Enterprise Risk Management 3 Kuwait ERM …kuwaiterm.com/ppt/21-Faisal_AlMaghribi.pdf3rd Kuwait ERM...


Enterprise Risk Management

3rd Kuwait ERM Conference

29th March 2015


“Enhancing ERM Performance Through Developing Key Risk Indicators”


ERM- Risk Management

3 Mar. - 2015

Speaker’s Background

Faisal Ahmad AlMaghribi, Risk Analyst, ERM.

• MBA, Thesis: In Financial Risk Management (2011).

• Chartered Operational Risk Management Specialist certificate by “IABFM”, USA (2013).

• CPRM Certificate, from ARiMI, Singapore (2014).

• Joined KNPC in June, 2012.

• Nearly 3 years in ERM/Risk Management Dept.

• With previous exposure to RM in Financial industry.


Abstract

The objective of this paper is to present an effective “risk tool” that is capable of assisting management in tracking the risk behavior of highly ranked organizational risks. This presentation aims at sharing the importance of setting Key Risk Indicators (KRIs) for monitoring risk behavior effectively. The presentation covers various areas: KRIs definition, types of KRIs, Linking KRIs to Strategy, “RCA” technique, Methods for identifying KRIs, the process of setting KRIs in KNPC, advantages & limitations of KRI, and, finally, risk reporting stage. In conclusion, developing Key Risk Indicators is a pro-active, value-adding tool for driving business performance in KNPC that accounts for risks and risk behaviors in compliance with Risk Appetite.


Agenda

Time: 30 minutes

• Introduction

• Risk definition

• Key Risk Indicators definition

• Types of KRIs

• Linking KRI to strategy

• Root Cause Analysis Techniques

• Thresholds & limits

• Example: Cyber Risk

• Methods for identifying KRIs

• The process for setting KRIs in KNPC

• Advantages & Limitations of KRIs

• What happens if limits are crossed?

• Risk Reporting

• References


Risk Definition

• It is about “Uncertainty of return”!

Risk is defined as:

“an uncertain event or condition that, if it occurs, has a positive or negative effect on objectives” (KNPC ERM Manual).

Key Risk Indicators Definition

• KRIs – “relate to a specific risk and demonstrate a change in the likelihood or impact of the risk event occurring” (ARiMI, 2009).

• KRIs - are metrics used by organizations to provide an early signal of increasing risk exposures in various areas of the enterprise (COSO, 2010).

• KRIs – can be regarded as “early-warning systems” for managers (ARiMI, 2009).


Key Indicators- Definitions

1) Key Management Indicators (KMIs) – monitor the evolution of achievement of specific business objectives (e.g. volumes of business, share price, revenue, earnings, etc.).

2) Key Performance Indicators (KPIs) – monitor changes in performance of business/operational activities/processes that have an impact on specific business objectives.

3) Key Risk Indicators (KRIs) – relate to a specific risk and demonstrate a change in the likelihood or impact of the risk event occurring.

4) Key Control Indicators (KCIs) – relate to monitoring control’s application and effectiveness.

Note: KPIs or Key Performance Measures (KPMs) drive KRIs in the following sense: KRIs include many metrics used by KPMs (ARiMI, 2009).


Types of KRIs

1) Leading indicators

Description: A metric that changes before the occurrence of risk (investopedia.com). It is used to predict risk behavior.

Examples: On Job Training; No. of HSE near misses; Re-order point for inventory.

2) Lagging indicators

Description: A metric that changes after the occurrence of risk (investopedia.com). It is used to confirm long-term trend.

Examples: Employees’ attendance; No. of HSE incidents; No. of power failures at refinery/factory.


Linking KRI to Strategy

• Why is KRI applied in organizations?

• Why is KRI being implemented in KNPC?


• Developing KRIs will provide early warning signals of increasing risk exposures in various areas of the enterprise, and allow the monitoring of risk behavior.

• Setting Key Risk Indicators (KRIs) is one of the primary activities as per KPC ERM-2030 strategy, and KNPC ERM strategic initiative:

Quick Hit Enhancements: Identify KRIs, develop monitoring plans, and implement in ERM IS Software (AVANON) across KNPC departments.

• Defining and using appropriate KRIs & measures typically comes with the maturity of an organization's ERM capability (Deloitte’s ERM Capability Maturity Model).


Elements of Risk & KRIs

• A typical risk description includes the following elements:

Cause → Event → Impact

• Identifying all risk elements enables better understanding of the risk & helps determine the relevant indicators to be used for measuring changing risk levels (ARiMI).


Root Cause Analysis (RCA) Techniques

“understanding the root causes of key risks is at the heart of preventive KRI identification” (Dr. Chapelle, 2015).

1) Risk Tree Map:

A diagram that maps out the causes and consequences of a risk event from an analytical approach.

Note: This is the technique utilized by KNPC ERM Team.

2) Fish Diagram: It is also called a fish bone diagram.

3) Bow Tie: It resembles the “tie” shape.


DEFINING RISK ELEMENTS: RISK TREE MAP

[Diagram: risk tree map. Labels: Crisis (Roots), CAUSES; Event, DISRUPTION, Key Process or Asset; Crisis, CONSEQUENCES. Captions: “Focus above to prevent Crisis” and “Focus above to manage Crisis”.]


Thresholds & Limits

• In order to monitor risks effectively, it is important to measure them to determine the quantitative amounts of risk the company is exposed to.

• “KRI thresholds are one way of expressing Risk Appetite throughout the organizations operations, with lower thresholds typically linked to lower risk appetite” (Dr. Chapelle, 2015).

Value: Description

Threshold Value (Alarm Point # 1): Minimal value a certain risk indicator may have (Key word: Monitor).

Limit Value (Alarm Point # 2): Maximum tolerable value a certain risk indicator may have (Key word: Act).


Example: Cyber Risk

The Risk of Insufficient Security- IT Online Threat:

Risk #: KNPC195

Risk Name: SS IT Inefficient Security - Online Threats

Risk Description: The risk of online threats (e.g. viruses, intruders) due to inadequacy of technology-centric security of IT environment, potentially affecting data integrity and/or business continuity.

KRIs for Risk ID KNPC195 (the No. of Actual Incidents columns cover 2013 (Q4), 2014 (Q1), 2014 (Q2), 2014 (Q3) and 2014 (Q4)):

1) No. of critical incidents

KRI Description: Monitor number of critical IT security incidents

Threshold Value: 4 per Day (4*30*3) = 360/qtr.

Limit Value: 7 per Day (7*30*3) = 630/qtr.

No. of Actual Incidents, 2013 (Q4) to 2014 (Q4): X X X X X

2) No. of emergency incidents

KRI Description: Monitor number of emergency IT security incidents

Threshold Value: 2 in a Month (2*3) = 6/qtr.

Limit Value: 3 in a Month (3*3) = 9/qtr.

No. of Actual Incidents, 2013 (Q4) to 2014 (Q4): X X X X X

3) No. of open vulnerabilities

KRI Description: Monitor the number and severity of vulnerabilities

Threshold Value: 2 per IP Address per Qtr.

Limit Value: 4 per IP Address per Qtr.

No. of Actual Incidents, 2013 (Q4) to 2014 (Q4): X X X X X
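The KRI table above, turned into a check, as an added example that is not part of the original slides: it buckets incident records into quarters and compares the counts with the slide's threshold and limit values. Assumptions: reaching the threshold raises alarm point 1 and only a value above the limit counts as crossing it; the record layout, function names and sample data are hypothetical.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class KRI:
    name: str
    threshold: float  # alarm point 1, key word "Monitor"
    limit: float      # alarm point 2, key word "Act"

    def status(self, value):
        # Assumption: the limit is the "maximum tolerable value", so only a
        # value above it is a breach; reaching the threshold raises alarm 1.
        if value > self.limit:
            return "ACT"
        if value >= self.threshold:
            return "MONITOR"
        return "OK"

# Threshold and limit values as given on the slide for risk KNPC195.
KRIS = {
    "critical": KRI("No. of critical incidents", 4 * 30 * 3, 7 * 30 * 3),
    "emergency": KRI("No. of emergency incidents", 2 * 3, 3 * 3),
    "vulns": KRI("No. of open vulnerabilities per IP address", 2, 4),
}

def quarter(d):
    """Label a date the way the slide labels its columns, e.g. '2014 (Q1)'."""
    return f"{d.year} (Q{(d.month - 1) // 3 + 1})"

def incident_report(incidents):
    """(date, severity) records -> {quarter: {severity: (count, status)}}."""
    kinds = ("critical", "emergency")
    counts = Counter((quarter(d), s) for d, s in incidents if s in kinds)
    report = {}
    for (q, sev), n in sorted(counts.items()):
        report.setdefault(q, {})[sev] = (n, KRIS[sev].status(n))
    return report

def vulnerability_report(open_findings):
    """(ip, finding_id) records for one quarter -> hosts at or past alarm 1."""
    per_ip = Counter(ip for ip, _ in open_findings)
    flagged = {ip: (n, KRIS["vulns"].status(n)) for ip, n in per_ip.items()}
    return {ip: v for ip, v in flagged.items() if v[1] != "OK"}

def appetite_breached(report):
    """True if any KRI in an incident report has crossed its limit."""
    return any(s == "ACT" for kris in report.values() for _, s in kris.values())

# Constructed sample data (not KNPC figures; the slide shows only "X").
INCIDENTS = (
    [(date(2014, 1, 1 + i % 28), "critical") for i in range(400)]
    + [(date(2014, 2, 1 + i), "emergency") for i in range(6)]
    + [(date(2014, 4, 1 + i % 28), "critical") for i in range(100)]
    + [(date(2014, 5, 1 + i), "emergency") for i in range(10)]
)
FINDINGS = [("192.0.2.10", f"F{i}") for i in range(5)] + [
    ("192.0.2.11", "F5"), ("192.0.2.11", "F6"), ("192.0.2.12", "F7")]
```

With the sample data, 2014 (Q2) crosses the emergency-incident limit, which is the condition the later slides describe as a breach of Risk Appetite.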


Methods for identifying KRIs

What is the source of information when developing KRIs?

• Workshop (KNPC)

• Focus groups

• Interviews

• Surveys

• Courtesy visits

• Other sources (i.e., market/industry reports “Solomon Studies”).


The Process of Setting KRIs in KNPC

1) Extract Very High & High Risks from Department’s Risk Register.

2) Develop proposed K.R.Is for corresponding risks by ERM analysts.

3) Circulate for consultation within ERM Team.

4) Send proposed KRIs to WTM for review/modify & approval from Dept.

5) Repeat the same process for Departments with similar activity & Conduct Workshop for “Aggregation” purposes.

6) Issue a Memo to responsible Dept. to confirm KRIs & request ERM IS, Software “Avanon” data uploading.

7) Monitor updating KRIs periodically during the year.


Advantages of KRIs

• Effective KRIs can provide value to the company in various ways:

1) Risk Appetite

2) Risk and Opportunity Identification

3) Risk Treatment

4) Risk Reporting

5) Compliance Efforts

6) Improved Performance

7) Improved Processes

8) Improved Workplace Environment


1) Risk Appetite:

“By mapping KRI measures to identified risk appetite and tolerance levels, KRIs can be a useful tool for better articulating the risk appetite that best represents the organizational mindset” (COSO).

2) Risk and Opportunity Identification:

“KRIs can be designed to alert management to trends that may adversely affect the achievement of organizational objectives or may indicate the presence of new opportunities”.

3) Risk Treatment:

KRIs can initiate action to mitigate developing risks by serving as “triggering mechanisms” for organizations.


4) Risk Reporting:

KRIs can provide measurable data conducive to aggregation and useful to management after reporting.


5) Compliance Efforts:

KRIs may be useful in demonstrating compliance with established requirements in areas such as reserve levels, environmental regulations (K-EPA), and other stakeholders.

6) Improved Performance:

The use of KRIs to anticipate emerging risks and changes in risks over time can decrease losses, identify opportunities for strategic manipulations, and potentially reduce the cost of capital by mitigating perceptions of risk that lending parties may face.


7) Improved Processes:

KRIs can help reduce service disruptions, improve supply chain management, and enhance customer satisfaction by potentially avoiding certain decisions that may unknowingly create risks affiliated with these processes (i.e., the risk of long life project cycle).

8) Improved Workplace Environment:

The use of KRIs can lead to less utilization of crisis management, and maybe faster business recovery to deal with critical or emergency incidents (i.e., Risk of HSE events, & Risk of Labor Strike).


Limitations of KRIs

The following are some of the shortfalls of KRIs:

• Can be costly to implement and update (Frequently).

• Can be hard to measure in some cases.

• Requires a good understanding of risk cause (for likelihood drivers), and consequence (for impact drivers).

• Level of usefulness varies from risk to risk.

• Depends on organizational maturity and risk culture.


What happens if limits are crossed?

• Crossing the Limit means that the Risk Appetite has been breached!

• Senior Management monitors the activity of risks by monitoring the changing levels of thresholds & limits. Once the limit is crossed, top management would: 1) Analyze the new situation, and 2) Determine the best ways to deal with it.

• The company is expected to take corrective actions (to decrease the likelihood and/or impact of the event).


Potential solutions vary based on management’s assessment of the intensity of emerging risk. They include:

• Modifying the Risk Category (elevate from High to Very High).

• Reviewing controls (MCSs).

• Treating risks immediately by implementing risk mitigation plans.


Risk Reporting

• You can’t manage what you cannot measure & monitor!


Why is Risk Reporting Important?

Code of Corporate Governance:

• “Key Principle: Organizations should implement a process to regularly monitor their risk profiles, and material exposures to losses. There should be regular reporting of pertinent information to senior management, and the board of directors that supports the proactive management of risk” (ARiMI).

• The main elements that should be in any executive risk report: (1) Losses, (2) Incidents, (3) Management assessments, and (4) KRIs.


Reporting to KPC

• KNPC reports to KPC annually as part of the ERM Cycle.

• This is achieved by updating the ERM IS software, Avanon, periodically.

• KNPC-ERM utilizes the “Avanon” system for monitoring & reporting KRIs for management purposes.


References

• KNPC ERM Manual (2015).

• McKinsey (2013).

• Deloitte (2013).

• COSO (2010).

• ARiMI training material for CPRM Certificate (2009).

• Investopedia.com (2015), viewed 10 January 2015 <Investopedia.com>.

• “Root cause analysis” training material by Bureau Veritas (2013).

• Dr. Chapelle, A 2015, Six Steps for preventive KRIs, viewed 10 March 2015, <Risk.net>.


Thank You
