Organisational risk management
Anton Usher
19 March 2014
Overview
• A whistle stop risk review
• Risk in Australian corporate governance
• The benefits of organisational risk maturity
• Risk management and in-house counsel
  • The evolution of in-house counsel’s role
  • In-house counsel’s contribution to risk management
• Integrating risk management within your organisation
  • Using an enterprise risk management framework
  • Using a compliance framework
  • Using a risk based internal auditing approach
• Key takeaways
A whistle stop risk review
A global view: top risks in 2013

Aon global | Lloyds global | Deloitte global | Aon Asia-Pac
Economic slowdown / slow recovery | High taxation | Economic trends | Brand & image
Regulatory / legislative changes | Loss of customers / cancelled orders | Business model | Market environment (economic slowdown)
Increasing competition | Cyber risk | Reputation | Regulative / legislative changes
Damage to reputation / brand | Price of material inputs | Competition | Business interruption
Failure to attract or retain top talent | Excessively strict regulation | Human resources |
Failure to innovate | Changing legislation | Lack of innovation |
A selected industry view: top risks in 2013

Industry | 1st risk concern | 2nd risk concern | 3rd risk concern
Banks, Insurance, Investment & Finance | Regulatory / legislative changes | Economic slowdown | Brand & image
Education & not for profit | Regulatory / legislative changes | Brand & image | Human resources
Government | Political risk & uncertainties | Human resources | Business interruption
Utilities | Political risk & uncertainties | Regulatory / legislative changes | Natural disasters
Natural resources | Property damage | Environmental risk | Commodity price risk
Non-aviation Transport Services | Economic slowdown | Human resources | Injury to workers
Risk in Australian Corporate Governance
Increasing risk management prominence (1)
(Proposed) third edition of ASX Corporate Governance Principles and Recommendations
Increases risk management prominence by recommending listed entities:
• establish a risk committee
• undertake risk management reviews at board / board committee level at least annually
• disclose whether, and if so how, they have regard to economic, environmental and social sustainability risks
Increasing risk management prominence (2)
New APRA risk governance measures:
• New Risk Management standard - CPS 220
• Revised Governance standard - CPS 510
Increases risk management prominence by requiring:
• a separate board risk committee & designated CRO
• a risk management framework that:
  • includes a risk management appetite and strategy
  • addresses material risk (financial, operational, strategic)
  • adopts a ‘three lines of defence’ risk governance model
• annual risk management declarations and three yearly risk management reviews at board risk committee level
Risk governance: three lines of defence model
Source: Draft Prudential Practice Guide CPG 220 Risk Management, APRA, January 2014, p19.
The benefits of organisational risk maturity
Prosperity is connected to risk maturity
[Chart: prosperity plotted against risk management maturity, with maturity rising through the stages Lacking, Basic, Defined, Operational and Advanced]
Some characteristics of risk maturity
• Board set risk management strategy & commit to it being critical in decision making
• A senior executive drives & facilitates implementation of risk management
• Transparency of risk communication
• Risk culture encourages full engagement & accountability at all levels
• Risk identification uses internal & external information
• Operational & financial risk information included in decision making processes
• Risk & risk management options are leveraged to extract value
Risk management & in-house counsel
Evolution of in-house counsel’s role
An Australian in-house counsel survey (% response)

What does your executive team expect from you?
• Contributions to risk management: 75%
• Help in making commercial decisions: 51%
What recent development has most impacted your role?
• Technological developments: 66%
• Increased regulations: 53%
What is the greatest challenge for in-house counsel?
• Maintaining a work/life balance: 32%
• Keeping pace with legislative changes: 32%
In-house counsel’s contribution to risk management
HELP your Executive/Board answer these questions:
• Do we have a handle on critical organisation risks and our ability to respond?
• Is the top-down strategic view of critical organisation risks right?
• Is the effort being put into risk processes aligned with the risk priorities?
• Are our systems and people capable of responding to these risks?
• Is risk management “built into” the way we do business or is it “added-on”?
USE an enterprise risk management approach that is:
• Consistent with ISO AS/NZS 31000
• Tailored to your organisation
• Practical and value adding
Integrating risk management
Enterprise risk management framework
Identifying risks that matter
[Diagram, labels: Successfully achieved corporate objectives; Risks that matter; Risks that don’t matter]
A risk to successful delivery of objective
[Diagram, labels: Objective; Critical success factor 1; Critical success factor 2; Risk]
Using sources of risk to identify risk
External:
• Stakeholders
• Community
• Political / Government
• Clients
• Suppliers
• Competitors
• Reputation
• Regulatory / contractual
Internal:
• Stakeholders
• Strategic and business
• Budgetary
• Governance
• Legal
• IT
• Human resources and skills
• Knowledge management
• Change management
An example risk
Objective: Reduce workers compensation premium by 10% by FY14/15 renewal
Critical success factors:
• Existing claims liability reserves are reduced
• Systemic claim causes are mitigated
Risk: poor incident data quality
Use a heat map to assess and report risk
Using a compliance framework
A compliance framework defines what you:
• HAVE to do (legal and regulatory obligations)
• WANT to do (organisational requirements)
• VOLUNTARILY do (organisational commitments)
An empowering compliance framework
Compliance = achieving business objectives safely
[Diagram of the compliance framework; its labels are:
GOVERNING BODY
Guidance; Enablement; Reinforcement
CHANGE MANAGEMENT & CONTINUOUS IMPROVEMENT
Management Direction; Key Performance Indicators
Empowered, Accountable Employees / Agents / Service Providers
EXTERNAL OBLIGATIONS (Law, regulations, guidelines, codes etc)
LEADERSHIP, PEOPLE, ACCOUNTABILITIES: Core Business Functions
POLICIES, PROCEDURES, TRAINING: Policies; Processes / Procedures / Training
MONITORING & REPORTING: Measurement Reporting & Risk Profiling; Controls Self-Assessment (CSA); External Audit & Reviews]
Prioritising legislative compliance obligations
Why use a risk based internal auditing approach
Risk based internal auditing (RBIA):
• is independent and objective
• evaluates and improves risk management effectiveness
• helps achieve corporate objectives
RBIA adds value
RBIA is linked to the risk assessment process
RBIA focusses on:
• areas of high risk
• key control systems for high risk areas, testing:
  • control design – operational effectiveness
  • control operation – operational compliance
Use risk based internal audit ratings
Internal audits should be given overall risk ratings reflecting the level of inherent risk associated with the activity within the audit scope and the effectiveness of internal controls.
Key takeaways
• Risk management is becoming more prominent in Australian corporate governance
• Risk mature organisations do better
• In-house counsel has a key role in contributing to effective organisational risk management
• Enterprise risk management adds value by:
  • prioritising risk mitigation effort
  • prioritising and helping to ensure compliance obligations are met
  • helping to ensure risk mitigation effectiveness
  • helping to achieve corporate objectives
Thank you