11 Embedding Risk Culture in your Organization’s DNA.


Transcript of 11 Embedding Risk Culture in your Organization’s DNA.


(Embedded video on this slide: "Could you use a crystal ball for risk management")

Agenda

• About KNPC
• What is ERM?
• Why is ERM important?
• What do we mean by: Risk Culture, Embedding
• How to embed ERM in your organization
  A- Assess your As-Is situation
  B- Plan for Embedding
  C- Implementation of plans
• Key success factors

About KNPC

KNPC was established in Oct. 1960 as a joint venture between the government & the private sector.

In 1975 the State of Kuwait acquired full ownership of KNPC.

In 1980 Kuwait Petroleum Corporation (KPC) was established as the state-owned asset & mother company for all oil companies in Kuwait.

KNPC, one of KPC's subsidiaries, is responsible for all domestic Crude Oil Refining & Gas Processing along with fuels retailing for the local market in Kuwait.

KNPC has 3 operating refineries working as a refining complex with a total capacity of 936,000 Bbls/day:

Refinery | Date of Establishment | Date of Major Expansion | Current Capacity ('000 Bbls / Day)
Mina Al-Ahmadi Refinery | 1949 | 1984-1986 | 466
Mina Abdulla Refinery | 1958 | 1988 | 270
Shuaiba Refinery | 1968 | 1975 | 200

KPC started an Enterprise Risk Management (ERM) Program in late 2005. After the approval of the KPC Enterprise Risk Management Policy, all subsidiaries were required to set up their own ERM capability. In December 2007 KNPC decided on an ERM implementation project to define and implement an ERM framework in order to improve management of the risks that could affect the company's objectives.

What is ERM?

The Committee of Sponsoring Organizations (COSO) points out that ERM, among other things:

• Is an ongoing process
• Is designed to identify & manage potential events that may affect the enterprise objectives

ISO 31000 states that risk management is an integral part of organizational processes as well as a part of decision making.

We believe Enterprise Risk Management (ERM) can be summed up as follows:

ERM is a systematic approach to identify, categorize, quantify, and proactively deal with all risks within an organization that may affect the achievement of your strategic goals, in order to protect and enhance value.

ERM supports performance and compliance to optimize decision-making across the organization.

Why is ERM important?

In his book The Upside, Adrian J. Slywotzky presents a profound case for ERM and preparedness:

Unmanaged risk is the greatest source of waste in your business and in our economy as a whole.
- Major projects fail;
- Customer shifts make our offers irrelevant;
- Billion-dollar brands erode, then collapse;
- Entire industries stop making money;
- Technology shifts;
- Companies deteriorate needlessly.

When these risk events happen,
- Thousands of jobs get lost,
- Brilliant organizations are disassembled,
- Expertise gets lost, and assets are destroyed.

Yet all of these risks can be understood, identified, anticipated, mitigated, or reversed, thereby averting hundreds of billions of dollars in unnecessary losses.

Why is ERM important?

• Proactively deals with all threats & opportunities to protect & enhance value
• Optimizes the balance between risk and return
• Enables the organization to prioritize and allocate resources against those risks
• Enhances value creation opportunities
• Optimizes the capital allocation of risk
• Provides confidence in external & internal compliance (policies & procedures)
• Enables a company to make intelligent risk-based decisions
• Prevents hundreds of billions of dollars in unnecessary losses

What do we mean by: Risk culture

Risk culture is complex and multidimensional. Simply, it is:

• how 'risk management' is factored into decision making
• how management is rewarded for taking appropriate risks
• how senior management encourage communication on risk and respond to bad news

A common definition of risk culture is:

'an organization's system of ethics, values and risk-based behaviors, from the beliefs of the chair of the board to the attitudes of the most junior staff members'.

What do we mean by: Embedding

ERM is an integral or natural part of the organizational processes and procedures:

• a fundamental part of business planning and decision making;
• done at all levels (strategic, tactical and operational);
• seen and understood in the organization as value enhancing.

As a conclusion, embedding means:
- making ERM a fundamental part of the day-to-day activities of the business, or
- under Solvency II, more accurately... providing evidence of embedding and demonstrating 'it' is happening.

How to embed ERM in your organization

Embedding Risk Culture is a cycle of three phases:

A- Assess your As-Is situation
B- Plan for Embedding
C- Implementation of plans

A- Assess your As-Is situation

The aim is to determine the steps to be taken in moving from a current ERM maturity level to a desired ERM future level: "Where are we?" TO "Where do we want to be?"

Use known techniques to evaluate risk management implementation and identify gaps related to ERM embedding in your organization, such as:

1- Assess adequacy of ERM using ISO 31000
2- Maturity Model Approach
3- Consider best practices

A- Assess your As-Is situation: 1- Assess adequacy of ERM using ISO 31000

The Institute of Internal Auditors issued a paper in December 2010 – "Assessing the adequacy of risk management using ISO 31000."

A- Assess your As-Is situation: 2- Maturity Model Approach

Level 5 - Strategic
  Description: Risk management is built into decision-making. The organization selectively seizes opportunities because of its special ability to exploit risks.
  Commentary: • Focus on value creation and preservation • Institutionalized • Confidence in ability to manage risks based on track record

Level 4 - Integrated
  Description: Risks are treated as a portfolio at the enterprise level and are correlated and aggregated across risk types and business units.
  Commentary: • Calculation of risk measures that can be aggregated • Risk treatment integrated and costs optimized

Level 3 - Comprehensive
  Description: Risk management is enterprise-wide and encompasses all risk types including strategic and operational.
  Commentary: • Risks clearly linked to strategic objectives • Defined and documented • Forward looking • Clear accountability

Level 2 - Fragmented
  Description: Risk management functions independently within business units. Risk types managed are limited to hazard, financial, and compliance.
  Commentary: • Capabilities vary across BUs • No cross-BU coordination • Some expertise within a limited number of risk types such as market, credit, or hazard

Level 1 - Initial/Ad Hoc
  Description: Risk management activities are ad hoc. No overarching risk management philosophy or objectives are defined.
  Commentary: • Success depends on individuals • People are unaware of risks • Risks managed reactively

(Arrow on the slide, pointing up the levels: By Embedding ERM)

A- Assess your As-Is situation: 3- Consider best practices, EXAMPLE 1

Score each department against the key elements of a framework or 'culture tests'.

Scale: 5 Strongly agree, 4 Agree, 3 Somehow agree, 2 Disagree, 1 Strongly disagree

Activity | Summary of scope | Dept. 1 | Dept. 2 | Dept. 3 | Dept. 4 | Dept. 5 | Target end 2012 | Average
Risk Strategy | Risk Management Framework understood & communicated. Policy direction championed actively. | 3 | 3 | 2 | 2 | 3 | 4 | 2.5
Risk Standards | Risk Standards are adopted, gap analysis completed and improvement plan agreed. | 2 | 2 | 2 | 2 | 2 | 4 | 2.0
Risk Appetite & Tolerances | Risk appetites and tolerances are agreed and risks are monitored against these. | 3 | 3 | 2 | 2 | 3 | 4 | 2.7
Accountabilities and Ownership | Accountabilities within the risk process are understood, agreed and acted upon. | 3 | 3 | 3 | 2 | 4 | 4 | 2.9
Risk identification & assessment methodology | Risks are proactively identified, discussed and evaluated using the risk system to capture conclusions. | 3 | 2 | 2 | 2 | 4 | 4 | 2.5
Risk Response | Improvement plans are agreed and acted upon where necessary to address deficiencies or risk events. | 3 | 2 | 2 | 2 | 2 | 4 | 2.0
Risk Reporting | Risks, including emerging risks and risk events, are proactively reported by coordinators with limited input from the risk function. | 2 | 2 | 1 | 1 | 3 | 4 | 2.1
Risk Review & Governance | Governance arrangements are clearly defined and acted upon. Management and Boards review & challenge risk data. | 3 | 3 | 1 | 2 | 3 | 4 | 2.7
ERM IS Software-friendliness | Confidence level of WTM and interacting with "Avanon" | | | | | | |
Awareness / communication | Awareness of departments' middle management on ERM | | | | | | |
ERM value & benefits | Added values to the department by implementing ERM | | | | | | |
ERM Team performance | Department manpower perception on ERM team co-operation | | | | | | |
Average | | 2.8 | 2.5 | 1.9 | 1.9 | 3.0 | 4.0 | 2.4

A- Measure & assess your As-Is situation: 3- Consider best practices, EXAMPLE 2

The 7 embedding 'tests'

Test | Is Risk Management... | Meaning
1 | Sponsored | Leadership clearly sponsor and challenge activity.
2 | Owned | Ownership accepted and acted upon at all levels.
3 | Decisive | Influences key decisions.
4 | Communicated | Outcomes are visible and actively discussed.
5 | Integrated | Part of day-to-day core processes and procedures.
6 | Valued | Pride and commitment drives continuous improvement.
7 | Sustained | Robust, reproducible and not dependent on single individuals.


B- Plan for Embedding

1. List out the effective key elements to be in your plan for risk culture embedding
2. Describe each key element & define the 'embedding' plans per element
3. Break the plans down into action plans (activities)
4. Define what is most important to the organization & prioritize the quick wins
5. Schedule the activities in a timeline and get management buy-in
6. Make it visible and link delivery to key performance management targets
7. Track progress and provide support
8. Report progress and address issues that arise

B- Plan for Embedding: KEY ELEMENTS FOR EMBEDDING RISK CULTURE

1 Directors
2 Scorecards, JD's & appraisals
3 ERM process & Risk reporting
4 Benefits of good risk management
5 Responsibility & accountability in org. risk governance
6 Strategic Intent
7 Lessons learnt

(List out the effective key elements; describe each key element; break the plans down into action plans.)


C- Implementation of Embedding Plans

Key Element 1: Directors on your side

• Leadership are the real drivers of change
• They set the right tone and provide support
• They practice risk management by example
• They participate in the annual risk assessment & give sufficient time to risk management (new & emerging risks, upside and downside risks) associated with the business
• They are well prepared for risk committee meetings, with healthy challenge & discussion
• They have a real aspiration to practice good risk management

Element 1 action plans:

1. Develop a training plan to grow & sharpen the directors' overall knowledge set, to explain how risk management is built into decision-making
2. Include a member of the directors in the risk committee who is passionate about proper and effective risk management
3. Put risk on the directors' agenda at least quarterly
4. Design and roll out risk reporting and dashboards for the directors
5. Define a direct communication channel between the risk functions and the BOD
6. Invite representatives from all departments to the Risk Oversight Committee
7. Restructure ROC meetings to focus on detailed analysis of Top Risks

Key Element 2: Scorecards, job descriptions and appraisals

• Risk management is a component of each staff member's job profile and scorecard
• Accountabilities for risk management are understood at all levels in the organization and written into appraisals
• Training is offered to all levels (directors & staff), particularly where evolving risk requirements are specific in nature

Element 2 action plans:

1. Update job descriptions with risk management roles and responsibilities
2. Implement risk management performance metrics for Directors, the management line and staff
3. Develop recruiting and training plans to support job requirements
4. Develop the necessary performance standard
5. Develop an ERM function resourcing plan & implement it
6. Provide special risk management training, including certified training by known institutes

Key Element 3: Establish a clear ERM process with regular reporting

• Risks identified, assessed, monitored, managed and reported in an easily understood and effective manner
• ERM process & reports facilitate decision making and management actions/remedies
• Risk transparently reported and staff fearless to report
• A whistle-blowing line exists and whistleblowers are protected

Element 3 action plans:

1. Prepare and distribute clear & simple ERM processes & procedures
2. Update department business processes and procedures documentation with risk management activities
3. Propose uniform risk categories, sub-categories, and risk names
4. Update company assessment scales to reflect the risk appetite and tolerance statement
5. Identify Key Risk Indicators, develop monitoring plans, and implement risk treatment plans
6. Design and roll out a loss event tracking system
7. Establish an easy link for transparent risk reporting (Risk Proposal System)

Key Element 4: Selling the benefits of good, solid and robust risk management

• An ERM team in place who are energetic about creating awareness and understanding
• ERM must be live in your organization, not just a case of boxes that can be ticked

Element 4 action plans:

1. Develop a hiring plan to match the required knowledge and skill set in the ERM team
2. Develop training plans to support job requirements
3. Develop a competency model with HR to include knowledge, skills and abilities mapped to different levels for different types of positions
4. Develop a catalog of risk expertise [pool model (Internal & External)]
5. ERM team to provide training & awareness sessions for all company staff
6. Conduct an ERM survey / audit on departments to measure ERM awareness
7. Conduct ERM events, campaigns & celebrations; send emails & quizzes through the webmaster; distribute booklets, flyers, posters, ...

Key Element 5: Responsibilities and accountabilities are clearly defined in a well described governance

Roles & Responsibilities:

Strategic Level - BOD
- Setting up strategy, vision, mission
- Responsible for strategic decision making & responses
- Setting up Risk Appetite and ERM policy

Tactical Level - CRO & ROC
- Provides guidelines, directives, policies for the ERM process
- Acts as advisor to top management
- Implements risk responses on behalf of management

Operational Level - ERM Team
- Carrying out day to day risk management activities
- Executes ERM processes & procedures
- Prepares risk related reports

Business Level - Departments & Business units
- Implement ERM processes & procedures
- Collect data, identify & assess risks
- Implement treatment plans & ensure controls are in place
- Report to ERM on ERM performance

Internal Audit (shown alongside the levels on the slide; its responsibilities are not listed there)

Element 5 action plans:

1. Develop the necessary performance standard & ROC charter
2. Review & update the Risk Governance Structure
3. ERM meets with the BOD quarterly for communication & decision making
4. Update ERM policies with risk governance changes
5. Internal & External Audits to review ERM strategy implementation

Key Element 6: Strategic Intent

• Include risk management in the main strategic focus areas

Element 6 action plans:

1. Focus on strategic risks in ROC, Leadership and Board meetings
2. Include the Strategic Planning manager as a member of the risk oversight committee (ROC)
3. Link risks with performance and achievement of strategic objectives & execution of strategic projects

Key Element 7: Lessons learnt

• To heighten awareness of what can go wrong and does go wrong, so as to widen the knowledge of potential risks
• To demonstrate reflection by management and the BOD on emerging/evolving risk

Element 7 action plans:

1. Knowledge-sharing sessions
2. Training for the BOD, top management and the ERM team
3. Conduct meetings & risk discussions with other companies in a similar industry
4. Attend ERM related conferences, workshops, training sessions
5. Write papers and articles in ERM magazines
6. Participate as a case study in one of the universities

How to embed ERM in your organization: A- Assess your As-Is situation, B- Plan for Embedding, C- Implementation of plans. Repeat the process when it is necessary.

Key Success factors

Top management & BOD support
• Dedication, buy-in & alignment with the plans
• All strategic and operational goals are linked to appropriate risk management
• Commitment to the plans & completion of tasks within the timeframe

Clear processes & single ownership
• Risk management processes are understood by all (simplicity)
• Everyone in the company is risk aware and everyone recognizes his/her responsibility for risk

Detailed execution plan
• Carry out detailed planning and scheduling for the ERM embedding implementation

Budget estimate and approval
• Proper budget estimation and required approval for implementing plans

Effective communication plan
• Assuring timely and accurate communication plans with stakeholders are in place

Qualified manpower
• Attract/retain skilled manpower and experts for the implementation stage

Risk Management department
• There are structures to support risk management, e.g. a risk department
• All departments own risk management and only seek guidance from specialist departments such as risk management, internal audit, etc.
• Key issues should be solved by a single entity with clear decisions for specific milestones

THANK YOU

Questions?