
Page 1: Organisational risk management Anton Usher 19 March 2014

Organisational risk management
Anton Usher
19 March 2014

Page 2

Overview

• A whistle stop risk review
• Risk in Australian corporate governance
• The benefits of organisational risk maturity
• Risk management and in-house counsel
  • The evolution of in-house counsel’s role
  • In-house counsel’s contribution to risk management
• Integrating risk management within your organisation
  • Using an enterprise risk management framework
  • Using a compliance framework
  • Using a risk based internal auditing approach
• Key takeaways

Page 3

A whistle stop risk review

Page 4

A global view: top risks in 2013

Sources (table columns): Aon global, Lloyds global, Deloitte global, Aon Asia-Pac

Economic slowdown / slow recovery

High taxation Economic trends

Brand & image

Regulatory / legislative changes

Loss of customers / cancelled orders

Business model

Market environment (economic slowdown)

Increasing competition

Cyber risk Reputation Regulative / legislative changes

Damage to reputation / brand

Price of material inputs

Competition Business interruption

Failure to attract or retain top talent

Excessively strict regulation

Human resources

Failure to innovate Changing legislation Lack of innovation

Page 5

A selected industry view: top risks in 2013

Industry | 1st risk concern | 2nd risk concern | 3rd risk concern
Banks, Insurance, Investment & Finance | Regulatory / legislative changes | Economic slowdown | Brand & image
Education & not for profit | Regulatory / legislative changes | Brand & image | Human resources
Government | Political risk & uncertainties | Human resources | Business interruption
Utilities | Political risk & uncertainties | Regulatory / legislative changes | Natural disasters
Natural resources | Property damage | Environmental risk | Commodity price risk
Non-aviation Transport Services | Economic slowdown | Human resources | Injury to workers

Page 6

Risk in Australian Corporate Governance

Page 7

Increasing risk management prominence (1)

(Proposed) third edition of ASX Corporate Governance Principles and Recommendations

Increases risk management prominence by recommending listed entities:
• establish a risk committee
• undertake risk management reviews at board / board committee level at least annually
• disclose whether, and if so how, they have regard to economic, environmental and social sustainability risks

Page 8

Increasing risk management prominence (2)

New APRA risk governance measures:
• New Risk Management standard - CPS 220
• Revised Governance standard - CPS 510

Increases risk management prominence by requiring:
• a separate board risk committee & designated CRO
• a risk management framework that:
  • includes a risk management appetite and strategy
  • addresses material risk (financial, operational, strategic)
  • adopts a ‘three lines of defence’ risk governance model
• annual risk management declarations and three yearly risk management reviews at board risk committee level

Page 9

Risk governance: three lines of defence model

Source: Draft Prudential Practice Guide CPG 220 Risk Management, APRA, January 2014, p19.

Page 10

The benefits of organisational risk maturity

Page 11

Prosperity is connected to risk maturity

Chart axes: Risk management maturity (Lacking, Basic, Defined, Operational, Advanced) and Prosperity

Page 12

Some characteristics of risk maturity

• Board set risk management strategy & commit to it being critical in decision making
• A senior executive drives & facilitates implementation of risk management
• Transparency of risk communication
• Risk culture encourages full engagement & accountability at all levels
• Risk identification uses internal & external information
• Operational & financial risk information included in decision making processes
• Risk & risk management options are leveraged to extract value

Page 13

Risk management & in-house counsel

Page 14

Evolution of in-house counsel’s role

An Australian in-house counsel survey (% response)

What does your executive team expect from you?
  • Contributions to risk management: 75%
  • Help in making commercial decisions: 51%

What recent development has most impacted your role?
  • Technological developments: 66%
  • Increased regulations: 53%

What is the greatest challenge for in-house counsel?
  • Maintaining a work/life balance: 32%
  • Keeping pace with legislative changes: 32%

Page 15

In-house counsel’s contribution to risk management

HELP your Executive/Board answer these questions:
• Do we have a handle on critical organisation risks and our ability to respond?
• Is the top-down strategic view of critical organisation risks right?
• Is the effort being put into risk processes aligned with the risk priorities?
• Are our systems and people capable of responding to these risks?
• Is risk management “built into” the way we do business or is it “added-on”?

USE an enterprise risk management approach that is:
• Consistent with ISO AS/NZS 31000
• Tailored to your organisation
• Practical and value adding

Page 16

Integrating risk management

Page 17

Enterprise risk management framework

Page 18

Identifying risks that matter

Diagram labels: Successfully achieved corporate objectives; Risks that matter; Risks that don’t matter

Page 19

A risk to successful delivery of objective

Diagram labels: Objective; Critical success factor 1; Critical success factor 2; Risk

Page 20

Using sources of risk to identify risk

External:
• Stakeholders
• Community
• Political / Government
• Clients
• Suppliers
• Competitors
• Reputation
• Regulatory / contractual

Internal:
• Stakeholders
• Strategic and business
• Budgetary
• Governance
• Legal
• IT
• Human resources and skills
• Knowledge management
• Change management

Page 21

An example risk

Objective: Reduce workers compensation premium by 10% by FY14/15 renewal

Critical success factors:
• Existing claims liability reserves are reduced
• Systemic claim causes are mitigated

Risk: poor incident data quality

Page 22

Use a heat map to assess and report risk

Page 23

Using a compliance framework

A compliance framework defines what you:
• HAVE to do (legal and regulatory obligations)
• WANT to do (organisational requirements)
• VOLUNTARILY do (organisational commitments)

Page 24

An empowering compliance framework

Compliance = achieving business objectives safely

Diagram labels (in reading order):
• GOVERNING BODY
• Guidance, Enablement, Reinforcement
• CHANGE MANAGEMENT & CONTINUOUS IMPROVEMENT
• Management Direction
• Key Performance Indicators
• Empowered, Accountable
• Employees/Agents/Service Providers
• EXTERNAL OBLIGATIONS (Law, regulations, guidelines, codes etc)
• LEADERSHIP, PEOPLE, ACCOUNTABILITIES
• Core Business Functions
• Policies
• Processes / Procedures / Training
• POLICIES, PROCEDURES, TRAINING
• Measurement Reporting & Risk Profiling
• Controls Self-Assessment (CSA)
• External Audit & Reviews
• MONITORING & REPORTING

Page 25

Prioritising legislative compliance obligations

Page 26

Why use a risk based internal auditing approach

Risk based internal auditing (RBIA):
• is independent and objective
• evaluates and improves risk management effectiveness
• helps achieve corporate objectives

Page 27

RBIA adds value

RBIA is linked to the risk assessment process

RBIA focusses on:
• areas of high risk
• key control systems for high risk areas, testing:
  • control design – operational effectiveness
  • control operation – operational compliance

Page 28

Use risk based internal audit ratings

Internal audits should be given overall risk ratings reflecting the level of inherent risk associated with the activity within the audit scope and the effectiveness of internal controls.

Page 29

Key takeaways

• Risk management is becoming more prominent in Australian corporate governance
• Risk mature organisations do better
• In-house counsel has a key role in contributing to effective organisational risk management
• Enterprise risk management adds value by:
  • prioritising risk mitigation effort
  • prioritising and helping to ensure compliance obligations are met
  • helping to ensure risk mitigation effectiveness
  • helping to achieve corporate objectives

Page 30

Thank you