Presentation: Quality Risk Management

Purpose
To safeguard the organisation, its customers, reputation, assets and the interests of stakeholders by identifying and managing all risks and to meet the achievement of its business objectives to ensure that growth is achieved in a controlled, responsible and sustainable manner.

Peter D. Schellinck
Antwerp, 6 June 2011

Risk Assessment?
A strategic approach to planning, at all levels and across all functions of an organization, that identifies exposures of activities and assists in making risk adjusted business decisions every day.
GET RID OF SILOS

Risk Appetite?
• Risk appetite is the degree of uncertainty an organisation is willing to accept to reach its goals.
• Risk appetite is a key factor in evaluating strategic options.
• Risk Assessment helps management consider risk appetite when setting goals that align with overall company strategy, and managing risks related to that strategy.

Work with the company’s management to decide:
• What is your company’s risk tolerance?
• How much or what are you willing to risk to accomplish the mission or activity?
• How much can your company afford to lose in any one occurrence or in the aggregate?

Understanding the company and the activity
What does the Company do? (Mission, Goals, Objectives)
Does the activity fit the Company’s mission, goals, objectives?
What could happen?
• Could there be bodily injury, property damage or other liability exposures caused by this service or activity?
• Is there any impact on workload?
• Could there be any damage to the systems?
Group Risk Management Charter
What is Risk?
The danger or probability of loss.

Risk Management Approach
Develop a Group Risk Governance
1. Get a good understanding of the company’s risk profile
2. Manage and monitor the key risks within their tolerances
3. Get Organised: Organisation and Framework
4. Establish a process for assessing risk appetite taking into account:
   a) Current risk portfolio
   b) External stakeholders expectations: regulators, rating agencies, investors (long term / short term), employees, customers,…
   c) Economic cycles
   d) Board of Directors

Risk Management:
1. Driven by strategy
2. Part of the management process of the company
3. Inherent to good governance

Risk Assessment: agree on a definition
The conventional approach to risk defines it as being the chance, in quantifiable terms, of an accident occurrence.
The process of risk assessment and management is generally based on three sets of sequenced and inter-related activities:
– the assessment of risk in terms of what can go wrong, the probability of it going wrong, and the possible consequences;
– the management of risk in terms of what can be done, the options and trade-offs available between the costs, benefits and risks; and
– the impact of risk management decisions and policies on the future options and undertakings.
Performing each set of activity requires multi-perspective analysis and modelling of all conceivable sources and impacts of risks as well as viable options for decision making and management.

Risk Assessment structure
Risk Management for each activity consists of:
– Data Model
– Risk Management Processes
– Application Development
– RM Framework & Sub-process References
  • Definition of Scope and Framework
  • Monitor and Review
  • Operational Processes
  • Risk Acceptance
  • Risk Assessment
  • Risk Communication
  • Risk Treatment

Risk Management Infrastructure
Risk Management infrastructure bridges organizational silos to help the organization in its efforts to:
• Synchronize – coordinate risk management across institutional boundaries
• Harmonize – help risk managers all speak the same language and define risk in the same manner
• Rationalize – eliminate duplication of effort

The goals of a common risk management infrastructure include:
• Get everyone “singing from the same song sheet” – Constrain, guide, or channel behaviours in ways that align with the goals, strategies, and tactics established by management and the board
• Create the ability to manage risk exposures so that the organization can take enough of the right risks to pursue its strategic goals
• Create “risk aware” thinking and decision making at all levels
• Enable appropriate flows of risk information up, down, and across the organization
• Enable and support management of risks at the appropriate level

Rules and Regulations: snap shot!
• The framework to be established can be inspired from the recommendations of the Committee of Sponsoring Organizations of the Treadway Commission (COSO I and II), the Institute of Risk Management, based on AIRMIC (Association of Insurers and Risk Managers), ISO 31000, the Australia and New Zealand standard 4360 (AS/NZ 4360 - 1999), the AMRAE (Association pour le Management des Risques et des Assurances de l’Entreprise), the RIMS (Risk and Insurance Management Society), ECGI (European Corporate Governance Institute) and other internationally respected advisers on risk management.
• The Occupational Health and Safety Assessment Series, OHSAS 18000, has been developed to help organizations control and minimize occupational health and safety risks. OHSAS 18001 is a specific standard for occupational health and safety management systems designed to eliminate or minimize the risk to employees and other interested parties who may be exposed to occupational health and safety risks associated with the business’ activities. OHSAS 18001 is compatible with ISO 9001 and ISO 14001 management systems. OHSAS 18001 represents a progression of a management system philosophy, from quality to environmental, continuing to occupational health and safety.
• One of the main elements of the security amendment of the Community Customs Code (Regulation (EC) 648/2005) is the creation of the AEO concept. On the basis of Article 5a of the security amendments, Member States can grant the AEO status to any economic operator meeting the following common criteria: customs compliance, appropriate record-keeping, financial solvency and, where relevant, security and safety standards.

Regulatory context:
In Belgium: as from April 6, 2010 a corporate governance statement is mandatory!

Risk Management Methodology
Ongoing Risk Assessment

Identify Risk
Identify risk by:
• Main assumptions of risk
• Brainstorm
• Past Experience
• Potential sources
• Examine the context
• Worst case scenario

Analyze Risk
• Assign owner
• Evaluate potential impact
• Estimate probability
• Rank and Prioritise Risk

Risk Mitigation Plan
• Level of effort required
• Estimated cost
• Schedule of risk reduction activities
• Program activities and milestones
• Metrics for tracking & monitoring
• Party responsible for managing mitigation & avoidance
• Escalation strategy

Mitigation Option
• Control
• Avoidance
• Assumption
• Transfer

Implement Mitigation Plan

Monitor Risk
• Review effectiveness
• Review risk approach
• Confirm project/activity is within risk parameters

Monthly Reporting
Lessons Learned

Risk Assessment Cycle
• Risk Management Planning: Decide how?
• Risk Identification: Find them
• Qualitative Risk Analysis: Sift
• Quantitative Risk Analysis: Measure
• Risk Response Planning: Decide actions
  – Avoid, reduce, share, accept
  – Action plans linked to budget and planning
• Risk Monitoring & Control: Act and measure
• Reporting:
  – Risks
  – Incidents

Board Recommendations
To fulfil their responsibilities and to provide value, board members should:
• Put risk on the agenda. Make time for risk before risk demands it. Every board meeting is not too often to discuss risk.
• Inventory the current risk structure. How are risks managed? Are silos being bridged?
• Summon the management team. Engage in periodic risk dialogue. Identify risks that will prevent the organization from executing on its key strategies.
• Discuss risk scenarios. Where do the greatest opportunities lie? What could thwart the organization’s strategic objectives?
• Check organizational appetite, and diet. Determine how much risk the organization is able to take on. How much is it willing to take on? And how much is it actually taking on? Are these in line?
• Get reasonable assurance. Ask management: How confident are you? Why?
• Get independent reassurance. Have internal audit or an outside consultant evaluate the effectiveness of the full risk management program. Can management’s assurances be relied upon?

Risk intelligent
Books have been written on what went wrong. But here’s a quick summary:
1) The potential interaction of multiple risks was underestimated or disregarded.
2) Probabilistic modelling was overemphasized; shortcuts were taken; scenario planning was underutilized; transparency into potential issues was absent.
3) Risk managers were isolated in silos.
4) Warnings were ignored; those who delivered them were dismissed as naysayers or criticized for not being team players.
5) A short-term perspective with a single-minded focus on making the quarterly numbers predominated.
6) Companies lacked a comprehensive approach to firm-wide risk management; authority and responsibility were poorly controlled and defined.
7) Risk management often focused on compliance rather than performance, leading to inadequate assessments and responses.

In other words: It’s time to become Risk Intelligent with QRM.

QRM: Quality Risk Management 1
1. With QRM, a common definition of risk, which addresses both value preservation and value creation, is used consistently throughout the organization.
2. With QRM, a common risk framework supported by appropriate standards is used throughout the organization to manage risks.
3. With QRM, key roles, responsibilities, and authority relating to risk management are clearly defined and delineated within the organization.
4. With QRM, a common risk management infrastructure is used to support the business units and functions in the performance of their risk responsibilities.
5. With QRM, governing bodies (e.g., Boards, Audit Committees, etc.) have appropriate transparency and visibility into the organization’s risk management practices to discharge their responsibilities.

QRM: Quality Risk Management 2
6. With QRM, executive management is charged with primary responsibility for designing, implementing, and maintaining an effective risk program.
7. With QRM, business units (departments, agencies, etc.) are responsible for the performance of their business and the management of risks they take within the risk framework established by executive management.
8. With QRM, certain functions (e.g., HR, finance, IT, tax, legal etc.) have a pervasive impact on the business and provide support to the business units as it relates to the organization’s risk program.
9. With QRM, certain functions (e.g., internal audit, risk management, compliance, etc.) provide objective assurance as well as monitor and report on the effectiveness of an organization’s risk program to governing bodies and executive management.

Matrix for Risk Reporting
[Figure: risk matrix. Financial axis: Loss of Cash Flow, 0 mln € to 50 mln € (ticks at 1, 5, 10, 20 and 50 mln €); other axis: 0% to 100%.]

Sustainability Reporting
Social performance
Our employees
• Number of full time employees (FTE)
• Gender (female representation): %
• Employee engagement: %
• Performance appraisals: %
Safety
• Lost time injury frequency (LTIF): frequency
• Fatalities: number

Economic performance
• Revenue: Euro million
• Electricity cost: Euro million

Sustainability Reporting
Environmental performance

Energy consumption
• Fuel oil: 1,000 tonnes
• Diesel: 1,000 tonnes
• Natural gas: 1,000 tonnes
• Electricity: 1,000 MWh
• Energy consumption: GJ

Greenhouse gas (GHG) emissions
• GHG emissions: 1,000 tonnes CO2e

Direct GHG emissions (Scope 1 GHG Protocol)
• CO2: 1,000 tonnes
• CH4: 1,000 tonnes
• N2O: 1,000 tonnes
• HFC: 1,000 tonnes
• PFC: 1,000 tonnes
• SF6: 1,000 tonnes

Indirect GHG emissions (Scope 2 GHG Protocol)
• CO2: 1,000 tonnes
• CH4: 1,000 tonnes
• N2O: 1,000 tonnes

Other air emissions
• SOx: 1,000 tonnes
• NOx: 1,000 tonnes
• VOCs: 1,000 tonnes
• Particulate matters: 1,000 tonnes

Other resource consumption
• Steel consumption: 1,000 tonnes

Waste total: 1,000 tonnes
– recycled (composting, reused, recycled): 1,000 tonnes
– solid (landfill, on-site storage, incineration): 1,000 tonnes
– hazardous (controlled deposit): 1,000 tonnes

Water consumption: 1,000 m3
– surface water: 1,000 m3
– ground water: 1,000 m3
– rain water: 1,000 m3
– municipal water supplies / water utilities: 1,000 m3

Spills: m3

Sustainability Reporting
Injuries by activity
Activity / Total
• Equipment Overhaul – Major
• Insulation/Fire Proofing
• Shore leave
• Working aloft (at heights)
• Anchor handling
• Small Craft Operations
• Falling Object
• Towing Operation
• Tank Cleaning
• Equipment Overhaul – Minor
• Unknown
• General Movement
• Bunker transfer operation
• Enclosed space activities
• Gangway/pilot operations
• Welding/burning
• Safety drill, training
• Maintenance – Minor
• Painting/Blasting
• Crane Operations
• Use Of Power Tools
• Mooring/Unmooring
• Off-duty activities
• Cargo Operations
• Domestic
• Manual Handling
• Other
• Maintenance – Major
Totals