Enterprise Risk Management ~ Inovastra


Concepts and principles of Enterprise Risks Management

Published in: Business, Technology
1 Comment
  • Implementing ERM can be a wonderful asset, but only if everyone understands its importance. If every employee does not buy into it and make it a part of the business culture, ERM will not reach its potential. For further details, refer here - http://bit.ly/2arnBmx
  • Enterprise Risk Management ~ Inovastra

    1. Enterprise Risk Management ~ The Pathway for Assuring the Achievement of Corporate Vision. Nik Mohd Hasyudeen Yusoff, Executive Chairman, KHR Business Advisory Sdn. Bhd., 21 December 2006
    2. Agenda
       • Strategic Objectives and Risks
       • The Concept of Enterprise Risk Management (ERM)
       • Steps in Implementing ERM
       • The Role Play in making ERM works
    3. Strategic Objectives and Risks
       • The underlying premise of Enterprise Risk Management (ERM) is that every entity exists to provide value for its stakeholders.
       • Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives.
    4. Strategic Objectives and Risks
       • For governmental agencies, the purpose of their creation goes beyond providing financial returns
       • The balancing between commercial aspects and people’s expectations makes realising strategic objectives more challenging
       • That’s why the GLCs need so many books!
    5. Strategic Objectives and Risks [Diagram: Cascading Strategy into Action. Labels: Vision and Mission; Strategic Objectives; Programmes and Projects; Outcome; Feedback]
    6. Strategic Objectives and Risks
       • The next question then is, what is RISK?
       • Is “risk” all bad?
    7. Strategic Objectives and Risks
    8. Strategic Objectives and Risks (Mark Beasley, North Carolina State University)
    9. Strategic Objectives and Risks: Disconnect (Mark Beasley, North Carolina State University, 2004 Survey)
    10. Strategic Objectives and Risks: Inovastra Risk Model, Potential Areas of Risks to Organisations
    11. Strategic Objectives and Risks
       • Some examples of Strategic Risks
         • A property development company plans to develop link houses surrounding a beautiful natural lake (Demand risk)
         • A scientific research agency sets up an education institution offering business courses (Competition risk)
         • An agency enters into a business in which it has no expertise (Capability risk)
    12. Strategic Objectives and Risks
       • Some examples of Other Risks
         • A deposit taking company promises fixed return to investors when its investment generates fluctuating returns (Financial ~ Market risk)
         • A company sets new strategy that requires people with different attitude and mindset (Operational ~ People risk)
         • An entity makes investment into new information technology infrastructure without considering potential changes in technology (Operational – Technology
    13. Strategic Objectives and Risks
       • Some examples of Other Risks
         • An agency entered into a joint venture and relied on the joint venture’s partner to draft the joint venture agreement (Compliance ~ Contractual risk)
         • A company has to provide for huge impairment losses as its fleet of vessels is no longer allowed to transport certain cargo due to changes in maritime rules (Compliance ~ Regulatory risk)
         • A company which certifies its products as HALAL is involved in corrupt practices (Compliance ~ Corporate values risk)
    14. Strategic Objectives and Risks
       There are also situations where multiple risks are involved:
       • Full service
       • Convenience
       • Full of legacy
       • Government linked company
       • Low cost
       • Price driven
       • New start-up (technically)
       • Privately controlled
    15. Strategic Objectives and Risks: The world keeps on changing! [Diagram labels: Politics; Economy; Education; Society; Technology; Environment; Spirituality; Global; Regional; National; Organisation]
    16. Strategic Objectives and Risks: Technology
       • Keeps changing and changing very fast!
       • New products and services
       • New way of doing business
       • Increased production efficiency and effectiveness
       • New markets
       • New threats
    17. Strategic Objectives and Risks: Economy
       • More open and globalised economy
       • Movement from production based to service based economy, driven by knowledge capital
       • Intangible (Intellectual) assets are main value driver for business, not easily measured though
       • Companies becoming less “nation” based
       • 9MP introduces the “regional” concept of development
    18. Strategic Objectives and Risks: Education
       • Driver of intellectual capital – Knowledge Workers
       • Global based education standards
       • Shorter lifespan of knowledge, 12 months for IT!
       • Continuous Re-education is the way forward
       • What matters is “What do you do with the knowledge you learned?”
    19. Strategic Objectives and Risks: Environment
       • Matters to a lot of people now – Corporate Responsibility Reporting
       • Environment based compliance standards – Eco Labelling
       • New “barrier” to trade
    20. Strategic Objectives and Risks: Society
       • It’s all about people, remember Enron, WorldCom?
       • Public views are easily influenced through digital media
       • Society with global values? – War on terrorism, Freedom of expression
    21. Strategic Objectives and Risks: Politics
       • A shift in political direction would have impact on business environment
       • Globalisation of political issues?
       • Influence the level of transparency in business dealings
    22. Strategic Objectives and Risks: Spirituality
       • Islamic financial market is an example of influence of spirituality on business
       • Ethical funds
       • Cuts across borders, based on people’s belief
    23. The Concept of Enterprise Risk Management: How do organisations manage their risks? [Figure: stages labelled I to VII, with the label “Value add for organisations”. Source: Mercer Oliver Wyman analysis (modified)]
       • Risk management equals buying insurance
       • Regulators are demanding risk management activities
       • We need a sustainable process to monitor all risks
       • We need to know the economic impact of our largest risks
       • Risks need to be quantified comprehensively
       • Shareholders demand a risk/return framework
       • Decision making across firm is linked to building economic value
    24. The Concept of Enterprise Risk Management (Source: Protiviti Inc.)
    25. The Concept of Enterprise Risk Management: Enterprise Focus On Risks. Risks are managed in silos; each business unit or entity manages only its own. [Diagram labels: Strategic Market Risks; Operations Risks; Finance Risks; Human Capital Risks; IT Risks; Reputation Risks; Legal Risks]
    26. The Concept of Enterprise Risk Management: Enterprise Focus On Risks. Risks are managed on an integrated basis. [Diagram labels: Strategic Market Risks; Operations Risks; Finance Risks; Human Capital Risks; IT Risks; Reputation Risks; Legal Risks; Value Creation and Preservation]
    27. The Concept of Enterprise Risk Management
       • Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (Enterprise Risk Management – Integrated Framework, COSO)
    28. The Concept of Enterprise Risk Management
       • Enterprise – Not just selected “silo” of risks
       • Process – Ongoing, living, systematic
       • Consideration of risk on portfolio basis
         • Collection of risks
         • Interactions of risks
       • Done to enhance entity value
         • Heavily integrated with business strategy
    29. The Concept of Enterprise Risk Management
       • Focus is on coordinated programme for identification, measurement, assessment, and response to risks primarily across 2 dimensions
         • Probability (Likelihood)
         • Criticality (Consequence)
       • Key part of entity’s corporate governance
         • Responsibility of senior management and board
         • Pushed down to key business segment management
    30. The Concept of Enterprise Risk Management
       • How does ERM enhance Value?
         • Aligning risk appetite and strategy ~ management considers the entity’s risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks
         • Enhancing risk response decisions ~ ERM provides the rigor to identify and select among alternative risk responses – risk avoidance, reduction, sharing and acceptance
    31. The Concept of Enterprise Risk Management
       • How does ERM enhance Value?
         • Reducing operational surprises and losses ~ Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses
         • Identifying and managing multiple and cross-enterprise risks ~ ERM facilitates effective response to the interrelated impacts, and integrated responses to multiple risks
    32. The Concept of Enterprise Risk Management
       • How does ERM enhance Value?
         • Seizing opportunities ~ By considering a full range of potential events, management is positioned to identify and proactively realise opportunities
         • Improving deployment of capital ~ Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation
    33. Steps in Implementing ERM
       • Eight components of ERM
       • Considers all levels of the enterprise
       • ERM helps entity to achieve objectives across these categories
    34. Steps in Implementing ERM
       • Internal Environment
       • Objective Setting
       • Risk Response
       • Risk Assessment
       • Event Identification
       • Control Activities
       • Information & Communication
       • Monitoring
    35. Steps in Implementing ERM
       • Internal Environment
         • Foundation of other components of ERM. Sets the management philosophy, risk appetite, the composition and role of the board, corporate values and culture.
         • Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value.
    36. Steps in Implementing ERM
       • Objective Setting
         • Objectives must exist before management can identify potential events affecting their achievement. ERM ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
         • Risk tolerance is the acceptable level of variation to the achievement of objectives.
    37. Steps in Implementing ERM
       • Event Identification
         • Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channelled back to management’s strategy or objective-setting process
    38. Steps in Implementing ERM
       • Risk Assessment
         • Risks are analysed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and residual basis
    39. Steps in Implementing ERM
       • Risk Response
         • Management selects risk responses – avoiding, accepting, reducing or sharing – developing sets of actions to align risks with the entity’s risk tolerance and risk appetite
    40. Steps in Implementing ERM
       • Control Activities
         • These are policies and procedures that are developed to ensure the risk responses are carried out. These activities occur throughout the entity, at all levels and in all functions. They include approvals, authorisations, verification, reconciliation, review of performance, performance indicators and segregation of duties.
    41. Steps in Implementing ERM
       • Information and Communication
         • Relevant information is identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities, flowing down, across and up the entity
    42. Steps in Implementing ERM
       • Monitoring
         • The entirety of ERM is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations or both
    43. Steps in Implementing ERM: How a Risk Profile Matrix Works [Matrix with axes “Likelihood of Occurrence of Risk” (Low to High) and “Potential Impact of Risk” (Low to High); risks plotted as X marks. Annotations:]
       • Key Focus Area
         • Ensure actions are in place to mitigate the risk
         • Develop plans to allow a quicker recovery
         • Monitor progress of action plans
       • Monitor to ensure that risk profile does not increase and that cost of mitigation is not excessive
       • Monitor changes to risks and evaluate implications
    44. Steps in Implementing ERM
       • Case Study I
         • Strategic objective: Increase rate of research commercialisation
         • Risk: Research commissioned does not meet the need of industry
         • Assessment: High risk ~ no consideration of market demand in research approval
         • Response: Reduce risk by changing the process of research approval
         • Control: Head of business development included in research approval committee
         • Communication: Change of process communicated to all relevant parties, including potential customers
         • Monitoring: Nature and number of research and commercialised research monitored quarterly by the Board
    45. Steps in Implementing ERM
       • Case Study II
         • Strategic objective: Increase in market share of new product by increasing sales on credit
         • Risk: Increase in bad debts
         • Assessment: High risk ~ no data on consumer behaviour in view of new market
         • Response: Reduce risk by enhancing credit evaluation process *
         • Control: Only potential customers with income exceeding RM 2,000 will be given credit
         • Communication: Salespersons are required to inform potential customers of the conditions
         • Monitoring: Debts exceeding 30 days are reviewed by Head of Credit
         • * An entity with higher risk appetite may accept this risk
    46. Steps in Implementing ERM
       • Implementing ERM – it is an evolution, not revolution! For example:
         • Phase 1: Assessing the current state
         • Phase 2: Developing the ERM Framework
         • Phase 3: Implementing ERM
       • Activities listed under the phases:
         • Risk identification
         • Risk assessment
         • Risk management capabilities
         • Infrastructure
         • Risks policies and procedures
         • Technology
         • Communication and reporting
         • Integrate ERM into existing risk management process
         • Integrate risk management into strategic planning, budgeting, performance measurement etc
         • Integrate risk management into entity’s culture
         • ERM software integration
    47. Steps in Implementing ERM
       • Key Success Factors
         • Commitment from the leadership
         • Consensus of the vision for the future
         • Well defined and communicated plan
         • Realistic goals and timeframe
         • Quick early wins to gain support and confidence
         • Integration with key process: Strategic Planning, Investment, Performance appraisal
    48. Steps in Implementing ERM
       • Pitfalls
         • Implementing ERM without strategic plan
         • Lack of visible, active support, from CEO
         • Implementing ERM as a part time job
         • Treating ERM as a project rather than a long term journey
         • Lack of integration with strategic planning, budgeting etc
         • Failing to realise the need for change management
         • Lack of leadership and passion
    49. The Role Play in Making ERM Works
       • Board
         • Provides important oversight of ERM by:
           • Knowing the extent to which management has established effective ERM
           • Being aware of and concurring with the entity’s risk appetite
           • Reviewing the entity’s portfolio view of risk and considering it against the entity’s appetite
           • Being apprised of the most significant risks and whether management is responding appropriately
    50. The Role Play in Making ERM Works
       • Management
         • The management is directly responsible for all activities of ERM and the CEO has the ultimate responsibility for the ERM
         • The CEO’s responsibilities include seeing that all components of ERM are in place through:
           • Providing leadership and direction to senior managers
           • Meeting periodically with senior managers responsible for functional areas to review how they manage risks
    51. The Role Play in Making ERM Works
       • Management
         • Senior managers are responsible for risks related to their units’ objectives, convert strategy into actions and guide application of ERM components within their spheres of responsibility
         • Specific ERM procedures are assigned to managers of specific processes, functions or departments. They also make recommendations on related control activities and provide feedback to the top management
    52. The Role Play in Making ERM Works
       • Other key players
         • Risk officer, if created, works with managers in establishing ERM in their areas of responsibilities
         • Financial executives are critical in managing the finance and controllership functions which cut across the entity. Important in the reporting function as well as linking budget to strategy
         • Internal auditors play a key role in evaluating the effectiveness and providing recommendations for the improvement of ERM of the entity
    53. Key Points
       • Risk is the possibility that an event will occur and adversely affect the achievement of objectives of an organisation.
       • ERM is a structured way of managing the portfolio of risks across the organisation guided by its risk appetite.
       • Implementation of ERM could be done in phases depending on the readiness of the organisation, which normally already has some form of risk management process.
       • Everybody in the organisation is important in ERM; leadership by the CEO with the oversight of the Board is key to the success of the implementation of ERM.
    54. Thank You