Risk Management And Internal Control In The Changing Econmic Landscape

RISK MANAGEMENT AND INTERNAL CONTROL IN CHANGING ECONOMIC LANDSCAPE
Nik Mohd Hasyudeen Yusoff
Finance Function Excellence
12 October 2009
Competitiveness Through Innovation and Strategy

Agenda
Attaining business sustainability through risk management
Changing business landscape and risk profile
Linking risks to internal control
Good governance factor in risk management
Mindset and culture in strengthening risk management

A business:
Needs to serve customers
Needs to compete
Operates in business environment that keeps on changing
Is affected by global developments
Has stakeholders beyond shareholders
Generates profit through risk taking (uncertainty)

Value Creation Facets of BHP Billiton
Value creation is multi-facet and could be viewed from internal dimension as well as external dimension
Balancing the value proposition to shareholders and stakeholders would be key to business sustainability

Inovastra’s view of value creation
Leadership
Strategy
Values
Value proposition
Internal resources
Value creation
Customers
People
Processes
Functionality
Platform
Intellectual assets
Feelings
Physical resources
Financials
Protocol
External network
Business partners
Institutional partners

Enterprise risk management encompasses:
Aligning risk appetite and strategy
Enhancing risk response decisions
Reducing operational surprises and losses
Identifying and managing multiple and cross-enterprise risks
Seizing opportunities
Improving deployment of capital

In ensuring business sustainability, the appreciation of risks and mitigation of risks at the strategic level is very important
Key strategic risks are:
Demand risk
Competitive risk
Capability risk

The business landscape should not only be view from a single dimension such as between a business and its customers only
The drivers that change the landscape and the effect on all players should also be understood

Politics
Your
Competitors
Your
Competitors
Economy
Your
Customers
Your
Customers
Your
Customers
Society
Technology
Your
Business
Your
Suppliers
Your
Network
Partners
Environment

Politics drive government policies which would affect the economy and business climate
Global and regional political developments add to the complications of local politics
How far would the G-20 initiatives would affect you?

The inter-linkages between economies could not be denied anymore and any changes in other places would affect the local economic conditions
The globalisation and regionalisation of business require businesses be involved in more than one economic regions
Do you think the AEC 2015 will affect you industry and your business?

Rights
Health
Education
Security
Distribution of wealth
New lifestyles
Demography
Which one of these elements would affect you business most?

Technology has been one of the factors that levels economies and markets
Enables new business
Destroy existing business
Allows different ways of running businesses
Would Web 2.0 makes your business model obsolete?

The Green Economy would be more visible in the years to come
Rules and regulation, domestically and in the market you serve, would require businesses to assess the business models
Is your business already affected by environmental issues?

Don’t be caught like a frog in the boiling pot!

Some turbulence could be detectable some are not
Spurts of prosperity
Chaotic
Continuum
Spurts of downturn
Adapted from The Chaotics Model – Kotler and Caslione

Turbulence is the unpredictable and swift changes in an organisational internal or external environment that affects its performance
A business arrives at a strategic inflection point when its old strategy no longer works and must be replaced by new one if it want to ascend to new heights
Strategic Inflection Point
Level
Of
Chaos
Time

Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations.
Reliability of financial reporting.
Compliance with applicable laws and regulations.

Policies and procedures to ensure management directives are carried out effectively
Approvals and authorisations
Verification and reconciliation
Review of operations
Security of assets
Segregation of duties
To bring down the risks to the level within the
risk appetite set by the Board

Giving up the illusion that you could predict the future is a very liberating moment. All you can do is to give yourself the capacity to respond to the only certainty of life – which is uncertainty. The creation of that capability is strategy.
Lord John Browne, Group Chief Executive of BP

Understanding and responding to changes is not really rocket science, however a lot of organisation fail to put in place a framework to understand and responding to changes

Greed!
Unmitigated excessive risk taking
Independent directors turn dependent
Executive incentives linked to short-term performance
Auditors putting business interests above professional values

The global financial crisis had surfaced governance lapses at various levels
As key outcome of good governance is business sustainability, the roles played by the board and management are critical
Strategy setting and risk appetite
Risks assessment and mitigation
Getting risk management functioning across organisation and across formal and informal structures

A recent research by Northern Carolina State University discovered that:
Over 60% of respondents believe that the volume and complexity of risks have changed “Extensively” or “A Great Deal” in the last five years
Just over a third of respondents (36%) note that they were caught off guard by an operational surprise “Extensively” or “A Great Deal” in the last five years

44% of respondents have no enterprise-wide risk management process in place and have no plans to implement one. An additional 18% without ERM processes in place indicate that they are currently investigating the concept, but have made no decisions about implementing ERM
Forty-three percent do not have their business functions establishing or updating assessments of risk exposures on any formal basis. Over 75% indicate that key risks are being communicated merely on an ad hoc basis at management meetings

For those audit committees formally monitoring risks for the board, 19% only monitor financial risks, 63% monitor operational and compliance risks in addition to financial risks. Only 18% monitor all entity risks, including strategic risks
Despite strong interest in improving senior executive leadership in risk oversight, very few organizations (18%) have created a chief risk officer (CRO) position to lead and coordinate the organization’s risk oversight processes

Standards and Poor progress report of adoption of ERM in its rated companies:

there have been few instances of a firm’s ability to articulate a risk tolerance or risk appetite that has been defined for the organization
firms’ focus on managing downside risks with little, if any, attention paid to the opportunities
that most risk management activities remain “silo-based” and at the operational managers’ level

Would reporting failure occur again?
Is there another way of guiding people to perform?
MIA published a monograph on human governance which focuses on the inside-out approach instead of parameter-driven rule-based governance
Spiritual aspect is recognised

Mindset and culture in strengthening risk management
Tone from the boardroom
Indicate board’s priority
Adequate oversight over management implementation of risk management and internal control
Linking compensation packages to risk management
Would encourage the right culture and mindset
Balance between business sustainability and short term performance expectations

Moving Forward Thoughts
Taking risk in natural in attaining corporate objectives
Given the dynamic environment, risks profile changes and corresponding response is necessary
Risk management goes beyond ticking the box and need to be embrace holistically
An inside-out approach would encourage the “doing the right thing” culture