Stephen Vink Senior Vice President Group Risk Management and Internal Audit Lessons learned from ERM

Stephen Vink

Senior Vice President

Group Risk Management and Internal Audit

Lessons learned from ERM

Agenda

– Overview
  – Setting the context
  – What is ERM
  – What is “not” ERM
  – Visible impact of ERM

– ERM in the region
  – Prior to global financial crisis
  – Post global financial crisis

– Lessons learned from ERM implementations
  – Key issues that obstruct ERM implementations
  – How to overcome the key implementation issues

Overview

– Setting the context
– What is ERM
– What is not ERM
– Visible impact of ERM

Setting the context

– ERM in the corporate world can be compared with making money in the share market over a period of time
  – Everyone wants to do it
  – Many falsely claim to do it - it is just losses that they have made
  – Those few who have done it, did it accidentally and not over a period of time
  – Only a handful know how to do it and have done it well over a period of time
  – People love to hear stories of it

– A frequently discussed topic in many boardrooms and at various conferences

“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Source: COSO Enterprise Risk Management – Integrated Framework, 2004

What is Enterprise Risk Management

– A process, ongoing and flowing through an entity
– Effected by people at every level of an organization
– Applied in strategy setting
– Applied across the enterprise, at every level and unit, and includes taking an entity level portfolio view of risk
– Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite
– Able to provide reasonable assurance to an entity’s management and board of directors
– Geared to achievement of objectives in one or more separate but overlapping categories

Important: COSO’s integrated framework is a guiding post and not the only approach to implementing ERM; you can have your own approach customized to your requirements.

What is “NOT” Enterprise Risk Management

– NOT a one time activity
– NOT the responsibility of your Risk Management Department / CEO / Board
– NOT independent of business strategy / business
– NOT to be run in silo
– NOT applied to only part of the business
– NOT about preparing heat map / bubble chart, a heat map is just the beginning.
– NOT a system to prevent the potential events
– NOT something that can be implemented in days
– NOT something that gives immediate results after implementation

Visible impact of ERM (1/2)

The impact comes over a period of time and is not a matter of overnight success

The impact comes in to phases depending on approach

Visible impact of ERM (2/2)

Kick-Start Accelerate Steady State

• Compliance with controls
• Risk driven decisions
• Improved communications on risk
• Initiative to create awareness of integrated risk approach

• Better utilization of capital
• External communications on risk management
• Safeguard shareholder value

• Improving shareholder value
• Improving governance

ERM in Middle East

– Prior to global financial crisis
– Post global financial crisis

ERM in Middle East - Prior to global financial crisis

– ERM as an integrated framework was issued by COSO in September 2004
– Risk management existed before COSO issued the framework
  – Mainly operated in silos
  – Not viewed as enterprise wide
  – Not linked with strategy
  – Viewed as control function only
– The early adopters of ERM
  – Companies having parents in US / Europe / Australia
  – Public sector organizations, more particularly in the energy sector
  – A handful of private sector organizations
– Key reasons for lower penetration of ERM in Middle East
  – Excess liquidity available in the system
  – Global boom - boom in real estate - boom in local businesses
  – Absence of shareholder activism / stakeholder activism
  – Family owned businesses - Corporate governance is nothing but as governed by families

ERM in Middle East – The financial crisis

ERM in Middle East - Post global financial crisis

– Impact of global financial crisis that created need for ERM
  – Liquidity constraints in the system
  – Global recession – local real estate and local business – you know better
  – Resulted in questions from shareholders / stakeholders regarding management of various risks at the enterprise level, regarding good corporate governance
– Many private sector organizations have, either willingly or forced by regulator or forced by lenders, started taking various risk management initiatives
– New awakening amongst regional central banks and other regulators

Lessons learned from ERM implementations

– Key issues that impede ERM implementations
– How to overcome key implementation issues

Key issues that impede ERM implementation

– ERM objectives not aligned to corporate objectives
  – Creates friction / jeopardizes the initiatives among groups / individuals

– No insight / Insufficient commitment from the top management
  – Failure to set clear risk appetite
  – Delays the implementation / Failed implementation, i.e., no benefit

– Inadequate conceptualization of ERM model / approach
  – Inadequate / Inappropriate model will not yield desired benefits suitable to “your” business needs
  – Managerial decisions do not embed risk in the process

– Insufficient / inadequate risk management resources
  – Adequately knowledgeable resources needed for special jobs
  – Poor systems / Stone age tools will make implementation sub-optimal

– Cultural mismatch
  – ERM brings in change management
  – Your organizational culture will be changed
  – Change management is not easy and not at all in Middle East
  – Organization’s culture not aligned with risk strategy

How to overcome key implementation issues

Best Practices* for ERM implementations

1. Risk transparency and insight
2. Risk appetite and strategy
3. Risk related business processes and decisions
4. Risk organization and governance
5. Risk culture

*Source: McKinsey

How to overcome key implementation issues

Best Practices for ERM implementations

1. Prioritize risk heat map
2. Board to provide insight on big bets that really matter
3. Share information with risk management

How to overcome key implementation issues

Best Practices for ERM implementations

1. Clear definition of risk appetite approved by board, with matching operational levers
2. Risk strategy linked with insights provided by the Board

How to overcome key implementation issues

Best Practices for ERM implementations

1. Managerial decisions optimized by embedding risk considerations in the process
2. Strong links between RM function, key business units and other areas

How to overcome key implementation issues

Best Practices for ERM implementations

1. Adequate changes in governance to fit in the risk management process
2. Adequate knowledgeable resources
3. Adequate Technology

How to overcome key implementation issues

Best Practices for ERM implementations

1. Clear understanding of organization’s risk culture gaps
2. Alignment of culture with risk strategy

Ultimate Lesson Learnt

Enterprise risk management is a journey where you need to follow the direction provided by adequate knowledgeable resources and technology or else you could end up on the rocks