FORUM 2013 Enterprise risk management: fact or fiction
 

    Presentation Transcript

    • ERM: Fact or Fiction? Monday 30 September 2013
    • Speakers
        • Edwin Meyer – General Manager Risk & Insurance, ArcelorMittal
        • Dr Grant Foster – Head of Enterprise Risk Management, Aon Risk Solutions
        • Mark Harman – CEO Continental Europe, Middle East & Africa, Crawford & Company
    • Agenda
        • Evolution of risk management
        • What risks are global companies facing?
        • 10 Hallmarks of Best Practice in Risk Management
        • What skills does insurance bring to ERM?
        • What should Risk Managers be better at?
        • Where are we on the journey to risk maturity?
        • Can we identify value?
    • Risk Management 1993
        • Executive management barely thinking about it
        • Finance as “the conscience of the business”
        • Non-executive directors – the great and the good, informal
        • Auditors focused only on financial statements
        • In house insurance manager focuses on procuring insurance
        • Legal department reactive
        • Overall – low importance, disparate, trusting
    • Risk Management 2003
        • Post Enron, SOX – executive management climate of fear
        • Finance – louder voice, more centralised control
        • More professional NEDs with formal roles – audit committees
        • Requirement to report on risk and controls
        • Auditors signing off on controls
        • More internal audit, big increase in certification
        • Insurance manager morphing into risk manager – better trained, focus extended to uninsured risks, more linkage to other functions
        • More widespread use of ERM models and risk maps
        • Overall – higher profile, more joined up, less trust, focus on compliance
    • Risk Management 2013
        • Executive management ownership and engagement
        • Embedded within governance structures and processes
        • Linked to strategy
        • Risk managers – higher calibre, central role, at top table
        • Board of Directors driving governance
        • Compliance embedded and now BAU
        • Auditors and internal audit becoming risk consultants
        • Overall – moving from compliance driven to value driven
    • ERM – A basic business principle [Diagram labels: Business, HSE, Product / Service / Operations, Compliance, ERM, Market, Finance, Insurance]
    • Results from the 2013 Aon Global Risk Management Survey: What Are Companies Worried About?
        • Insurance is a useful tool… but business risk is much wider
        • 1 Economic slowdown / slow recovery
        • 2 Regulatory / Legislative changes
        • 3 Increasing competition
        • 4 Damage to reputation / brand
        • 5 Failure to attract or retain top talent
        • 6 Failure to innovate / meet customer needs
        • 7 Business interruption
        • 8 Commodity price risk
        • 9 Cash flow / liquidity risk
        • 10 Increasing competition
        • 11 Exchange rate fluctuation
        • 12 Technology failure / system failure
        • 13 Third-party liability
        • 14 Distribution or supply chain failure
        • 15 Capital availability / credit risk
        • 16 Weather / natural disasters
        • 17 Property damage
        • 18 Computer crime / hacking / viruses / malicious codes
        • 19 Growing burden & consequences of Corp. Governance /
        • 20 Counter party credit risk
        • 21 Lack of technology / infrastructure to support business
        • 22 Inadequate succession planning
        • 23 Failure of disaster recovery plan / business continuity
        • 24 Crime / theft / fraud / employee dishonesty
        • 25 Injury to workers
    • Aon Risk Maturity Index
        • Current Aon Risk Maturity Index Dataset (September 2013)
            • Organizations Represented: 650+
            • Countries Represented: 20
            • Industries Represented: 30+
            • The Index will continue to capture global data throughout 2013 and beyond
        • All Organizations (870+ Participants Globally)
            • Developing capabilities to identify, assess and prioritize risks across the organization
            • Developing capabilities to analyze risk consistently, but approach may be primarily qualitative
            • Developing capabilities for monitoring existing risk exposure across the organization
            • Informal and inconsistent consideration of risk and risk management information in decision making
            • Developing understanding of Enterprise Risk Management (ERM) and its application
        • Professional Services Industry Average (35 Participants Globally)
            • Inconsistency in risk management practices or approaches across the organization (i.e., “silos”)
            • Limited capabilities for monitoring existing risk exposure across the organization
            • Informal and inconsistent consideration of risk and risk management information in decision making
            • Developing capabilities to identify, assess and prioritize risks across the organization
            • Developing understanding of Enterprise Risk Management (ERM) and its application
        • CLIENT X Risk Maturity Rating
            • Developed capabilities to identify, assess and prioritize risks across the organization
            • Developing capabilities to analyze risk consistently, using qualitative and quantitative techniques
            • Developing set of loss and / or tolerance guidelines for key risks
            • Developed capabilities for monitoring existing risk exposure across the organization
            • Explicit consideration of risk and risk management information in decision making
    • 10 Hallmarks Of Good Risk Management
        1. Board Understanding & Commitment to Risk Management
        2. Executive Level Risk Management Stewardship
        3. Risk Communication
        4. Risk Culture: Engagement & Accountability
        5. Risk Identification
        6. Stakeholder Participation in Risk Management
        7. Risk Information & Decision Making Processes
        8. Integrating Risk Management & Human Capital Processes
        9. Risk Analysis & Quantification to Understand Risk & Demonstrate Value
        10. Risk Management Focus on Value Creation
    • What Skills Do Insurance Risk Managers Bring?
        1. Board Understanding & Commitment to Risk Management
        2. Executive Level Risk Management Stewardship
        3. Risk Communication
        4. Risk Culture: Engagement & Accountability
        5. Risk Identification
        6. Stakeholder Participation in Risk Management
        7. Risk Information & Decision Making Processes
        8. Integrating Risk Management & Human Capital Processes
        9. Risk Analysis & Quantification to Understand Risk & Demonstrate Value
        10. Risk Management Focus on Value Creation
    • Risk Analysis
        • Risk register
        • Scoring risks
        • Risk prevention measures
        • Balanced business scorecard
        • Heat map
        • Communicating risk
    • Risk Register: 2008 Risk Register (Report Dated: [blank])
        • Columns: Risk No.; Status of Mitigation (RAG); Country Specific/EMEA; Owner; Description of Risk; Impact if it occurs; Impact (Critical, Major, Manageable); Probability (High, Medium, Low); Current Control Activities
        • Market MKT01
            • Status: Amber. Country: UK. Owner: Martin Weinthrop
            • Description of risk: Retention of key clients. Top 25 clients account for 70% of revenue.
            • Impact if it occurs: General erosion of reputation in the marketplace; potential for a domino effect; financial loss of revenue
            • Impact: Major. Probability: Medium
            • Current control activities: Key Account Management (KAM) team
        • Reputational REP01
            • Status: Green. Country: EMEA. Owner: Martin Weinthrop
            • Description of risk: Serious reputational issue arises anywhere in the world.
            • Impact if it occurs: Could seriously impact our EMEA reputation and competitive position
            • Impact: Major. Probability: Low
            • Current control activities: Country Managers pack sets out the standard to be adopted. Media Policy sets out the structure of our external communications
        • Regulation REG01
            • Status: Amber. Country: UK. Owner: Stephen Pearsall
            • Description of risk: Lose FSA authority to conduct regulated business
            • Impact if it occurs: Severe direct impact upon the regulated business. There would also be a severe reputational impact on the non-regulated parts of our business.
            • Impact: Major. Probability: Low
            • Current control activities: Peter J Ward has advisory role
        • Financial FIN01
            • Status: Amber. Country: EMEA. Owner: Stephen Pearsall
            • Description of risk: Top 25 Client organisation fails
            • Impact if it occurs: Would impact upon the EMEA revenue and margin heavily
            • Impact: Critical. Probability: Low
            • Current control activities: Appoint a designated client relationship manager who would be expected to identify early warning signs. Monthly credit control reports detailing status of current debt and identify adverse trends.
        • People PP01
            • Status: Amber. Country: UK. Owner: Nicola Fu
            • Description of risk: Key staff leave or are otherwise unavailable.
            • Impact if it occurs: Could seriously impact the ability of the EMEA to achieve its corporate objectives. Loss of key staff or revenue could result in collapse of business within that country, e.g. Greece. Plus loss of team culture. Also have a country manager without a contract.
            • Impact: Major. Probability: Low
            • Current control activities: Informal
        • Operational OPS01
            • Country: UK. Owner: Sam Friend
            • Description of risk: Lack of adequate disaster recovery provision in the event of the total loss of key IT infrastructure
            • Impact if it occurs: Inability to trade effectively. Specifically inability to: update claim systems; raise invoices; review electronic claim files; send/receive e-mail
            • Impact: Critical. Probability: Low
            • Current control activities: Cobit Controls (Framework used for SOX compliance) in place to ensure integrity of data.
        • Projects
            • Status: Amber
    • Present Risk Register
    • Simple Axis
    • 4 Quadrants
    • 4 quadrants with risks plotted
    • 4 quadrants applied to a risk (‘heat’) map
    • Risk dots coloured to reflect risk management effectiveness
    • What Could Insurance RMs Be Doing Better?
        1. Board Understanding & Commitment to Risk Management
        2. Executive Level Risk Management Stewardship
        3. Risk Communication
        4. Risk Culture: Engagement & Accountability
        5. Risk Identification
        6. Stakeholder Participation in Risk Management
        7. Risk Information & Decision Making Processes
        8. Integrating Risk Management & Human Capital Processes
        9. Risk Analysis & Quantification to Understand Risk & Demonstrate Value
        10. Risk Management Focus on Value Creation
    • A Journey To Risk Maturity
    • Hallmark 10. Risk Management Focus on Value Creation
        • Stumbling blocks…
            • Not recognizing ‘value’
            • Corporate culture views risk management as a staff function, not a source of added value.
            • Employees are not encouraged to optimise risk-reward activities.
            • Assuming lasting value will be maintained through single iterations of risk management assessments.
        • Best Practice
            • Balancing short term gains with long term sustainability
            • The upside of risk is acknowledged in risk assessments
            • Project risk profile is taken into account when making capital investment decisions.
            • Insurance portfolio optimised through robust analysis of risk exposures and tolerances.
            • These combine to drive decision making.
        • Processing trends versus events
        • 8/10/2013
    • Conclusions
        • Evolution of risk management
        • What risks are global companies facing?
        • 10 Hallmarks of Best Practice in Risk Management
        • What skills does insurance bring to ERM?
        • What should Risk Managers be better at?
        • Where are we on the journey to risk maturity?
        • Can we identify value?
    • 1. Board Understanding & Commitment to Risk Management
        • Stumbling blocks…
            • ‘Intuitive management’ means decisions are not based on a clear understanding of the organization’s risk exposure and appetite.
            • Board maintains a one-dimensional attitude to risk – effective risk taking is avoided.
            • Risk is managed purely to meet compliance requirements.
        • Best Practice…
            • Key risk exposures, risk appetite and controls are consistent and embedded into corporate strategy.
            • Coordinated reporting cycles that are conducted frequently for full Board and its committees.
            • Alignment of agreed risk management strategy with the firm’s overall strategic direction.
    • 2. Executive Level Risk Management Stewardship
        • Stumbling blocks…
            • “It’ll never happen to us...”
            • Demoting risk management function to that of administrator.
            • Risk management competency not valued as an important invisible asset.
            • Management temptation to avoid bureaucracy by not tying down accountabilities.
        • Best Practice…
            • Formal assignment of executive-level risk champion
            • Risk Management leader’s full involvement in strategic decisions and overall RM strategy.
        • “Walk the Talk”
    • 3. Risk Communication
        • Stumbling blocks…
            • External and internal risk factors around decisions are not formally justified and documented.
            • Bearers of ‘bad news’ are deemed unwelcome and negative disclosures swept under the rug.
            • No formal sanctions for failure to disclose negative risk information.
        • Best Practice…
            • Consistent and coordinated content reported on a routine basis.
            • Risk disclosures are expressed in both quantitative and qualitative terms.
            • Enterprise-wide use of risk terminology, encouraging open dialogue and centralised tools to facilitate this.
            • Active sharing of war stories and subsequent lessons learned.
            • Full disclosure of negative feedback facilitated via formal and informal channels.
        • As simple as possible; but no simpler
    • 4. Risk Culture: Engagement & Accountability
        • Stumbling blocks…
            • Leadership sends ambiguous signals regarding management-level engagement and accountability.
            • Corporate culture which assumes everyone knows how to manage risks without appropriate training.
            • People are not rewarded for effectively managing their ascribed risk portfolio.
            • Accountability is not assigned to a single risk owner.
            • Innovation not supported
        • Best Practice…
            • Managers take ownership of risks and how this fits with the organization’s RM strategy.
            • Risk management expectations are articulated in executives’ job descriptions and updated periodically.
            • Performance metrics are embedded and implemented consistently, driving behaviour and communicating results.
            • Risk management results are formally incorporated into incentive structures.
        • Work on shared risks… not just my risks
    • 5. Risk Identification
        • Stumbling blocks…
            • Lack of resources leading to a low risk awareness.
            • Failure to prioritise the organization’s Crown Jewels: critical processes and key revenue generators.
            • Extensive risk mapping to the detriment of its practical use.
            • Failing to realise risk identification is a dynamic process and subject to change at any given moment.
        • Best Practice…
            • External information is integrated into strategic planning, supplementing identification of actual / emerging risks.
            • Defined channels facilitate collaboration between the organization and strategic partners to identify and address its risks.
            • Internal subject matter experts are consistently privy to all risk identification, validation and response discussions.
            • Risk drivers (causes) are well understood & analysed.
            • Risk metrics are identified and objectively track a number of key risk indicators.
    • 6. Stakeholder Participation in Risk Management
        • Stumbling blocks…
            • Failing to incorporate a range of stakeholder positions into decision making process.
            • No developed stakeholder communication plan and no common understanding of risk tolerance between parties.
            • Withholding key risk information from stakeholders
        • Best Practice…
            • Forums at executive and management levels seek consensus to address cross-functional risk.
            • Demonstrate that stakeholder expectations are analysed and incorporated into the organization’s risk and compliance management processes.
            • Ensure effective communication channels to optimise information sharing and strategy development.
        • Cross function approach to risk
    • 7. Risk Information & Decision Making Processes
        • Stumbling blocks…
            • Risk information disconnected from strategic and operational decisions.
            • Inconsistent benchmarking and use of risk information across business units.
            • No measurable comparisons developed across time and business units.
            • Failure to benchmark and review the process on a periodical basis.
        • “Something needs to be done….. And this is something”
        • “Decide in haste – repent at leisure”
        • Best Practice…
            • Formal collection and incorporation of risk information into decision-making and governance processes.
            • Risk identification / assessment activities follow given methodologies and are considered in project / investment decisions.
            • Budget allocations incorporate risk assessment plans and consider risk-return expectations for each business unit.
            • Review systems make reference to RM results and are formally communicated to group and stakeholders.
            • BI exposures independently valued at predetermined intervals, with set triggers to prompt emergency valuations.
    • 8. Integrating Risk Management & Human Capital Processes
        • Stumbling blocks…
            • “Any one person can bring a company down” - Failure to realise the value of risk management in the HR space today.
            • Cost-cutting dictates external support to help manage HR risks is outlawed by the organization.
            • Managing numbers to the detriment of employee satisfaction.
        • Best Practice…
            • Monitoring of key HR processes is part of a complete review process, and explicitly linked to RM processes.
            • Employee engagement is valued by executives, quantitative in nature and maintained on a periodic basis.
            • Talent management is aligned with the organization’s future needs.
            • Leadership development plans are consistent and in place for critical positions.
            • Retirement plan risks are managed and reviewed quarterly and supported externally.
    • 9. Risk Analysis & Quantification to Understand Risk & Demonstrate Value
        • Stumbling blocks…
            • Link between reward and appropriate risk taking not considered.
            • Historical data not incorporated into risk management decisions.
        • Best Practice
            • Quantitative and qualitative analysis aligned to risk appetite and supported by additional evaluations.
            • Common risk drivers are formally identified and relationships between risks analysed.
            • Risk KPIs are measured quantitatively and documentation includes qualitative commentary and quantitative evidence.
            • Self-insured valuations are conducted annually and are developed by actuaries.
            • Market assumptions are documented consistently and organizational projects developed through complex modelling techniques.
    • ERM Process Standards
        • ERM process standards and guidance are available (e.g. COSO, ISO 31000)
        • But these are generally implemented in different ways by different companies
        • So, from all this risk management activity… what really gives value to companies?