building enterprise risk management - sas

Copyright © 2015, SAS Institute Inc. All right reserved.

Building Enterprise Risk

Management

in industrial company

Copyright © 2015, SAS Institute Inc. All right reserved.

Integrated Risk Management Model

GOAL:

Key elements:

Increased spread of

risk management into

business processes

Comprehensive

view of business

risks

Strengthening the

culture of risk

management

Risk Governance Risk ReportingProcess

Copyright © 2015, SAS Institute Inc. All right reserved.

Risk governance

Definition of risk management guidelines

Second Level

Risk Control

Functions

First Level

Management

– risk owner

Third Level

Independent

assurance

provider

General frameworks

By-lawsCode of

ethics

Code of

conduct

COSO

Report

Framework

Regulatory

systemetc.

Copyright © 2015, SAS Institute Inc. All right reserved.

Risk governance (continued)

Board of

Directors

CEO

Integrated Risk

ManagementInternal Audit

CFO Staff Function

P&C and Focal Point

RMI Business Corp

Control and Risk

Committee

Risk Committee

Risk Specialist Chief business

…

P&C Focal Point RMI Business Function …

Risk Specialist

…

1

2

3

4

5

Control and Risk Committee1

Risk Committee2

Integrated Risk Management (IRM) 3

Planning & Control Functions 4

Risk Specialists5

Copyright © 2015, SAS Institute Inc. All right reserved.

RMI Process

Risk Assessment & Treatment

Monitoring & Reporting

Guidance for risk

management

Copyright © 2015, SAS Institute Inc. All right reserved.

Risk Assessment & Treatment

Copyright © 2015, SAS Institute Inc. All right reserved.

Risk Assessment & Treatment

Specific treatment plans are defined for “top

risks”, should they require additional

mitigation. The treatment plan provides

detailed information on:

1. treatment strategy;

2. treatment action(s) to be adopted;

3. timing of implementation;

3. responsibilities for the implementation;

4. possible key indicators to monitor the risk

and the status of implementation of treatment

actions.

Copyright © 2015, SAS Institute Inc. All right reserved.

Monitoring and Reporting

The RMI function, with the support of corporate and

business area Planning and Control functions,

defines Key Indicators (KRIs, KCIs, KPIs) to:

• monitor eni Top Risks (e.g. trends, emerging risks,

etc.);

• supervise degree of implementation or Treatment

Plans;

• detect any improvement areas.

Risk Register

Monitoring Dashboard

Copyright © 2015, SAS Institute Inc. All right reserved.

Monitoring and Reporting

BoD

Control and risk committee/

Board of statutory auditors

CEO

Risk Committee

Management (as risk owner or risk specialist)

Risk examination

Risk sharing

Risk identification

and evaluation

Copyright © 2015, SAS Institute Inc. All right reserved.

PLANNING AND CREATION OF BUSINESS OBJECTIVES

Copyright © 2015, SAS Institute Inc. All right reserved.

ASSOCIATING THE STRATEGY TO THE RISKS AND

RELATED OBJECTIVES

Drill Strategy

Drill to related risks

Copyright © 2015, SAS Institute Inc. All right reserved.

VISUALISATION OF STRATEGY (INCLUDING OBJECTIVE

AND SUBOBJECTIVES RELATED)

Drill to view Objective details

Drill sub-objective

Copyright © 2015, SAS Institute Inc. All right reserved.

Drill to objective

RISK REGISTER

Copyright © 2015, SAS Institute Inc. All right reserved.

Drill graphical Link Analysis

RISK REGISTER DETAIL

Copyright © 2015, SAS Institute Inc. All right reserved.

LINK ANALYSIS

Copyright © 2015, SAS Institute Inc. All right reserved.

ASSESSMENT PLANNING

Copyright © 2015, SAS Institute Inc. All right reserved.

DETAILED ASSESSMENT

Copyright © 2015, SAS Institute Inc. All right reserved.

Identified issues

Drill related KRIS

Drill linked causes

DETAILED ASSESSMENT

Copyright © 2015, SAS Institute Inc. All right reserved.

TREND KRIS RELATED TO THE RISK REGISTER

Copyright © 2015, SAS Institute Inc. All right reserved.

ISSUES DETAIL VIEW

Copyright © 2015, SAS Institute Inc. All right reserved.

CORRECTIVE

ACTION PLANS