Monthly Newsletter Issue 5 / October 2018


1 The IERP® Monthly Newsletter October 2018

CHAIRMAN'S MESSAGE

Dear readers,

With German chancellor Angela Merkel stepping down, the election of far-right candidate Jair Bolsonaro as Brazilian president, and the fallout from the murder of Saudi journalist Jamal Khashoggi, among other events, 2018 continues to bring major upheavals worldwide.

RAMESH PILLAI, Chairman of the Board of Governors, IERP®

In Malaysia, the Pakatan Harapan government will table its first budget on the 2nd of November. Its first few months in power have seen a long string of policy reviews as well as fire-fighting initiatives as the government evaluates the issues it faces. Much discussion has been had on what should be the focus of the budget, and it will be seen how the government is choosing to balance short term concerns—including heavy public debt—and long term stability as well as the goal to become a high-income nation.

Meanwhile, we haven’t seen the end of the US-China Trade War yet. While companies’ reported earnings aren’t seeing much of an impact yet, investors continue to worry about the future outlook as the war continues on.

In spite of the unpredictability of Trump, the US economy has performed well overall, with low unemployment rates and strong business confidence. Now, all eyes will be on the upcoming US midterm elections on November 6, which could potentially have far-reaching implications for the global financial market.

While political changes do not necessarily have negative effects on the markets, they are also symptomatic of wider social instability that could indicate ever-greater, ever-connected risks for your business down the road. Again, proactive ERM is key - not just to identify and manage external risks, but also to enhance the capabilities of your organization to move with confidence and cohesion towards its vision.


TABLE OF CONTENTS

Creating Value out of ERM
Top Considerations for Cybersecurity Oversight in the Boardroom
Wealth Inequality: Should Businesses Care?
Training Calendar 2018-2019
Upcoming Events and Training Programs


Tea Talk: Creating Value out of ERM


At our Tea Talk session on 12th September, IERP® faculty member Zaffarin Zanal gave a featured talk on Creating Value out of ERM. Zaff started off by stating that—to strong murmurs of agreement across the room of risk practitioners—implementing ERM is hard. The typical difficulty with implementing ERM is that while risk professionals understand the value of ERM, the top management (as well as the rest of the organization) might not readily see its value. Zaff noted that when something has perceived value, psychologically there is a ‘pull factor’ to it. It doesn’t require much forceful selling (the ‘push factor’).

He shared results from a 2017 ERM Benchmark Survey, which showed that while enterprise risk management is a ‘popular’ framework being implemented in organizations, management and line managers are still quite resistant to it. The challenge lies in establishing that pull factor when risk management is so often seen as tedious, bureaucratic, and expensive. To treat this particular ‘acceptance risk’, it is important to understand the potential causes.

The Negative Perception of ERM

Zaff proposed the following two factors as the main causes of negative perception of ERM:

1. It is human nature or psychology to be resistant to things that we are forced to do. Case in point: if ERM was initiated due to external pressures (stakeholders, regulators, etc.) or worse still, initiated in response after disasters occur, ERM inadvertently becomes viewed as a reactive and defensive measure taken only out of necessity and ‘forgotten’ once the crisis is over. Referring to a result of the benchmark survey, he shared that the top four motivating factors for ERM efforts were: board directives, regulatory requirements, efforts from risk managers, and internal audit. In other words, ERM initiatives often still rely on the ‘push factor’ rather than the ‘pull factor.’

With Zaffarin Zanal, Senior GRC Professional


2. Companies often get stuck in the ‘awareness’ part of ERM, after which little follow-through or value creation activities take off. In his opinion, many risk officers, unintentionally or otherwise, end up spending too much of their time carrying out training. A risk-aware organizational culture is key to a successful ERM framework, but training should not be the be-all and end-all. From the top down, ERM has to be aligned to the organization’s objective and tied directly to it. Otherwise, it will only be seen as a trivial, nice-sounding idea with little impact.

Creating Value out of ERM

Zaff’s top two tips for value creation in organizations:

1. Be more objective-centric. Typically, the risk management idea started out from its foundation to reduce hazards and comply with regulations or audit requirements. Unfortunately, that also popularized the taxonomy approach, which tends to restrict organizations to general risks unrelated to the achievement of organisational objectives. Although it works well for organisations operating in highly regulated environments where there is ready literature and specific standards set, risks for corporates in various industries tend to be more diverse and less constrained. By setting the risk register to focus on the organization’s objective, the relevance (and thus, value) of enterprise risk management will be readily apparent to leaders and line managers, in both the short term and long term.

2. Be business-minded. Profitability (i.e. increasing revenue and reducing costs) is the primary objective of an organization. Risk managers should consider more of the big picture as well as the organization’s long-term strategy and value creation initiatives. They should not be taking an auditing or operational approach to ERM. Look outward for strategic opportunities rather than misguidedly focussing on simply improving internal processes – which is not the responsibility of the risk management function. After all, ERM should look towards the organization’s future sustainability. He shared that the same benchmark survey showed that only 22% of respondents listed in their top 2 reasons for implementing ERM, “ERM’s value is in increasing certainty in strategic and operational objectives.” This reflects the fact that organizations today are still not utilizing the ERM framework’s full capacity as a strategic management tool.

One of the Tea Talk participants asked for clarification about the objective-centric approach: does that approach mean they have to be privy to strategic meetings? Zaff responded with a strong yes: since risk management is more strategic than operational in nature, it should be natural that risk officers attend relevant strategy or business meetings in order to be able to provide the relevant input or at the least be able to understand what the organization is trying to do. This is where the risk officer must be ready to wear the hat of a business owner as well. The one primary issue is that some risk officers are not comfortable in business settings or worse, not regarded as a useful presence in business meetings.

Zaff shared that in his past experience, he had made a point of proactively seeking chances to sit in on important meetings – going so far as to attend them uninvited if needed. But a good risk officer will not be able to do this without first establishing the right relationships and being in tune with the business. Efforts must be made to remove the perception that risk officers are merely ‘police officers’ or rebranded auditors who keep everyone’s hands tied. In his opinion, risk officers could benefit by striving towards more of a ‘rock star’ persona instead of just fading into the background.

The Takeaway

All in all, risk managers often face an uphill battle. Zaff notes that charisma, reputation, and social skills matter for a risk manager. The ability of risk officers to drive ERM effectively largely depends on personal good will; a lack of popularity among staff and bosses could impede value creation and further perpetuate the negative perception of ERM. In other words, creating value out of ERM can depend on your ability to first persuade others of the value of ERM itself.

What Next?

For more insights, learn more about our next Tea Talk session on 16 November, "The Importance of Soft Skills and EQ in ERM."


Cybersecurity Oversight in the Boardroom


A little more than a year ago, Equifax disclosed to the public that it had experienced a cyberattack, during which hackers stole the names, Social Security numbers, birthdates, and addresses of 147.7 million Americans – more than half the US population. Since then, other major data breach incidents have been reported worldwide, involving—among many other entities—Facebook, fitness tracking app Strava, Adidas, Under Armour, and identification authority Aadhaar (compromising the personal information of all 1.1 billion Indian citizens registered under its service).

By now, it should go without saying that cybersecurity is not just an IT issue. Cybersecurity requires enterprise-wide awareness and effort. Cyberattacks hurt a company’s reputation and can cost you your customers’ and suppliers’ trust: it can be difficult to shake off the public view that your organization is unreliable or inefficient.

To a large extent, the success of your cybersecurity framework can be measured by how quickly you can detect and deal with breaches. If an organization is slow to respond to or detect a security breach, operational and legal costs will rapidly accumulate, not to mention costs related to crisis management. At the same time, employees are stuck with dealing with the problem instead of going about their usual responsibilities.

Considering how much is at stake for a company, cyber risk needs to be near the top of the agenda during Board meetings. Some key considerations for cybersecurity oversight:

1. Defining board roles and responsibilities

Establishing clear roles for senior management and board members is key to ensuring accountability and ownership for cybersecurity oversight and cyber incident responses. Have the appropriate lines of communication been set up as part of a holistic cybersecurity framework?


2. Improving board knowledge

Encouraging board education programs on cybersecurity can empower board members with the confidence to be more proactive with cybersecurity. Board members do not need to be technical experts, but armed with the requisite knowledge, they can provide the perspective and knowhow on using cybersecurity as a competitive advantage.

3. Communication effectiveness and frequency

Organizations need to implement structures and processes that will enable a consistent and reliable flow of information. Boards should consider whether the quality and frequency of meetings and reporting are sufficient for the organization’s needs and objectives. Boards will not be able to make the right strategic decisions if they do not get relevant information in a timely manner.

4. Setting the tone at the top for organization-wide culture and competencies

In this volatile business landscape, there are evolving expectations for boards on their duties, transparency, innovation, and so on. Depending on the maturity of the organization’s cybersecurity framework, Boards can set the tone at the top for culture, review current capabilities and talent management, review response plans, and assess existing structures – so that senior management can make improvements.

What next?

These considerations are the tip of the iceberg when it comes to cybersecurity oversight. As cybersecurity becomes ever more complex as technology continues to evolve, Boards have the opportunity to lead their organizations in implementing best practices as well as becoming a cybersecurity leader in their industry.

Want to learn more? Deep-dive into this topic in our Qualified Risk Director (QRD®) certification program, designed to provide board directors with a holistic understanding of Enterprise Risk Management and Governance, Risk, and Compliance matters.


Wealth Inequality: Why Should Businesses Care?

Earlier this month, Oxfam released the latest edition of its Reducing Inequality Index, which ranks countries based on government spending on welfare and social protection and health, taxation policies, and labor rights and minimum wage policies. Denmark, Germany, Finland, and Austria ranked as the least unequal, while Nigeria, Uzbekistan, Haiti, Chad, and Sierra Leone ranked as the most.

Critics of the index point out that it only measures inputs, and not the results of the measures. In particular, Singapore’s Minister for Social and Family Development, Desmond Lee, was seen to dismiss the nation’s poor score, stating that Singapore seeks to achieve "real outcomes" in health, education, jobs, and housing rather than satisfy a “collection of ideologically driven indicators.”

At the same time, government initiatives alone will not be able to curb growing inequality. With 85% of the world’s wealth concentrated in the hands of 10% of the population, there can be no doubt that the wealthy minority as well as corporate entities have disproportionate power—and arguably, responsibility—over the fates of the majority.

Inequality breeding social instability

Markets have recovered completely since the 2008 financial crisis. However, the crisis had hit poorer households harder. In the US for example, those with lower incomes tended to have their wealth tied up in their homes, which plummeted in price, while those with higher incomes held their wealth in stocks and bonds, which have since risen in value.


As we saw, Trump and the newly-elected Brazilian president came to power on the current wave of anti-establishment populism. Brexit, similarly, played on the discontent of the working class as well as societal divides. The average person no longer trusts the institutions meant to look out for their best interests, with the perception that they won’t be able to overcome the odds stacked against them in a system that makes the rich richer and the poor poorer.

Trump and the US Republicans’ pro-business stance have supported US economic growth, but at what cost? Popular economic measures such as GDP or unemployment rate can mask still-existing divides along the lines of race, class, gender, etc., which will only further reinforce wealth gaps. With higher education costs, slow wage growth, regressive tax laws benefiting higher-income households, and technology displacing jobs, social mobility is proving to be increasingly difficult for lower-income or marginalized groups.

What does this mean for businesses?

On a macro level, populist/nationalist sentiment stemming from social unrest seems to support protectionist policies, which, in a globalized age, could spell disruptions to global supply chains. As geopolitical risks continue to ramp up and with no end in sight for the US-China Trade War, investors and economists continue to debate whether we are approaching another global financial crisis.

At the same time, the implications of inequality could have a direct impact on the financial market in the near future. According to Moody’s analysts, income inequality threatens to downgrade the US’ credit rating.

Increasingly, there are calls for corporations to adopt sustainable, ethical business models that do not just focus on short-term profit. At the moment, however, businesses have little incentive to look out for any interests beyond that of their stakeholders’. And what do ‘sustainable’ and ‘ethical’ mean? Each entity could have different definitions for what constitutes those ideas and how they apply to it. From diversity hires and higher wages to CSR initiatives and professional development programs, are they effective if not coupled with integrated, enterprise-wide effort and culture?


From a business standpoint, there is value in being ‘ethical’, though it might not necessarily translate into short-term returns. In the long run, higher productivity, employee satisfaction, a good reputation with customers, and so on can result.

At the same time, we have seen the near-unstoppable rise of rapidly growing mega-corporations such as Amazon, whose founder, chairman, and CEO Jeff Bezos has a net worth of $147 billion. Its growth has not been impeded even as there have been reports that its warehouse workers in various countries are subject to appalling working conditions with minimum wage (or less). In short, while public outrage can spread like wildfire through social media in this digital age, it is usually only the leaders who can hold themselves and the businesses they manage accountable.

At the bottom line, inequality doesn’t exist in a vacuum. It is related to other risks. It is perpetuated by globalization, the rise of technological automation, the concentration of power and resources in a small minority, and sociocultural norms. It breeds societal instability and divides, which can then feed into instability in the arenas of politics, government regulation, international trade, and financial markets. Now more than ever before, corporations need to look towards long-term sustainability – not just for their value-add and survival, but also to acknowledge the part they play in the wider ecosystem of societal wellbeing.


IERP® Training Calendar

Topic Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

Evolution of ERM Models and Standards 5 3

RCSAs and Internal Control Models 6 5

Corporate Ethics 7 4

Corporate Governance 8 6

Market Risk, Credit Risk and Operational Risk 2 1

Project Risk Management / CyberSecurity Risk Management 3 2

Investment Risk Management 4 3

Measuring Corporate Performance 5 4

Corporate Strategic Risk Management 7 12

Business Continuity Management 8 13

Implementing ERM as a Strategic Management Tool & Key Risk Indicators (KRIs) 10-11 14-15

ERM Models 22

Fraud Risk Management 23

Operational Risk Management 24

Enterprise Risk Management 25

Evaluating Risk and Internal Controls 13

Corporate Governance 14

Project Risk Management 15

Establishing a CyberSecurity Framework 16

(B) Risk Oversight Practices 15

(S) Corporate Culture and ERM 15

(S) Risk Appetite, Tolerance and Board Oversight 28

(B) Strategic ERM: A Primer for Directors 28

(S) Evolving Expectations for Boards 20

(S) The Role of Boards in Fraud Risk Management 20

(B) Establishing an empowered Board Risk Committee 13

(B) Directors Guide to ERM and ISO 31000 13

(B) Directors Guide to BCM and ISO 22301 27

(B) Directors Guide to Crisis Management and Leadership during crisis 27

(B) Directors guide to Risk Maturity Frameworks 22

(B) Cybersecurity Oversight in the Boardroom 22

(S) Establishing an empowered Audit Committee 8

(S) Audit Committee’s guide to COSO 2013 and Internal Controls 8

(S) Directors guide to GRC (Governance, Risk, and Compliance) 22

(S) Governance and ERM, including MCCG 2017 Considerations 22

International ERM Models and Standards 2 26

Effective RCSAs 3 27

Ensuring effective ERM practices 4-5 28-29

Introduction to BCM and Standards 18

Strategies and Analysis 19

BCM Plans 20

Emergency Preparedness 12

Crisis Management 13

Audits and Response Plans 14

Enterprise Governance 28

Crisis Communication and Management 29

Fraud Risk Management 25-26

Operational Risk Management 8

Implementing ISO 31000 effectively 9

ERM Lab 10-11

Pre Conference, Conference and Post Conference 30 -31 1 - 2

IERP Global Conference

**Schedules are subject to change**

EXAM

Enterprise Risk Professional

2018

Qualified Risk Director Programme

Qualified Risk Auditor Programme

Business Continuity Leader

Business Continuity Manager

Enterprise Risk Manager

Enterprise Risk Technician

Enterprise Risk Advisor

Singapore Online 16 July - 31 August, Face to Face 17 - 21 September

Bali 15 - 18 October (B)

Singapore 4 - 7 December (S)


UPCOMING EVENTS

Risk Clinic, November 9

Tea Talk: The Importance of EQ and Soft Skills in ERM, November 16 (Featured Speaker: Ramesh Pillai)

Directors Networking Group (DiNG), November 30

Chief Risk Officers Networking Group (CRONG), December 3

For more information about our events and programs, [email protected] or visit our website.
