Enterprise Risk Management ~ The Pathway for Assuring the Achievement of Corporate Vision
Nik Mohd Hasyudeen Yusoff, Executive Chairman, KHR Business Advisory Sdn. Bhd., 21 December 2006
Agenda
• Strategic Objectives and Risks
• The Concept of Enterprise Risk Management (ERM)
• Steps in Implementing ERM
• The Role Play in Making ERM Work
Strategic Objectives and Risks
• The underlying premise of Enterprise Risk Management (ERM) is that every entity exists to provide value for its stakeholders.
• Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives.
• For governmental agencies, the purpose of their creation goes beyond providing financial returns.
• The balancing between commercial aspects and people’s expectations makes realising strategic objectives more challenging.
• That’s why the GLCs need so many books!
[Diagram: Cascading Strategy into Action: Vision and Mission → Strategic Objectives → Programmes and Projects → Outcome, with feedback flowing back at each stage]
• The next question then is, what is RISK?
• Is “risk” all bad?
[Survey charts: Mark Beasley, North Carolina State University, 2004 Survey. Slide title: Disconnect]
[Diagram: Inovastra Risk Model: Potential Areas of Risks to Organisations]
• Some examples of Strategic Risks
– A property development company plans to develop link houses surrounding a beautiful natural lake (Demand risk)
– A scientific research agency sets up an education institution offering business courses (Competition risk)
– An agency enters into a business in which it has no expertise (Capability risk)
• Some examples of Other Risks
– A deposit-taking company promises a fixed return to investors when its investment generates fluctuating returns (Financial ~ Market risk)
– A company sets a new strategy that requires people with a different attitude and mindset (Operational ~ People risk)
– An entity invests in new information technology infrastructure without considering potential changes in technology (Operational ~ Technology risk)
• Some examples of Other Risks
– An agency entered into a joint venture and relied on the joint venture partner to draft the joint venture agreement (Compliance ~ Contractual risk)
– A company has to provide for huge impairment losses as its fleet of vessels is no longer allowed to transport certain cargo due to changes in maritime rules (Compliance ~ Regulatory risk)
– A company which certifies its products as HALAL is involved in corrupt practices (Compliance ~ Corporate values risk)
• Full service • Convenience • Full of legacy • Government linked company
versus
• Low cost • Price driven • New start-up (technically) • Privately controlled
There are also situations where multiple risks are involved:
[Diagram: Politics, Economy, Education, Society, Technology, Environment and Spirituality acting on the Organisation at Global, Regional and National levels]
The world keeps on changing!
Technology
• Keeps changing and changing very fast!
• New products and services
• New way of doing business
• Increased production efficiency and effectiveness
• New markets
• New threats
Economy
• More open and globalised economy
• Movement from a production-based to a service-based economy, driven by knowledge capital
• Intangible (intellectual) assets are the main value driver for business, though not easily measured
• Companies becoming less “nation” based
• 9MP introduces the “regional” concept of development
Education
• Driver of intellectual capital – Knowledge Workers
• Global-based education standards
• Shorter lifespan of knowledge, 12 months for IT!
• Continuous re-education is the way forward
• What matters is “What do you do with the knowledge you learned?”
Environment
• Matters to a lot of people now – Corporate Responsibility Reporting
• Environment-based compliance standards – Eco Labelling
• New “barrier” to trade
Society
• It’s all about people, remember Enron, WorldCom?
• Public views are easily influenced through digital media
• Society with global values? – War on terrorism, Freedom of expression
Politics
• A shift in political direction would have an impact on the business environment
• Globalisation of political issues?
• Influences the level of transparency in business dealings
Spirituality
• The Islamic financial market is an example of the influence of spirituality on business
• Ethical funds
• Cuts across borders, based on people’s beliefs
The Concept of Enterprise Risk Management
How do organisations manage their risks? Stages of maturity, in increasing order of value added for organisations (Mercer Oliver Wyman analysis, modified):
I. Risk management equals buying insurance
II. Regulators are demanding risk management activities
III. We need a sustainable process to monitor all risks
IV. We need to know the economic impact of our largest risks
V. Risks need to be quantified comprehensively
VI. Shareholders demand a risk/return framework
VII. Decision making across the firm is linked to building economic value
[Diagram, source: Protiviti Inc.]
[Diagram: Strategic/Market Risks, Operations Risks, Finance Risks, Human Capital Risks, IT Risks, Reputation Risks and Legal Risks shown as separate silos]
Risks are managed in silos; each business unit or entity manages only its own.
[Diagram: the same risk categories brought under an Enterprise Focus on Risks, leading to Value Creation and Preservation]
Risks are managed on an integrated basis.
• Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Source: Enterprise Risk Management – Integrated Framework, COSO
• Enterprise – Not just a selected “silo” of risks
• Process – Ongoing, living, systematic
• Consideration of risk on a portfolio basis
– Collection of risks
– Interactions of risks
• Done to enhance entity value
– Heavily integrated with business strategy
• Focus is on a coordinated programme for identification, measurement, assessment, and response to risks, primarily across 2 dimensions
– Probability (Likelihood)
– Criticality (Consequence)
• Key part of the entity’s corporate governance
– Responsibility of senior management and board
– Pushed down to key business segment management
• How does ERM enhance Value?
– Aligning risk appetite and strategy ~ management considers the entity’s risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks
– Enhancing risk response decisions ~ ERM provides the rigor to identify and select among alternative risk responses – risk avoidance, reduction, sharing and acceptance
– Reducing operational surprises and losses ~ Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses
– Identifying and managing multiple and cross-enterprise risks ~ ERM facilitates effective response to the interrelated impacts, and integrates responses to multiple risks
– Seizing opportunities ~ By considering a full range of potential events, management is positioned to identify and proactively realise opportunities
– Improving deployment of capital ~ Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation
Steps in Implementing ERM
[Diagram: the COSO ERM cube: eight components of ERM, considered at all levels of the enterprise, through which ERM helps the entity achieve objectives across the objective categories]
The eight components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring.
• Internal Environment
– Foundation of the other components of ERM. Sets the management philosophy, risk appetite, the composition and role of the board, corporate values and culture.
– Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value.
• Objective Setting
– Objectives must exist before management can identify potential events affecting their achievement. ERM ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
– Risk tolerance is the acceptable level of variation in the achievement of objectives.
• Event Identification
– Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channelled back to management’s strategy or objective-setting process.
• Risk Assessment
– Risks are analysed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and residual basis.
• Risk Response
– Management selects risk responses – avoiding, accepting, reducing or sharing – developing sets of actions to align risks with the entity’s risk tolerance and risk appetite.
• Control Activities
– These are policies and procedures that are developed to ensure the risk responses are carried out. These activities occur throughout the entity, at all levels and in all functions. They include approvals, authorisations, verification, reconciliation, review of performance, performance indicators and segregation of duties.
• Information and Communication
– Relevant information is identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities, flowing down, across and up the entity.
• Monitoring
– The entirety of ERM is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations or both.
How a Risk Profile Matrix Works
[Diagram: matrix of Likelihood of Occurrence of Risk (Low to High) against Potential Impact of Risk (Low to High), with individual risks plotted as X marks]
Annotations on the matrix:
• Key Focus Area: ensure actions are in place to mitigate the risk; develop plans to allow a quicker recovery; monitor progress of action plans
• Monitor to ensure that the risk profile does not increase and that the cost of mitigation is not excessive
• Monitor changes to risks and evaluate implications
• Case Study I
– Strategic objective: Increase rate of research commercialisation
– Risk: Research commissioned does not meet the needs of industry
– Assessment: High risk ~ no consideration of market demand in research approval
– Response: Reduce risk by changing the process of research approval
– Control: Head of business development included in research approval committee
– Communication: Change of process communicated to all relevant parties, including potential customers
– Monitoring: Nature and number of research and commercialised research monitored quarterly by the Board
• Case Study II
– Strategic objective: Increase market share of a new product by increasing sales on credit
– Risk: Increase in bad debts
– Assessment: High risk ~ no data on consumer behaviour in view of the new market
– Response: Reduce risk by enhancing the credit evaluation process*
– Control: Only potential customers with income exceeding RM 2,000 will be given credit
– Communication: Salespersons are required to inform potential customers of the conditions
– Monitoring: Debts exceeding 30 days are reviewed by the Head of Credit
* An entity with a higher risk appetite may accept this risk
• Implementing ERM: it is an evolution, not a revolution! For example:
Phase 1: Assessing the current state
– Risk identification
– Risk assessment
– Risk management capabilities
Phase 2: Developing the ERM Framework
– Infrastructure
– Risk policies and procedures
– Technology
– Communication and reporting
Phase 3: Implementing ERM
– Integrate ERM into existing risk management processes
– Integrate risk management into strategic planning, budgeting, performance measurement etc.
– Integrate risk management into the entity’s culture
– ERM software integration
• Key Success Factors
– Commitment from the leadership
– Consensus on the vision for the future
– Well defined and communicated plan
– Realistic goals and timeframe
– Quick early wins to gain support and confidence
– Integration with key processes: Strategic Planning, Investment, Performance appraisal
• Pitfalls
– Implementing ERM without a strategic plan
– Lack of visible, active support from the CEO
– Implementing ERM as a part-time job
– Treating ERM as a project rather than a long-term journey
– Lack of integration with strategic planning, budgeting etc.
– Failing to realise the need for change management
– Lack of leadership and passion
The Role Play in Making ERM Work
• Board
– Provides important oversight of ERM by:
• Knowing the extent to which management has established effective ERM
• Being aware of and concurring with the entity’s risk appetite
• Reviewing the entity’s portfolio view of risk and considering it against the entity’s risk appetite
• Being apprised of the most significant risks and whether management is responding appropriately
• Management
– Management is directly responsible for all activities of ERM, and the CEO has the ultimate responsibility for ERM
– The CEO’s responsibilities include seeing that all components of ERM are in place through:
• Providing leadership and direction to senior managers
• Meeting periodically with senior managers responsible for functional areas to review how they manage risks
– Senior managers are responsible for risks related to their units’ objectives, convert strategy into actions and guide application of ERM components within their spheres of responsibility
– Specific ERM procedures are assigned to managers of specific processes, functions or departments. They also make recommendations on related control activities and provide feedback to top management
• Other key players
– The risk officer, if the role is created, works with managers in establishing ERM in their areas of responsibility
– Financial executives are critical in managing the finance and controllership functions, which cut across the entity. They are important in the reporting function as well as in linking budget to strategy
– Internal auditors play a key role in evaluating the effectiveness of the entity’s ERM and providing recommendations for its improvement
Key Points
• Risk is the possibility that an event will occur and adversely affect the achievement of an organisation’s objectives.
• ERM is a structured way of managing the portfolio of risks across the organisation, guided by its risk appetite.
• Implementation of ERM can be done in phases depending on the readiness of the organisation, which normally already has some form of risk management process.
• Everybody in the organisation is important in ERM; leadership by the CEO with the oversight of the Board is key to the success of the implementation of ERM.
Thank You