2. The Dot Com Scandal (2000)
Corporate collapses and massive bankruptcies (early 2000s)
2008-2009 Credit Crisis: "Failure in Risk Management"
2010 BP Deepwater Horizon catastrophe
3. All organisations exist to achieve their objectives. The purpose of risk management is to manage the barriers to achieving these objectives.
Diagram: Today -> Identify & Manage -> Organisation's vision, aims, objectives.
4. Enterprise Risk Management: the identification, assessment and management of those risks which may have either a positive or negative impact on the organisation's assets, reputation or ability to meet objectives.
5. Diagram: what risk management delivers
Achieve objectives
Less risk averse
Improve and enhance reputation
Corporate governance
Country / industry regulation
Better decision making
Improved business planning
Improve quality and efficiency
Demonstrates improvement
6. Early 2000s: computer companies in the States faced a labour strike closing ports along the West Coast of America.
While rivals floundered, perceptive risk management and around-the-clock communication with its Asian suppliers (partnerships) and U.S. shippers meant that Dell had identified the potential problem six months earlier.
18 jumbo jets were chartered early, resulting in a relatively undisrupted supply chain and a massive boost to Dell's reputation for reliability and customer service (not to mention subsequent profits!).
7. "Risk Management is not just about insurance"
THIS IS REACTIVE RISK MANAGEMENT!!!!
80% of risks faced by organisations are not insurable!
'Chance or choice' - SOLACE/ZMMS
8. Risk Management can:
Protect brand and reputation
Provide protection should your current controls fail
Provide more than just monetary recovery (insurance - remember 80% uninsurable)
REACTIVE RISK MANAGEMENT:
Loss of information needed for strategic and operational decisions
Loss of customer goodwill
Loss of market share
Reduced cash flow control
Negative publicity
Loss of employees to competition
Cost of winning back lost customers
Missed business opportunities
Loss of employee knowledge
Loss of vital and critical paper records
9. Diagram: levels at which risks are identified
Strategic business: cross-cutting issues affecting the achievement of organisational objectives
Departmental business: issues affecting the achievement of departmental objectives
Operational: issues affecting the achievement of operational objectives
Partnerships
Projects
11. Assess probability of occurrence and resulting impact for each risk against individual objectives, based on defined scales.
Rank risks using a probability-impact matrix, where the position in the matrix suggests the risk management strategy.
Agree on how to monitor risks (ongoing meetings etc.).
Risk matrix: probability (low / medium / high) against impact (low / medium / high); the regions are Critical (high priority), Significant (medium priority) and Negligible (low priority).
Flow: organisation objectives -> assess probability and impact of each individual risk -> rank individual risks.
Risk ranking (four example risks plotted on the matrix):
RISK | CRITICALITY | ACTION
1 | Critical | Not accept, initiate actions
4 | Critical | Not accept, initiate actions
3 | Significant | Accept and monitor
2 | Negligible | Accept
14. 1. HR related Risks
2. Cyber Risks
3. Political Risks
4. Oil Price Fluctuation
5. FX Fluctuation
6. Supply Chain Risk
7. Failure of Acquisitions/JV’s
8. Major Fraud
15. Global Financial Meltdown: strong risk management in silos without an overarching view (ERM)
Barings Bank - Nick Leeson: major fraud (Nick Leeson preaching risk management)
ENRON: failure of ERM; major fraud exposed
ALL REACTIVE RISK MANAGEMENT
17. Impact (severity): how bad is it when it does happen?
Likelihood (frequency / probability): how likely is it? How often does it happen?
Ideally this should be done in a group environment and not in isolation. EVERYONE has information and experiences to contribute. This is not a science.
18. Diagram: 5x5 matrix with likelihood (A-E) on one axis and impact (1-5) on the other.
Likelihood (in the next 12 months):
A Almost Impossible
B Low
C Medium
D High
E Almost Certain
Impact:
I Negligible
II Marginal
III Moderate
IV Major
V Catastrophic
19. Impact scale
Scale | Description | Service levels / objectives | Reputation | Financial (% of annual operating budget)
1 | Negligible | Insignificant fall in service levels, insignificant effect on objectives, i.e. resource stretch | Public concern restricted to local complaints | < 20%
2 | Marginal | Marginal fall in service levels, some objectives not met | Minor negative local / public / media attention and complaints | 20% - 40%
3 | Moderate | Moderate fall in service levels, several key objectives not met | Adverse national media / public attention | 40% - 60%
4 | Major | Major fall in service levels, majority of key objectives not met | Serious negative national or regional criticism | 60% - 80%
5 | Catastrophic | Catastrophic fall in service quality, complete failure of objectives | Prolonged international, regional and national condemnation | > 80%
Likelihood scale
Scale | Description
1 | Almost Impossible
2 | Low
3 | Medium
4 | High
5 | Almost Certain
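The scoring and ranking procedure of slides 11 and 17-19 worked through in code. This is an added example, not material from the deck: it uses the deck's A-E likelihood and I-V impact scales and its financial bands, but the numeric criticality thresholds and the sample risk register are assumptions.

```python
from dataclasses import dataclass

# Deck scales: likelihood A-E and impact I-V both map onto 1-5.
LIKELIHOOD = {"A": 1, "B": 2, "C": 3, "D": 4, "E": 5}
IMPACT = {"I": 1, "II": 2, "III": 3, "IV": 4, "V": 5}
# Actions per criticality, taken from the deck's risk-ranking table.
ACTION = {
    "Critical": "Not accept, initiate actions",
    "Significant": "Accept and monitor",
    "Negligible": "Accept",
}

def impact_from_budget_pct(pct: float) -> int:
    """Map financial exposure (% of annual operating budget) onto the 1-5
    impact scale using the slide's bands: <20, 20-40, 40-60, 60-80, >80."""
    if pct < 0:
        raise ValueError("exposure must be non-negative")
    return min(5, 1 + int(pct // 20))

def score(likelihood: str, impact: str) -> int:
    """Likelihood x impact: the cell of the 5x5 matrix the risk lands in."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def criticality(s: int) -> str:
    """Assumed thresholds: the deck labels the regions but gives no numbers."""
    if s >= 12:
        return "Critical"
    if s >= 5:
        return "Significant"
    return "Negligible"

@dataclass
class Risk:
    name: str
    likelihood: str  # A-E, over the next 12 months
    impact: str      # I-V

def rank(risks: list[Risk]) -> list[tuple[str, int, str, str]]:
    """Rank a register: (name, score, criticality, action), highest first."""
    rows = []
    for r in risks:
        s = score(r.likelihood, r.impact)
        c = criticality(s)
        rows.append((r.name, s, c, ACTION[c]))
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed register, using risk categories from slide 14 (not real data).
REGISTER = [
    Risk("Cyber: breach of customer data", "D", "IV"),
    Risk("Supply chain: port strike", "C", "II"),  # 35% of budget -> band II
    Risk("FX fluctuation", "B", "II"),
    Risk("Major fraud", "B", "V"),
]
```

Running `rank(REGISTER)` orders the register Critical first, so the ranking table on slide 11 falls out of the two scores rather than being argued case by case.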
21. Action plan columns:
Action/controls already in place: [actions/controls already being done that relate to this risk/cluster]
Adequacy of action/control to address risk: [how effective are the actions/controls already in place?]
Required management action/control: [new actions/controls required to manage the risk down to its target score]
Responsibility for action: [the person responsible for this action plan being carried out]
Critical success factors & KPIs: [what will success look like? How will performance indicators have improved?]
Review frequency: [frequency of reviewing this action plan]
Key dates: [milestones/deadlines]
22. The use of internal controls protects not only the employer, but also the employee. If departmental internal controls are weak and poorly monitored, it increases the chance that fraud or errors could be overlooked.
ERM helps identify which internal controls should be established to minimize the identified risks. Internal controls are everyone's responsibility, to:
Prevent loss of resources
Ensure reliable financial information
Ensure compliance with governing laws and regulations
Ensure efficiency and effectiveness of operations
23. How can companies proactively manage the risk of fraud?
24. Financial services: call centres at banks, etc.
Fraud reporting: via Risk Committee to Management Committee
IT security and fraud
HR: recruitment checks (history of fraud?)
Supply chain requirements: vetting 3rd party staff based on pre-agreed requirements
Educating customers: bank emails etc.
Major JV or acquisition due diligence: partners, country of operation, ethical or environmental history etc.
Editor's Notes
Every wave of business failures leaves a legacy of lessons learned. For example, the dot-com bubble in the late 1990s highlighted the need to look for solid business fundamentals and growth strategies, and not just fictitious market-driven gains.
The Enron era emphasized the importance of financial reporting integrity, transparency and accountability.
The 2008 credit crisis and the latest BP oil spill highlighted a key root cause related to the lack of effective early detection systems; however, more fundamentally, in all these cases there is a need to strike a balance between value creation and value preservation.
Achievement of objectives by identifying the barriers to achievement
become less risk averse in innovation
improve business planning through a risk based decision making process
focus on outcomes not processes
focus on doing what makes a difference
demonstrates commitment to continuous improvement
better governance - and demonstration of it to stakeholders
Some may ask, doesn’t Saudi Aramco already have ERM in place?
In the coming slides, I will be describing some of the specifics of an ERM program. To start with, an ERM process is far more comprehensive, as it analyzes a wider universe of risks throughout the entire company: strategic and market, financial, legal, HR, safety and environmental, IT, projects and operational.
An ERM process seeks to identify, quantify and manage those risks and align business decisions with the risk tolerances.
In the past, fraud management was driven at the product level. Major firms are now beginning to consider fraud at a strategic level. These strategies and plans were typically developed by heads of risk, financial crime or fraud functions. And they were monitored by senior executive committees, such as risk or security groups, or fraud ‘steering groups’ which were relatively new bodies set up to look at fraud on a more holistic basis. These groups were typically chaired by heads of risk, financial crime, audit or, at an insurer, claims.