Agenda
ERM Framework: linking ERM Framework elements to Strategic Goals:
• Objectives Setting: Determining ERM Strategy. Understanding Corporate Business Strategy.
• Linking ERM Processes to Strategic Objectives.
• Event Identification and Assessment.
• Setting Mitigation Options.
• Risk Monitoring & Setting Key Risk Indicators.
• Achieving an Integrated ERM Approach.
Objectives Setting: Determining ERM Strategy
Generally, risk is defined as “an uncertain event or condition that, if it occurs, has a positive or negative effect on objectives”
Threats and Opportunities are “the possibility that an event will occur and affect the achievement of the organization's (strategic) objectives”.
Enterprise Risk Management is defined as the systematic approach to identify, categorize, quantify, and proactively deal with all risks within an organization, in order to protect and enhance value.
It is necessary to set and clarify objectives and to define criteria to decide whether an objective has been reached or not, before trying to manage risk.
Risk is related to objectives
ERM Model Component – ERM Framework: COSO ERM – a theoretical framework
The figure below depicts the theoretical framework as designed by the Committee of Sponsoring Organizations of the Treadway Commission.
[Figure: COSO ERM framework components and the question each one answers]
• Internal Environment
• Objectives Setting
• Event Identification: Which events have an influence on our objectives?
• Risk Assessment: How often do they occur and what is their impact?
• Risk Response: How do we respond? What are our possible control activities?
• Control Activities and Assurance: Are our control activities carried out properly and in a timely manner?
• Information & Communication: Do we have the right management information? How do we communicate to our employees?
• Monitoring: Is our framework functioning? Do we have to reconsider steps?
“Risk Appetite” is one’s willingness to accept risks in pursuit of value. Risk appetite depends on an organization’s ERM Aspirations (or ambition level) with respect to managing the risk, which in turn depends on the company’s strategic objectives, priorities and current ability to take risks.
[Figure: Risk Appetite. Axes: Expected net return (revenues minus cost of risk control measures) and Level of Residual Risk Exposure. Profiles shown: Risk Minimizer, Risk Optimizer, Risk Taker, Return Maximizer.]
Profile descriptions shown in the figure:
• Manage risks at all cost, even if this means that potential profit is less.
• Optimize the balance between residual risk and costs to manage risks.
• Use all efforts to influence the positive outcome of events, even if this means a higher risk exposure.
Implicit Risk Appetite: Approach
The As-Is assessment captures each Department’s perception of:
• How much the Department is exposed to each risk sub-category.
• How mature the corresponding risk management processes are.
From this information, management will estimate the implicit (inherent) risk appetite. This will be a starting point for setting the organizational explicit (desired) risk appetite and translating it into a risk strategy.
Implicit risk appetite will be estimated by:
• Calculating organization-wide scores for each risk sub-category
• Comparing inherent risk to risk management maturity
• Comparing residual risk to the effectiveness of risk management
Risk Appetite – Explicit Risk Appetite
[Figure: risk categories positioned by Expected net return (revenues minus cost of risk control measures) and Level of Residual Risk Exposure, across the Risk Minimizer, Risk Optimizer, Risk Taker and Return Maximizer profiles. Categories plotted: Health & Safety Risk, Information Systems Risk, HR Risk, Strategic Risk, Internal Process Risk, Technology Risk, Reputation Risk, Legal Risk, Model Risk, Supplier Risk, Environmental Risk, Political Risk, and the low inherent risk categories *. Two labels in the figure read [ NONE ].]
* Risk categories with low inherent risk are: Customer risk, K-Company risk, Volume risk, Price risk, Interest rate risk, Foreign exchange risk, Regulatory and Disaster risk
Copyright @ARiMI 2009
[Figure: linking group objectives to performance management and risk management]
Organization Group Objectives (Vision, Mission, Values):
• Drives Strategy
• Drives Key Objectives
Determine Business Model. Define stakeholders. Value creation; value capturing; value sustainability.
PERFORMANCE MANAGEMENT
• Key Performance Indicators (KPIs)
• Perspectives: Financial, Customer, Internal Processes, HSE, Learning & Innovation
• Identify Critical Success Factors (Key Function of Project: Key Process & Resources)
RISK MANAGEMENT
• RISK IDENTIFICATION: What factors impact our objectives and ability to succeed by disrupting key resources and processes?
• TREATMENT PLANS: What controls do we need to put in place to mitigate our risks?
• Key Risk Indicators (KRIs)
• Key Control Indicators (KCIs)
• Critical success and failure causes/factors
• Perspectives: Financial, Customer, Internal Processes, HSE, Learning & Innovation
Knowledge Management
Objectives Setting: Understanding Corporate Business Strategy
Business Model
1. How to create and grow value?
2. How to capture part of the value?
3. How to sustain the value over time?
Key activities, processes and resources
A process can be thought of as a measurable, interconnected group of activities that can flow across departments.
A resource is the means available to a company which can be used (incorporated in the firm’s process structure) to accomplish a goal such as increasing production, revenue or profit, etc.
Think out of the box.
• Identify your business objective
Identify resource elements used in each step of process.
Example used from (HR BEST Project) – HR “To Be” Processes document
Draw department Business processes
Linking ERM Processes to Strategic Objectives.
Event Identification & Assessment
Risk identification – Root Cause Analysis (RCA): Risk Tree Map
[Figure: Risk Tree Map. Labels: Crisis (Roots) Causes; Event; Disruption; Key Process or Asset; Crisis Consequences; tolerance. Annotations: “Focus above to prevent Crisis” and “Focus above to manage Crisis”.]
Risk Dimensions
[Figure: Risk Dimensions. Labels: Risk Level; Frequency; Severity; Range of Outcomes; Trigger / Uncertain Events; Risk Drivers/Causes; KRI.]
Key Risk Indicators (KRIs): relate to a specific risk and demonstrate a change in the likelihood or impact of the risk event occurring.
KNPC Risk Assessment Map
Likelihood x Impact = risk degree (low, medium, high, very high)

Likelihood \ Impact   1 - Incidental   2 - Minor   3 - Moderate   4 - Major   5 - Severe
1 - Frequent          Medium           High        High           Very High   Very High
2 - Likely            Medium           High        High           Very High   Very High
3 - Possible          Medium           Medium      High           High        Very High
4 - Unlikely          Low              Medium      High           High        High*
5 - Rare              Low              Low         Medium         Medium      High*
6 - Very Rare         Low              Low         Medium         Medium      High

* If health and safety or environmental impact is severe, then risk elevated to Group Risk Register.
** Where there is a societal risk (to people) the risk is to be designated VERY HIGH.
Linking ERM Processes to Strategic Objectives.
Setting Mitigation Options
Proper Risk Decision Analysis
[Figure: risk decision analysis along a Time Line running from Now across the Planning Horizon. Labels: Risk Drivers / Causes; Risk Issues; Controls (Frequency); Controls (Impact); Decisions; Uncertain Events; Outcomes; Prevent Threats; Minimize Negative Impact.]
Response to Risk
• Avoid (downside potential of risk): Eliminate the risk by preventing exposure to future possible events from occurring.
• Accept (risks that cannot be treated): Maintain the risk at its current level.
• Control (downside potential of risk): Implement policies and procedures to lower the risk to an acceptable level.
• Share (downside and upside potential of risk): Share the risk with another party (e.g. other K-company, contractors or joint venture).
• Transfer (downside potential of risk): Shift the impact of a threat to a third party (e.g. insurance).
• Realize (upside potential of risk): Work to ensure that the uncertain positive event happens. A management choice in circumstances when an exposure may have more value in the future depending on how the future unfolds.
Treat Risks: Detailed Process View
[Figure: risk treatment flowchart, with Communicate & Consult and Monitor & Review shown alongside. Steps: Identify Treatment Options; Assess Treatment Options; Prepare Treatment Plans; Implement Treatment Plans. Decision points: Treat Risk? (Yes / No); Accept Risk? (Yes / No). Options: Avoid; Transfer (all or in part); Reduce Consequences; Reduce Likelihood; Accept; Retain. Other labels: Consider feasibility, costs and benefits; Recommend treatment strategies; Select treatment strategy; Prepare treatment plans; Part transferred; Part retained.]
Risk Mitigation: Taking action (control measures) in order to reduce the probability of occurrence and/or the impact of a risk to below an acceptable threshold.
Linking ERM Processes to Strategic Objectives.
Risk Monitoring & Setting Key Risk Indicators
Risk monitoring consists of measuring the exposure of the company’s objectives to each risk, and keeping track of how the exposure changes over time.
This allows risk behaviour to be observed against Key Risk Indicators (KRIs), which provide an early warning of an increased risk of future losses (proactive measures).
After risks are identified, analysed and integrated into the company’s risk portfolio, the company can decide to:
• Monitor risk behaviour against Key Risk Indicators (KRIs), which allows the initial Risk Assessment to be tuned.
• Accept the risk as per the expected residual risk and risk appetite, then start monitoring against pre-set limits.
• Treat the risk, then set limits in order to examine the effectiveness of implemented mitigation options and take corrective actions to improve future action plans.
Linking Key Risk Indicators to BSC.
Understand Vision, Values, Mission
Determine Business Model
1. How do we create and grow VALUE for our customers?
2. How do we capture a fair share of the VALUE created?
3. How do we sustain the VALUE creation process over time?
Identify Critical Success Factors (CSF)
Key Performance Indicators
Key Risk Indicators
Different Types of Metrics / Indicators:
• Key Management Indicators (KMIs): monitor the evolution of achievement of specific business objectives (e.g. volumes of business, share price, revenue, earnings, etc.).
• Key Performance Indicators (KPIs): monitor changes in performance of business / operational activities / processes that have an impact on specific business objectives.
• Key Risk Indicators (KRIs): relate to a specific risk and demonstrate a change in the likelihood or impact of the risk event occurring.
• Key Control Indicators (KCIs): relate to monitoring a control’s application and effectiveness.
Metrics:
• “An objective measure used to quantify an associated risk”
• Something observed or calculated that is used to show the presence or state of a condition or trend; an instrument or gauge that measures something and registers the measurement; something such as a light, sign, or pointer that gives information.
Risk Dimensions
[Figure: Risk Dimensions with indicators. Labels: Risk Level; Frequency; Severity; Range of Outcomes; Trigger / Uncertain Events; Risk Drivers/Causes; Controls; KRI; KCI; KMI; KPI.]
Iterative Risk Process at Every Level
[Figure: integrated risk process applied top down and bottom up. Levels: Vision and Mission; Strategic Objectives and Measurements (Financial; Customer & Social; HS&E; Internal; Learning & Innovation); Business Unit Operational Plans and Measurements; Day-to-day Operations and Decision Making. Risk labels: Strategic Risk; Tactical Risk.]
Risk Process:
• Identify
• Assess
• Develop Plan
• Implement
• Monitor
Achieving an Integrated ERM Approach
Sub-Category: Operational Risk
Operational Risk is the risk arising from (inadequate) physical infrastructure (asset failure), risk control measures and / or risk infrastructure (process failure)
Risk Sub-Category: Definition
• Health and safety risk: the risk related to people’s health and safety
• Human resources risk: the risk arising from inadequate or inappropriate use of human resources
• Internal process risk: the risk related to internal business processes
• Information systems risk: the risk related to IT systems and technology
• Reputation risk: the risk of change in public opinion that impacts the organization
• Model risk: the risk arising from wrong assumptions used in forecasting and budgeting models
• Legal risk: the risk arising from lack of using enforceable laws in contracts or other arrangements
• Environmental risk: the risk arising from noncompliance with environmental laws
• Technology risk: risks of not capturing technology changes or failure to implement technology
Sub-Category: Credit Risk
Credit Risk is the risk arising from the inability of a counterparty to meet a payment or delivery commitment
Risk Sub-Category: Definition
• Customer: the risk arising from the inability of a customer to meet a payment commitment
• K-Company: the risk arising from the inability of a sister company to meet a payment or delivery commitment
• Supplier: the risk arising from the inability of a supplier to meet a delivery commitment
Sub-Category: Market Risk
Market Risk is the risk arising from an unexpected change in market variables
Risk Sub-Category: Definition
• Volume risk: the risk that the quantity of goods sold, or available for purchase, will not match original estimates
• Price risk: the risk arising from volatility of market prices
• Foreign exchange risk: the risk arising from volatility of foreign exchange rates
• Interest rate risk: the risk arising from deviation of business financing costs from original estimates
Sub-Category: Business Risk
Business Risk is the risk arising from unexpected changes in the internal and external business environment
Risk Sub-Category: Definition
• Strategic risk: the risk of inability to formulate or execute a successful business strategy in the organization
• Political risk: the risk arising from the actions of local, regional, or national governments or special interest groups
• Regulatory risk: the risk arising from unexpected changes to local, regional, or national law
• Disaster risk: the risk arising from (natural) catastrophic events (earthquakes, floods)
Before we identify and assess our risks:
Understand KNPC Objectives:
Critical success factors: Providing competitive advantage against other competitors
Organizational Strategy Map
[Figure: organizational strategy map across the Financial, Customer and Social, HSE, Internal, and Learning & Innovation perspectives.]
CORPORATE BALANCED SCORECARD: Proposed targets
Columns: No.; Proposed Measures; Lg/Ld; Freq.; FY 07/08 Actual; FY 08/09 Actual; FY 09/10 Actual; Annual Target (Thresh., Goal/Target, Stretch.); Weight (%)
FINANCIAL PERSPECTIVE
1 ROACE (%) Lg QTR
CUSTOMER & SOCIAL PERSPECTIVE
2 Product Shipment Customer Satisfaction Index {PSCSI} (%) Lg QTR
3 Percentage of Kuwaitis in KNPC Lg QTR
4 Local Content Index (Share of Capex + Opex + Charity spending locally), MMKD(1) Lg QTR
H S & E PERSPECTIVE
5 Fatal Cases (KNPC + Contractors), # Lg QTR
6 Lost Time Injuries Rate, #/200,000 hrs Lg QTR
7 Number of Environmental Incidents, # Lg QTR
INTERNAL PERSPECTIVE
8 Refineries EDC Utilization (%) Ld QTR
9 Risk Index, # (Risks to be Augmented) Lg QTR
LEARNING & INNOVATION PERSPECTIVE
10 Annual Spent on R&T, 000 KD Ld QTR
Minimum=0, Base=400, Goal=800, Maximum=1200
TOTAL WEIGHT % = 100.0%
What is Risk?
[Figure: Risk = Loss? Risk = Gain?]
There are two sides of Risk…
Risk is an intrinsic part of Business. Without Risk! No Business Opportunities
• Risk is the threat that an event or action will adversely affect an organization's ability to maximize shareholder value and achieve its business objectives.
• Risk arises as much from missed opportunities as it does from possible threats.
• The chance of something happening that will have an impact on objectives.
What is Risk? Definition & Components
• Risk can be expressed as a probability distribution.
• Risk = Variance in outcome from expected.
• Risk = Catastrophic Downside.
• Risk = Upside Opportunities.
• Risk = Uncertainty.
Example: Risk of Car Accident
Risk event: Car Accident
Causes (Why?):
• Leaving late to work
• High speed
• Defect on alarming system
• System oil leak
• Defect on brake system
• Bad brake pads
• Bad tire conditions
Consequences:
• Injury
• Death
• Car damage
Controls on causes:
• Always leave 15 – 30 min earlier.
• Fix alarming system & speedometer.
• Fix brake system & oil leaks if any.
• Check oil level once a week & car fluids.
• Examine car brakes before driving.
• Change brake pads on a regular basis.
• Change car wheels regularly & check wheel condition before driving.
• Clear the path between the accelerator & the mat.
Controls on consequences:
• Always fasten safety belt.
• Check airbag system regularly.
• Buy car insurance according to your tolerance.
• Buy life insurance.
Indicators (to be loaded in Avanon system):
• KRI = No. of speeding tickets received during the year
• KCI = No. of times I left late during the month
• KRI = No. of defects found during the month
• KCI = No. of services delayed/postponed
• KPI = No. of accidents during the year
• KCI = xxxxxxxxx
Treating Risks – Identifying Treatment Options
With respect to Causes:
• Review guidelines to see if the risk is already treated or referenced by a standard, guideline… (HSE, Construction, Finance, IT)
• Understand immediate causes and look to understand underlying factors (root causes)
• Root causes could include beliefs, policies, practices.
• Causes may be outside of the organization and therefore outside of the control of the organization
• Stress test causes to see which is the main driver of risk
[Figure: Causal Factors (1. One, 2. Two, 3. Three, 4. n), Risk, and Consequences (1. One, 2. Two, 3. Three, 4. n). Treatment labels: Modify Likelihood; Treat Consequences.]
Consequences:
• What post-risk activity could be taken to alleviate the consequences?
• Includes practices: Contingency Planning, Business Continuity
• How can financial losses be dealt with?
Understand Organization Business Models
Understand Mission, Vision, Values
Determine Business Model
1. How do we create and grow VALUE for our customers?
2. How do we capture a fair share of the VALUE created?
3. How do we sustain the VALUE creation process over time?
Identify Critical Success Factors (CSF)
Diagnostic: Identify & Analyze Risks
Audit: Check it is working!
Treatment: Select & Implement Solution
Economic Environment
Physical Resources Environment
Political Climate
Human & Social Factors