executive Risk Owners for each of the 20 key risks,
whose role is to continue to report information on risk exposures to the Risk Committee and to lead
efforts to implement the risk mitigation determined by the Risk Committee.
Risk Reporting
The Risk Committee and the CHI Board of Directors periodically receive updates of the following items:
1) Heat Map (see Exhibit 4)
2) Definition of risk appetite and risk limits
3) Key Risk Dashboard; an example is shown below:
Key Risk Dashboard
Risk Description: Employee turnover due to increased dissatisfaction with their work conditions (long shifts, low compensation, etc.)
Executive Risk Owner: Natalie Turner (head of HR); Mike Bronner (head of Corporate Wellness)
Risk Mitigation-in-Place:
1) Employee complaints hotline (document HR-65)
2) Incentive compensation guidelines (document HR-10-1.2)
Control Effectiveness Score: 3 (Prior score N/A*)
Risk Identification and Assessment:
Business Segment: XD Theatres - Domestic
Likelihood Score: 3 (Prior score N/A*)
Severity Score: 2 (Prior score N/A*)
Key Risk Indicators:
1) Number of employees quitting yearly
2) Number of complaints received through employee hotline
3) Salary of employees in same industry
* This is the first ERM process cycle, so no prior scores are yet available.
There are no other ERM-specific reports generated at CHI.
EXHIBIT 1: INSTRUCTIONS FOR RISK IDENTIFICATION AND ASSESSMENT ONLINE SURVEY
1) Provide a list of all key risks to your area(s) of responsibility; in considering the risks, please include risks from any of the following types of risk: human resources; technology; disasters; compliance; reputation risk; process risk; litigation; external fraud; market risk; credit risk; and liquidity risk.
2) For each risk, please do the following:
a. Score the likelihood and severity using the L/S scoring criteria below
b. Identify the risk owner(s) responsible for assuring effective risk controls
c. List the controls or mitigation-in-place
d. Score the control effectiveness using the C/E scoring criteria below
e. Describe any post-risk-event action plans
f. List the internal historical events that have occurred related to this risk, their impact on CHI, and the effectiveness of controls at that time
L/S Scoring Criteria
Score | Chance of Occurring (within the coming year) | Score | Severity Score (Loss in Company Value*)
5 | ≥20% | 5 | ≥10% ($440M)
4 | ≥10% and <20% | 4 | ≥5% ($220M) but <10% ($440M)
3 | ≥5% and <10% | 3 | ≥2% ($88M) but <5% ($220M)
2 | ≥2% and <5% | 2 | ≥1% ($44M) but <2% ($88M)
1 | <2% | 1 | <1% ($44M)
* Assume CHI market cap is $4.4B and use this as a proxy for company value; company value is what we are worth if we achieve our baseline strategic plan.
C/E Scoring Criteria
Score Control Effectiveness Score
5 Optimized: Part of an integrated risk control framework with continual updates and dynamic ability to identify and remediate in real time
4 Monitored: Individual controls are in place with periodic updates, with most remediation needing to be done manually by management although there is some dynamic automation in place to identify and remediate
3 Standardized: Controls exist and are documented but there is no consistent system in place to identify and remediate when controls become ineffective
2 Informal: Controls exist but are not consistently documented and maintaining effective controls depends on informal or ad hoc actions by management
1 Unreliable: Controls do not exist
EXHIBIT 2: SAMPLE OF INFO COLLECTED FROM RISK ID & ASSESSMENT ONLINE SURVEY
Example of one risk provided by one survey participant:
Business Segment: XD Theatres - Domestic
Risk: Employee turnover due to increased dissatisfaction with their work conditions (long shifts, low compensation, etc.)
Likelihood Score: 3
Severity Score: 2
Executive Risk Owner(s): Natalie Turner (head of HR); Mike Bronner (head of Corporate Wellness)
Controls in Place:
1) Employee complaints hotline (document HR-65)
2) Incentive compensation guidelines (document HR-10-1.2)
C/E Score: 3
Post-risk-event action plans:
1) Employee Assistance Program (EAP) (document HR-81)
2) Employee health and wellness training (document HR-90)
3) Training procedures for new employees (document HR-98)
Past events, their impact, and control effectiveness: Summary and Detailed Reports available upon request (contact Risk Owners)
Total Qual Score: 5 (3 + 2)
EXHIBIT 3: PARTIAL LIST FROM Top-50 RISK LIST
Risk # Description
1 Technology failure in displaying Star Wars: Secrets of the Empire at the Orlando VOID theatre, resulting in viral customer tweets discouraging people from trying out virtual reality theatres
2 Unexpected poor performance of a major film release, resulting in $20M revenue loss
3 Reputational damage resulting in $100M revenue loss
4 Worse-than-expected tornado season impacts Texas
5 Tampering with, and theft of, electronic data
6 Inability to meet CHI's long-term lease and debt obligations (which amount to approx. $1.8B)
7 Unexpected design flaw in the seats of D-Box theatres, resulting in $30M of repairs
8 Unexpected changes in foreign exchange rates
9 Unexpected increase in minimum wages
10 Unexpected lawsuit related to alleged violation of U.S. Food and Drug Administration requirements on nutrition labeling of certain menu items
11 Unexpected ransomware attack on advertising servers at 50 major theatres, resulting in devastating reputational impact
12 Unexpected rise of political instability in Latin America
13 Unexpected delay in the release of movie “Godzilla: King of the Monsters” (planned release: May, 2019)
14 Mass shooting in a major Cinemark theatre, resulting in a $15M loss in sales
15 Unexpected decrease in the production of new films
16 Unexpected innovation introduces disruptive alternative film distribution channel, lowering theatre demand by 20%
17 Unexpected changes in film rental fees, resulting in a $15M increase in expenses
18 Lawsuit stemming from alleged violation of ADA regulations
19 Unexpected turmoil in equity market, resulting in $50M loss
20 Disgruntled employee leaves CHI and steals personal customer information
Etc. Etc.
EXHIBIT 4: HEAT MAP
[Figure: heat map plotting Risk 1 through Risk 50 by Likelihood (horizontal axis, 0 to 5) and Severity (vertical axis, 0 to 5). The plotted position of each risk is not recoverable from the text.]