Malaysia Institute of Accountants (MIA) Regional Conference 2009

Creating and Sustaining Enterprise Value – the ERM Journey

10 - 11 August 2009

Presenter: Jomar Nieva (ERM and Consulting Lead, Protiviti South East Asia)


© 2009 Protiviti Inc. An Equal Opportunity Employer. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.

How much do you know about Enterprise Risk Management (ERM)?

1. “What’s that?...”

2. “I’ve heard/read about it…”

3. “I know the basics, but…”

4. “I know enough to implement it in my company…”


Exploring Opportunities, Inspiring Growth Towards Sustainability

Enterprise Risk Management

Our Conference is All about Managing Risk for Sustainable Growth


Our Agenda

• The ERM Journey – Moving from Theory to Practice

• Common Failures of Risk Management

• A Capability Maturity Perspective for ERM

• Embedding Risk Management within Your Organisation

• Question and Answer


Key Take-Aways

• Why care about risk management?

• What are the risks that you face?

• What risks are you accountable for?

• How effective is your organisation in managing risk?

• Do you know your role in effective risk management?


About Protiviti


Quick Facts about Protiviti

• Protiviti is a global business, risk consulting and internal audit organization

• Approximately 3,000 professionals in 60 offices in 17 countries.

• The organisation currently serves approximately 25 percent of both FORTUNE® 500 and Global 1000 corporations

• One of the largest and most significant risk consultancies in the world.

• Kennedy Information cited Protiviti as the sixth-largest risk consulting firm, behind the Big Four accounting firms and IBM.

• In Kennedy’s study, Protiviti was named the “leading so-called pure play risk consultant.”


Risk Consulting is our Business

The Protiviti “Difference”

Boutique:

• Responsive client service

• Free from SEC restrictions

• Better teaming with external auditors

• Independent from attest & tax services

• Focus on core offerings

Big Four / Andersen:

• Methodologies & tools

• Experienced professionals

• Depth of risk consulting services

• Financial & management stability

• Recognized

• Global presence

Protiviti combines the strengths of the large consulting companies and independent alternatives…without compromise


Quick Facts About Myself

• Business Risk and Corporate Governance Consultant

• Leads the ERM practice for Protiviti in South East Asia

• 15 years of international work experience in Asia

• Career Experience: Uniden (Japan), SGV Consulting (Phil), Andersen Business Consulting (Australia), KPMG Consulting (Singapore)

• Industrial Engineer / MBA (AGSM - UNSW)

• First time in Sarawak (Great Place!)


Our Thought Leadership

• Advancing Risk Management Capability Using ORM and ERM Frameworks

• Risk Barometer

• Protiviti ERM Special Report - Strategic Risk Magazine

• Guide to Enterprise Risk Management: Frequently Asked Questions

• Building Enterprise Risk Management on the Foundation Laid by Sarbanes-Oxley

• “Which Comes First…Managing Risk or Strategy Setting? Both!”

• Protiviti’s Enterprise Risk Management in Practice: Profiles of Companies Building Effective ERM Programs


KnowledgeLeader™

KnowledgeLeader is a subscription website with tools, best practices, white papers, risk models, and other materials that you can use on a daily basis to manage risk and improve your company's business processes. KnowledgeLeader will help you save time, stay abreast of business and technology risks, and improve your internal controls.

The website is a one-stop-shop for internal audit and risk management information. Information is updated weekly and offers access to hundreds of tools, samples and templates including:

• Audit work programs

• Policies and procedures

• Risk assessment tools

• Process auditing methodologies

• Information technology guidance

• Pre-formatted questionnaires/surveys

Topics addressed by KnowledgeLeader include:

• Internal audit best practices

• Corporate governance

• Audit committees

• Fraud and business ethics

• Technology audit

• Security and privacy

• Control self assessment

• Risk assessment

• Business continuity

30-day free trials are available. Subscription discounts are given to Protiviti clients.


Enterprise Risk Management: Moving From Theory to Practice


Risk Never Sleeps


What is your understanding of “Risk”?

1. “Something that results in monetary loss…”

2. “It’s out there, but we don’t know what it is…”

3. “Anything that can happen in the future…”

4. “It is part and parcel of running a business/organisation…”

5. “Something adverse and negative…”


We Live In An Increasingly Risky World…

Rapidly changing risk profiles due to:

• Scale, pace and impact of globalization

• New competitive threats

• Operating Complexity

• Recessionary pressures

• Toughening regulatory environment

• Too Big to Fail Companies

• Others: Pandemic Flu, Terrorism, Rogue States


Global Codes of Corporate Governance

• Combined Code of Corporate Governance (UK)

• Sarbanes-Oxley Act 2002

• ASX Principles of Good Corporate Governance and Best Practice Recommendations

• Code of Corporate Governance 2001 (Revised July 2005)

• CVM Recommendations of Corporate Governance (Brazil)

• Guidelines on Corporate Governance Practices by Public Listed Companies (Kenya)

• Corporate Governance Initiative for Economic Democracy in Romania: Corporate Governance Code


Requirements for risk management in Singapore

The need for risk management is implied in…

Companies Act

• Focus on internal accounting controls and safeguarding of assets

• Role of AC in evaluating the effectiveness of internal control systems

SGX Listing Manual

• Focus on disclosure of prospectus-type risk information

• Explanations of deviations from Code of Corporate Governance

• Additional requirements in the Proposed Amendments to Listing Manual

Risk management is recommended as good practice in…

MAS Guidelines on Sound Risk Management Practices

• Applicable to financial institutions

• Best practice guidelines for managing credit, market and liquidity risks

Code of Corporate Governance

• Good practice principles and guidelines in corporate governance

• Board’s roles and responsibilities for internal controls and risk management

Workplace Safety & Health Act

• Risk management is mandated as part of MOM’s Safety & Health Management System.

• Focus is on identification, assessment and control of risks at workplace.

PSCOE Public Sector ERM Guide

• Project initiated by PSCOE to promote the adoption and implementation of ERM in the Public Service.

• A good practice guide, containing case studies and methodology guidance has been published for the public sector.


Change Makes Risk Management a Valuable Strategic Tool

[Figure: chart with axis labels Risk, Time and $, spanning 2008 to 2011. Chart labels: Changes in the Operating Environment; Exposure to Risk; Risk Appetite; Existing Risk Management Activities; Comprehensive and Holistic Risk Management; Strategic Management choices and actions; Tactical activities to reduce exposure to acceptable level.]


ERM Builds on Existing Capabilities

From “CURRENT STATE” CAPABILITIES to “FUTURE STATE” VISION

Risk Management

• Focus: Financial and hazard risks and internal controls

• Objective: Protect enterprise value

• Scope: Treasury, insurance and operations involved

• Emphasis: Financial and operations

• Application: Selected risk areas, units and processes

Business Risk Management

• Focus: Business risk and internal controls, taking a risk-by-risk approach

• Objective: Protect enterprise value

• Scope: Business managers accountable

• Emphasis: Management

• Application: Selected risk areas, units and processes

Enterprise Risk Management

• Focus: Business risk and internal controls, taking an entity-level portfolio view of risk

• Objective: Protect and enhance enterprise value

• Scope: Applied across the enterprise, at every level and unit

• Emphasis: Strategy-setting

• Application: Enterprise-wide to all sources of value


Protiviti’s Point of View

ERM is about establishing the oversight, control and discipline to drive continuous improvement of an organization’s risk management capabilities in a constantly changing operating environment.

Think continuous improvement; NOT silver bullet


ERM Is About Embedding a Risk Culture – To Do This, You Need To Do Two Things Well

[Diagram labels: RISK MANAGEMENT CULTURE, PROCESS, CONTENT]

• Risk Identification, Assessment and Treatment: What are the risks and how significant are these?

• ERM Implementation / Risk Management Framework: Is there a framework to pro-actively manage risks on an ongoing basis?


The Financial Crisis

“A Wake Up Call for Risk Management”


Systemic changes in the financial system enabled the debt binge

• Development and use of complex models, which fueled the rise of PhDs in financial institutions

• Emergence of innovative financial products

• Rise in hedge funds

• Dramatic increases in bank executive management compensation levels

Growth of Assets and Leverage in the Hedge-Fund Industry

Source: Credit-Suisse 2008Q4 Projections


Questions to Ponder

• Why did executives and boards not exercise more oversight?

• Why did CFOs and Treasuries not highlight emerging financial risks?

• How come financial models written by prize-winning PhDs did not predict the financial crisis?

• Why did audit risk assessments, financial controls and corporate governance activities not reveal the extent of the crisis?

• Where were the internal and external auditors?

• Did the rating agencies fail to adequately understand, assess and report on risks taken by these companies?


Did Risk Management Fail?

“….the financial crisis is the result of a failure of risk management [in the banking and securities markets] at a colossal scale….We may need to tear up the manual of enterprise risk management and start all over” – Insurance Information Institute

“All I can say is, beware of geeks….bearing formulas” – Warren Buffett during an interview with PBS. The Public Broadcasting Service (PBS) is an American non-profit public broadcasting television service


Every company or person involved in the financial crisis was making bets. Do you know what they were?


Common Failures of Risk Management


Jerry Seinfeld: On Risk Management


A risk is defined as an occurrence that has a negative impact on the…

1. Achievement of organisations’ objectives

2. Bottom-line

3. Morale of the staff

4. Operations of the organisation


Common Risk Management Mistakes

1. Poor governance and “tone at the top”

2. Reckless Risk Taking

3. Nonexistent, inefficient or ineffective risk assessment (Enterprise List Management)

4. Lack of understanding of, or inability to implement, enterprise risk management

5. Not integrating risk management with strategy setting and enterprise performance management


– CFO Magazine, 2 March, 2009


Not Defining Risk Appetite and Tolerances

[Diagram labels: Governance, Strategy, Risk Appetite, Execution, Risk Tolerances, Objectives]


A risk is defined as an occurrence that has a negative impact on the…

1. Achievement of organisations’ objectives

2. Bottom-line

3. Morale of the staff

4. Operations of the organisation


What Keeps You Awake At Night?


Case Study: New Technology (Strategic Risk)

Strategic Risk: Failure to anticipate changes in new technology

• Event: Polaroid was a leader in instant camera technology in the 1980s.

• The company filed for federal bankruptcy protection on October 11, 2001.

• This bankruptcy was widely believed to be the result of the failure of its senior management to see the effect of digital cameras on its film business, a fate that also befell its primary rival, Kodak.


Case Study: Sabotage (Reputation Risk)

• In 1982, Johnson and Johnson experienced a major crisis when it was discovered that numerous bottles of its Extra-Strength Tylenol capsules had been laced with cyanide.

• By the end of the crisis, seven people had died. The share price and market share were hit.

Note: How Johnson and Johnson dealt with this situation set a new precedent for crisis management. The company was lauded for its quick decisions and sincere concern for its consumers.


Case Study: Pollution

• Nucor Corporation Inc. failed to control the amount of pollution released from its steel factories in seven US states

• Spent nearly $100 million to settle an environmental suit


Case Study: Safety Risk

• A number of workers from the Ranger Uranium Mine, a mine operated by a Rio Tinto subsidiary, were exposed to unsafe levels of uranium.

• Workers drank water contaminated with levels of uranium 400 times the safe maximum under Australian standards (OHN 587).

• The mine will face landmark charges, which have been brought for the first time under the Northern Territory Mining Management Act 2001


Case Study: Accounting Fraud

• Overstatement of profit

• Inflation of revenue

• Poor risk management

• Criminal breach of trust

• Fraudulent / forged documents

• Weak internal controls


Other questions to ask yourself

1. What level of risk should I take?

2. What risks should I prioritise?

3. How should I manage those risks?


Sample Risk Map

[Figure: risk map plotting IMPACT against LIKELIHOOD, each on a scale of 1 to 9. The positions of the plotted risks are not recoverable from the transcript.]

Impact scale: Insignificant, Minor, Moderate, Major, Catastrophic

Likelihood scale: Remote (10%), Unlikely (25%), Reasonably Possible (50%), Probable (75%), Almost Certain (90%)

Risk zones: Low, Low to Moderate, Moderate, Moderate to High, High, Very High

Legend:

• D: Disaster recovery

• V: Security/Vulnerability

• U: Reputation

• G: Change Management

• N: Client Retention

• M: Business Model

• R: Resources Allocation

• C: Cost Management

• O: Communication

• T: Technology Support

• A: Performance Monitoring

• P: Product Development

• L: Regulatory Compliance

• K: HR Knowledge capital

• X: Performance Execution


Risk Assessment Best Practices

• Link back to key objectives

• Understand the organization’s culture

• Use a common risk language

• Understand the organization’s risk appetite and communicate that appetite

• Use consistent assessment criteria

• Involve all key stakeholders

• Encourage information sharing and dialogue

• Continually refine value of improving risk management capabilities

DEFINITION: Risk appetite is the overall level of risk an entity is willing to accept as it pursues value creation objectives, strategies, and performance goals.

Best Practice: Strategy and Risk Articulation Map

Who should be responsible for managing risks?

1. Board of Directors / Chairman

2. The CE

3. The Risk Manager

4. The Finance Department, Director

5. Everyone

A Capability Maturity Perspective of ERM

If your risk management framework was a car today, what would it be? i.e. The Current State

1. Hyundai

2. Ferrari

3. Toyota

4. Volvo

5. Proton

Where are you in the ERM Journey?

INCREASING RISK MANAGEMENT CAPABILITIES

• Establish sustainable competitive advantage

• Improve enterprise performance

• Quantify multiple risks enterprise-wide

• Continuously improve

• Design/implement capabilities

• Establish oversight and governance

• Assess risk and develop strategies

• Adopt common language

Categories of ERM Journey Elements: FOUNDATION ELEMENTS, PROCESS ELEMENTS, ENHANCEMENT ELEMENTS

ERM Value Proposition

Don’t forget the importance of change management and cultural alignment during this Journey!

Where are you in this journey?

Implement ERM components through staged improvements

• Risk Identification

Improved ERM Capabilities:

Initial, Repeatable, Defined, Managed/Optimizing

• Defined process

• ERM responsibilities

• Policy guidelines followed across the organization

• Risk measurement

• Consistent risk reporting

• Enterprise-wide limits

• Common language

• Dedicated resources

• Risk management policy

• Executive mgmt oversight

• Risk sourcing

• Enterprise-wide risk strategies

• Risk diversification exploited competitively

• Quantification of risk versus tolerances

• Integrated risk measurement systems

• Risk measures applied to performance goals

Risk Measurement Alternatives Vary According to Capability

Dashboard & Reporting Examples

Continuous improvement of ERM Capabilities

Risk Management – Lines of Defences

Board

• First line of defence: People - Staff

• Second line of defence: Business Processes & Controls

• Third line of defence: Management Supervision

• Fourth line of defence: Internal Audit

Business Risks – Fraud Risks

What kind of car would you like your risk management framework to be? i.e. The Desired State

1. Hyundai

2. Ferrari

3. Toyota

4. Volvo

5. Proton

Failure #4: Lack of Understanding of, or Inability to Implement, Enterprise Risk Management (ERM)

Key Indicators:

• Lack of executive management support and involvement of the right people

• Lack of clarity as to business motivation, leading to endless dialogue about what and why

• Lack of traction due to delegation of initiative to lower levels in the organization

• Viewing the existing risk management silo functions as “ERM” since they cover the risks

• Initiative is neither enterprise-wide in scope nor strategic in focus

Who should be ultimately responsible for risk management?

1. Board of Directors / Chairman

2. The CEO

3. The Risk Manager

4. The Finance Department, Director

5. Everyone

Convergence of Risk Management and Performance Management

Governance and Risk Management Challenge

Send out MS Excels

Workshop after workshop

Ask for additional input

Brainstorm one-off response possibilities

Siloed risk thinking

Focus only on negative risks

Risk Managers:

What is the status of our top risks?

What risks don’t we know about?

Am I on track to reach my goals?

Another assessment to fill out?

Lines of Business

Management & Executives

Will we meet analyst / market expectations?

What are our top 10 risks?

• Enterprise Risk Management

• SOX Compliance Team

• Internal Audit

• Revenue Assurance

• Business Process Management

Multiple, disparate functions responsible for governance and risk management

Enterprise Risk Management - Integrated Framework

ERM is a process, applied in strategy setting and across the enterprise, to identify key events, manage risk within the entity’s risk appetite and provide “reasonable assurance” that key objectives are achieved.

Protiviti’s Performance/Risk Integrated Management Model (PRIM2)

• Primase helps in replicating DNA, essential to sustaining human life.

• Similarly, PRIM2 applied to business, is vital to keeping management’s finger on the pulse of the DNA of the business.

ERM = Risk Management + Strategy Setting + Enterprise Performance Management

PRIM2: A Model for Integrating Risk Management, Strategy Setting and Enterprise Performance Management

An enterprise-wide program that establishes and maintains alignment of strategy, risk management capabilities and performance management processes in a changing operating environment

Breaking Down PRIM2

Aspire – Sets the direction for the enterprise and identifies the capabilities and infrastructure necessary to achieve its ASPIRATIONS.

Protect – Identifies and sources the risks and compliance requirements inherent in the strategy and establishes risk appetite and needed capabilities to PROTECT shareholder value.

Breaking Down PRIM2

Enable – A robust technology platform is necessary to ENABLE the effective and timely capture of operating results and their reconciliation to targets.

Aim – Allows the organization to take AIM at reaching its risk-adjusted aspirations by setting key metrics and targets that translate the strategy and risk appetite into performance expectations.

Plan – Integrated business PLANs establish the roadmap for achieving performance expectations and driving tactics and actions to implement the roadmap.

Measure – MEASURE results to monitor and evaluate the progress made towards the achievement of performance expectations.

Achieve – Reinforce and realign strategy and tactics when necessary to ACHIEVE performance expectations

Explaining PRIM2 into a Process Perspective

Key Metrics and Targets

Integration

Enterprise Performance Management Infrastructure

• Establish / Maintain flexible corporate structure that can govern in a changing business climate

Realign and Achieve

Monitoring and Evaluation

Integrated Business Planning

Risk Assessment

Strategy, Capabilities and Infrastructure

• Establish risk tolerances for specific risks

• Establish key performance indicators (KPIs) and key risk indicators (KRIs)

• Identify risks inherent in strategy

• Identify emerging risks

• Assess and prioritize risks and opportunities

• Source risks

• Establish risk appetite

• Measure results against KPI and KRI targets

• Monitor and evaluate risk mitigation plans against established tolerances

• Develop integrated plans to:

– Execute strategy

– Manage risks

– Assign ownership

• Develop risk responses

• Allocate risk management resources

• Take corrective action if out of tolerance or missing KPI/KRI targets

• Management review

• Dashboard reporting

• Exception escalation

GOVERNANCE

• Articulate organization’s strategic aspirations

• Define the capabilities and infrastructure needed to execute

The Ultimate Goal: Integrating Risk Management, Strategy Setting and Enterprise Performance Management

Lines of Business

Executives

Risk Managers

• Applications to mitigate top risks

• Role-based best practice playbooks

• Enable risk management innovation

• Risk in context of corporate strategy and performance

• Understand true exposure resulting from risk correlation

• Achieve proactive transparency

• Automatic risk identification

• End-to-end risk processes across the value chain

• Become a driver of business change

Failure #5: Risk Management Is Not Integrated with Strategy Setting and Enterprise Performance Management

Key Indicators:

• No connectivity of risk management to key management activities

• No linkage of risk to value with periodic risk assessments rarely impacting business plans

• No effort to anticipate risk scenarios that could derail execution of the strategy

• Poor alignment of risk responses with strategy

• There is unacceptable risk taking or risk averse activity

What companies should be doing?

The Tenets of a Successful ERM Implementation

“Very Effective” companies are more likely to have:

• Set the foundation

• Integrated risk management with business planning and strategy-setting

• Quantified risk to a greater extent

• Maintained the appropriate balance

• Avoided surprises

• An anticipatory approach to continuous improvement of their risk management capabilities

• These companies appear to have taken a comprehensive and holistic approach to managing their risks

Source: 2007 Protiviti Risk Barometer

Sample of Companies Implementing ERM

Protiviti’s Enterprise Risk Management in Practice: Profiles of Companies Building Effective ERM Programs

In Summary: What Companies Should Be Doing

• Critically assess objectives for embarking on the ERM journey

• Undertake a review of risk management practices

• Re-invigorate, re-vitalise, re-focus efforts if momentum or effectiveness is hampered

• Don’t hesitate to seek advice or leverage on the experience of others.

Sample Implementation Approach and Timeline

Figure: project timeline across the fiscal year (Q2 2008, Q3 2008, Q4 2008, Q1 2009).

• Audit Committee Request / Management Research

• Formed Steering Committee / Selection of Protiviti / Project Scoping

• Project Launch

• Phase 1 - ERA: Enterprise Risk Assessment (ERA)

– Risk Identification

– Risk Assessment

– High Level Gap Analysis

• Phase 2 - Analysis: Detailed Risk Management Analysis

– Detailed analysis for 1 - 2 high priority risks

– Detailed analysis on current risk management infrastructure

– Development of action plans

• Implement Action Plans (Phase 3)

• Building Organizational Risk Awareness

• Project Management, Communication and Knowledge Transfer

The greatest benefit of ERM is…?

1. Increased awareness of risk management

2. Ensure delivery of quality service

3. Be accountable to stakeholders

4. Reduce uncertainty in decisions

5. Allocate resources efficiently

In Closing:

• Enterprise risk management is about sustainability!

• Without risk management, value that has been created cannot be sustained or protected.

“Sustainability is meeting the needs of the present without compromising the ability of future generations to meet their needs”.

Quote from YB Dato Sri Wong Soon Koh (Minister of Finance II, Minister of Environment and Public Health)

Any Questions?

Jomar [email protected] +65 6220 6066

Case Study: Establishing Objectives and Setting the Foundation

Background and Initial Value Proposition:

– Fortune 50 Retailer operating over 1300 stores with annual sales over $45 billion

– Key stakeholders: CFO, Treasurer, Strategic Planning, SOX, Internal Audit, Business Process Improvement and Risk Management

– Initial ERM value proposition:

– Improve company’s ability to proactively manage risks

– Maintain competitive advantage over closest industry rival

– Improve corporate governance

Step 1: Perform Enterprise Risk Assessment (ERA)

– Understand Strategic Objectives

– Gathered Internal audit and strategic planning documents

– Risk identification

– Developed common risk language with 35 unique risks

– Conducted 15 executive level risk interviews

– Identified over 50 risk scenarios

– Risk Assessment

– Identified top 15 risks to the successful execution of the strategy

– Facilitated a 4 hour risk assessment session with senior company executives

– The facilitated risk assessment session identified two high priority risks for further risk mitigation

Step 2: Develop ERM Implementation Roadmap

– Integrate into existing strategic planning and business planning processes

Implementation Approach

Linking Risks To Strategy Articulation

Expand NA Footprint

Open 20 New Stores

Finding Profitable Locations

Comply With Local Zoning Laws

Case Study

Client Risk Profile

Figure: risk scenarios plotted by Likelihood of Occurrence (LOW to HIGH) against Impact (LOW to HIGH), each marked as Increasing Exposure, Decreasing Exposure or Neutral.

Scenario Legend

A. Compliance

C. Supply Chain Disruption

D. Image and Brand

E. Political

F. U.S. Economy

G. Competition

H. Customer Wants

I. IT Security

J. Customer Satisfaction

K. Environment

L. IT Infrastructure

M. Cycle Time

N. Real Estate

O. Business Interruption

Overall Implementation Benefits

• Confirmed and refined ERM value proposition

• Refined common risk language and risk assessment criteria

• Developed consensus view of organization's highest priority risk

• Developed approach to consistently improve management of high priority risks

• Improved allocation of company resources, including a more targeted Internal Audit plan

• Developed roadmap for integrating ERM into existing risk management activities

• Integrated risk management into strategic planning process

Case Study

Protiviti Services Overview

Internal Audit Services

Risk and Business Consulting Services

Service areas: Business Operations Improvement; Governance, Risk, & Compliance; Finance Transformation; Financial Risk Strategy & Management; Enterprise Information Management; IT Solutions; Litigation, Restructuring, & Investigative Services

• Business Intelligence

• Data Mining & Analytics

• Enterprise Application Strategy, Selection & Project Risk Mgmt

• IT Organization Effectiveness

• IT Security & Privacy Mgmt

• IT Process Improvement

• Business Continuity Management

• ERP Control Optimization

• Revenue Risk

• Supply Chain & Working Capital

• Capital Projects & Construction

• Global Sourcing

• Loss Prevention

• Policy & Strategy Communications

• Finance Remediation & Reporting Compliance

• Finance Process Optimization & Integration

• Corporate Performance Mgmt

• Litigation Consulting

• Discovery Risk Management

• Fraud Risk Management

• Forensics

• e-Discovery

• Financial Investigations

• Corporate Restructuring & Recovery

• M&A Due Diligence

• M&A Integration

• Enterprise Risk Assessment

• Sarbanes-Oxley & Financial Reporting Controls Compliance

• Regulatory Compliance (incl. Anti-Money Laundering)

• Market & Commodity Risk

• Credit Risk

• Operational Risk

• Model Validation

• Content & Records Management

• Data Mgmt & Information Architecture

• Full Outsourcing

• Co-Sourcing & Special Projects

• IT Internal Audit

• Quality Assurance Reviews

• Internal Audit Transformation

• Audit Committee / CAE Advisory