Enterprise Risk Management ERM By Ahmed Awlad Thani
 
Enterprise Risk Management (ERM)
By: Ahmed Awlad Thani, Chief Internal Auditor, Oman LNG L.L.C.
 
Agenda
• What is Risk?
• Why Risk Management?
• What is Risk Management?
• ERM framework
• Risk Examples
 
What is Risk?
 
 
Basic Concepts
 
What is Risk?
ANYTHING that may affect the achievement of an organization’s objectives. It is the UNCERTAINTY that surrounds future events and outcomes. It is the expression of the likelihood and impact of an event with the potential to influence the achievement of an organization’s objectives.
 
Why Risk Management?
 
ERM Quotes
“The only alternative to risk management is crisis management --- and crisis management is much more expensive, time consuming and embarrassing.” James Lam, Enterprise Risk Management, Wiley Finance © 2003
“Risk comes from not knowing what you're doing.” Warren Buffett
“Risk is like fire: If controlled it will help you; if uncontrolled it will rise up and destroy you.” Theodore Roosevelt
“Risk management is about people and processes and not about models and technology.” Trevor Levine
“Even a correct decision is wrong when it was taken too late.” Lee Iacocca
“Good Risk Management fosters vigilance in times of calm and instills discipline in times of crisis.” Dr. Michael Ong
Risk Management is a responsibility of ………………………. ?
 
Why Risk Management?
• Increase risk awareness: what could affect the achievement of objectives?
• Increase understanding of risk trends: what makes my risks increase, decrease or disappear?
• Promote a “healthy” risk culture: talk about risk in an open and transparent environment.
• Develop a common and consistent approach across the organization, not one that is individual or group based.
• Focus effort: helps prioritize the top key risks.
• Be proactive, not reactive: prepare for risks before they happen, and prepare risk-mitigating strategies in advance.
• Improve outcomes: achievement of objectives.
 
What is Risk Management?
 
ERM Definition
Committee of Sponsoring Organizations (COSO): “A process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
ISO 31000:2009, developed by the International Organization for Standardization (ISO): “A process that provides confidence that planned objectives will be achieved within an acceptable degree of residual risk.”
 
What is ERM? (cont’d)
To assist with implementation of the ERM process, COSO developed the ERM Integrated Framework (2004), also known as the COSO Cube. The cube updates the original COSO internal control framework of 1992. Its faces are the four categories of objectives (strategic, operations, reporting, compliance) and the eight components of ERM, which the following slides walk through:
 
What is ERM? (cont’d)
Strategic objectives: high-level goals that are aligned with and support the Organisation’s mission.
 
What is ERM? (cont’d)
Operations objectives: relate to the ongoing management process and daily activities of the organization.
 
What is ERM? (cont’d)
Reporting objectives: protection of the organization’s assets and the quality of financial and non-financial reporting.
 
What is ERM? (cont’d)
Compliance objectives: the organization’s adherence to applicable laws and regulations.
 
What is ERM? (cont’d)
Internal environment: the general culture, values and environment in which an organization or entity operates (tone at the top).
 
What is ERM? (cont’d)
Objective setting: the process management uses to set its strategic goals and objectives. This is where the organization’s risk appetite and risk tolerance are established.
 
What is ERM? (cont’d)
Event identification: the process by which an organization identifies events that influence strategy and objectives, or that could affect its ability to achieve its objectives.
 
What is ERM? (cont’d)
Risk assessment: the process of evaluating the impact and likelihood of events, and prioritizing the related risks.
 
What is ERM? (cont’d)
Risk response: determining how management will respond to the risks the organization faces.
 
Typical Risk Responses
Take, Treat, Transfer, or Terminate (the 4 T’s):
• Take: accept the risk as estimated and proceed with the activity.
• Treat: take appropriate action to reduce likelihood or consequences.
• Transfer: contractual re-allocation or the purchase of insurance.
• Terminate: avoid the risk by cancelling the activity.
 
Reducing impacts and likelihood
Understanding the causes, controls and potential impacts of a risk is key to estimating the residual impact and likelihood.
[Figure: causes → preventive controls → risk event → corrective controls → impacts]
• Most risks have a variety of possible causes.
• Preventive controls sit between the causes and the risk event, and reduce the likelihood (or impact) arising from those causes.
• Corrective controls reduce the impact if the risk event happens; they cannot reduce its likelihood.
 
Selecting additional controls
The wrong control strategy can be expensive and ineffective. Deciding which risks to control is central to effective risk management.
[Figure: a balance between too little control, just right, and too much]
Balance is very important:
• Under-control can lead to increased costs as risks materialise, and to unacceptable risk exposure.
• Over-control can also lead to increased cost through excessive mitigation, and to reduced innovation.
 
What is ERM? (cont’d)
Control activities: the policies and procedures the organisation implements to address the risks.
 
What is ERM? (cont’d)
Information and communication: practices that ensure the right information is communicated at the right time to the right people.
 
What is ERM? (cont’d)
Monitoring: ongoing evaluations to ensure controls are functioning as designed, and corrective action to enhance control activities where needed.
 
Threats and opportunities
Threat: a risk that may HINDER the achievement of objectives.
Opportunity: a risk that may HELP the achievement of objectives.
Sources of uncertainty that can be either:
• Interest rates
• Foreign exchange rates
• Supply of service/product/resources
• Demand/uptake for service/product/resources
• The economy
• The weather
• The stock market
 
ERM Framework
 
A Simple Framework
Step 1: Establish objectives
Step 2: Identify risks & controls
Step 3: Assess risks & controls
Step 4: Evaluate & take action
Step 5: Monitor & report
Throughout: communicate, learn, improve
 
Enterprise Risk Management: reporting hierarchy
Unit or Project Level → Branch Level → Division Level, each level producing a periodic summary, analysis & report for the level above.
 
Risk rating: combining impact and likelihood (organisation-wide)
 
Risk Prioritization – likelihood and impact
Likelihood of a risk event occurring:
• Very High: almost certain to occur
• High: likely to occur
• Medium: as likely as not to occur
• Low: may occur occasionally
• Very Low: unlikely to occur
Risk impact (level of damage that can occur when a risk event occurs):
• Very High: threatens the success of the project
• High: substantial impact on time, cost or quality
• Medium: notable impact on time, cost or quality
• Low: minor impact on time, cost or quality
• Very Low: negligible impact
 
Risk Assessment Matrix (RAM) Example
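The rating scheme of the preceding slides (causes reduced by preventive controls, impacts reduced by corrective controls, five-point likelihood and impact scales, and a rating obtained by combining the two), as an added worked example that is not part of the original deck: a toy risk register in Python that computes inherent and residual ratings and orders risks for the matrix. The multiply-and-band scoring, the one-step-per-control effect, the band thresholds and the register entries are all assumptions constructed for the example (R1 and R2 paraphrase two of the Operational Risks on a later slide).

```python
"""Added worked example (not from the deck): a toy risk register that
applies preventive controls to likelihood and corrective controls to
impact, then rates and prioritises residual risk on a 5x5 matrix.
Scales, rating bands and register entries are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Five-point scale used for both likelihood and impact."""
    VERY_LOW = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4
    VERY_HIGH = 5


@dataclass
class Control:
    name: str
    kind: str           # "preventive" or "corrective"
    reduction: int = 1  # steps down the 1..5 scale (assumed unit of effect)


@dataclass
class Risk:
    ref: str
    description: str
    likelihood: Level   # inherent, i.e. before controls
    impact: Level       # inherent, i.e. before controls
    controls: list[Control] = field(default_factory=list)


BANDS = ["Low", "Medium", "High", "Very High"]


def _clamp(value: int) -> Level:
    return Level(max(Level.VERY_LOW, min(Level.VERY_HIGH, value)))


def residual(risk: Risk) -> tuple[Level, Level]:
    """Residual (likelihood, impact) after controls.

    Preventive controls act on likelihood; corrective controls act only
    on impact, because they cannot stop the event from happening.
    """
    like, imp = int(risk.likelihood), int(risk.impact)
    for c in risk.controls:
        if c.kind == "preventive":
            like -= c.reduction
        elif c.kind == "corrective":
            imp -= c.reduction
        else:
            raise ValueError(f"unknown control kind {c.kind!r} on {risk.ref}")
    return _clamp(like), _clamp(imp)


def rating(likelihood: Level, impact: Level) -> tuple[int, str]:
    """Score = likelihood x impact (1..25); band thresholds are assumed."""
    score = int(likelihood) * int(impact)
    if score >= 15:
        band = "Very High"
    elif score >= 8:
        band = "High"
    elif score >= 4:
        band = "Medium"
    else:
        band = "Low"
    return score, band


def prioritise(register: list[Risk]) -> list[tuple[str, str, str, int]]:
    """(ref, inherent band, residual band, residual score), highest residual first.

    Ordering uses the residual score with the inherent score as tie-break,
    so a well-controlled risk with a scary inherent rating drops down the list.
    """
    rows = []
    for r in register:
        inh_score, inh_band = rating(r.likelihood, r.impact)
        res_score, res_band = rating(*residual(r))
        rows.append((r.ref, inh_band, res_band, res_score, inh_score))
    rows.sort(key=lambda row: (-row[3], -row[4]))
    return [row[:4] for row in rows]


def exceeds_appetite(register: list[Risk], appetite: str) -> list[str]:
    """Refs whose residual band sits above the stated risk appetite."""
    limit = BANDS.index(appetite)
    return [ref for ref, _, res_band, _ in prioritise(register)
            if BANDS.index(res_band) > limit]


# Constructed register entries for the example (not from the deck).
REGISTER = [
    Risk("R1", "Access to information or systems is inappropriately granted or used",
         Level.HIGH, Level.HIGH, [
             Control("Joiner/mover/leaver access review", "preventive"),
             Control("MFA on privileged accounts", "preventive"),
             Control("Incident response playbook", "corrective"),
         ]),
    Risk("R2", "Key interfaces not identified or misaligned between parties",
         Level.MEDIUM, Level.MEDIUM),
    Risk("R3", "Exposure to exchange-rate fluctuations",
         Level.HIGH, Level.LOW, [Control("Currency hedging", "corrective")]),
]

if __name__ == "__main__":
    for row in prioritise(REGISTER):
        print(row)
    print("above appetite:", exceeds_appetite(REGISTER, "Medium"))
```

Note how the uncontrolled R2 (inherent High) outranks R1 (inherent Very High) once controls are applied, and is the only risk flagged against a Medium appetite; prioritisation and appetite checks work on the residual rating, not the inherent one. The corrective-only branch for R3 leaves its likelihood untouched, matching the rule that corrective controls cannot reduce likelihood.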
 
Risk reporting and communications
 
Why Risk Management May Fail
• Limitations of scope
• Lack of top management support: they do not see the added value
• Not all stakeholders engaged: lack of communication
• Failure to share information
• RM not embedded within the planning & management system
• Over-optimistic programme attempted in a very short time
• Quick wins could not be realised
 
Risk Examples
 
Strategic Risks
• Strategic Planning: business plans are not driven by creative and intuitive input, or are not based on accurate assumptions.
• Resource Allocation: the resource allocation process does not establish and sustain competitive advantage or maximize returns for shareholders.
• Reputation: reputation and image are not strong as perceived by one or more key stakeholders (public, suppliers, customers, media, employees, etc.).
• Stakeholder Management: the Organisation is not effective in managing key stakeholders in order to attain sustainable business.
• Political: adverse consequences through political actions in a country in which the Organisation is operating.
• Unrest: the Organisation is susceptible to employee or external unrest affecting company operation and continuity.
 
Operational Risks
• Leadership: leadership and management of critical business processes is not effective.
• Human Resources: vacancies in critical resources needed to manage key business processes, and/or major competency gaps.
• Quality: the Quality Management System is not effective at preventing major quality issues.
• Health & Safety: the Organisation is exposed to significant liabilities, financial loss and negative publicity due to health and safety incidents.
• Access: access to information or systems is inappropriately granted or used.
• Interfaces Management: key and critical interfaces are not well identified, not managed sufficiently, and/or significantly misaligned between parties.
 
Financial Risks
• Cash Flow: the Organisation’s cash flow is not healthy and the Organisation is unable to fund its operational or financial obligations.
• Currency: the Organisation is exposed to fluctuations in exchange rates as a result of activity in foreign markets and/or investment in foreign-currency-denominated securities.
• Budget & Planning: budgets and business plans are not realistic and/or are based on inappropriate assumptions or cost drivers.
• Product/Service Pricing: the Organisation’s price is more than customers are willing to pay, or does not cover production and distribution costs.
• Contract Commitment: data on outstanding contractual commitments is not accurate or not up to date.
• Accounting Information: financial accounting information is not accurate or not up to date.
 
Compliance Risks
• Compliance: failure to conform with laws and regulations at the international, country, state and local level.
• Fraud: fraudulent activities perpetrated by management, employees, customers, suppliers and third parties against the organization for personal gain.
• Illegal Acts: managers and employees, individually or in collusion, commit illegal acts.
• Unauthorized Use: the Organisation’s employees (or others) use its physical and financial assets for unauthorized or unethical purposes.
• Ethical Behaviour: the organization does not demonstrate its commitment to ethical and responsible business behavior.
 
Reporting Risks
• Financial Reporting: financial reports include material misstatements or omit material facts.
• Internal Control: failure to accumulate sufficient relevant and reliable information to assess the design and operating effectiveness of internal control over financial reporting.
• Taxation: failure to comply with tax regulations, and/or significant transactions have adverse tax consequences.
• Pension Fund: pension funds are not actuarially sound or are insufficient to satisfy the benefit obligations defined by the plan.
• Regulatory Reporting: reports of operating and financial information required by regulatory agencies are incomplete, inaccurate or untimely, exposing the company to fines, penalties and sanctions.
 
Risk Register Example
 
Questions?
 
 
Backup Slides
 
ISO 31000 Framework Overview
 
ERM Maturity Model
 
ERM Maturity Model (cont’d)
 
ERM Maturity Model (cont’d)
 
ERM Maturity Model (cont’d)
 
Management Discussion
1. Do we have an effective management strategy that supports the identification, assessment, and management of risk? Are the right people engaged and accountable for the results?
2. Are there suggestions for how we should better manage the high-probability / high-impact risks that we have identified?
3. Is the Governing Body satisfied that management is periodically monitoring changes in the environment to identify significant impacts on the assumptions and risk inherent in the strategy?
4. Do we have an effective “tone at the top” and “tone of the organization” with respect to ERM?
5. What should be our appetite for risk?
 
For further reading:
• A Wake-up Call: Enterprise Risk Management at Colleges and Universities Today, Association of Governing Boards of Universities and Colleges and United Educators, 2014.
• “Negative Outlook for US Higher Education Continues Even as Green Shoots of Stability Emerge,” Moody’s Investors Service, July 11, 2014.
• Janice M. Abraham, Risk Management: An Accountability Guide for University and College Boards, AGB Press, 2013.
• “The Five Lines of Defense – A Shareholder’s Perspective,” Board Perspectives: Risk Oversight, Issue 51, Protiviti, 2013.
- Slides: 53
