TRANSCRIPT
Malaysia Institute of Accountants (MIA) Regional Conference 2009
Creating and Sustaining Enterprise Value – the ERM Journey
10-11 August 2009
Presenter: Jomar Nieva (ERM and Consulting Lead, Protiviti South East Asia)
1© 2009 Protiviti Inc. An Equal Opportunity Employer.CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.
How much do you know about Enterprise Risk Management (ERM)?
1. “What’s that?...”
2. “I’ve heard/read about it…”
3. “I know the basics, but…”
4. “I know enough to implement it in my company…”
Exploring Opportunities, Inspiring Growth Towards Sustainability
Enterprise Risk Management
Our Conference is All about Managing Risk for Sustainable Growth
Our Agenda
• The ERM Journey – Moving from Theory to Practice
• Common Failures of Risk Management
• A Capability Maturity Perspective for ERM
• Embedding Risk Management within Your Organisation
• Question and Answer
Key Take-Aways
• Why care about risk management?
• What are the risks that you face?
• What risks are you accountable for?
• How effective is your organisation in managing risk?
• Do you know your role in effective risk management?
About Protiviti
Quick Facts about Protiviti
• Protiviti is a global business, risk consulting and internal audit organization
• Approximately 3,000 professionals in 60 offices in 17 countries.
• The organisation currently serves approximately 25 percent of both FORTUNE® 500 and Global 1000 corporations
• One of the largest and most significant risk consultancies in the world.
• Kennedy Information cited Protiviti as the sixth-largest risk consulting firm, behind the Big Four accounting firms and IBM.
• In Kennedy’s study, Protiviti was named the “leading so-called pure play risk consultant.”
Risk Consulting is our Business
The Protiviti “Difference”
Boutique:
• Responsive client service
• Free from SEC restrictions
• Better teaming with external auditors
• Independent from attest & tax services
• Focus on core offerings
Big Four / Andersen:
• Methodologies & tools
• Experienced professionals
• Depth of risk consulting services
• Financial & management stability
• Recognized
• Global presence
Protiviti combines the strengths of the large consulting companies and independent alternatives…without compromise
Quick Facts About Myself
• Business Risk and Corporate Governance Consultant
• Leads the ERM practice for Protiviti in South East Asia
• 15 years of international work experience in Asia
• Career Experience: Uniden (Japan), SGV Consulting (Phil), Andersen Business Consulting (Australia), KPMG Consulting (Singapore)
• Industrial Engineer / MBA (AGSM - UNSW)
• First time in Sarawak (Great Place!)
Our Thought Leadership
• Advancing Risk Management Capability Using ORM and ERM Frameworks
• Risk Barometer
• Protiviti ERM Special Report - Strategic Risk Magazine
• Guide to Enterprise Risk Management: Frequently Asked Questions
• Building Enterprise Risk Management on the Foundation Laid by Sarbanes-Oxley
• “Which Comes First…Managing Risk or Strategy Setting? Both!”
• Protiviti’s Enterprise Risk Management in Practice: Profiles of Companies Building Effective ERM Programs
KnowledgeLeader™
KnowledgeLeader is a subscription website with tools, best practices, white papers, risk models, and other materials that you can use on a daily basis to manage risk and improve your company's business processes. KnowledgeLeader will help you save time, stay abreast of business and technology risks, and improve your internal controls.
The website is a one-stop-shop for internal audit and risk management information. Information is updated weekly and offers access to hundreds of tools, samples and templates including:
• Audit work programs
• Policies and procedures
• Risk assessment tools
• Process auditing methodologies
• Information technology guidance
• Pre-formatted questionnaires/surveys
Topics addressed by KnowledgeLeader include:
• Internal audit best practices
• Corporate governance
• Audit committees
• Fraud and business ethics
• Technology audit
• Security and privacy
• Control self assessment
• Risk assessment
• Business continuity
30-day free trials are available. Subscription discounts are given to Protiviti clients.
Enterprise Risk Management: Moving From Theory to Practice
Risk Never Sleeps
What is your understanding of “Risk”?
1. “Something that results in monetary loss…”
2. “It’s out there, but we don’t know what it is…”
3. “Anything that can happen in the future…”
4. “It is part and parcel of running a business/ organisation…”
5. “Something adverse and negative…”
We Live In An Increasingly Risky World…
Rapidly changing risk profiles due to:
• Scale, pace and impact of globalization
• New competitive threats
• Operating Complexity
• Recessionary pressures
• Toughening regulatory environment
• Too Big to Fail Companies
• Others: Pandemic Flu, Terrorism, Rogue States
Global Codes of Corporate Governance
• Combined Code of Corporate Governance (UK)
• Sarbanes-Oxley Act 2002
• ASX Principles of Good Corporate Governance and Best Practice Recommendations
• Code of Corporate Governance 2001 (Revised July 2005)
• CVM Recommendations of Corporate Governance (Brazil)
• Guidelines on Corporate Governance Practices by Public Listed Companies (Kenya)
• Corporate Governance Initiative for Economic Democracy in Romania: Corporate Governance Code
Requirements for risk management in Singapore
The need for risk management is implied in…
Companies Act
• Focus on internal accounting controls and safeguarding of assets
• Role of AC in evaluating the effectiveness of internal control systems
SGX Listing Manual
• Focus on disclosure of prospectus-type risk information
• Explanations of deviations from Code of Corporate Governance
• Additional requirements in the Proposed Amendments to Listing Manual
Risk management is recommended as good practice in …
MAS Guidelines on Sound Risk Management Practices
• Applicable to financial institutions
• Best practice guidelines for managing credit, market and liquidity risks
Code of Corporate Governance
• Good practice principles and guidelines in corporate governance
• Board’s roles and responsibilities for internal controls and risk management
Workplace Safety & Health Act
• Risk management is mandated as part of MOM’s Safety & Health Management System.
• Focus is on identification, assessment and control of risks at workplace.
PSCOE Public Sector ERM Guide
• Project initiated by PSCOE to promote the adoption and implementation of ERM in the Public Service.
• A good practice guide, containing case studies and methodology guidance has been published for the public sector.
Change Makes Risk Management a Valuable Strategic Tool
[Figure: Exposure to Risk ($) plotted against Time (2008 to 2011) under CHANGES IN THE OPERATING ENVIRONMENT; labels: Risk Appetite, Existing Risk Management Activities, Comprehensive and Holistic Risk Management, Strategic Management choices and actions, Tactical activities to reduce exposure to acceptable level.]
ERM Builds on Existing Capabilities
“CURRENT STATE” CAPABILITIES (Risk Management, Business Risk Management) to “FUTURE STATE” VISION (Enterprise Risk Management)
Focus
• Risk Management: Financial and hazard risks and internal controls
• Business Risk Management: Business risk and internal controls, taking a risk-by-risk approach
• Enterprise Risk Management: Business risk and internal controls, taking an entity-level portfolio view of risk
Objective
• Risk Management: Protect enterprise value
• Business Risk Management: Protect enterprise value
• Enterprise Risk Management: Protect and enhance enterprise value
Scope
• Risk Management: Treasury, insurance and operations involved
• Business Risk Management: Business managers accountable
• Enterprise Risk Management: Applied across the enterprise, at every level and unit
Emphasis
• Risk Management: Financial and operations
• Business Risk Management: Management
• Enterprise Risk Management: Strategy-setting
Application
• Risk Management: Selected risk areas, units and processes
• Business Risk Management: Selected risk areas, units and processes
• Enterprise Risk Management: Enterprise-wide to all sources of value
Protiviti’s Point of View
ERM is about establishing the oversight, control and discipline to drive continuous improvement of an organization’s risk management capabilities in a constantly changing operating environment.
Think continuous improvement; NOT silver bullet
ERM Is About Embedding a Risk Culture – To Do This, You Need To Do Two Things Well
[Diagram: ERM Implementation, labelled CULTURE, PROCESS and CONTENT. Risk Management Framework: “Is there a framework to pro-actively manage risks on an ongoing basis?” Risk Identification, Assessment and Treatment: “What are the risks and how significant are these?”]
The Financial Crisis
“A Wake Up Call for Risk Management”
Systemic changes in the financial system enabled the debt binge
• Development and use of complex models, which fueled the rise of PhDs in financial institutions
• Emergence of innovative financial products
• Rise in hedge funds
• Dramatic increases in bank executive management compensation levels
[Chart: Growth of Assets and Leverage in the Hedge-Fund Industry. Source: Credit-Suisse 2008Q4 Projections]
Questions to Ponder
• Why did executives and boards not exercise more oversight?
• Why did CFOs and Treasuries not highlight emerging financial risks?
• How come financial models written by prize-winning PhDs did not predict the financial crisis?
• Why did audit risk assessments, financial controls and corporate governance activities not reveal the extent of the crisis?
• Where were the internal and external auditors?
• Did the rating agencies fail to adequately understand, assess and report on risks taken by these companies?
Did Risk Management Fail?
“…the financial crisis is the result of a failure of risk management [in the banking and securities markets] at a colossal scale… We may need to tear up the manual of enterprise risk management and start all over” – Insurance Information Institute
“All I can say is, beware of geeks… bearing formulas” – Warren Buffett during an interview with PBS. The Public Broadcasting Service (PBS) is an American non-profit public broadcasting television service.
Every company or person involved in the financial crisis was making bets. Do you know what they were?
Common Failures of Risk Management
Jerry Seinfeld: On Risk Management
A risk is defined as an occurrence that has a negative impact on the…
1. Achievement of organisations’ objectives
2. Bottom-line
3. Morale of the staff
4. Operations of the organisation
Common Risk Management Mistakes
1. Poor governance and “tone at the top”
2. Reckless Risk Taking
3. Nonexistent, inefficient or ineffective risk assessment (Enterprise List Management)
4. Lack of understanding of, or inability to implement, enterprise risk management
5. Not integrating risk management with strategy setting and enterprise performance management
– CFO Magazine, 2 March 2009
Not Defining Risk Appetite and Tolerances
[Diagram: Governance layer: Strategy and Risk Appetite. Execution layer: Objectives and Risk Tolerances.]
A risk is defined as an occurrence that has a negative impact on the…
1. Achievement of organisations’ objectives
2. Bottom-line
3. Morale of the staff
4. Operations of the organisation
What Keeps You Awake At Night?
Case Study: New Technology (Strategic Risk)
Strategic Risk: Failure to anticipate changes in new technology
• Event: Polaroid was a leader in instant camera technology in the 1980's.
• The company filed for federal bankruptcy protection on October 11, 2001.
• This bankruptcy was widely believed to be the result of the failure of its senior management to see the effect of digital cameras on its film business, a fate that also befell its primary rival, Kodak.
Case Study: Sabotage (Reputation Risk)
• In 1982, Johnson and Johnson experienced a major crisis when it was discovered that numerous bottles of its Extra-Strength Tylenol capsules had been laced with cyanide.
• By the end of the crisis, seven people had died. The share price and market share were hit.
Note: How Johnson and Johnson dealt with this situation set a new precedent for crisis management. The company was lauded for its quick decisions and sincere concern for its consumers.
Case Study: Pollution
• Nucor Corporation Inc. failed to control the amount of pollution released from its steel factories in seven US states
• Spent nearly $100 million to settle an environmental suit
Case Study: Safety Risk
• A number of workers from the Ranger Uranium Mine, a mine operated by a Rio Tinto subsidiary, were exposed to unsafe levels of uranium.
• Workers drank water contaminated with levels of uranium 400 times the safe maximum under Australian standards (OHN 587).
• The mine will face landmark charges, which have been brought for the first time under the Northern Territory Mining Management Act 2001
Case Study: Accounting Fraud
• Overstatement of profit
• Inflation of revenue
• Poor risk management
• Criminal breach of trust
• Fraudulent / forged documents
• Weak internal controls
Other questions to ask yourself
1. What level of risk should I take?
2. What risks should I prioritise?
3. How should I manage those risks?
Sample Risk Map
[Figure: 5 x 5 risk map. Horizontal axis IMPACT: Insignificant, Minor, Moderate, Major, Catastrophic. Vertical axis LIKELIHOOD: Remote (10%), Unlikely (25%), Reasonably Possible (50%), Probable (75%), Almost Certain (90%). Cell ratings: Low, Low to Moderate, Moderate, Moderate to High, High, Very High. Risks are plotted on the map by letter code.]
Risk key: A Performance Monitoring; C Cost Management; D Disaster recovery; G Change Management; K HR Knowledge capital; L Regulatory Compliance; M Business Model; N Client Retention; O Communication; P Product Development; R Resources Allocation; T Technology Support; U Reputation; V Security/Vulnerability; X Performance Execution
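The risk map above rates each risk by the cell where its likelihood band and impact level meet, and the earlier slide on not defining risk appetite and tolerances is about what you do with that rating. The following Python is an added example, not part of the deck or Protiviti's material: it scores a small register against the map's axes and returns the risks that sit above a stated tolerance, highest first. The likelihood bands and percentages and the impact and rating labels are taken from the map; the cell-to-rating matrix, the register entries and where each risk is placed are constructed assumptions for illustration.

```python
"""Scoring a risk register against a likelihood/impact map and a stated tolerance.

Added example, not from the Protiviti deck. The likelihood bands (with the
percentages printed on the deck's axis), the impact levels and the rating legend
come from the sample risk map; RATING_MATRIX, the REGISTER entries and their
placement are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Likelihood axis of the sample risk map: band -> probability (deck values).
LIKELIHOOD_BANDS = {
    "Remote": 0.10,
    "Unlikely": 0.25,
    "Reasonably Possible": 0.50,
    "Probable": 0.75,
    "Almost Certain": 0.90,
}

# Impact axis of the sample risk map, lowest to highest.
IMPACT_LEVELS = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]

# Rating legend used on the map, lowest to highest.
RATINGS = ["Low", "Low to Moderate", "Moderate", "Moderate to High", "High", "Very High"]

# ASSUMPTION: which cell carries which rating. Rows follow LIKELIHOOD_BANDS order
# (Remote first); columns follow IMPACT_LEVELS order (Insignificant first).
RATING_MATRIX = [
    ["Low", "Low", "Low to Moderate", "Moderate", "Moderate to High"],
    ["Low", "Low to Moderate", "Moderate", "Moderate to High", "High"],
    ["Low to Moderate", "Moderate", "Moderate to High", "High", "High"],
    ["Moderate", "Moderate to High", "High", "High", "Very High"],
    ["Moderate to High", "High", "High", "Very High", "Very High"],
]


@dataclass(frozen=True)
class Risk:
    key: str          # one-letter code, as on the map
    name: str
    likelihood: str   # a LIKELIHOOD_BANDS key
    impact: str       # an IMPACT_LEVELS entry


def rate(risk: Risk) -> str:
    """Look up the map cell for a risk; reject labels that are not on the axes."""
    if risk.likelihood not in LIKELIHOOD_BANDS:
        raise ValueError(f"unknown likelihood band: {risk.likelihood!r}")
    if risk.impact not in IMPACT_LEVELS:
        raise ValueError(f"unknown impact level: {risk.impact!r}")
    row = list(LIKELIHOOD_BANDS).index(risk.likelihood)
    col = IMPACT_LEVELS.index(risk.impact)
    return RATING_MATRIX[row][col]


def exposure(risk: Risk) -> float:
    """Probability x impact rank (1..5): a tie-breaker for risks sharing a rating."""
    return LIKELIHOOD_BANDS[risk.likelihood] * (IMPACT_LEVELS.index(risk.impact) + 1)


def prioritise(risks: List[Risk], tolerance: str) -> List[Risk]:
    """Risks rated above the stated tolerance, highest rating (then exposure) first.

    A risk rated exactly at the tolerance is within appetite and is not returned.
    """
    limit = RATINGS.index(tolerance)
    above = [r for r in risks if RATINGS.index(rate(r)) > limit]
    return sorted(above, key=lambda r: (RATINGS.index(rate(r)), exposure(r)), reverse=True)


# Constructed register using the map's letter codes; placements are assumptions.
REGISTER = [
    Risk("V", "Security/Vulnerability", "Reasonably Possible", "Major"),
    Risk("D", "Disaster recovery", "Unlikely", "Catastrophic"),
    Risk("U", "Reputation", "Remote", "Major"),
    Risk("C", "Cost Management", "Probable", "Minor"),
    Risk("O", "Communication", "Almost Certain", "Insignificant"),
]


def report(risks: Optional[List[Risk]] = None, tolerance: str = "Moderate") -> List[Tuple[str, str]]:
    """(key, rating) pairs for the risks that need treatment, in priority order."""
    if risks is None:
        risks = REGISTER
    return [(r.key, rate(r)) for r in prioritise(risks, tolerance)]


if __name__ == "__main__":
    for key, rating in report():
        print(key, rating)
```

With the assumed matrix and a "Moderate" tolerance, the Security/Vulnerability and Disaster recovery risks come out first (both rated High), Cost Management and Communication follow (Moderate to High), and Reputation is left inside appetite. Changing only the tolerance argument shows why the deck lists not defining it as a failure: without it, the map alone cannot say which risks need treatment.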
Risk Assessment Best Practices
• Link back to key objectives
• Understand the organization’s culture
• Use a common risk language
• Understand the organization’s risk appetite and communicate that appetite
• Use consistent assessment criteria
• Involve all key stakeholders
• Encourage information sharing and dialogue
• Continually refine value of improving risk management capabilities
DEFINITION: Risk appetite is the overall level of risk an entity is willing to accept as it pursues value creation objectives, strategies, and performance goals.
Best Practice: Strategy and Risk Articulation Map
Who should be responsible for managing risks?
1. Board of Directors / Chairman
2. The CEO
3. The Risk Manager
4. The Finance Department, Director
5. Everyone
A Capability Maturity Perspective of ERM
If your risk management framework was a car today, what would it be? i.e. The Current State
1. Hyundai
2. Ferrari
3. Toyota
4. Volvo
5. Proton
Where are you in the ERM Journey?
[Diagram: the ERM Value Proposition along INCREASING RISK MANAGEMENT CAPABILITIES, read from bottom to top: Adopt common language; Assess risk and develop strategies; Establish oversight and governance; Design/implement capabilities; Continuously improve; Quantify multiple risks enterprise-wide; Improve enterprise performance; Establish sustainable competitive advantage. Categories of ERM Journey Elements: FOUNDATION ELEMENTS, PROCESS ELEMENTS, ENHANCEMENT ELEMENTS.]
Don’t forget the importance of change management and cultural alignment during this Journey!
Where are you in this journey?
Implement ERM components through staged improvements
[Diagram: maturity stages Initial, Repeatable, Defined, Managed/Optimizing, with Improved ERM Capabilities accumulating at each stage.]
Improved ERM Capabilities:
• Risk Identification
• Defined process
• ERM responsibilities
• Policy guidelines followed across the organization
• Risk measurement
• Consistent risk reporting
• Enterprise-wide limits
• Common language
• Dedicated resources
• Risk management policy
• Executive mgmt oversight
• Risk sourcing
• Enterprise-wide risk strategies
• Risk diversification exploited competitively
• Quantification of risk versus tolerances
• Integrated risk measurement systems
• Risk measures applied to performance goals
Risk Measurement Alternatives Vary According to Capability
Continuous improvement of ERM Capabilities
Dashboard & Reporting Examples
Risk Management – Lines of Defence
Board
• First line of defence: People - Staff
• Second line of defence: Business Processes & Controls
• Third line of defence: Management Supervision
• Fourth line of defence: Internal Audit
Business Risks – Fraud Risks
What kind of car would you like your risk management framework to be? i.e. The Desired State
1. Hyundai
2. Ferrari
3. Toyota
4. Volvo
5. Proton
Failure #4: Lack of Understanding of, or Inability to Implement, Enterprise Risk Management (ERM)
Key Indicators:
• Lack of executive management support and involvement of the right people
• Lack of clarity as to business motivation, leading to endless dialogue about what and why
• Lack of traction due to delegation of initiative to lower levels in the organization
• Viewing the existing risk management silo functions as “ERM” since they cover the risks
• Initiative is neither enterprise-wide in scope nor strategic in focus
Who should be ultimately responsible for risk management?
1. Board of Directors / Chairman
2. The CEO
3. The Risk Manager
4. The Finance Department, Director
5. Everyone
Convergence of Risk Management and Performance Management
Governance and Risk Management Challenge
[Diagram: questions from Risk Managers, Lines of Business and Management & Executives: “What is the status of our top risks?”, “What risks don’t we know about?”, “Am I on track to reach my goals?”, “Another assessment to fill out?”, “Will we meet analyst / market expectations?”, “What are our top 10 risks?”. Typical responses: send out MS Excels; workshop after workshop; ask for additional input; brainstorm one-off response possibilities; siloed risk thinking; focus only on negative risks. Functions involved: Enterprise Risk Management, SOX Compliance Team, Internal Audit, Revenue Assurance, Business Process Management.]
Multiple, disparate functions responsible for governance and risk management
Enterprise Risk Management - Integrated Framework
ERM is a process, applied in strategy setting and across the enterprise, to identify key events, manage risk within the entity’s risk appetite and provide “reasonable assurance” that key objectives are achieved.
Protiviti’s Performance/Risk Integrated Management Model (PRIM2)
• Primase helps in replicating DNA, essential to sustaining human life.
• Similarly, PRIM2, applied to business, is vital to keeping management’s finger on the pulse of the DNA of the business.
ERM = Risk Management + Strategy Setting + Enterprise Performance Management
PRIM2: A Model for Integrating Risk Management, Strategy Setting and Enterprise Performance Management
An enterprise-wide program that establishes and maintains alignment of strategy, risk management capabilities and performance management processes in a changing operating environment
Breaking Down PRIM2
Aspire – Sets the direction for the enterprise and identifies the capabilities and infrastructure necessary to achieve its ASPIRATIONS.
Protect – Identifies and sources the risks and compliance requirements inherent in the strategy and establishes risk appetite and needed capabilities to PROTECT shareholder value.
Breaking Down PRIM2 (continued)
Enable – A robust technology platform is necessary to ENABLE the effective and timely capture of operating results and their reconciliation to targets.
Aim – Allows the organization to take AIM at reaching its risk-adjusted aspirations by setting key metrics and targets that translate the strategy and risk appetite into performance expectations.
Plan – Integrated business PLANs establish the roadmap for achieving performance expectations and driving tactics and actions to implement the roadmap.
Measure – MEASURE results to monitor and evaluate the progress made towards the achievement of performance expectations.
Achieve – Reinforce and realign strategy and tactics when necessary to ACHIEVE performance expectations.
Explaining PRIM2 from a Process Perspective
GOVERNANCE
• Establish / Maintain flexible corporate structure that can govern in a changing business climate
Strategy, Capabilities and Infrastructure
• Articulate organization’s strategic aspirations
• Define the capabilities and infrastructure needed to execute
Risk Assessment
• Identify risks inherent in strategy
• Identify emerging risks
• Assess and prioritize risks and opportunities
• Source risks
• Establish risk appetite
Key Metrics and Targets
• Establish risk tolerances for specific risks
• Establish key performance indicators (KPIs) and key risk indicators (KRIs)
Integrated Business Planning
• Develop integrated plans to: execute strategy, manage risks, assign ownership
• Develop risk responses
• Allocate risk management resources
Monitoring and Evaluation
• Measure results against KPI and KRI targets
• Monitor and evaluate risk mitigation plans against established tolerances
Realign and Achieve
• Take corrective action if out of tolerance or missing KPI/KRI targets
• Management review
• Dashboard reporting
• Exception escalation
Enterprise Performance Management Infrastructure: supports key metrics integration across all of the above
The Ultimate Goal: Integrating Risk Management, Strategy Setting and Enterprise Performance Management
Lines of Business / Executives / Risk Managers
• Applications to mitigate top risks
• Role-based best practice playbooks
• Enable risk management innovation
• Risk in context of corporate strategy and performance
• Understand true exposure resulting from risk correlation
• Achieve proactive transparency
• Automatic risk identification
• End-to-end risk processes across the value chain
• Become a driver of business change
Failure #5: Risk Management Is Not Integrated with Strategy Setting and Enterprise Performance Management
Key Indicators:
• No connectivity of risk management to key management activities
• No linkage of risk to value with periodic risk assessments rarely impacting business plans
• No effort to anticipate risk scenarios that could derail execution of the strategy
• Poor alignment of risk responses with strategy
• There is unacceptable risk taking or risk-averse activity
What should companies be doing?
The Tenets of a Successful ERM Implementation
“Very Effective” companies are more likely to have:
• Set the foundation
• Integrated risk management with business planning and strategy-setting
• Quantified risk to a greater extent
• Maintained the appropriate balance
• Avoided surprises
• An anticipatory approach to continuous improvement of their risk management capabilities
These companies appear to have taken a comprehensive and holistic approach to managing their risks.
Source: 2007 Protiviti Risk Barometer
Sample of Companies Implementing ERM
Protiviti’s Enterprise Risk Management in Practice: Profiles of Companies Building Effective ERM Programs
In Summary: What Companies Should Be Doing
• Critically assess objectives for embarking on the ERM journey
• Undertake a review of risk management practices
• Re-invigorate, re-vitalise, re-focus efforts if momentum or effectiveness is hampered
• Don’t hesitate to seek advice or leverage on the experience of others.
Sample Implementation Approach and Timeline
Timeline (fiscal year): Q2 2008, Q3 2008, Q4 2008, Q1 2009
Audit Committee Request / Management Research
Formed Steering Committee / Selection of Protiviti / Project Scoping
Project Launch
Phase 1 - ERA: Enterprise Risk Assessment (ERA)
• Risk Identification
• Risk Assessment
• High Level Gap Analysis
Phase 2 - Analysis: Detailed Risk Management Analysis
• Detailed analysis for 1 - 2 high priority risks
• Detailed analysis on current risk management infrastructure
• Development of action plans
Phase 3: Implement Action Plans
Project Management, Communication and Knowledge Transfer
Building Organizational Risk Awareness
The greatest benefit of ERM is…?
1. Increased awareness of risk management
2. Ensure delivery of quality service
3. Be accountable to stakeholders
4. Reduce uncertainty in decisions
5. Allocate resources efficiently
In Closing:
• Enterprise risk management is about sustainability!
• Without risk management, value that has been created cannot be sustained or protected.
“Sustainability is meeting the needs of the present without compromising the ability of future generations to meet their needs.”
Quote from YB Dato Sri Wong Soon Koh (Minister of Finance II, Minister of Environment and Public Health)
Any Questions?
Jomar Nieva
[email protected]
+65 6220 6066
Case Study: Establishing Objectives and Setting the Foundation
Background and Initial Value Proposition:
– Fortune 50 Retailer operating over 1300 stores with annual sales over $45 billion
– Key stakeholders: CFO, Treasurer, Strategic Planning, SOX, Internal Audit, Business Process Improvement and Risk Management
– Initial ERM value proposition:
  – Improve company’s ability to proactively manage risks
  – Maintain competitive advantage over closest industry rival
  – Improve corporate governance
Implementation Approach
Step 1: Perform Enterprise Risk Assessment (ERA)
– Understand Strategic Objectives
  – Gathered Internal audit and strategic planning documents
– Risk identification
  – Developed common risk language with 35 unique risks
  – Conducted 15 executive level risk interviews
  – Identified over 50 risk scenarios
– Risk Assessment
  – Identified top 15 risks to the successful execution of the strategy
  – Facilitated a 4 hour risk assessment session with senior company executives
  – The facilitated risk assessment session identified two high priority risks for further risk mitigation
Step 2: Develop ERM Implementation Roadmap
– Integrate into existing strategic planning and business planning processes
Linking Risks To Strategy Articulation (Case Study)
Expand NA Footprint → Open 20 New Stores → Finding Profitable Locations → Comply With Local Zoning Laws
Client Risk Profile (Case Study)
Risk map: Likelihood of Occurrence (LOW to HIGH) against Impact (LOW to HIGH)
A. Compliance
C. Supply Chain Disruption
D. Image and Brand
E. Political
F. U.S. Economy
G. Competition
H. Customer Wants
I. IT Security
J. Customer Satisfaction
K. Environment
L. IT Infrastructure
M. Cycle Time
N. Real Estate
O. Business Interruption
Scenario Legend: Increasing Exposure / Decreasing Exposure / Neutral
Overall Implementation Benefits (Case Study)
• Confirmed and refined ERM value proposition
• Refined common risk language and risk assessment criteria
• Developed consensus view of organization's highest priority risk
• Developed approach to consistently improve management of high priority risks
• Improved allocation of company resources, including a more targeted Internal Audit plan
• Developed roadmap for integrating ERM into existing risk management activities
• Integrated risk management into strategic planning process
Protiviti Services Overview
Internal Audit Services
• Full Outsourcing
• Co-Sourcing & Special Projects
• IT Internal Audit
• Quality Assurance Reviews
• Internal Audit Transformation
• Audit Committee / CAE Advisory
Risk and Business Consulting Services
Business Operations Improvement
• Revenue Risk
• Supply Chain & Working Capital
• Capital Projects & Construction
• Global Sourcing
• Loss Prevention
• Policy & Strategy Communications
Governance, Risk, & Compliance
• Enterprise Risk Assessment
• Sarbanes-Oxley & Financial Reporting Controls Compliance
• Regulatory Compliance (incl. Anti-Money Laundering)
Finance Transformation
• Finance Remediation & Reporting Compliance
• Finance Process Optimization & Integration
• Corporate Performance Mgmt
Financial Risk Strategy & Management
• Market & Commodity Risk
• Credit Risk
• Operational Risk
• Model Validation
Enterprise Information Management
• Business Intelligence
• Data Mining & Analytics
• Content & Records Management
• Data Mgmt & Information Architecture
IT Solutions
• Enterprise Application Strategy, Selection & Project Risk Mgmt
• IT Organization Effectiveness
• IT Security & Privacy Mgmt
• IT Process Improvement
• Business Continuity Management
• ERP Control Optimization
Litigation, Restructuring, & Investigative Services
• Litigation Consulting
• Discovery Risk Management
• Fraud Risk Management
• Forensics
• e-Discovery
• Financial Investigations
• Corporate Restructuring & Recovery
• M&A Due Diligence
• M&A Integration