1.
A VALUE BASED APPROACH TO ENTEPRISE RISK MANAGEMENT
IN THE ENGINEERING AND CONSTRUCTION INDUSTRY
by
Dr Sean Paul de la Rosa
Compiled in LaTeX, Version 3.1415926-2.5-1.40.14, with pdfTeX 1.40.14.
5. SUMMARY
A VALUE BASED APPROACH TO ENTEPRISE RISK MANAGEMENT IN THE ENGINEERING
AND CONSTRUCTION INDUSTRY
From its insurance origins, risk management has developed into a stand-alone business process. As
a unique discipline, risk management is industry agnostic and applicable to both public and private
sectors. In basic terms, risk management is concerned with the consequences of future events whose
exact outcome is yet unknown. Risk management is then the art and science of contextualising,
assessing, treating and monitoring future events to ensure objectives are achieved.
The engineering and construction industry faces various high risk scenarios that if not well understood
and managed could result in significant loss to stakeholders. These scenarios include a combination
of negative markets, protracted strike action, labour unions unable to reach settlements amicably,
loss of life due to poor safety standards and delays and cost overruns on major projects.
Although most organisations in the industry utilise some form of risk management framework based
on best practices such as the COSO or ISO31000 framework, many still only utilise a qualitative
approach. Relying on the techniques developed by Sim Segal in his book, Corporate Value of
Enterprise Risk Management, the purpose of the study was to develop a more quantitative approach
to linking risk exposures to company value.
To be able to apply Segal’s value based approach, the risk analyst needed to grasp the concepts
of stochastic simulation, discounting cash flows and failure modes and effects analysis. These were
discussed in the study.
The study ended with a case study on how to apply Segal’s approach to an organisation in the
engineering and construction industry.
6
6. Chapter 1
Introduction
1.1. Background
From its insurance origins, risk management (RM) has developed into a stand-alone business
process. As a unique discipline, RM is industry agnostic and applicable to both public and
private sectors.
RM’s primary aim is to improve organisational decision making through the application of
a structured approach to risk identification, evaluation, treatment and ongoing monitoring
[COS04].
In all of today’s leading corporate governance literature, significant emphasis is being placed
on RM as a process, which if well implemented and executed, can add significant business
value [KIN09].
In basic terms, RM is concerned with the consequences of future events whose exact outcome
is yet unknown. In general, outcomes are categorised as favorable or unfavorable. RM is then
the art and science of contextualising, assessing, treating and monitoring future events to
ensure objectives are achieved. A good RM process is proactive in nature, and fundamentally
different than crisis or business continuity management. For our purposes, RM will be defined
as process used to identify, evaluate, treat, monitor and report risks to ensure the achievement
of objectives [ISO09].
Some advantages of implementing a RM process include [COS04]:
• RM allows organisations to focus on the major events that can significantly reduce
the chances of it achieving its objectives. Formally adopting the process allows for a
more forward thinking approach to management as opposed to addressing threats and
opportunities on a haphazard or ad-hoc basis.
• RM is a core component of good corporate governance. If well practiced, it ensures
increased transparency and stakeholder involvement. This ultimately improves the
reputation of the organisation.
7
7. • The RM process can result in significant value by simply implementing elements of the core
RM process. Just by focusing on the major top 20 risk events, substantial business value
can be realised.
• In more advanced RM processes, provisions, contingencies and even capital allotment can
be supported by quantitative RM approaches.
1.2. Challenges facing the engineering and construction industry
The engineering and construction industry faces various high risk scenarios that if not well
understood andmanaged can result in significant loss to stakeholders. These scenarios
include a combination of negative markets, protracted strike action, labour unions unable to
reach settlements amicably, loss of life due to poor safety standards and delays and cost
overruns on major projects. Some current South African projects facing such challenges
include Eskom’s Medupi and Kusile power projects.
Of all the factors noted by
KPMG in ensuring successful
engineering and construction
practices, 81% cited the need
for a robust and consistent RM
process as vital [KPM13].
In KPMG’s annual construction report of 2013, the
firm found that RM remains high on the agenda
[KPM13]. Although 79% of respondents believed
that their investment in establishing a consistent RM
process had paid off, 77% reported under performance
due to poor estimating practices, delays and failed RM
processes. Figure 1.1 below from KPMG’s construction
report, highlights some of the main reasons cited by
respondents for poor performance.
1.3. Purpose and reason for study
Although most organisations in the engineering and construction industry utilise some form of
RM framework based on best practices such as the COSO or ISO31000 framework [COS04;
ISO09], many still only utilise a qualitative approach to the measurement of organisational
risk probability and impact. Relying on the techniques developed by Sim Segal in his book,
Corporate Value of Enterprise Risk Management [SEG11], the purpose of this study will be
to develop a more quantitative approach that seeks to link risk exposures to organisational
value.
1.4. Research methodology
The study will include an introduction to RM, explanation on traditional RM frameworks and
the value based approach developed by Segal. The study will then present a case study
8
8. Figure 1.1: Causes of under performing projects [KPM13]
applying Segal’s approach to a company in the industry and end with a summary, conclusion
and further areas of research.
1.5. Conclusion
RM is an important skill that can be applied to any business. In an era of downsizing, project
failures, social unrest, increasing technological sophistication, and shorter development times,
RM can provide valuable insights to help plan for risk events and alert business of emerging
risks. The engineering and construction industry is most definitely one where these exposures
are prevalent and the need for a more quantitative RM process evident.
9
9. Chapter 2
Enterprise risk management (ERM)
2.1. Introduction
To better understand and categorise the various levels of RM by complexity, maturity models
have been developed and are applied frequently [RIM06].
Financial services are often seen as the leaders with regards to RM practices. This is due to
the public importance of such services within society and that the buying and selling of basic
instruments are some of their primary offerings. As a result, legislation from regulators such as
the Bank of International Settlements with its Basel Committee, are an important driver of RM
complexity. Financial services’ RM models are at the forefront since they apply an integrated
approach to managing risk.
For corporates outside of financial services however, the risk horizon is not the same because
they mostly focus on stability of earnings and cash flows instead of market values. In
addition, they are not affected as much by external regulations on RM. Although regulation
is increasing, scandals have been the most important driver for RM development outside of
financial services.
A number of international bodies have written various standards and codes requiring
organisations to implement customised frameworks that specifically address RM. Some of
the more noteworthy guidelines are listed in table 2.1 below.
2.2. Maturity modelling
The RM maturity model depicted in figure 2.1 below puts forward elements and characteristics
that reflect the migration path towards more advanced RM practices, often termed enterprise
risk management (ERM). The assessment outlines six attributes on a scale of five maturity
levels, viz. Ad-hoc (initialisation), initial (risk specialisation), repeatable (enterprise wide
risk awareness), manageable (integration) and optimised (ERM). Attributes according to
10
10. Year issued Standard Reason established
International
2002 UK: Institute of Risk Management Full set of RM standards.
2004 USA: COSO ERM framework for NYSE listings.
2004 Australia: AS-NZS-4360 Principles and concepts for the
management of risk.
2010 International: ISO31000 Principles and concepts for the
management of risk. It is the
first international standard on risk
management.
South African specific
2002 King II Promote the highest standards of
corporate governance in South
Africa.
2009 King III New revision due to new Companies
Act and corporate governance
changes in the world.
Table 2.1: RM frameworks
which the organisation will assess its positioning and future expectations of the RM process
include: culture, people, involvement in strategy setting, RM policy setting, RM process and
performance measurement.
As organisations migrate from level 1 (Ad-hoc) to 5 (optimised), the RM initiative will transform
from an initial RM approach to an optimised capability. For our purposes, the definition of
ERM will encompass the standard definition for RM mentioned under section 1.1. of chapter
1, and the following additional requirements [COS04]:
• A process applied in strategy setting.
• Provides assurance to the board that strategic objectives will be achieved.
• Manages risks to be within the approved appetite.
• Takes a portfolio view of risk.
• Is an ongoing process flowing throughout the organisation.
• Is effected by people at every level in the organisation.
11
11. Figure 2.1: RM maturity model1
Some benefits in utilising a RM maturity model include [RIM06]:
• Builds consensus and establishes milestones.
• Benchmarking against best practices.
• Integrates RM into the fibre of the decision-making process.
• Communicates clearly to the board, regulators, rating agencies and executive
management key risk status.
• Streamlines the RM process, eliminating duplication of effort and the measurement
of RM value.
Figure 2.2 below shows the level of quantitative sophistication relative to each stage
of the maturity model depicted in figure 2.1.
For non-financial services organisations wanting to adopt a more optimised RM
framework similar to that depicted under level four or five of the maturity model, a
value based ERM framework would be a suitable approach.
1
Adapted from RIM06, ISO09 and COS04.
12
12. Figure 2.2: Quantitative methods linked to the maturity model [PRO06]
2.3. A value-based ERM framework
In his book, Corporate Value of Enterprise Risk Management, Segal criticises less
complex RM frameworks in that they are unable to quantify strategic and operational
risks well, do not articulate the organisations risk appetite effectively in terms of
company value and are not integrated into organisational decision making [SEG11].
To address this, he proposes a more advanced framework that is linked to company
value. To achieve practicality, the framework needs to be reliable, can be executed
speedily, allows for transparency and is adjustable for degrees of precision required.
There however needs to be a strong focus on preventing the framework becoming
overly complex with no related increase in value.
Figure 2.3 depicts the various phases of the value based-ERM framework that will be
expanded on in Chapter 3.
To be able to apply Segal’s value based approach, the risk analyst needs to grasp the
concepts of stochastic simulation, discounting cash flows (DCF) and Failure Modes
and Effects Analysis (FMEA). These concepts are discussed below.
2.3.1 Company valuation techniques
According to McKinsey in their book, Valuation - Measuring and Managing the
Value of Companies, value is defined as the key measure in a market economy
13
13. Figure 2.3: Value-based ERM framework [adapted from SEG11]
[MCK10]. In such economies, a company’s ability to create value for its stakeholders
and the amount of value it can create are the chief measures by which it will be
judged. Alternative measures such as accounting earnings assess only short term
performance and are rather limited in their usage [SEG11].
Creating sustainable value should be a long term endeavour of an organisation.
This is primarily achieved by having a clear understanding of the business’s
competitive advantage. Organisations must continually seek and exploit new sources
of competitive advantage if they want to create and sustain value [MCK10].
Necessary for determining the value of an organisation, the discount rate (usually
represented by d) or cost of capital needs to be known. This rate reflects the amount
investors want to be paid for the use of their capital. It is called the discount rate
since future cash flows are discounted at this rate when calculating the present value
of an investment. Segal indicates that this rate is not difficult to determine since it
forms one of the basic components of corporate finance and should be well known
by the financially literate of the management team [SEG11]. McKinsey indicate that
the average discount rate for large non-financial companies in late 2009 was roughly
between 8 to 10 percent [MCK10].
14
14. Model Measure Discount measure Assessment
1. Enterprise DCF
Free cash flow Weighted average
cost of capital
Works best for projects,
business units and
companies that manage
their capital structure to a
target level.
2. Discounted eco-
nomic profit
Economic profit Weighted average
cost of capital
Explicitly highlights when a
company creates value.
3. Adjusted present
value
Free cash flow Unlevered cost of
equity
Highlights changing capital
structure more easily than
WACC-based models.
4. Capital cash flow Capital cash flow Unlevered cost of
equity
Compresses free cash
flow and the interest tax
shield into one number
making it difficult to compare
operating performance
among companies and over
time.
5. Equity cash flow Cash flow to equity Levered cost of
equity
Difficult to implement correctly
because capital structure is
embedded within the cash
flow. Best used when valuing
financial institutions.
Table 2.2: Cash flow models prevalent today [MCK10]
“The guiding principle of value
creation is that companies
create value by investing
capital they raise from investors
to generate future cash flows
at rates of return exceeding the
cost of capital.” [MCK10]
Also necessary for determining the value of
an organisation, is the growth rate (usually
represented by g). Achieving the right balance
between the need for growth and the rate of
return that investors require is vitally important
to value creation.
McKinsey identify five valuation techniques
for companies but favour 2 specifically, viz.
enterprise DCF and discounted economic
profit. Of the 2 approaches, practioners and academics favour DCF because it relies
exclusively on the flow of cash in and out of the organisation rather than on accounting
based contributions. Table 2.2 briefly outlines the five approaches.
15
15. For the purposes of this study we will utilise the DCF technique in re-performing
Segal’s value based ERM framework.
To arrive at the combined cash flow (CFn) value for the company, equation 2.1 applies
[SEG11].
CFn = Net income(n) + Depreciation and amortisation(n)
− increase in working capital(n) − capital expenditures(n). (2.1)
The company value method agrees with the generally accepted DCF formula shown
in equation 2.2 below.
NPV = −C0 +
C1
1 + d
+
C2
(1 + d)2
+ · · · +
Cn
(1 + d)n
(2.2)
where
• −C0 = Initial investment
• C = Cash flow
• d = Discount rate
• T = Time.
In addition to this, a terminal value (TVN ) must be included to limit the projection to n
years. Equation 2.3 refers.
Company value =
DistCF1
(1 + d)1
+
DistCF2
(1 + d)2
+ · · · +
DistCFN
(1 + d)N
+
TVN
(1 + d)N
(2.3)
where
• DistCFn = distributable cash flow for period n
• TVN = terminal value at end of period N
• d = discount rate
• N = final year of projection.
The terminal value reflects the value remaining at the end of the projection period.
A common approach utilised is to assume that the DCF from the final year of the
projection, year n, continues to grow annually, in perpetuity, at a constant growth rate.
The formula is listed under equation 2.4.
TVN =
DistCFN × (1 + g)
(d − g)
(2.4)
where
16
16. • TVN = terminal value at end of period N
• CFn = distributable cash flow for period n
• g = growth rate
• d = discount rate
• N = final year of projection.
For reasonableness, model calculations must include a reasonability check. This may
include comparing the company’s baseline value with its market capitalisation. The
reasonability check is included under equation 2.5.
Market capitalisation = outstanding shares ∗ stock price per share. (2.5)
As a rule of thumb, the baseline value may be 5 to 15% higher than the market
capitalisation. This delta should seem reasonable taking into account the company’s
unique situation and market conditions.
2.3.2 Stochastic simulations
There exist two main approaches that a risk analyst can apply in model development.
These are either deterministic or simulation methods. The decision on which method
to apply is influenced by a number of factors. These include [DEN12]:
• Complexity: simulation methods provide the analyst with better visibility of a
complex system as opposed to a set of deterministic equations.
• Accuracy: deterministic models usually require a far greater number of simplifying
assumptions to make the model more manageable.
• Future enhancements: if it is expected that the model will need to be expanded or
further refined, it is probably better to start with a simulation technique.
• Application: for quick analysis, deterministic models might be preferred over
simulations that can take much longer to execute.
Table 2.3 below outlines some of the advantages and disadvantages of the two main
approaches.
17
17. Model approach
Deterministic Simulation
Advantages
• Results are exact.
• Once developed,
output is obtained
quickly.
• Computer resources
are not always
required.
• Flexible option.
Empirical distributions
can also be handled.
• Can be extended to
cater for future
enhancements.
• Approach is easily
understood by
non-mathematicians.
Disadvantages
• Far greater number of
simplifying
assumptions needed
to make the model
more manageable.
• Ability to extend the
model, especially
when not performed
on a computer, is
limited.
• Model may only be
understood by the
mathematically savvy.
This could cause
credibility concerns.
• Computer resources
are required.
• Calculations can take
much longer to
execute.
• Solutions are not
exact, especially when
a low number of
iterations are
performed (e.g.
<100).
Table 2.3: Advantages and disadvantages of different modelling approaches [DEN12]
Winston states that simulations are a technique that imitate the operation of a
real-world system as it evolves over time. This is achieved by developing a stochastic
simulation model. Such models take the form of a set of assumptions about the
system and expresses them as mathematical relations between objects of interest in
the system [WIN04].
Monte Carlo simulation is a type of simulation technique that provides approximate
outputs to a variety of quantitative problems by performing statistical sampling
experiments [WIK14a]. The Monte Carlo method was invented in the late 1940’s by
Stanislaw Ulam, while he was working on nuclear weapon projects at the Los Alamos
National Laboratory. It was named by Nicholas Metropolis, after the Monte Carlo
Casino, where Ulam’s uncle often gambled.
18
18. Monte Carlo simulations offers a number of advantages. These include [VOS08]:
• Monte Carlo simulation is recognised as a valid and effective technique, so its
results will be more readily accepted.
• The simulation can be adjusted to cater for interdependencies and correlations.
• These types of simulations are relatively easy to perform and don’t require major
mathematical experience.
• Complex mathematics can be incorporated with relative ease.
• Software is commercially available to automate most of the tasks involved in a
simulation.
• Variations in the model can be made quickly and results compared.
Pengelly lists as one of the main reasons why Monte Carlo techniques should be used
over other techniques as its ability to approximate an answer relatively quickly without
the need for tedious calculations that can be time consuming [PEN02].
Although the approach to Monte Carlo simulations may vary slightly, they tend to follow
a number of common steps. These are [WIK14a]:
• Define the set of assumptions and inputs.
• Generate inputs randomly from appropriate statistical distributions.
• Perform a deterministic computation on the outputs to verify reasonability.
• Aggregate the stochastic results and interpret.
The probability distributions applied in a Monte Carlo simulation fall into two groups:
parametric and non-parametric distributions. Whereas parametric distributions are
based on a mathematical function whose shape and range is defined by one or
more distribution parameters, non-parametric distributions have their shape and range
determined by their parameters directly. It is generally accepted that non-parametric
distributions are far more useful in modelling expert opinion.
Some of the more common distributions applied in modelling subject matter expert
opinion include the following [VOS08]:
• Bernoulli: modelling a risk event that may or may not occur.
• Discrete: combining two or more conflicting expert opinions.
• Bradford: similar to a Pareto distribution that has been truncated on the right, the
theory has a lot of implications in researching and investment in periodicals and
web browser usage.
19
19. • Cumulative (ascending): the expert provides a minimum, maximum and a few
percentiles (e.g. 25%, 50% and 75%).
• Beta: a useful distribution one can rescale and shift to create other distributions with
a wide variety of shapes over a finite range.
• Johnson bounded: combined with its flexibility in shape, it makes a viable alternative
to the PERT, Triangle and Uniform distributions.
• Kumaraswamy: a very useful and simple formed distribution that is flexible like the
Beta distribution.
• Program evaluation and review technique (PERT): a form of Beta distribution which
is widely used for modelling expert estimates where one is given minimum, most
likely and maximum guesses.
• Relative: the most flexible of all the continuous distribution functions, it allows the
risk analyst to tailor the shape of the distribution to reflect, as closely as possible,
the opinion of the expert.
• Split triangle: from a three point estimate provided by the subject matter expert, the
distribution then extrapolates from these values to create a distribution composed
of 2 triangles.
• Uniform: used as a very approximate model where there are very few or no available
data.
The various probability mass and density functions of the distributions above, are
included in table 2.4 below.
20
20. Bernoulli Discrete Bradford
f(k; p) = pk
(1 − p)1−k
for k ∈ {0, 1}
where
0 < p < 1, p ∈ R.
f(xi) = pi
where
pi > 0, n > 0,
n
i=1
pi > 0.
f(x) =
θ
(θ(x − min) + max − min) log(θ + 1)
where
0 < θ, min < max.
Cumulative (Ascending) Beta Johnson bounded
f(x) =
Pi+1 − P
xi+1 − xi
for
xi ≤ x < xi+1
i ∈ {0, 1, . . . , n + 1}
where
x0 = min, xn+1 = max, P0 = 0, Pn+1 = 1
0 ≤ Pi ≤ 1, Pi ≤ Pi+1, xi < xi+1, n > 0.
f(x) =
(x)α−1(1 − x)β−1
B(α, β)
where
B(α, β) is a Beta function α > 0, β > 0.
f(x) =
α2(max − min)
(x − min)(max − x)
√
2π
∗ exp −
1
2
α1 + α2 ln
x − min
max − x
2
where
α2 > 0, max > min.
Kumaraswamy PERT Relative
f(x) = αβxα−1
(1−xα
)β−1
where
α > 0, β > 0.
f(x) =
(x − min)α1−1(max − x)α2−1
B(α1, α2)(max − min)α1+α2−1
where
α1 = 6
µ − min
max − min
, α2 = 6
max − µ
max − min
.
f(x) =
x − xi
xi+1 − xi
(pi+1 − pi) + pi if xi ≤ x < xi+1
where
pi ≥ 0, xi < xi+1, n > 0,
n
i=1
pi > 0.
Split triangle Uniform
f(x) =
Height1(x − Min)
(Mode − Min)
if Min ≤ x ≤ Mode
f(x) =
Height2(Max − x)
(Max − Mode)
if Mode < x ≤ Max
where
Height1 =
2 ∗ MediumP
Mode − Min
,
Height2 =
2 ∗ (1 − MediumP)
Max − Mode
, Mode = Medium,
Min =
(Low − Mode ∗ LowP/MediumP)
(1 − LowP/MediumP)
,
Max =
(Mode − High ∗ 1 − MediumP/1HighP)
(1 − 1 − MediumP/1 − HighP)
Min ≤ Mode ≤ Max, Min < Max.
f(x) =
1
max − min
where
min < max.
Table 2.4: Subject matter expert probability mass and density functions [adapted from VOS08]
21. A final note on some factors that may impact the use of subject matter experts:
• Inexpert expert: to be helpful, nominated persons with limited knowledge provide
input as if they were experts [VOS08].
• Culture of the organisation: the analyst needs to consider whether the culture of
the organisation promotes over or under estimation.
• Conflicting agendas: sometimes experts will have vested interests in the values
that are submitted for a model.
• Unwillingness to consider extremes: frequently, experts will find it difficult to
envisage circumstances that would cause a variable to be extremely high or low.
• Eagerness to say the right thing during the interview.
• The subject matter expert is not au fait with the unit measure being applied in the
model.
• The expert is too busy to assist.
• Unrealistic belief that the expert should be certain about the estimates they
provide.
Many times when obtaining inputs from subject matter experts, differences of opinion
may arise. In such instances, Vose recommends that the risk analyst not pick the most
pessimistic estimate or take the average between the two inputs received. Rather, she
should take the weighted average of the cumulative percentiles or model together the
probability densities at each of the range values.
2.3.3 Failure Modes and Effects Analysis (FMEA)
“A facilitator is one who
contributes structure and
process to interactions so
groups are able to function
effectively and make high
quality decisions.” [CAR12]
FMEA was first applied in the 1950’s to study
problems that might arise from malfunctions of
military systems. Since then, it has become one
of the most important techniques applied in failure
analysis [WIK14b]. Broadly speaking, the primary
aims of the process are to reduce costs, promote
faster development times and ensure that high
customer expectations for reliable products and
processes are met [CAR12]. There exist three main types of FMEA’s. These are:
• System FMEA: The highest level of analysis of a complete system. The system is
made up of many sub-systems. The focus here is on system-related deficiencies
and interfaces between various sub-systems.
22
22. • Design FMEA: The focus is on product design at the sub-system level. Attention is
given to design-related deficiencies with an emphasis on improving the design and
ensuring that product operations are safe and reliable during the product’s lifetime.
• Process FMEA: The focus here in on manufacturing and assembly processes, with
emphasis on how the process can be improved to ensure a product is built to design
requirements in a safe manner with minimal interruption, scrap and modification.
For our purposes, the focus will be on FMEA guidelines on how to facilitate a
successful project. These guidelines are applied in effectively retrieving input from
subject matter experts:
• Appoint a qualified facilitator to conduct the interview process.
• Sessions are structured for success. Some success factors include starting and
ending on time, keeping the focus on the objectives and providing minutes and
follow-up actions.
• Attendees are prepared for the sessions, respect each other’s opinions, maintain a
focus on the agenda and debate differences of opinion calmly.
• If brainstorming is used as a method of initiating discussions, the facilitator must
ensure that everyone participates, that the discussion is kept moving, creativity is
nurtured and debates arise.
• Ask probing questions, avoiding yes and no answers.
• Encourage participation by means of an open and safe environment where
participants can speak their minds.
• Apply active listening followed by clarifying questions to ensure a full understanding
of the other person’s intentions.
• Time management is practiced to ensure all items on the agenda are addressed.
• Decisions are achieved through consensus. This means that many ideas are
shared, discussions are based on facts and no one person pushes a predetermined
solution or agenda.
• Conflict will arise during the session. The facilitator must not fear conflict but see
the value in healthy debate. This means that the facilitator must be open to hearing
ideas from other people, staying objective and focused on the facts.
23
23. 2.4. Conclusion
Maturity models are a quick and effective means of determining the level of RM
sophistication in an organisation. For most organisations outside non-financial
services, the existence of less sophisticated approaches that only assess risk
exposure on a qualitative basis are common. For those organisations seeking a more
sophisticated approach with increased quantification of exposures, the value based
ERM framework is an alternative.
The concepts of stochastic simulation, DCF’s and FMEA were introduced and briefly
explained. These will be relied upon in the discussion of the said framework in
chapter 3.
24
24. Chapter 3
The core ERM process
3.1. Introduction
Organisations of all types and sizes face internal and external events that make it
uncertain whether they will achieve their objectives. The effect this uncertainty has
on an organisation’s objectives is risk. Organisations manage risk by identifying it,
analysing it and then evaluating whether the risk should be modified by risk treatment
in order to satisfy predefined risk criteria. Throughout this process, persons must
communicate and consult with stakeholders and monitor and review the risks and
controls. In this chapter we introduce the core ERM process outlined in Segal’s value
based approach.
3.2. The core EM process
3.2.1 Context
The first phase of the process requires an understanding of the context in which the
ERM process will be exercised [COS04 and SEG11]. By establishing the context, the
organisation articulates its objectives, defines the external and internal parameters
to be taken into account when managing risk, and sets the scope and risk criteria for
the remaining process.
The external context is the external environment in which the organisation seeks to
achieve its objectives. The external context can include, but is not limited to the social
and cultural, political, regulatory and competitive environment, whether international
or national. The internal context on the other hand includes, but is not limited to
governance, organisational structures and strategies that are in place to achieve its
objectives.
25
25. To ensure a successful ERM process, it is also important that there is a common
understanding of risk terminology across the organisation. Below is a selection of
additional risk terms that will be applied throughout the remainder of this study2
:
• Risk: an uncertain event that can affect the achievement of objectives. Risks can
have either negative or positive consequences.
• ERM framework: the set of components that provide the foundations and
organisational arrangements for designing, implementing, monitoring, reviewing
and continually improving ERM throughout the organisation.
• Inherent risk: the maximum risk exposure before considering current controls.
• Risk owner: person or entity with the accountability and authority to manage a risk.
• Stakeholder: person or organisation that can affect, be affected by, or perceive
themselves to be affected by a decision or activity.
• Risk assessment: overall process of risk identification, analysis and evaluation.
• Risk identification: process of finding, recognising and describing risks.
• Risk analysis: process to comprehend the nature of the risk.
• Risk evaluation: process of comparing the results of risk analysis with risk criteria
to determine whether the risk and/or its magnitude is acceptable or tolerable.
• Risk treatment: the process of modifying the risk. This can involve changing the
likelihood and consequences of the risk or even retaining the risk by informed
decision.
• Control: a process, affected by an entity’s executive, management and other
personnel, designed to provide reasonable assurance regarding the achievement
of objectives.
• Residual risk: the risk remaining after current controls.
• Monitoring: continual checking, supervising, critically observing or determining the
status of risks in order to identify change from the performance level required or
expected.
The various functions within the organisation have generic roles and responsibilities
when it comes to ERM. Briefly, these roles will be responsible for the following ERM
activities:
• Board: approve the risk appetite, tolerances and profile.
• Audit and risk committee: ensure that the organisation’s ERM framework is
efficiently implemented and maintained.
2
Adapted from ISO09 and COS04.
26
26. • CEO: ultimate responsibility for ERM.
• Chief Risk Officer (CRO): establishing and communicating the ERM vision.
• ERM division: creating, implementing and maintaining the ERM framework.
• Audit functions: auditing the ERM process as part of their assurance plans.
• Business units: aligning their risk priorities, tolerances and strategies with
organisational wide policies and procedures.
Elements that need to be in place before initiating the risk identification component
of the process are [COS04]:
• An overall ERM policy.
• A formalised risk appetite statement.
• An oversight structure in which functions having a clear understanding of their
respective roles.
• Integrity and ethical values.
• Know what the strategic and tactical objectives are.
• Agreement on standard risk terminology that will be used across the organisation.
Risk identification techniques
1. Interview/focus group discussions
3. Audit or physical inspections
5. Brainstorming
7. Surveys, questionnaires and
Delphi technique
9. Examination of local and
or/overseas experience
11. Networking with peers, industry
groups and professional
associations
13. SWOT analysis
15. Work breakdown structure
analysis
2. Judgmental - speculative,
conjectural and intuitive
4. History, failure analysis and
lessons learnt
6. Examination of personal
experience or past department or
public entity experience
8. Database of risk events which
have materialised
10. Scenario analysis
12. Decision tress
14. Flow charting, and system design
reviews
16. Operational modelling
Table 3.1: Some risk identification techniques [COS04]
27
27. 3.2.2 Risk identification
The second step in the core process is to generate a comprehensive list of risks
based on those events that might prevent the achievement of the organisation’s
objectives [SEG11]. Comprehensive identification of risks is critical, because a risk
that is not identified will not be included in further analysis.
Identification should include risks whether or not their source is under the control of
the organisation. As well as identifying the risk event, it is necessary to consider the
related causes and consequences. Table 3.1 above outlines some of the techniques
that can be applied in identifying risks.
Some common pitfalls that could arise during the risk identification phase include:
• Lack of clarification and common understanding of key risk terms.
• Not including all stakeholders.
• Setting unclear or unrealistic objectives.
• Failing to structure the meeting agenda for success.
• Placing too little emphasis on discussion.
• Letting technology glitches distract the process.
• Not creating a safe and open environment.
• Failing to clarity roles and responsibilities.
• Poor facilities.
• Confusion over the time horizon.
• Overlooking external environment events because of a perception that they are
outside of management’s control.
• Ignoring the interrelationship among risks.
Description Qualitative likelihood score
Highly likely 1-in-5 or greater chance of occurring
Likely 1-in-10 chance of occurring
Possible 1-in-20 chance of occurring
Unlikely 1-in-50 chance of occurring
Highly unlikely 1-in-100 or less chance of occurring
Table 3.2: Likelihood scales [SEG11]
28
28. Description Qualitative impact score
Catastrophic >R200 million loss in company value
Major R50-R200 million loss in company value
Moderate R20million-R50million loss in company value
Minor R10million-R20million loss in company value
Insignificant <R10million loss in company value
Table 3.3: Impact scales [SEG11]
3.2.3 Risk quantification
Once the organisation’s risks have been identified, it is necessary to conduct a
qualitative risk assessment [SEG11]. The goal in conducting aqualitative assessment
is to reduce the total number of risks down to 10 or so key risks. These top risks will
then be taken through the rest of the ERM process for further analysis. Scoring
criteria that can be used to determine the top risks are included in tables 3.2 and 3.3.
As with the risk identification phase, the risk analyst can adopt various techniques in
obtaining scores from the various participants. This will not be discussed in detail
here, but in most cases the techniques of facilitated workshops and one-on-one
interviews are used.
Once a sorted list of the top risks by inherent and residual ranking has been compiled,
the quantitative assessment can begin.This assessment comprises three main steps,
viz. the calculation of the baseline company value, quantification of the individual risk
exposures and then the quantification of the enterprise risk exposure [SEG11].
3.2.3.1 Baseline company value
The baseline company value is an internal valuation based on the organisation
achieving its business plan. Inputs required to initiate this phase, include financial
projections from the business plan, the most recent financial statements and an
agreement on a suitable discount rate or cost of equity capital.
The financial projections should extend out to the end of the organisation’s formal
planning period. Normalised financial statements form the second input into
the calculation of the baseline company value. These statements include the
assumptions that were relied upon in generating the final values. These could
include, rates of return, tax rates, etc.
Utilising the valuation approach of DCF’s discussed in section 2.3.1 of chapter 2, the
29
29. following three steps are applied in developing the model:
• Develop a dynamic reproduction of the business plan’s financial projections to the
end of the formal planning period.
• As best as possible, project the distributable cash flows beyond the formal planning
periods and then add a terminal value.
• Applying the discount rate, determine the present value of all cash flows back to
time zero.
Up to this point, the valuation has been based on an equity analysis or market
capitalisation as a substitute for company value. The businesses management team
must now attempt to validate the estimate based on their knowledge of strategy
execution and activities within the business. It is generally accepted that management
have a much better appreciation of the effectiveness of business activities then exter-
nal market analysts. In addition to being more realistic, management’s estimate will
be far less volatile than that of the market. This is primarily driven by the fact that the
market overreacts to new information in both directions.
3.2.3.2 Quantifying individual risk exposures
The next phase of risk quantification requires an assessment of multiple deterministic
scenarios for each key risk and its impact on the baseline company value [SEG11].
Three attributes that need to be considered here are the input of data and
assumptions, model calculations and the output of results.
According to Segal, the use of deterministic scenarios in this case has a number of
advantages over the use of stochastic methods. These include:
• Stochastic models involve fewer persons from the business and limit the amount
of robust discussion in coming up with the underlying assumptions. This stifles the
development of a risk culture across functions in the business.
• Risk results may change every time the stochastic model is run due to the random
generator. For non-mathematicians, this can create suspicion that the model is
flawed and that the results cannot be relied upon.
• Stochastic models apply the technique of interpolation to generate scenarios. This
is especially true when there is limited historical data on the type of risk being
evaluated. Such models tend to generate some unrealistic scenarios that should
have been avoided.
• One of the major causes of the 2007 US financial crises was that stochastic models
were very poor in generating plausible tail events. In many cases, some of the tail
30
30. events that were considered very unlikely were actually occurring rather frequently.
This highlighted the risk of blindly following formula fitting to historical data which
had very few data points in their tails.
All of the discrete risk scenarios that will be developed will have a downside, whereas
only some might have an upside. Segal lists five potential scenarios that could apply
to each risk:
• Extremely pessimistic;
• moderately pessimistic;
• baseline (risk does not materialise and baseline company value is achieved);
• moderately optimistic; and
• extremely optimistic.
The potential scenarios will be based on either objective or subjective criteria. In the
case of objective criteria, richly detailed distributions of historical data would exist to
support the various discrete measures. The more difficult task is agreeing on the
subjective criteria since there is a lack of credible data. This relates predominately
to strategic and operational risks. The FMEA technique described in section 2.3.3 of
chapter 2 is most suited to developing such scenarios.
Once the scenarios have been developed, the risk analyst will need to quantify the
potential impact of each of the major risks on the baseline company value. For this,
a stochastic model utilising an appropriate statistical distribution for obtaining subject
matter expert input, will be applied. Segal refers to this as "shocking" the baseline
value [SEG11].
Outputs from the quantification of the individual risk exposures will be the first time
that senior management are able to see a listing of top risks that have a direct impact
on company value.
3.2.3.3 Quantifying enterprise risk exposure
After the exposure of each individual risk event on the company’s baseline value has
been determined, it is necessary to calculate the full range of possible outcomes
on the value [SEG11]. The distribution generated from the simulations reflects
the impact on the baseline company value while the vertical axis represents the
likelihood. The factors impacting the likelihood value are the likelihood of the
individual risk scenarios and the correlation between them. For the likelihood
of individual risk scenarios, percentages reflecting the likelihood of the scenario
occurring was determined during the FMEA process. For the objective scenarios,
31
31. a host of historical data should exist to provide a reasonable estimate regarding
likelihood.
Regarding correlation, Segal recommends that a correlation factor be derived for
each pair of risk scenarios. Although this might seem an overwhelming task, most
scenarios will be independent of each other. This is mostly due to the fact that risk
scenarios are of a strategic or operational nature. In the case where correlations
do exist, an informed estimate from a suitably qualified subject matter expert will
be required. If the risks are of a financial nature however,historical data should be
available to quantify the correlation factor more objectively.
We are now ready to select the simulations, and calculate the impact and likelihood
on the baseline company value. For our purposes, every simulation will represent a
possible future outcome for the business. This is best visualised as a mathematical
vector, whose length is equal to the number of key risks, and where each vector
location indicates the scenario for that risk. Equation 3.1 below refers.
Simulationi = {Risk1Sceni, Risk2Sceni, . . . , RisknSceni} (3.1)
where
• i = the simulation number
• RiskxSceni = the risk scenario from key risk x that was selected in simulation i;
this can include one of the pessimistic scenarios, one of the optimistic scenarios (if
any exist), or the baseline scenario for this key risk.
Segal comments that the number of simulations can become rather large very quickly
and that steps will need to be taken to keep the model realistic by limiting the
combinations to an optimal number. Some practical considerations include:
• Defining a maximum run time: ideally, the enterprise risk exposure calculation
should take between six to eight hours and should not exceed twelve or even 24
hours. Here, practicality must rule and the model must be able to generate reliable
results that can inform decisions within the required timeframe.
• Define a maximum number of reasonable simulations: based on the maximum
runtime, the risk analyst must determine the maximum number of iterations that
will be run and decide whether this is appropriate.
• Determining the number of simulations needed to achieve stability: the aim here is
to determine the number of minimal simulations required to achieve a reasonable
estimate of the enterprise risk exposure.
Determining the risk impact, requires that each simulation be run through the model
to calculate the impact on the baseline company value. If a simulation has more than
32
32. one risk scenario occurring concurrently the shock values will be grouped together.
This provides valuable information on the impact on the baseline company value
when multiple risk scenarios manifest at the same time.
The likelihood of a simulation is determined by multiplying the likelihood of each
individual risk scenario in the vector. Initially, it is assumed that events take place
independently and then incorporate a correlation adjustment factor as in equation
3.2 below.
P(Simi) = P(Risk1Sceni) × P(Risk2Sceni) . . . × P(RisknSceni) × CAF (3.2)
where
• P(x) = probability of x
• Sim = simulation
• i = the simulation number
• RiskkSceni = the risk scenario, from key risk x, that was selected in simulation i;
this can include one of the pessimistic scenarios, one of the optimistic scenarios (if
any exist), or the baseline scenario for this key risk
• n = the number of key risks
• CAF = correlation adjustment factor.
The correlation adjustment factor is simply a multiplicative product of individual
pairwise correlation factors. Therefore, if a model includes more than one pair of
risk scenarios that are correlated, each pair’s correlation adjustment factor is applied
multiplicatively to the simulation probability as in equation 3.3 below.
CAF = IPCAFRiskx Sceni ;Riskx Sceni × IPCAFRiskx Sceni ;Riskx Sceni ×··· (3.3)
where
• CAF = correlation adjustment factor
• IPCAFRiskxSceni;RiskxSceni
= individual pair-wise correlation adjustment factor, for the
combination of risk x scenario i occurring simultaneously with risk y scenario i.
Outputs of this phase of the model involve graphical and tabular forms of the
enterprise risk exposure as well as the downside standard deviation calculations.
Important information that can be gleaned from the enterprise risk exposure outputs
include the likelihood that the business will experience a decrease in value of X
percent or more; the likelihood that company value falls between a pre-defined range;
the likelihood of an increase in company value of X percent or more or the impact of
33
33. each risk scenario on value. In tabular form, areas of interest from the graph are laid
out for closer scrutiny.
σ =
1
n
n
x=1
(x − ¯x)2 (3.4)
where
• σ = standard deviation
• n = number of data points in the distribution
• x = a data point in the distribution
• ¯x = mean of distribution (note that if the metric used here is company value, this is
the probabilistic expectation of company value).
Standard deviation is commonly accepted to be a measure of volatility that is simple
to calculate if a given distribution is known. Equation 3.4 includes the traditional
formula. Generally, the greater the dispersion from the mean value the greater the
volatility. Segal indicates that this metric however does not suite the value based
approach under investigation here. Rather, he distinguishes between upside and
downside volatility and proposes only taking into account the downside component
due to enterprise risk exposure distributions not being symmetrical and usually
displaying fat tails. Whereas upside volatility shows scenarios where the results
of the business plan were exceeded, downside volatility considers instances where
business plan expectations were not met. The proposed downside volatility metric is
indicated in equation 3.5.
σdownside =
1
m
m
j=1
(y − ¯¯x)2 (3.5)
where
• σdownside = downside standard deviation
• m = number of data points in the distribution that corresponds to a result that falls
short of baseline expectations
• y = a data point in the distribution that corresponds to a result that falls short of
baseline expectations
• ¯¯x = baseline, or strategic plan expectations.
Advantages of applying this new metric is that it is a single value; it incorporates all
the downside risk; is readily available and can be easily recalculated. It can also be
used as a means to adjust the discount rate to achieve reasonability. Generally, an
34
34. increase in a firm’s riskiness will result in an increased discount rate while a decrease
in riskiness results in a reduced rate.
3.2.4 Risk decision making
As mentioned previously, the main purpose of ERM is to improve decision making
within the organisation [SEG11]. This is achieved by defining the risk appetite and
limits for the organisation and integrating ERM into the core decision making process.
3.2.4.1 Risk appetite and limits
“If you are not acting differently,
making different choices, as a result
of implementing an ERM program,
then you have misspent a good deal
of time and energy.” [SEG11]
Defining or adjusting the risk appetite
allows for a maximum limit to be
set on the enterprise’s risk exposure
which stakeholders are comfortable
with. Segal is of the opinion that the risk
appetite is not only a set of quantitative
measures but judgemental estimates.
The setting of the risk appetite should be an iterative process that requires debate and
should ultimately result in consensus among the members of senior management.
Table 3.4 provides an example of a risk appetite statement including soft and hard
limits. Whereas hard limits show the maximum levels of risk exposure which should
never be exceeded, the soft limits may be exceeded for temporary durations with
suitable explanations provided. Exceeding the soft limits should act as an early
warning sign that the hard limits may be exceeded in the foreseeable future.
Decomposing the risk appetite statement into tangible limits that will form the
responsibility of the various functions and activities within the organisation is the next
step. This acts to spread the risk exposure across the business thereby preventing
excessive risk concentration.
3.2.4.2 Integrating ERM into decision making
The power of the value based approach to ERM is that the simulation model
described under section 3.2.3, can be applied to conduct what-if scenarios. Potential
what-if scenarios could include mergers and acquisitions, changes in strategic
approach, entering into new markets, new tactical techniques employed, etc. In
reference to the simulation model, there are five areas that can be adjusted to take
into account the impact of the various what-if scenarios. These are the DCF’s,
35
35. Enterprise risk exposure Risk appetite
Pain point Likelihood Likelihood – soft limit Likelihood – hard limit
1. Decrease in company
value of more than
15%.
8.5% 10.5% 15%
2. Falling short of this
years planned
revenue by more than
200 basis points.
13.2% 15% 25%
3. Falling short of this
years planned
earnings by more than
2 cents a share.
10.4% 10% 15%
4. Ratings downgrade of
one level.
7.6% 5% 10%
Table 3.4: Sample risk appetite statement [SEG11]
discount and growth rates, revised baseline values, revised risk scenarios and a
revised enterprise risk exposure value.
3.2.5 Communication
Communication and consultation with external and internal stakeholders should take
place during all stages of the ERM process to ensure they understand the basis on
which decisions are made, and the reasons why particular actions were taken [ISO09
and SEG11]. Plans for communication and consultation should be developed at an
early stage. These plans should address issues relating to the risks themselves, their
causes, consequences, and measures being taken to treat them.
Communication to internal stakeholders involves providing feedback at each phase of
the core process on all significant decisions taken (this was discussed under section
3.2.4.1 above).
Examples of external stakeholders could include shareholders, stock analysts, rating
agencies and regulators. Examples of types of disclosures are included under Table
3.5 below.
3.2.6 Monitoring and evaluation
An entity’s ERM process changes over time. In the face of such changes,
management needs to determine whether the functioning of ERM continues to be
36
36. Risk disclosure
Voluntary Mandatory
1. Explanation on the ERM framework
applied.
1. Disclosure on the risk assessment
process adopted in coming up with
the top risks.
2. Explanation on the risk scenarios
evaluated as part of the simulation.
2. Risk governance - Who is ultimately
responsible for the ERM initiative on a
strategic and day-to-day basis.
3. Management’s use of risk metrics and
techniques to stay within the risk
appetite.
3. Disclosure on risky incentive
compensation schemes (if any).
4. How ERM has created a competitive
advantage for the organisation.
5. How business performance analysis
has been enhanced using ERM.
6. How management incentives are
linked to ERM.
Table 3.5: Examples of external stakeholder communication [SEG11]
effective [COS04 and ISO09]. Monitoring of the ERM process can be done in two
ways: self-evaluations or external evaluations by third parties. The greater the degree
and effectiveness of self evaluations, the less the need for external evaluations.
In making that determination, consideration is given to the nature and degree of
changes occurring and the competence and experience of personnel implementing
the methodology.
3.3. Conclusion
The major advantage of the value based approach to ERM is that it presents the
organisation’s top risks in a measure that is understandable to the internal and
external stakeholder. This allows for increased buy-in into the ERM process and
more rigorous and informed decision making.
The core process of the value based approach to ERM, involves a number of
quantitative techniques that include deterministic and stochastic methods. Applying
these techniques to DCF calculations allows for more realistic risk scenarios that
stakeholders can relate to.
37
37. Chapter 4
Case study
4.1. Introduction
As outlined in the research methodology in section 1.4, we will apply Segal’s value
based approach to an engineering and construction firm. The structure of the case
study will follow the process depicted in figure 2.3 of chapter 2. Relevant outputs are
included in figures, tables and supporting annexures under the relevant headings.
4.2. Case study
4.2.1 Requirements: Set the context
• An overall ERM policy: annexure A includes an example of such a policy.
• A formalised risk appetite statement: for our purposes, the business has not
formalised its risk appetite statement. One of management’s key expectations in
going through the value based approach is that a first cut risk appetite statement
will be produced.
• An ERM oversight structure: figure 4.1 refers.
• Integrity and ethical values statement: table 4.1 refers.
• Strategic and tactical objectives: table 4.2 refers.
• Agreement on standard risk terminology: terminology defined under 3.2.1 of
chapter 3 has been adopted as the organisation’s common language.
38
38. Figure 4.1: An ERM oversight structure
Integrity and ethical values
1. The company will continue to embed a morally and ethically sound performance culture.
2. The company will conduct its business within a framework set by the regulatory requirements
applicable to its industry in all territories in which it operates.
3. The company will endeavor to comply with legal and regulatory laws as well as all governing
principles.
4. The company rejects anti-competitive or collusive conduct on all jurisdictions in which it
operates, whether or not there are anti-competitive or anti-collusive laws in place.
5. The company encourages concerned employees to report unethical behaviour within any of
its operations, including discrimination, theft, fraud and corruption.
6. The company respects the rights of indigenous people and where appropriate, partners with
indigenous and local communities.
7. Discrimination of any form is viewed in a very serious light by the company and appropriate
disciplinary action will be taken against offenders.
Table 4.1: An integrity and ethical values statement [adapted from MUR14]
Strategic objectives Related tactical objectives
1. Become a more diversified engineering and
construction company.
• Reduction in risk profile through market and
geography diversification.
Focus on South African infrastructure
programmes as a main area of growth.
2. Achieve financial targets with a growth rate
meeting stakeholder expectations.
• Maintain satisfied shareholders through value
creation.
• Achieve EBIT, cash flow and specific
performance metric targets.
3. Be recognised as a diverse high performance
and responsible company.
• Brand excellence is achieved.
• Deliver our projects on time, on budget and at
the required level of quality.
• Promote diversification in the workforce
working closely withlabour unions and
supporting structures.
Table 4.2: Strategic and tactical objectives [adapted from MUR14]
39
39. Number Risk Risk owner Impact Likelihood Inherent risk rating Impact Likelihood Residual risk rating
1 Delay in the South African government
infrastructure programme
Executive committee Highly likely Major Extreme Highly likely Major Extreme
2 Depressed global economy impacts markets and
increases competition
CEO Likely Major Extreme Likely Moderate High
3 Global economic stagnation impacts the
various business commodity driven markets
and increases competition
Platform executives Possible Major Extreme Unlikely Major High
4 Deteriorating SA business environment impacts
business performance
Executive committee Likely Major Extreme Likely Moderate High
5 Heightened industrial action in the South African
environment
CEO Likely Major Extreme Likely Moderate High
6 Health, safety and environmental exposures Group HSE director Possible Major Extreme Likely Major High
7 State procurement process CEO Possible Major Extreme Possible Moderate High
8 Projects in distress Executive committee Possible Major Extreme Possible Moderate High
9 Repeat collusive acts may lead to catastrophic
outcomes
Commercial Director Likely Moderate High Likely Moderate High
10 Lack of transformation impacts current and future
business in South Africa and potentially in Africa
Group HSE director Possible Moderate High Possible Moderate High
11 Group liquidity constraints CEO Unlikely Major High Unlikely Major High
12 Delay in entering East Africa growth markets Executive committee Likely Moderate High Likely Moderate High
13 Consequences of collusive cases against the
company
CEO Likely Moderate High Likely Moderate High
14 Negative impact of scope reduction and low bid
strike rates on order book
Executive committee Likely Moderate High Likely Moderate High
15 A focus on the public sector infrastructure has
resulted in poor market penetration
Executive committee Possible Moderate High Possible Moderate High
16 Lack of formalised project management discipline Executive committee Possible Moderate High Possible Moderate High
17 Non-recovery of uncertified revenues on high risk
projects may result in write-backs
Commercial Director Unlikely Catastrophic High Unlikely Major High
18 Lack of sufficient commercial astuteness Commercial Director Possible Moderate High Possible Moderate High
19 Poor financial performance of major clients CEO Possible Moderate High Possible Moderate High
20 Leadership capacity to support growth strategy Group HR director Unlikely Major High Unlikely Moderate Moderate
21 Successful integration of recent acquisitions CEO Highly unlikely Major High Highly unlikely Moderate Moderate
22 Attraction and retention of key skills Executive committee Possible Moderate High Unlikely Moderate Moderate
23 Risk at tender stage and commercial close Commercial Director Unlikely Moderate Moderate Possible Moderate Moderate
24 Possible hostile take-over CEO Unlikely Moderate Moderate Unlikely Moderate Moderate
Table 4.3: Qualitative risk assessment
41. Construction and engineering business
2015 2016 2017 2018
Net value (Profit before tax) 1 500 000 000 1 590 000 000 1 685 400 000 1 719 108 000
Add: Depreciation and amortisation 700 000 000 742 000 000 786 520 000 802 250 400
Less: Increase in working capital (100 000 000) (106 000 000) (112 360 000) (114 607 000)
Less: Capital expenditure (900 000 000) (954 000 000) (1 011 240 000) (1 031 464 800)
Less: Tax paid (420 000 000) (445 200 000) (471 912 000) (481 350 240)
Distributable cash flow 780 000 000 826 800 000 876 408 000 893 936 160
Discount factor 0.88 0.78 0.69 0.61
Yearly NPV 690 265 487 647 505 678 607 394 707 548 267 788
Total NPV (years 2015–2018) 2 493 433 659
Add: Terminal value 12 784 902 891
Baseline company value 15 278 336 551
Key assumptions
1. Assumed years 2015 to 2018 are based on budgeted forecast representing a full
business cycle.
2. Assumed the average for years 2015 to 2018 to represent the average profitability
though the business cycle - this was used for calculating the terminal value.
3. The growth rate applied in the terminal value was assumed to be conservatively 6%
(expectations of infrastructure spend by government and private sector of between
6 to 8%)
4. Wear and tear allowance for tax is equal to depreciation and amortisation.
Discounted cash flow coefficients
Period (n) n 1 2 3 4
Discount rate applied (d) 13.0% 13.0% 13.0% 13.0% 13.0%
Growth rate for terminal value (g) 6.0% 6.0% 6.0% 6.0% 6.0%
Reasonability check
Issued shares 500 000 000
Stock price per share 27.00
Market capitalisation 13 500 000 000
Variance between market capitalisation and baseline company value 13%
Table 4.4: Baseline company value calculation
4.2.2 Requirements: Identify the risks
Generate a list of risks relevant to the strategic and tactical objectives: table 4.2
refers.
42
42. Risk 1 2 3 4 5 6 7 8
1 1 .20 .20 .60 .10 0 .10 0
2 .20 1 .80 .20 0 0 0 0
3 .20 .80 1 .20 0 0 0 0
4 .60 .20 .20 1 .20 0 0 0
5 .10 0 0 .20 1 0 0 0
6 0 0 0 0 0 1 0 0
7 .10 0 0 0 0 0 1 0
8 0 0 0 0 0 0 0 1
Table 4.5: Correlation matrix
Risk # Inherent risk impact Residual risk impacte
on base value on base value
1 −4.95% −3.29%
2 −3.09% −1.68%
6 −2.85% −1.84%
3 −2.58% −1.73%
4 −2.23% −2.08%
8 −2.16% −1.16%
7 −0.42% −0.38%
5 1.21% 1.47%
In Rands (Rm) % change
Baseline company value 15 300
Total impact of inherent risks −3 508 −22.93%
Total impact of residual risks −1 989 −13.00%
Table 4.6: Individual and combined risk quantification
4.2.3 Requirements: Conduct risk quantification
• Perform a qualitative assessment based on inherent and residual scoring: table
4.3 refers.
• Identify a risk owner for each risk: table 4.3 refers.
43
43. Figure 4.3: Graphical ranking of individual risks
• Sort the qualitative assessment by inherent and residual scoring: table 4.3 and
figure 4.2 refers.
• Calculate the baseline company value: table 4.4 refers.
• Develop deterministic risk scenarios for each of the top risks by conducting FMEA
sessions with subject matter experts: annexure B refers.
• Obtain estimates for impact on revenue, costs and cash flow for each of the risk
scenarios identified: annexure B refers.
44
44. Figure 4.4: Enterprise risk exposure graph
• Considering the mitigation actions in place, estimate the improvement in cash flow:
annexure B refers.
• Consider the impact of correlation between the top risks and quantify: table 4.5
refers.
• Quantify the individual risk exposures and report: figure 4.3, table 4.6 refers and
annexure C refers.
• Quantify the enterprise risk exposure: figure 4.4 and table 4.7 refers.
• Determine the upside and downside volatility measures: table 4.7 refers.
45
45. 9000
10000
11000
12000
13000
14000
15000
16000
11500
12000
12500
13000
13500
14000
14500
15000
15500
Figure 4.5: Sensitivity analysis graphs
Pain point Likelihood (Inherent risk) Likelihood (Residual risk)
Change in value ≤ 10% 62% 49%
Change in value ≤ 20% 41% 25%
Standard deviation 2 976 2 156
Downside standard deviation 2 743 0
Table 4.7: Enterprise reporting measures
4.2.4 Requirements: Improve decision making
• Risk appetite statement relating to company value is developed/revised: table 4.8
refers.
46
46. Enterprise risk exposure Risk appetite
Pain point (Residual risk based) Likelihood Likelihood - soft limit Likelihood - hard limit
1. Decrease in company value of
more than 20%.
25% 25% 30%
2. Loses from projects in distress
exceed 10% of a company
value.
0% 10% 15%
3. Impact from health, safety
and environmental exposures
exceed 10% of a company
value.
12% 10% 15%
Table 4.8: Risk appetite statement
• Running of what-if scenarios: this will be on a case by case basis utilising the
techniques applied here.
4.2.5 Requirements: Effect communication
Stakeholder communication standards: Standards for the communication with
internal and external stakeholders are developed. These will incorporate the
recommendations included under table 3.5.
4.2.6 Requirements: Monitor and evaluate
• Self-evaluations: these should be conducted by the ERM division to ensure they
are complying with the requirements outlined in the framework.
• External valuations: conducted by internal or external auditors and consulting
firms.
4.3. Conclusion
Segal’s approach provides quantified estimates that can be used to measure the
severity of organisational risk. This allows for improved decision making, the ability to
run what-if scenarios and the allocation of funds to provisions or contingencies should
risks materialise.
Areas of further research include understanding the impact of changes made to
distributions used to model subject matter expert opinion and the impact of applying
different valuation techniques outlined by McKinsey.
47
47. Annexures
A. SAMPLE ERM POLICY3
We proactively take initiative in grasping opportunities and developing solutions in line
with our strategic and business objectives. We recognise that in doing so, we accept
risks in order to create value for our shareholders, employees and customers. In order
to ensure business success we have adopted an enterprise-wide integrated approach
to the management of risk.
In this context, risk is defined as uncertain future events that could adversely influence
the achievement of our strategic and business objectives. Therefore, enterprise risk
management is defined as the process which is used by executive management to
identify, evaluate, treat, monitor and report risks to ensure the achievement of its
objectives.
The enterprise-wide approach to risk management is a dynamic process that will
be implemented and improved over time and that will permeate every aspect of
our organisation. By embedding the risk management process into key business
processes such as planning, operations and new projects, we will be better equipped
to identify events affecting our objectives and to manage risks in ways that are
consistent with the approved risk appetite.
As the chief executive officer, I and the board are responsible for ensuring that a
comprehensive risk management framework is established consisting of policies,
procedures, methodologies and processes. To enhance our corporate governance
internally and to ensure that appropriate focus is placed on this important task, I
have delegated this role to the chief risk officer who will ensure that the framework is
implemented and that the executive committee and the board receive the appropriate
reporting on the organisation’s risk profile and risk management process.
3
Adapted from COS04 and ISO09.
48
48. B. Deterministic risk scenarios
Risk 1. Delay in the South African government infrastructure programme
Description
Delays in the planned rollout of the government’s infrastructure plan in South Africa is
impacting negatively on a number of areas within the company. Rating agencies have
downgraded South Africa’s sovereign credit rating following the continued unprotected
industrial action in the mining sector. The BBB rating with a negative outlook will make
it more difficult and more expensive for the South African government to raise debt to
fund it’s R800 billion infrastructure development programme. This is likely to cause
additional delays in bringing the infrastructure plans to market.
Related objective
Focus on South African Infrastructure programmes as a main area of growth.
Subject matter expert/s consulted
CEO and company economist
Scenarios described
For low road, a negative market with a severe lack of competitiveness by the
company. For the baseline scenario, expectations and assumptions outlined in
the company strategy materialise according to plan with no significant variations.
Highroad indicative of a positive market for the company with a strong competitive
advantage.
Inherent risk score (qualitative)
Extreme
Inherent risk (quantitative inputs)
Scenarios Likelihood of Impact on Impact on Impact on Comments on
occurrence revenue costs cash flow assumptions
Scenario 1 (low road) 60% (9 000) (50) (9 500) Refer lessons learned from 2009.
Scenario 2 (baseline) 30% 0 0 0 –
Scenario 3 (high road) 10% 600 (100) 500 –
Residual risk score (qualitative)
Extreme
Mitigations in place
49
49. 1. Encouraging signs that government may be rolling out parts of the infrastructure
plan with increased activity in the buildings market. Certain initiatives through
SAFCFC are underway, but no formal engagement as yet. There is disagreement
between SAFCEC members on tactics to employ.
2. The business is focused on diversifying its offering into east and west Africa. This
will include a greater focus on power, gas processing and oil refining facilities. The
new offering will also include operations and maintenance services through joint
venture arrangements.
Based on mitigations in place, residual risk (quantitative inputs)
Scenarios Improvement in Comments on
cash flow (%) assumptions
Scenario 1 (low road) 30% –
Scenario 2 (baseline) 0% –
Scenario 3 (high road) 10% –
50
50. Risk 2. Depressed global economy impacts markets and increases competition
Description
Global demand for commodities is primarily driven by economic growth in China and
India. A slowdown in the Chinese and Indian economies could dampen the commodity
run. The company is currently experiencing a declining order book due to a slowdown
in commodities. Contraction in the European economy is also impacting demand
for imported finished goods, which in turn is putting pressure on these economies.
Europe’s stagnation has forced European based contractors into new markets, with
an increased appetite for risk in Africa and the Middle East.
Related objective
Reduction in risk profile and through market and geography diversification.
Subject matter expert/s consulted
CEO and company economist
Scenarios described
For low road, a negative market with a severe lack of competitiveness by the
company. For the baseline scenario, expectations and assumptions outlined in
the company strategy materialise according to plan with no significant variations.
Highroad indicative of a positive market for the company with a strong competitive
advantage.
Inherent risk score (qualitative)
Extreme
Inherent risk (quantitative inputs)
Scenarios Likelihood of Impact on Impact on Impact on Comments on
occurrence revenue costs cash flow assumptions
Scenario 1 (low road) 60% (7 350) (150) (7 500) –
Scenario 2 (baseline) 30% 0 0 0 –
Scenario 3 (high road) 10% 1 150 (150) 1 000 –
Residual risk score (qualitative)
High
Mitigations in place
1. Non-organic growth through the acquisition of foreign based entities.
51
51. 2. Opening of satellite offices in Zambia, Kenya and Congo to identify new
opportunities.
3. Right sizing of under performing business units with emphasis on the Gauteng
based entities.
Based on mitigations in place, residual risk (quantitative inputs)
Scenarios Improvement in Comments on
cash flow (%) assumptions
Scenario 1 (low road) 40% –
Scenario 2 (baseline) 0% –
Scenario 3 (high road) 30% –
52
52. Risk 3. Global economic stagnation impacts the various business commodity
driven markets and increases competition
Description
Demand for commodities is driven significantly by economic growth in China and India
with demand now under pressure. This is putting the company under pressure in
North America. Contraction in the European economy is also impacting demand for
imported finished goods. The market’s reluctance to finance capital expenditure plans
also affects the project pipeline which might result in a decline in the market.
Related objective
Reduction in risk profile and through market and geography diversification.
Subject matter experts consulted
CEO and company economist
Scenarios described
For low road, a negative market with a severe lack of competitiveness by the
company. For the baseline scenario, expectations and assumptions outlined in
the company strategy materialise according to plan with no significant variations.
Highroad indicative of a positive market for the company with a strong competitive
advantage.
Inherent risk score (qualitative)
Extreme
Inherent risk (quantitative inputs)
Scenarios Likelihood of Impact on Impact on Impact on Comments on
occurrence revenue costs cash flow assumptions
Scenario 1 (low road) 60% (5 850) (150) (6 000) –
Scenario 2 (baseline) 30% 0 0 0 –
Scenario 3 (high road) 10% 950 (250) 100 –
Residual risk score (qualitative)
High
Mitigations in place
1. The first project awarded in the Philippines with a joint venture agreement
signed with local partner has gone live. All business units continue to explore
opportunities in Europe.
53
53. 2. Business units are quoting on jobs in Russia and Greece and finishing projects
in Spain. Business units have also formed joint ventures with local firms in South
America to explore opportunities.
3. The following African markets are focus areas: Ghana, Zambia, Mozambique,
Kenya and Uganda. The Zambian office was officially opened on 1 November
2014. Facilitated by the non-executive director of the Zambia office, a company
delegation met with senior Zambian members of government to discuss project
opportunities. Several building and construction opportunities were highlighted.
Based on mitigations in place, residual risk (quantitative inputs)
Scenarios Improvement in Comments on
cash flow (%) assumptions
Scenario 1 (low road) 30% –
Scenario 2 (baseline) 0% –
Scenario 3 (high road) 20% –
54
54. Risk 4. Deteriorating SA business environment impacts business performance
Description
Declining business confidence in South Africa, as a result of the political and mining
environment is leading to reduced foreign investment and will further constrain
opportunities in the local infrastructure and mining markets.
Related objective
Focus on South Africa infrastructure programmes as a main area of growth.
Subject matter expert/s consulted
CEO and company economist
Scenarios described
For low road, a negative market with a severe lack of competitiveness by the
company. For the baseline scenario, expectations and assumptions outlined in
the company strategy materialise according to plan with no significant variations.
Highroad indicative of a positive market for the company with a strong competitive
advantage.
Inherent risk score (qualitative)
Extreme
Inherent risk (quantitative inputs)
Scenarios Likelihood of Impact on Impact on Impact on Comments on
occurrence revenue costs cash flow assumptions
Scenario 1 (low road) 60% (5 235) (275) (5 500) –
Scenario 2 (baseline) 20% 0 0 0 –
Scenario 3 (high road) 20% 580 (80) 500 –
Residual risk score (qualitative)
High
Mitigations in place
1. The risk has partially materialised with project cancellations, terminations and
reductions in project scope.
2. Outlook has marginally improved in the Dubai market. Namibia prospects remain
strong. Formal partnerships with EPCM firms are being established to accelerate
the business entry into the operations and maintenance space.
55
55. Based on mitigations in place, residual risk (quantitative inputs)
Scenarios Improvement in Comments on
cash flow (%) assumptions
Scenario 1 (low road) 5% –
Scenario 2 (baseline) 0% –
Scenario 3 (high road) 5% –
56
56. Risk 5. Heightened industrial action in the South African environment
Description
Industrial unrest at various projects is indicating the potential for a structural shift in
South Africa’s labour market which will negatively impact both project and business
performance. The pre-existing organised union structures are no longer effective in
reaching negotiated settlements.
Related objective
Promote diversification in the workforce working closely with labour unions and
supporting structures.
Subject matter expert/s consulted
CEO, company economist and human resources executive
Scenarios described
For low road, protracted strike action with a severe impact on business continuity.
Unions are also unable to reach settlements amicably with an increased potential of
loss of life. For the baseline scenario, strike action is limited to historical durations
with injuries to staff but no loss of life. Highroad indicative of a positive labour market
reaching consens on labour matters amicably and in short time spans.
Inherent risk score (qualitative)
Extreme
Inherent risk (quantitative inputs)
Scenarios Likelihood of Impact on Impact on Impact on Comments on
occurrence revenue costs cash flow assumptions
Scenario 1 (low road) 30% (4 100) (200) (4 300) –
Scenario 2 (baseline) 50% 0 0 0 –
Scenario 3 (high road) 20% 1 500 (10) 1 500 –
Residual risk score (qualitative)
High
Mitigations in place
1. The company is playing a lead role in facilitating the framework agreement
between major clients, contractors and unions. Work has commenced on the
development of an employee relations framework that will be applied on all project
sites.
57
57. 2. The establishment of an IR forum to develop a consistent IR approach is underway.
Based on mitigations in place, residual risk (quantitative inputs)
Scenarios Improvement in Comments on
cash flow (%) assumptions
Scenario 1 (low road) 25% –
Scenario 2 (baseline) 0% –
Scenario 3 (high road) 5% –
58
58. Risk 6. Health, safety and environmental exposures
Description
The company has made significant progress in managing safety risk, with a record
LTIFR achieved in recent times. However, the occurrence of fatal incidents indicates
that key factors underpinning the safety culture have not been adequately addressed.
Related objective
Brand excellence is achieved.
Subject matter expert/s consulted
CEO, HSE and human resources executive
Scenarios described
For low road, excessively poor safety behaviours resulting in loss of life. This includes
a significant increase in preventable diseases with a reduced focus on environmental
matters. For the baseline scenario, existing safety trends are maintained with injuries
to staff but no loss of life. The prevalence of preventable diseases is in line with
government predictions and environmental matters continue to receive attention.
Highroad indicative of safety behaviours exceeding international standards, resulting
in a healthy workforce. Environmental matters also remain at the top of the agenda.
Inherent risk score (qualitative)
Extreme
Inherent risk (quantitative inputs)
Scenarios Likelihood of Impact on Impact on Impact on Comments on
occurrence revenue costs cash flow assumptions
Scenario 1 (low road) 60% (6 750) (750) (7 500) –
Scenario 2 (baseline) 20% 0 0 0 –
Scenario 3 (high road) 20% 750 0 750 –
Residual risk score (qualitative)
High
Mitigations in place
1. Good progress made in implementing the Zero Harm through Effective Leadership
(VFL) programme. The Stop. Think Act. 24/7 programme was successfully rolled
out to all operations. Middle and senior leaders have been trained on VFL and
59
59. are engaging employees at operations. Current focus is on implementing lead
indicators.
2. Environmental reporting standards have been implemented across all operations.
Qualitative environmental targets have been established at group level. The
environmental framework has been finalised. Work in progress to implement
energy, carbon and waste management standards as well as establishing,
quantitative environmental targets for the company.
Based on mitigations in place, residual risk (quantitative inputs)
Scenarios Improvement in Comments on
cash flow (%) assumptions
Scenario 1 (low road) 25% –
Scenario 2 (baseline) 0% –
Scenario 3 (high road) 5% –
60
60. Risk 7. State procurement process
Description
Recent bid adjudications by some state entities and departments have not been in
line with the Request for Proposal (RFP) evaluation criteria. This has raised concerns
around the state’s procurement process.
Related objective
Focus on South African infrastructure programmes as a main area of growth.
Subject matter expert/s consulted
CEO and commercial executive
Scenarios described
For low road, a negative market with a severe lack of competitiveness by the
company. For the baseline scenario, expectations and assumptions outlined in
the company strategy materialise according to plan with no significant variations.
Highroad indicative of a positive market for the company with a strong competitive
advantage.
Inherent risk score (qualitative)
Extreme
Inherent risk (quantitative inputs)
Scenarios Likelihood of Impact on Impact on Impact on Comments on
occurrence revenue costs cash flow assumptions
Scenario 1 (low road) 60% (2 650) (150) (2 800) –
Scenario 2 (baseline) 20% 0 0 0 –
Scenario 3 (high road) 20% 650 (50) 600 –
Residual risk score (qualitative)
High
Mitigations in place
1. Initiatives are underway between the CEO’s of large engineering companies,
Safeco and the BBC. At this stage, indications are that government prefers the
discussion being about addressing transformation and not collusion.
61
61. Based on mitigations in place, residual risk (quantitative inputs)
Scenarios Improvement in Comments on
cash flow (%) assumptions
Scenario 1 (low road) 10% –
Scenario 2 (baseline) 0% –
Scenario 3 (high road) 10% –
62
62. Risk 8. Projects in distress
Description
Delays in identifying projects in distress resulting in losses both financial and
reputational.
Related objective
Deliver our projects on time, on budget and at the required level of quality.
Subject matter expert/s consulted
CEO, commercial and financial executive
Scenarios described
For low road, highly ineffective project management resulting in excessive delays,
poor quality, and project losses. For the baseline scenario, projects are delivered
on time, according to client specifications with forecasted margins being achieved.
Highroad indicative of strong project delivery with client’s expectations being
exceeded and healthy profit margins >10% of forecast.
Inherent risk score (qualitative)
Extreme
Inherent risk (quantitative inputs)
Scenarios Likelihood of Impact on Impact on Impact on Comments on
occurrence revenue costs cash flow assumptions
Scenario 1 (low road) 75% (3 100) (100) (3 200) –
Scenario 2 (baseline) 10% 0 0 0 –
Scenario 3 (high road) 15% (300) 0 100 –
Residual risk score (qualitative)
High
Mitigations in place
1. Proactive monitoring of project margins and other key indicators on a monthly
basis to identify potential projects in distress.
2. Projects flagged as in distress to be discussed at a special meeting of the group’s
risk committee. A formal mandate to be issued on the future of the project
subsequent to the meeting.
63
63. Based on mitigations in place, residual risk (quantitative inputs)
Scenarios Improvement in Comments on
cash flow (%) assumptions
Scenario 1 (low road) 25% –
Scenario 2 (baseline) 0% –
Scenario 3 (high road) 20% –
64
64. C. @RISK OUTPUTS
A B C D E F G H I
1 Inherent risk (Pre-mitigation)
2 Probability of occurrence Scenario selected Cash flow values Cash value
3 Low road Baseline High road Simulation result Low road Baseline High road Simulation result
4 Risk 1: Delay in the South African
government infrastructure programme
60% 30% 10% 1 -9 500 0 500 -1 333
5 Risk 2: Depressed global economy impacts
markets and increases competition
60% 30% 10% 1 -7 500 0 1000 -942
6 Risk 3: Global economic stagnation impacts
the various business driven markets and
increases competition
60% 30% 10% 1 -6 000 0 700 -772
7 Risk 4: Deteriorating SA business
environment impacts business performance
60% 20% 20% 2 -5 500 0 500 0
8 Risk 5: Heightened industrial action in the
South African environment
30% 60% 20% 2 -4 300 0 1500 0
9 Risk 6: Health, safety and environmental
exposures
60% 20% 20% 2 -7 500 0 750 0
10 Risk 7: State procurement process 60% 20% 20% 2 -2 800 0 600 0
11 Risk 8: Projects in distress 75% 10% 15% 1 -3 200 0 100 -462
12
13 Total risk impact -3 500
14 Baseline value (rounded) 15 300
15 Net baseline value 11792
16 Risk mean 12699
17
A B C D
18 Improvements in cash flow due to mitigation actions
19 Low road Baseline High road
20 Risk 1: Delay in the South African government infrastructure programme 30% 0% 10%
21 Risk 2: Depressed global economy impacts markets and increases competition 40% 0% 30%
22 Risk 3: Global economic stagnation impacts the various business driven markets and increases competition 30% 0% 20%
23 Risk 4: Deteriorating SA business environment impacts business performance 5% 0% 5%
24 Risk 5: Heightened industrial action in the South African environment 25% 0% 5%
25 Risk 6: Health, safety and environmental exposures 25% 0% 5%
26 Risk 7: State procurement process 10% 0% 10%
27 Risk 8: Projects in distress 25% 0% 20%
65. A B C D E F G H I
30 Residual risk (Post-mitigation)
31 Probability of occurrence Scenario selected Cash flow values Cash value
32 Low road Baseline High road Simulation result Low road Baseline High road Simulation result
33 Risk 1: Delay in the South African
government infrastructure programme
60% 30% 10% 1 -6 650 0 450 -915
34 Risk 2: Depressed global economy impacts
markets and increases competition
60% 30% 10% 1 -4 500 0 700 -547
35 Risk 3: Global economic stagnation impacts
the various business driven markets and
increases competition
60% 30% 10% 1 -4 200 0 560 -527
36 Risk 4: Deteriorating SA business
environment impacts business performance
60% 20% 20% 2 -5 225 0 475 0
37 Risk 5: Heightened industrial action in the
South African environment
30% 50% 20% 2 -3 225 0 1 425 0
38 Risk 6: Health, safety and environmental
exposures
60% 20% 20% 2 -5 625 0 713 0
39 Risk 7: State procurement process 60% 20% 20% 2 -2 520 0 540 0
40 Risk 8: Projects in distress 75% 65% 5% 2 -2 400 0 80 0
41
42 Total risk impact -1 989
43 Baseline value (rounded) 15 300
44 Net baseline value 13 311
45 Risk mean 13 644
66. A B C D E F G
45
46 Risk reporting measures and appetite calculations
47
48 Baseline value 15 300
49 30% -4 590
50 20% -3 060
51 10% -1 530
52 5% -765
53
54 Pain point Likelihood (inherent risk) Likelihood (residual risk)
55 Change in value <= 20% 41% 25%
56 Change in value <= 10% 62% 49%
57
58 41% Decrease in company value of more than 20% (inherent risk based)
59 25% Decrease in company value of more than 20% (residual risk based)
60 2% Losses from projects in distress exceed 10% of net enterprise value (inherent risk) - risk #8
61 0% Losses from projects in distress exceed 10% of net enterprise value (residual risk) - risk #8
62 19% Impact from health safety and environmental exposures exceed 10% of net enterprise value (inherent risk) - risk #6
63 12% Impact from health safety and environmental exposures exceed 10% of net enterprise value (residual risk) - risk #6
64
Key cell formulas
Cell reference Input value
E4 =RiskDiscrete({1,2,3},B4:D4,RiskCorrmat(NewMatrix1,1,"Inherent risk"))
I4 =RiskMakeInput(IF(E4=1,RiskPert(F4*0.9,G4,H4*1.1),IF(E4=2,0,IF(E4=3,RiskPert(H4*0.9,H4,H4*1.1)))),RiskName(LEFT(A4,8)&$I$2))
I16 =RiskMean(I15)
E33 =RiskDiscrete({1,2,3},B33:D33,RiskCorrmat(NewMatrix2,1,1))
F33 =F4-F4*B20
I33 =RiskMakeInput(IF(E33=1,RiskPert(F33*0.9,G33,H33*1.1),IF(E33=2,0,IF(E33=3,RiskPert(H33*0.9,H33,H33*1.1)))),RiskName(LEFT(A33,8)&$I$2))
B55 =RiskTarget(I13,B50)
C55 =RiskTarget(I42,B50)
A58 =RiskTarget(I13,B50)
A59 =RiskTarget(I42,B50)
A60 =RiskTarget(I11,B51)
A61 =RiskTarget(I40,B51)
67. Index of key terms
Enterprise risk management (abbreviated as ERM) 10
Risk management (abbreviated as RM) 6
Simulation:
Deterministic 18
Stochastic 18
Monte Carlo 18
Failure modes and effects analysis (abbreviated as FMEA) 13
@Risk 63
Qualitative 28
Quantitative 13
Subject matter expert 21
Correlation 48
Risk appetite 35
Baseline company value 29
Maturity model 10
Discounting cash flows (abbreviated as DCF) 13
Source references
[CAR12] C. Carlson. Effective FMEAs: Achieving Safe, Reliable, and Economical Products and
Processes using Failure Mode and Effects Analysis. 1st edition. Wiley., 2012.
[COS04] COSO. Enterprise Risk Management - Integrated Framework. Committee of Sponsoring
Organisations of the Treadway Commission. 2004.
[DEN12] Denning, R. Applied R&M manual for defence systems. Chapter 4. 2012. URL: http:
//www.sars.org.uk/old- site- archive/BOK/Applied%20R&M%20Manual%20for%
20Defence%20Systems%20(GR-77)/p4c04.pdf. p. 3-4.
[ISO09] ISO31000. ISO guideline on principles and implementation of risk management
(ISO/TMB/RMWG). 2009.
[KIN09] King. King Report III on Corporate Governance in SA. 2009. Institute of Directors South
Africa., 2009.
[KPM13] KPMG. Global construction Survey 2013 - Ready for the next big wave? KPMG
International. 2013. URL: www.kpmg.com/building.
68
68. [MCK10] T. Goedhart M. Wessels D. McKinsey & Company Inc. Koller. Valuation: Measuring and
Managing the Value of Companies. 5th edition. Wiley, 2010.
[PEN02] J. Pengelly. Monte Carlo methods. 2002. URL: http://www.cs.otago.ac.nz/cosc453/
student_tutorials/monte_carlo.pdf. Page: 2-13.
[RIM06] RIMS. RIMS Risk management maturity model (RMM) for Enterprise Risk Management.
2006. URL: (www.RIMS.org/RMM).
[SEG11] S. Segal. Corporate Value of Enterprise Risk Management. John Wiley & Sons, Inc.,
2011.
[VOS08] D. Vose. Risk analysis. A quantitative guide. Third edition. John Wiley & Sons, Ltd., 2008.
[WIK14a] Wikipedia. Monte Carlo method. 2014. URL: http://en.wikipedia.org/wiki/Monte_
Carlo_method. URL last modified: 22 June 2014 at 02:40.
[WIK14b] Wikipedia. Failure mode and effects analysis. 2014. URL: http://en.wikipedia.org/
wiki/Failure_mode_and_effects_analysis. URL last modified: 26 August 2014 at
07:26.
[WIN04] Winston, WL. Operations and research – applications and algorithms. Thomson
Brooks/Cole, 2004. p. 53.
69
