Agenda ERM Frame Work: linking ERM Framework elements to Strategic Goals:- Objectives Setting: ...

ERM Role in Achieving Corporate Strategy


Agenda

ERM Framework: linking ERM Framework elements to Strategic Goals:

Objectives Setting: Determining ERM Strategy. Understanding Corporate Business Strategy.

Linking ERM Processes to Strategic Objectives.

Event identification and Assessment.

Setting Mitigation options.

Risk Monitoring & setting Key Risk indicators.

Achieving an Integrated ERM Approach

Objectives Setting: Determining ERM Strategy

Generally, risk is defined as “an uncertain event or condition that, if it occurs, has a positive or negative effect on objectives”

Threats and Opportunities are “the possibility that an event will occur and affect the achievement of the organization's (strategic) objectives”.

Enterprise Risk Management is defined as the systematic approach to identify, categorize, quantify, and proactively deal with all risks within an organization, in order to protect and enhance value.

It is necessary to set and clarify objectives and to define criteria to decide whether an objective has been reached or not, before trying to manage risk.

Risk is related to objectives

ERM Model Component – ERM Framework: COSO ERM – a theoretical framework

The figure depicts the theoretical framework as designed by the Committee of Sponsoring Organizations of the Treadway Commission. Its components, with the questions shown beside them:

• Internal Environment
• Objectives Setting
• Event Identification: Which events have an influence on our objectives?
• Risk Assessment: How often do they occur and what is their impact?
• Risk Response: How do we respond? What are our possible control activities?
• Control Activities and Assurance: Are our control activities carried out properly and in a timely manner?
• Information & Communication: Do we have the right management information? How do we communicate to our employees?
• Monitoring: Is our framework functioning? Do we have to reconsider steps?

Objectives Setting: Determining ERM Strategy

“Risk Appetite” is one’s willingness to accept risks in pursuit of value. Risk appetite depends on an organization’s ERM Aspirations (or ambition level) with respect to managing the risk, which in turn depends on the company’s strategic objectives, priorities and current ability to take risks.

Figure: Risk Appetite. Axes: expected net return (revenues minus cost of risk control measures) against level of residual risk exposure. Profiles shown: Risk Minimizer, Risk Optimizer, Risk Taker, Return Maximizer. Descriptions on the figure:

• Manage risks at all cost, even if this means that potential profit is less
• Optimize the balance between residual risk and costs to manage risks
• Use all efforts to influence the positive outcome of events, even if this means a higher risk exposure

Objectives Setting: Determining ERM Strategy

Implicit Risk Appetite: Approach

The As-Is assessment captures each Department’s perception of:

• How much the Department is exposed to each risk sub-category.
• How mature the corresponding risk management processes are.

From this information, management will estimate the implicit (inherent) risk appetite. This will be a starting point for setting the organizational explicit (desired) risk appetite and translating it into a risk strategy.

Implicit risk appetite will be estimated by:

• Calculating organization-wide scores for each risk sub-category
• Comparing inherent risk to risk management maturity
• Comparing residual risk to the effectiveness of risk management

Objectives Setting: Determining ERM Strategy

Risk Appetite – Explicit Risk Appetite

Figure: risk categories placed on the risk appetite map. Axes: expected net return (revenues minus cost of risk control measures) against level of residual risk exposure. Profiles: Risk Minimizer, Risk Optimizer, Risk Taker, Return Maximizer. Categories shown: Health & Safety Risk, Information Systems Risk, HR Risk, Strategic Risk, Internal Process Risk, Technology Risk, Reputation Risk, Legal Risk, Model Risk, Supplier Risk, Environmental Risk, Political Risk, and the low inherent risk categories *. Two areas of the map are marked [ NONE ].

* Risk categories with low inherent risk are: Customer risk, K-Company risk, Volume risk, Price risk, Interest rate risk, Foreign exchange risk, Regulatory and Disaster risk

Objectives Setting: Determining ERM Strategy

Copyright @ARiMI 2009

Figure (flow diagram), with these elements:

• Organization Group Objectives. Vision, Mission, Values: drives Strategy, drives Key Objectives
• Determine Business Model: define stakeholders; value creation, value capturing, value sustainability
• PERFORMANCE MANAGEMENT: Key Performance Indicators (KPIs) under Financial, Customer, Internal Processes, HSE, Learning & Innovation
• Identify Critical Success Factors (Key Function of Project: Key Process & Resources)
• RISK MANAGEMENT, under Financial, Customer, Internal Processes, HSE, Learning & Innovation:
  • RISK IDENTIFICATION: What factors impact our objectives & ability to succeed by disrupting key resources & processes?
  • TREATMENT PLANS: What controls do we need to put in place to mitigate our risks?
  • Key Risk Indicators (KRIs)
  • Key Control Indicators (KCIs)
  • Critical success & failure causes/factors
• Knowledge Management

Objectives Setting: Understanding Corporate Business Strategy

Business Model

1. How to create and grow value?
2. How to capture part of the value?
3. How to sustain the value over time?

Key activities, processes and resources

A process can be thought of as a measurable, interconnected group of activities that can flow across departments.

A Resource is the means available to a company which can be used (incorporated in the firm’s process structure) to accomplish a goal such as increasing production, revenue or profit, etc.

Think out of the Box.

• Identify your business objective

Objectives Setting: Understanding Corporate Business Strategy

Identify resource elements used in each step of process.

Example used from (HR BEST Project) – HR “To Be” Processes document

Draw department Business processes


Linking ERM Processes to Strategic Objectives.

Event Identification & Assessment


Risk identification – Root Cause Analysis (RCA): Risk Tree Map

Figure: risk tree. Labels: CAUSES (roots), Event, DISRUPTION, CONSEQUENCES (crisis), Key Process or Asset, tolerance. Notes on the figure: “Focus above to prevent Crisis” and “Focus above to manage Crisis”.

Linking ERM Processes to Strategic Objectives.

Event Identification & Assessment

Figure: Risk Dimensions. Labels: Risk Level (Frequency, Severity), Range of Outcomes, Trigger / Uncertain Events, Risk Drivers/Causes, KRI.

Key Risk Indicators (KRIs): relate to a specific risk and demonstrate a change in the likelihood or impact of the risk event occurring.

Linking ERM Processes to Strategic Objectives.

Event Identification & Assessment

Likelihood x Impact = risk degree (low, medium, high, very high)

| Likelihood \ Impact | 1 - Incidental | 2 - Minor | 3 - Moderate | 4 - Major | 5 - Severe |
|---|---|---|---|---|---|
| 1 - Frequent | Medium | High | High | Very High | Very High |
| 2 - Likely | Medium | High | High | Very High | Very High |
| 3 - Possible | Medium | Medium | High | High | Very High |
| 4 - Unlikely | Low | Medium | High | High | High* |
| 5 - Rare | Low | Low | Medium | Medium | High* |
| 6 - Very Rare | Low | Low | Medium | Medium | High |

* If health and safety or environmental impact is severe, then risk elevated to Group Risk Register.

** Where there is a societal risk (to people) the risk is to be designated VERY HIGH.

KNPC Risk Assessment Map


Linking ERM Processes to Strategic Objectives.

Setting Mitigation Options


Proper Risk Decision Analysis

Figure: time line running from Now across the Planning Horizon. Labels: Risk Drivers / Causes, Risk Issues, Decisions, Uncertain Events, Outcomes, Controls (Frequency), Controls (Impact), Prevent Threats, Minimize Negative Impact.

Linking ERM Processes to Strategic Objectives.

Setting Mitigation Options

Response to Risk:

• Avoid (downside potential of risk): eliminate the risk by preventing exposure to future possible events from occurring.
• Accept (risks that cannot be treated): maintain the risk at its current level.
• Control (downside potential of risk): implement policies and procedures to lower the risk to an acceptable level.
• Share (down and up side potential of risk): share the risk with another party (e.g. other K-company, contractors or joint venture).
• Transfer (downside potential of risk): shift the impact of a threat to a third party (e.g. insurance).
• Realize (upside potential of risk): work to ensure that the uncertain positive event happens. A management choice in circumstances when an exposure may have more value in the future, depending on how the future unfolds.

Linking ERM Processes to Strategic Objectives.

Setting Mitigation Options

Figure: Treat Risks, Detailed Process View. Process steps: Identify Treatment Options, Assess Treatment Options, Prepare Treatment Plans, Implement Treatment Plans, with Communicate & Consult and Monitor & Review alongside. Decision points: Accept Risk? (Yes / No) and Treat Risk? (Yes / No). Treatment options: Avoid, Transfer (all or in part), Reduce Consequences, Reduce Likelihood. Assessment steps: consider feasibility, costs and benefits; recommend treatment strategies; select treatment strategy; prepare treatment plans. Other labels: Accept, Retain, Part transferred, Part retained.

Risk Mitigation: Taking action (control measures) in order to reduce the probability of occurrence and/or the impact of a risk to below an acceptable threshold.

Linking ERM Processes to Strategic Objectives.

Setting Mitigation Options

Risk monitoring consists of measuring the exposure of the company’s objectives to each risk and keeping track of how that exposure changes over time.

This allows risk behaviour to be observed against Key Risk Indicators (KRIs), which provide an early warning of an increased risk of future losses (proactive measures).

After risks are identified, analysed and integrated into the company’s risk portfolio, the company can decide to:

• Monitor risk behaviour against Key Risk Indicators (KRIs), which allows the initial Risk Assessment to be tuned.

• Accept the risk as per the expected residual risk and risk appetite, then start monitoring against pre-set limits.

• Treat the risk, then set limits in order to examine the effectiveness of the implemented mitigation options and take corrective actions to improve future action plans.

Linking ERM Processes to Strategic Objectives.

Risk Monitoring & Setting Key Risk Indicators

Linking Key Risk Indicators to BSC.

Understand Vision, Values, Mission

Determine Business Model

1. How do we create and grow VALUE for our customers?
2. How do we capture a fair share of the VALUE created?
3. How do we sustain the VALUE creation process over time?

Identify Critical Success Factors (CSF)

Key Performance Indicators

Key Risks Indicators

Linking ERM Processes to Strategic Objectives.

Risk Monitoring & Setting Key Risk Indicators

Different Types of Metrics / Indicators

Indicators:

• Key Management Indicators (KMIs): monitor the evolution of achievement of specific business objectives (e.g. volumes of business, share price, revenue, earnings, etc.).

• Key Performance Indicators (KPIs): monitor changes in performance of business / operational activities / processes that have an impact on specific business objectives.

• Key Risk Indicators (KRIs): relate to a specific risk and demonstrate a change in the likelihood or impact of the risk event occurring.

• Key Control Indicators (KCIs): relate to monitoring control’s application and effectiveness.

Metrics:

• “An objective measure used to quantify an associated risk”

• something observed or calculated that is used to show the presence or state of a condition or trend; an instrument or gauge that measures something and registers the measurement; something such as a light, sign, or pointer that gives information.

Linking ERM Processes to Strategic Objectives.

Risk Monitoring & Setting Key Risk Indicators

Figure: Risk Dimensions. Labels: Risk Level (Frequency, Severity), Range of Outcomes, Trigger / Uncertain Events, Risk Drivers/Causes, Controls, with the indicator types KRI, KCI, KMI and KPI marked on the diagram.

Linking ERM Processes to Strategic Objectives.

Risk Monitoring & Setting Key Risk Indicators

Figure: Iterative Risk Process at Every Level (INTEGRATED; TOP DOWN and BOTTOM UP). Levels shown:

• Vision, Mission
• Strategic Objectives and Measurements: Financial; Customer & Social; HS & E; Internal; Learning & Innovation
• Business Unit Operational Plans and Measurements
• Day-to-day Operations and Decision Making

Risk labels: Strategic Risk, Tactical Risk.

Risk Process: Identify, Assess, Develop Plan, Implement, Monitor.

Achieving an Integrated ERM Approach

Thanks. Questions?

Sub-Category: Operational Risk

Operational Risk is the risk arising from (inadequate) physical infrastructure (asset failure), risk control measures and / or risk infrastructure (process failure).

| Risk Sub-Category | Definition |
|---|---|
| Health and safety risk | The risk related to people’s health and safety |
| Human resources risk | The risk arising from inadequate or inappropriate use of human resources |
| Internal process risk | The risk related to internal business process |
| Information systems risk | The risk related to IT system and technology |
| Reputation risk | The risk of change in public opinion that impacts the organization |
| Model risk | The risk arising from wrong assumptions used in forecasting and budgeting models |
| Legal risk | The risk arising from lack of using enforceable laws in contracts or other arrangements |
| Environmental risk | The risk arising from noncompliance with environmental laws |
| Technology risk | Risks of not capturing technology changes or failure to implement technology |

Sub-Category: Credit Risk

Credit Risk is the risk arising from the inability of a counterparty to meet a payment or delivery commitment.

| Risk Sub-Category | Definition |
|---|---|
| Customer | The risk arising from the inability of a customer to meet a payment commitment |
| K-Company | The risk arising from the inability of a sister Company to meet a payment or delivery commitment |
| Supplier | The risk arising from the inability of a supplier to meet a delivery commitment |

Sub-Category: Market Risk

Market Risk is the risk arising from an unexpected change in market variables.

| Risk Sub-Category | Definition |
|---|---|
| Volume risk | The risk that quantity of goods sold or available for purchase will not match original estimates |
| Price risk | The risk arising from volatility of market prices |
| Foreign exchange risk | The risk arising from volatility of foreign exchange rates |
| Interest rate risk | The risk arising from deviation of business financing costs from original estimates |

Sub-Category: Business Risk

Business Risk is the risk arising from unexpected changes in the internal and external business environment.

| Risk Sub-Category | Definition |
|---|---|
| Strategic risk | The risk of inability to formulate or execute a successful business strategy in the organization |
| Political risk | The risk arising from the actions of local, regional, or national governments or special interest groups |
| Regulatory risk | The risk arising from unexpected changes to local, regional, or national law |
| Disaster risk | The risk arising from (natural) catastrophic events (earthquakes, floods) |

Before we identify and assess our risks:

Understand KNPC Objectives:

Critical success factors: providing competitive advantage against other competitors

Organizational Strategy Map

Customer and Social Perspective

Financial Perspective

Customer and Social Perspective

HSE Perspective

Internal Perspective

Learning & Innovation Perspective

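CORPORATE BALANCED SCORECARD: Proposed targets

| # | Proposed measures | Lg/Ld | Freq. | FY 07/08 Actual | FY 08/09 Actual | FY 09/10 Actual | Annual target: Thresh. | Annual target: Goal/Target | Annual target: Stretch. | Weight % |
|---|---|---|---|---|---|---|---|---|---|---|
| | FINANCIAL PERSPECTIVE | | | | | | | | | |
| 1 | ROACE (%) | Lg | QTR | | | | | | | |
| | CUSTOMER & SOCIAL PERSPECTIVE | | | | | | | | | |
| 2 | Product Shipment Customer Satisfaction Index {PSCSI} (%) | Lg | QTR | | | | | | | |
| 3 | Percentage of Kuwaitis in KNPC | Lg | QTR | | | | | | | |
| 4 | Local Content Index (Share of Capex + Opex + Charity spending locally), MMKD(1) | Lg | QTR | | | | | | | |
| | H S & E PERSPECTIVE | | | | | | | | | |
| 5 | Fatal Cases (KNPC + Contractors), # | Lg | QTR | | | | | | | |
| 6 | Lost Time Injuries Rate, #/200,000 hrs | Lg | QTR | | | | | | | |
| 7 | Number of Environmental Incidents, # | Lg | QTR | | | | | | | |
| | INTERNAL PERSPECTIVE | | | | | | | | | |
| 8 | Refineries EDC Utilization (%) | Ld | QTR | | | | | | | |
| 9 | Risk Index, # (Risks to be Augmented) | Lg | QTR | | | | | | | |
| | LEARNING & INNOVATION PERSPECTIVE | | | | | | | | | |
| 10 | Annual Spent on R&T, 000 KD | Ld | QTR | | | | | | | |

Minimum=0, Base=400, Goal=800, Maximum=1200

TOTAL WEIGHT % = 100.0%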

What is Risk?

There are two sides of Risk: Loss and Gain.

Risk is an intrinsic part of business. Without risk, no business opportunities.

• Risk is the threat that an event or action will adversely affect an organization's ability to maximize shareholder value and achieve its business objectives.

• Risk arises as much from missed opportunities as it does from possible threats.

• The chance of something happening that will have an impact on objectives.


What is Risk? Definition & Components

• Risk can be expressed as a probability distribution.
• Risk = Variance in outcome from expected.
• Risk = Catastrophic Downside.
• Risk = Upside Opportunities.
• Risk = Uncertainty.

Example: Risk of Car Accident

Figure: causes and consequences of the event “Car Accident”.

Causes (Why?):

• Leaving late to work
• High speed
• Defect on alarming system
• System oil leak
• Bad brake pads
• Defect on brake system
• Bad tire conditions

Consequences:

• Injury
• Death
• Car damage

Controls on causes:

• Always leave 15 – 30 min earlier.
• Fix alarming system & speedometer.
• Fix brake system & oil leaks if any.
• Check oil level once a week & car fluids.
• Examine car brakes before driving.
• Change brake pads on a regular basis.
• Change car wheels regularly & check wheels condition before driving.
• Clear the path between the accelerator & the mat.

Controls on consequences:

• Always fasten safety belt.
• Check airbag system regularly.
• Buy car insurance according to your tolerance.
• Buy life insurance.

Indicators:

• KRI = No. of speeding tickets received during the year
• KCI = No. of times I left late during the month
• KRI = No. of defects found during the month
• KCI = No. of services delayed/postponed
• KPI = No. of accidents during the year
• KCI = xxxxxxxxx

To be loaded in Avanon system

Treating Risks – Identifying Treatment Options

Figure: Causal Factors (1. One, 2. Two, 3. Three, 4. n), Risk, Consequences (1. One, 2. Two, 3. Three, 4. n). Labels: Modify Likelihood, Treat Consequences.

With respect to Causes:

• Review guidelines to see if the risk is already treated or referenced by a standard or guideline (HSE, Construction, Finance, IT).
• Understand immediate causes and look to understand the underlying factors (root causes).
• Root causes could include beliefs, policies, practices.
• Causes may be outside of the organization and therefore outside of the control of the organization.
• Stress test causes to see which is the main driver of risk.

Consequences:

• What post-risk activity could be taken to alleviate the consequences?
• Includes practices: Contingency Planning, Business Continuity.
• How can financial losses be dealt with?

Understand Organization Business Models

Understand Mission, Vision, Values

Determine Business Model

1. How do we create and grow VALUE for our customers?
2. How do we capture a fair share of the VALUE created?
3. How do we sustain the VALUE creation process over time?

Identify Critical Success Factors (CSF)

Diagnostic: Identify & Analyze Risks

Audit: Check it is working!

Treatment: Select & Implement Solution

Economic Environment

Physical Resources environment

Political Climate

Human & Social Factors