Risk Intelligence in the Energy & Resources IndustryEnterprise Risk Management Benchmark Survey

Deloitte Enterprise Risk Services

Table of contents

Foreword 5Executivesummary 6Aboutthissurvey 8 Objectiveofthesurvey 8 Approach 8 Respondentsinformation 9Detailedsurveyfindings 11 CurrentstateofERM 11 ImplementingERMandorganizationalapproaches 15 Governance 15 Process 21 People 25 Technology 26TopEnergy&ResourcesRisks 29Conclusion 32 BuildingtheRiskIntelligentEnergy&ResourcesEnterprise 32 Awayforward 33Contactus 34 Authors 34 Contacts 34

4 Risk Intelligence in the Energy & Resources IndustryForeword5

Inachangingworldwhereenergyandresourcescarcityandclimatechangehavebecomekeythemes,Energy&Resourcescompaniesfaceamyriadofnewemergingrisks.Resourcescarcity,politicalinstability,infrastructureobsolescence,potentiallyadverseweatherevents,greenhousegasemissions,andrisksrelatedtodisruptivetechnologiessuchasdistributedelectricitygenerationoroilextractionfromoilsandsarejustafewoftheperilsfacedbyEnergy&Resourcescompanies.

TherecentfinancialandeconomiccrisishadalsoanimpactontheEnergy&Resourcesindustry.Manycompaniesintheindustryexperiencedturbulenttimes,withstillmanychallengesaheadforthenearfuture.

Whilesometraditionalriskmanagementapproachesmayhaveservedtheindustrywellinthepast,thescope,complexity,andinterdependenciesofemergingrisksareforcingmanyEnergy&Resourcescompaniestoadoptcomprehensiveandintegratedapproaches.

DeloittehasrecentlylaunchedanEnergy&ResourcesEnterpriseRiskManagementBenchmarkSurveyfortheEurope,MiddleEastandAfrica(EMEA)region.ThegoalofthesurveywastocaptureandreportfeedbackonthecurrentstateofEnterpriseRiskManagement(ERM)implementationforacross-sectionoforganizationswithintheEnergy&Resourcesindustry.ThisreportpresentsacompilationoftheresponsesanddevelopsprofilesoftheleadingandprevailingERMpracticesintheEnergy&Resourcesindustry.

Organizationswereinvitedtoparticipateinthesurveythroughdirectcommunicationasrepresentativesofselectedsub-industries.Organizationsparticipatedbymeansofacompletingthesurveyquestionnairecomplementedwithface-to-faceinterviews.

Therewere49responsesfromEurope,theMiddleEast,andAfricarepresentingorganizationsactivewithintheElectricPower&Utility,Oil&Gas,Water,andMetallurgy&Miningindustries.

Foreword

6 Risk Intelligence in the Energy & Resources IndustryExecutiveSummary7

ERMtrainingisstilllimitedtoriskspecialistsandpeopledirectlyinvolvedintheRiskManagementactivitiesFeworganizationsprovideERMtrainingtoallemployees.BestpracticesorganizationsintegrateERMtrainingintheircorporatetrainingprograms,goingfrombasicriskmanagementprinciples(what’sariskandwhatdoesitmeanfordailyoperations)tomorein-depthtrainingforseniormanagement.

ERM done right: the Risk Intelligent Enterprise™

Themanagementofriskisinherenttothesurvivalofmankind.Whenearlymanbuiltafireatnighttowardoffpredatoryanimalswhileheslept,hewasmanagingrisk.Allofusmanageriskonadailybasis,oftenwithoutbeingawarewearedoingit.

RiskmanagementisnotnewbutERM,anapproachtomanagingrisk,isrelativelyrecent.RiskIntelligentEnterprises™manageriskfortworeasons:toprotectwhattheyhaveandtogrowthevalueofwhattheyhave.ThepremiseofERMisthatitattemptstopresentanoverallandintegratedviewoftheriskstowhichanenterpriseisexposed.Ideally,withthisinformation,theenterpriseisthenabletomakebetterinformeddecisionsabouthowitcanprotectwhatithasandhowitcan,inanintelligentmanner,addvaluetowhatithas.Inotherwords,theorganizationcanbesmarterabouttherisksitneedstotake.Itcanbe“RiskIntelligent.”

ERMisanenablerofriskintelligence;itstruevaluemaylieinitsabilitytoenablethesystematicidentificationofpossiblecausesoffailure—failuretoprotectexistingassetsandfailuretoachievefuturegrowth,i.e.,failuretomanagebothunrewardedandrewardedrisk.Unrewardedrisksaretypicallyassociatedwithlackofintegrityinfinancialreporting,noncompliancewithlawsandregulations,andoperationalfailures;thereisnopremiumtobeobtainedfortakingthesetypesofrisks.Rewardedrisksarethosethattypicallyhavetodowithstrategyanditsexecution.

TheextenttowhichanorganizationusesriskinformationfromitsERMframeworktoinfluencedecisionmakinginbothareas(unrewardedandrewardedrisk)isadirectreflectionofthematurityofitsERMprogramandofitsriskintelligence.

Ofcourse,thepathtothisloftydesignationislongandsometimesarduous.Everyorganizationthatchartsitsprogresswillfinditselfinadifferentlocationonthemap,dependingontheuniquebusinesschallengesitfacesandthecompetenciesandcapabilitiesitpossesses.ButeveryorganizationthatattainsthestatusofaRiskIntelligentEnterprisewillfindthattheysharesimilarcharacteristics,includingthefollowing:•riskmanagementpracticesthatencompasstheentirebusiness,creatingconnectionsbetweentheso-called“silos”

thatoftenarisewithinlarge,mature,and/ordiversecorporations;•riskmanagementstrategiesthataddressthefullspectrumofrisks,includingindustry-specific,compliance,competi-

tive,environmental,security,privacy,businesscontinuity,strategic,reporting,andoperationalrisks;•riskmanagementapproachesthatdonotsolelyconsidersingleevents,butalsotakeintoaccountriskscenarios

andtheinteractionofmultiplerisks;•riskmanagementpracticesthatareinfusedintothecorporateculture,sothatstrategyanddecision-makingevolve

outofarisk-informedprocess,insteadofhavingriskconsiderationsimposedafterthefact(ifatall);and•riskmanagementphilosophythatfocusesnotsolelyonriskavoidance,butalsoonrisk-takingasameanstovaluecreation

Source:DeloitteRiskIntelligenceSeries

TechnologycanhelpleveragingtheERMprocess,thoughmanyorganizationsstillstrugglewithitTechnologycanfacilitatetheERMprocess(riskidentification,documentation,aggregation,assessments,quantitativetechniques,riskmonitoring&reportingetc.)thoughalargenumberoforganizationsindicatetheyarenotyetonthatlevel.DespiteaproliferationofvendorscompetingintheERMmarketplace,nosinglepackagesolutionhasemergedtoprovidethenecessaryfunctionalitytosupporttheentireERMcapability.

SubstantialefforthasbeendirectedtowarddevelopingenhancedapproachestoriskmanagementintheEnergy&Resourcesindustry,particularlyinthepastdecade.HalfoftheorganizationspolledreporthavingafullyoperationalERMprogram,whereasthemajorityoftheotherhalfindicateshavinganERMprogramindevelopmentformorethan1year.

Amongstthesecompanies,somekeythemesaboutERMemergedinthesurvey:

ERMprogramsareachievingenterprisewidecoverageandrisk-informeddecisionmakingisdevelopingERMscopeshaveexpandedinrecentyears,progressingtowardsarealenterprise-widemanagementpractice.Riskinformationisincreasinglyincorporatedintothecriticaldecisionmakingprocesses.Leadingorganizationsaremakingthecriticallinkbetweenriskandperformancemanagementthroughtheemergingdisciplineofrisk-adjustedperformancemeasurement(RAPM).

ERMframeworks,methodologies,andtoolsarebecomingmorematureandadvancedriskmanagementpracticesaredevelopingAlmosthalfoforganizationsreporthavinganERMpracticethathasprogressedbeyonditsearlystages.ThefundamentalsoftheERMprogram,i.e.theframework,methodology,andtoolshavebeenestablishedandserveasthebasisforthedevelopmentofmoreadvancedriskmanagementpractices.Amongstthoseare:•TheintegrationofERMwithothermanagement

practices(performancemanagement,processmanagement,compliancemanagement,qualitymanagement,etc.);

•TheuseofKeyRiskIndicators(KRIs)andothertoolstomonitorrisksonacontinuousbasis;

•Theapplicationofquantitativetechniquesforevaluationofrisk,riskmeasurement,andriskprediction;and

•Theuseofnetwork-andpattern-recognitiontechniquestoanalyzeriskand,moreaccurately,tomodelfailurepredictions,tomodelinterdependenciesbetweenrisksandtounderstandconcentrationsofriskexposures.

ThefocusisshiftingfromtheunrewardedriskstotherewardedrisksTherespondentsinthissurvey,forthemostpart,indicatethattheirorganizationsareusingtheinformationfromtheirERMprogramstodealwithunrewardedrisks.Thesetypicallyincluderiskstofinancialreporting,compliance,andoperations,suchasbusinesscontinuity,operationalperformance,inventory,treasury,insurance,etc.Thisisthetraditionaldomainofriskmanagementbecauseitfocusesontheprotectionofexistingassets.

Moreriskmatureorganizationsarestartingtofocusmoreonunrewardedrisks.Thoserisksarerelatedtostrategyanditsexecution.Thesetypicallyincludethedevelopmentofnewproducts,entryintonewmarkets,andacquisitions.Themanagementoftheserisksholdsthepotentialforgainandrewardiftheyareintelligentlymanaged,buttheycanhaveseriouslynegativeeffectsiftheyarenot.OncethereisastableandprovenERMmethodologyinplaceandERMstartstofocusmoreonriskrelatedtostrategy,ERMrisesontheagendaoftheCEOasitmovesclosertotheinterestofoperatingmanagement.

ERMprocessesareimplementedbutorganizationsstillfacechallengeswithrespecttoeffectivemonitoringandreportingOrganizationsreportbeingmatureonriskidentification,riskassessmentandriskprioritization,anddesignandimplementationofmitigatingactions.Manyorganizations,however,stillstrugglewithmonitoringandreportingrisks.Alackofappropriatetoolingisoneofthereasons.Otherreasonsarethelackofsuitablemethodologyforaggregatingrisks,thelackofabilitytomeasureandintegrateriskexposuresfromboththetop-down(organizationallevel)andthebottom-up(operationallevel),andthelackofkeyriskindicatorstomonitorrisksinacost-efficientway.

Executive summary

8 Risk Intelligence in the Energy & Resources IndustryAboutthissurvey9

About this survey

Objective of the surveyTheobjectiveofthisEnterpriseRiskManagementBenchmarkSurveyistoprovideabroadperspectiveonthestateofriskmanagementacrosstheEnergy&ResourcesIndustry.TheassessmenthasbeenstructuredaroundthefourERMcapabilities:governance,process,people,andtechnology.

Thissurveyisbasedonself-assessments.Self-assessment,bydefinition,entailsanunknowndegreeofsubjectivityandDeloittedidnotattempttovalidatetheresponses.Inaddition,thereisnostatisticalsignificancetotheresponses—theyaremerelytheopinionsheldatthetimebythosewhoresponded.Itisalsoimportanttoemphasizethatprevailingpracticeisnotnecessarily“leadingpractice.”

ApproachThebenchmarksurvey,fromwhichthefindingsaretakenforthebasisofthisreport,wasconductedonlineandviapaperintheperiodbetweenJune2009andFebruary2010,complementedwithone-on-oneinterviewswiththepartyresponsibleforriskmanagementintherespondingorganizations,Byfar,thefunctionsmostrepresentedbyrespondentsareCFOs,CEOs,ChiefRiskOfficers,andInternalAuditDirector/Managers.Thepreliminaryresultsofthebenchmarksurveyhavebeendiscussedatthe“RiskIntelligenceintheEnergy&ResourcesIndustrySeminar”organizedinMarch2010inBrussels(Belgium)withahighrepresentationofthesurveyrespondents.Therelevantdiscussionsandcommentsfromtheseminarhavebeenintegratedintheresultsthatarepresentedhereafter.

Respondents informationGeographicalcoverageRespondentsweremostlyEuropeanwithsomeanswerscomingfromAfricaandtheMiddle-East.

IndustrybreakdownAwidevarietyofdifferentsub-industries/segmentsfromtheEnergy&Resourcesindustryarerepresented,withtheheaviestconcentrationinPower&Utilities.

Exhibit 1: Deloitte ERM capability model TM

Process

Governance

Risk IntelligenceTo Create &

Preserve Value

Sustain & ContinuouslyImprove

Developand DeployStrategies

IdentifyRisks

Assess andMeasure RisksRespond

to Risks

Design& Test Controls

Monitor,Assure &Escalate

Peo

ple

Techn

olo

gy

Region %

Europe 90%

Middle-East 6%

Africa 4%

Sub-industry %

Power&Utilities 70%

•Generation&Supply(Electricity/Gas) 61%

•SystemOperators(Electricity/Gas) 39%

Water 13%

Oil&Gas 9%

Metallurgy&Mining 8%

1. Tribal & Heroic

Exhibit 2: Deloitte Risk Intelligence Maturity model TM

Ad-Hoc/chaotic

Depends primarily onindividuals

Heroics capabilities andverbal wisdom

2. Specialist silos

Reaction to adverseevents by specialists

Descrete roles established for small set of risks

Typically finance, insurance, compliance

3. Top-down

Tone set at the top

Policies, procedures,risk authorities definedand communicated

Business function

Primarily qualitative

Reactive

4. Systematic

Integrated response toadverse events

Performance-linked metrics

Rapid escalation

Cultural transformation

Underway

Bottom-up

Pro-active

5. Risk Intelligent

Built into decesion-making

Conformance withenterprise risk management processes is incentivized

Intelligent risk-taking

Sustainance

‘Risk management iseveryone’s job’

Exhibit 3: Geographical coverage

ParticipatingcountriesInEurope

10 Risk Intelligence in the Energy & Resources IndustryDetailedsurveyfindings11

OperatingrevenueParticipantsinthesurveyrepresentmostlysmallandmedium-sizedorganizationswithaturnoversmallerthan€500million(50%)andaheadcountoflessthan5000fulltimeemployees(69%).

Current state of ERMRiskmanagementactivitiesareperformedinalmostallorganizationsThesurveyrevealsthatavastmajorityoftherespondents(95%)performriskmanagementactivities.Therespondentswhostatedtheydonotperformriskmanagementactivities(4%)aresmallerorganizations(<110FTE’s).Thoserespondentsindicatedhavingconsideredtheimplementationofariskmanagementprocessandsomeplantheimplementationinatimehorizonoftwoyears.Untilnow,thoserespondentsdidnotperformriskmanagementactivitieseitherbecauseriskmanagementwasnothighontheagendaoftheirgovernancebodies(BoardofDirectors,AuditCommittee,orManagementCommittee)orbecausetheydidnotseethebenefitsofanERMprocess.Insmallorganizations,governancebodiesandseniormanagementtypicallyhaveagoodoverviewonwhathappenswithinthecompany.Thiscreatesthefeelingofhavingthecompany‘undercontrol’andweakenstheperceivedneedforimplementingriskmanagementactivities.Besidesthehighercomplexityanddifficultyofhavingaclearoverviewofrisksinlargerorganizations,regulationstendtorequirereportingonriskmanagementintheannualstatements.

HalfoftherespondentshaveafullyoperationalERMprogramERMhasbecomeanindustrywidepractice.Almosthalfoftheparticipants(48%)reporttohaveafullyoperationalERMprogram.ForERMprogramsindevelopment,76%oftherespondentsindicatebeingindevelopmentformorethan1year.Onaverage,organizationsneed3to7yearstobringERMtoanoperationallevel.Thistimeframelargelydependsonthesizeofthecompanyandthenumberofgeographicallocations.TheoperationalstatusoftheERMprogramdoesnotdependonthesizeoftheorganizationintermsofrevenuesornumberofemployees.Inaddition,thereissomeratinginfluencebuilding.Ahigherproportionoforganizationswhichmentionedhavingaratingalsohaveafullyoperationalriskorganization.Thiscanbeexplainedbytheratingagenciestakingriskmanagementmoreandmoreintoconsiderationwhengivingexternalratings.

Exhibit 5: Operating revenues (mEUR)

0%

10%

20%

30%

40%

50%

60%

>10.0005.000-10.0001.000-5.000500-1.0000-500

24%

12%

50%

5%

9%

Exhibit 6: Full time employees

0%

5%

10%

15%

20%

25%

30% 28%

13%

28%

19%

13%

>10.0005.000-10.0001.000-5.000500-1.0000-500

Exhibit 7: Does your company perform risk management activities?

96%

4%

Yes

No

52%

48%

Exhibit 8: What is the operational status of your ERM program?

In development

Fully operational

Exhibit 4: Survey received per sub-industry

70%

9%

8%

13%

Power & Utilities

Water

Oil & Gas

Metallurgy & Mining

39%

61%

Generation & Supply (Electricity/Gas)

Systems Operators (Electricity/Gas)

Detailed survey findings

12 Risk Intelligence in the Energy & Resources IndustryDetailedsurveyfindings13

OperationalperformanceandregulatorycomplianceappeartobethekeydriversofERM,strategyisanemergingdriverofERMprogramsRespondentsstatetheirorganization’sERMeffortsarebeingdrivenforthemostpartbytheneedtoimprovetheoperationalperformanceandtheneedtocomplywithregulations.Operationalperformanceistypicallyembeddedineachbusinessdepartmentinamoreorlessformalizedwaythroughalonghistoryofsiloriskmanagement.Mostofthedepartmentmanagershaveanoverviewoftheirriskswhetheritwasbuiltinadocumentedprocessorinamoreunofficialway.

Regulatorycompliancehasbeenthemaindriverforacertainnumberofyearsduetoincreasinglycomplexmultijurisdictionalcompliancerequirements.EuropeanCorporateGovernanceregulationshaveincorporatedriskmanagementforadecade,someforevenlonger(theUKsince1992,theNetherlandssince1997,Germanysince2000,Francesince2002,andBelgiumsince2004).TheEuropeanCGregulationsalsodefineabroaderscopeforERMthatincludesthemanagementofrisksforstrategic,operational,financial,andcomplianceobjectives.Typically,operationalperformanceandregulatorycompliancearethemaindriversofERMprogramsinorganizationswhoseERMprogramsareattheearlystagesofmaturityandwhohavenotyetrecognizedtheroleERMcanplayinvaluecreation.Thisfindingmayalsoreflectthebiasofthesurveyrespondentswhotypicallyrepresentfunctionsthataremorecloselyalignedwithregulationandcompliancethanwith

businessfunctions.Thoseprogramsfocusmoreonassetprotection(unrewardedrisks).StrategyisanemergingdriverofERMprograms.Fortherespondentsmentioningstrategyastheirmaindriver,operationalperformancewilloftenbeconsideredasbeingbusinessasusual.AsERMprogramsmature,thoseprogramsmayfocusmoreonvaluecreation(rewardedrisks)

BoardsaretheprimarydriversofERMbutseniormanagementtendencytopullERMthroughtheirorganizationisgrowingThekeygroupsdrivingERMwithinorganizationsaretheBoardofDirectors,theManagementCommittee,andtheAuditCommittee.TheBoard,includingtheAuditCommittee,jointlyaccountsforatleast47%ofthechampionswhopushforERMwithinanorganization.For25%oftherespondents,theManagementCommitteeisaligningERMtomorestrategicriskmanagementactivitiesandmoreoperationalperformance.Thisisconsistentwiththeobservationthatstrategyandgrowtharebecomingincreasinglyimportantdevelopmentelementsintheriskmanagementprogram.ThiscanalsoexplaintheappearanceofstrategyasanemergingdriverofERM.AsBoardsofDirectorsusuallyfocusmoreonasset

protectionandManagementCommitteesfocusmoreonfuturegrowth,theremaybeapossibledisconnectionbetweenprogramgoals(assetprotection)andexpectations(valuecreation).WhereregulationandcomplianceappeartobetheprimarydriversofERM,ManagementCommitteesarenotthekeyprogramdriver.WhentheriskmanagementsystemisdrivenbytheBoardoritscommittees,itmaybeperceivedbytheManagementCommitteeasyetanotherformofcompliance,somethingthat“must”bedoneandwhichisnotdrivenbybusinessneeds.ManagementCommitteesmaybemoreinterestedinimprovingoperationalperformanceandvaluecreationthanintheprotectionofexistingassets.Inthosecases,ERMwillbemostlypushedthroughorganizationsinsteadofpulledbythebusinessdepartments.

BenefitsofERMThetopfiveexperiencedbenefitsarealllaudablebenefits.Thesebenefitsasidentifiedbythesurveyrespondentsare:createarisk-awareculture,enablefocusontherisksthatmattermostthroughintegratedmanagementreporting,identifyandmanagecross-enterpriserisks,reducevulnerabilitytoadverseeventsandenhanceriskresponsedecisions.Althoughinterestinintegratingriskmanagementinthedecisionmakingprocessisgrowing;mostoftherespondentsarestillindevelopment.

Interestingtoobserveisthattheexperiencedbenefitsareevolvinginthesamewayastheimplementationoftheprocess.ThefirststepintheprocessissettinguptheERMframeworkandtrainingpeopletocreatearisk-awarecultureandprioritizeriskstofocusontheonesthatmattermost.ThesecondstepofanERMprocessistomanagetheidentifiedrisksandreducethevulnerabilitytoadverseevents.Finally,thelaststepistomonitorriskresponsesandincorporateriskinformationintothedecisionmakingprocess.Furtherbenefitsmaystillberealizedgiventhat50%ofthosewhorespondedtothissurveyrepresentorganizationsthathaveanERMprograminplaceforlessthan5years.

CurrentERMprogramsaretypicallyfocusedonhavingtherightbalancebetweengrowth,risk,andreturnbuttendslowlytowardsmorestrategicriskmanagementThetopfivebenefitsexpectedtoberealizedinthefutureseemtorelatemoretothemanagementoffuturegrowthandpotentiallyrewardedrisk.Thishasadirectcorrelationwithriskmaturity:organizationsbeginbyfocusingonprotectingassets(unrewardedrisks)andthenlateruseERMinformationasthebasisforstrategicdecisionsandtheirexecution(rewardedrisks).

Operationalperformance

0% 5% 10% 15% 20% 25% 30% 35%

33%

30%

16%

12%

5%

5%

Exhibit 9: First ERM driver mentionned

Other

Public image

Businesscontinuity

Strategicreasons

Regulatorycompliance

Exhibit 10: Who is driving the ERM interest?

15%

28%

25%

23%

9%

Internal Audit

Board of Directors

Management Committee

Audit Committee

Other

33%Create a risk-aware

culture

Exhibit 11: Top 5 experienced benefits of ERM

0% 5% 10% 15% 20% 25%

Identify and managecross-enterprise risks

Reduce vulnerabilityto adverse events

Enhance riskresponse decisions

Enable focus on the risksthat matter most

through integratedmanagement reporting

23%

22%

21%

21%

13%

Link growth,risk and return

24%

22%

21%

18%

13%

2%

Exhibit 12: Top 5 expected benefits of ERM

0% 5% 10% 15% 20% 25%

Align risk appetiteand strategy

Provide integratedresponses to multiple risks

Minimize operationalsurprises and losses

Seize opportunties

Other

14 Risk Intelligence in the Energy & Resources IndustryDetailedsurveyfindings15

Previousstudiesdemonstratedthatriskmanagementwasmostlyfocusedonriskstoexistingassetsandweremissingtheconnectiontofuturegrowth.Theconservativesideofriskmanagementisstillhighlypresentbutmostrespondentsindicatethattheirexpectedbenefitisonthelinkbetweengrowth,risk,andreturn.

Seizingopportunitiesthroughriskmanagementisnotmentionedbymostoftherespondentsasoneoftheexpectedbenefitsofriskmanagement.Unfortunately,suchanapproachmeansformostrespondentsthatriskmanagementdoesnotincluderisksoropportunitiesthathavetodomorewithstrategyanditsexecutionsuchasthedevelopmentofnewproducts,entryintonewmarkets,oracquisitions.Toooften,organizationslimittheirriskmanagementtotheunrewardedriskssuchasthosewholimitpotentiallosses,insteadofalsotakingintoaccounttherewardedrisks,thosewhoholdthepotentialforgainandrewardiftheyareintelligentlymanaged.Calculatedrisktakingisessentialforcompetitiveadvantageandgrowth.Therealchallengeistodevelopriskintelligence;thisentailsbecomingsmarteraboutandbettermanagingtherisksthatneedtobetakenandthosethatneedtobeavoided.

CurrentERMprogramsbroadentheirscopetomorestrategicrisksIncomparisonwithpreviousstudies,thescopeofERMisexpandingtoincludeevaluatingapraticethatisenterprise-wide.Thisisreflectedbythediversityofrisksthatareinscopeoftheriskmanagementprogram.Thesurveydemonstratedthat:•1%oftherespondentshaveafullscopeERMprogram

including16riskareas.•52%haveincludedmorethan10riskareas.•85%haveincludedmorethan5riskareas.Consistentwiththefocusonassetprotection,almostallcurrentERMprogramsincludeexternalfactors(85%),finance(85%),andcompliance(84%)riskareasintheirERMscope.Thisreflectsthehistoricalfocusoncomplianceandfinancialrisks.However,aspreviouslyobserved,respondentstendtofocusincreasinglyonthestrategicsideas73%oftherespondentsindicatedthatstrategyisincludedinthescopeoftheirERMprograms.

TheintegrationofriskmanagementinthedecisionmakingprocessisgrowingbutisstillindevelopmentformostrespondentsMostrespondentsintegrateorplantosystematicallyintegrateriskmanagementinalltheirdecisionmaking

processes.Inthecurrentstate,organizationshavemostlyfullyincorporatedtheirriskmanagementinthedecision-makingprocessoftheprocessesrelatedtocommoditytrading(58%);andInsurance(48%).However,thesurveydoesindicateagrowingtrendtowardsmoresystematicintegrationinothercriticaldecisionmakingprocessessuchasFinance(43%)andInternalAudit(42%).Theseprocessesrelatetothetraditionalareasofriskmanagementwhoseprimaryfocusisontheprotectionofexistingassetsratherthanonfuturegrowth.Oftenthelowscoreforintegrationofriskmanagementintothedecisionprocessisduetoalackofformalizationofriskmanagementintheseareas.Forinstance,manyITorganizationshaveintegratedariskdimensioninthedecisionmakingprocessofICTprojects,thoughoftennotformalizedorinconnectionwithbroaderriskmanagementprograms.

IntegratingriskmanagementindecisionmakingofallprocessesmayincreasetheunderstandingofthebenefitsofanERMprogramatManagementCommitteelevel.Inorderforoperationalmanagementtoseethevalue,theyneedtoseetheirissuesarebeingaddressedinabeneficialway.Toooftenoperationalmanagement

perceivesriskmanagementasanadministrativeburdenanddoesnotrealizethatactiveriskmanagementisrequiredforfurthergrowth.Respondentshaverealizedthischallengeandplantolinkriskwithperformanceinthefuture.

Implementing ERM and organizational approaches

GovernanceMostorganizationshaveaformalriskmanagementorganizationMostrespondents(77%)haveaformalriskmanagementorganization.Dependingontheorganization,theriskmanagementfunctioniseitheraseparatefunctionoritisintegratedwithotherfunctions.

TheprimaryreasonwhyorganizationshavenotyetestablishedaformalriskmanagementorganizationisthelackofavailableresourcesTheorganizationswithoutaformalriskmanagementorganizationarethesmallestorganizations.50%oftheseorganizationsstatedtheircompaniesdonothaveresourcesavailable(people,budget)toconductriskmanagementinaformalriskorganization.

85%

85%

84%

73%

73%

70%

67%

67%

62%

62%

58%

58%

58%

56%

49%

7%

External factors

Finance

Compliance

Strategy

Corporate assets

Information technology

Legal

Reporting

Human resources

Corporate governance

Sales, Marketing &Communication

Planning

Corporate responsibility

Product development

Ethics

Other

Exhibit 13: Scope of ERM program

0% 20% 40% 60% 80% 100%

Commodity Trading/Sourcing

Insurance

Internal Audit

Finance department

EHS

Asset Management

Legal

Ethics & Compliance

Strategic planning

Exhibit 14: Risk consideration in decisionmaking

ICT

Fully incorporated

Partially incorporated

Planto incorporate within next 12 months

No plans to incorporate

0% 20% 40% 60% 80% 100%

Exhibit 15: Does your company have a formal risk management organization for your risk management activities?

77%

23%

Yes

No

Exhibit 16: What are the primary reasons your company does not have formal ERM activities?

50%

33%

17%

No resources available (people, budget)

No benefits exist for my company

Other

16 Risk Intelligence in the Energy & Resources IndustryDetailedsurveyfindings17

Another33%indicatetheydonotseethebenefitsofaformallystructuredriskmanagementfunction.Bothresponsesaredirectlylinkedtotherelativelysmallsizeoftheorganizationsinvolved.Intheremainingresponses(17%),respondentsindicatedtheydidnotseethebenefitsofaformalriskmanagementoverseeingthewholeorganization.

MostorganizationshavestructuredtheirriskmanagementinahybridformatAvastmajorityofrespondents(82%)havestructuredtheirriskmanagementorganizationinahybridformat.Ahybridriskmanagementorganizationcombinestheadvantagesofcentralizedanddecentralizedstructuresandenablesadequateandtimelyresponsestonewemergingrisks.Inahybridstructure,thedifferentbusinessfunctionsperformtheirownriskmanagementactivities(e.g.identificationandanalysisofrisks,implementationofcontrolmeasures,etc.),supportedandcoordinatedbyacentralriskmanagementdepartment.Thetasksofthiscentralteamaretypically:•establishingcommonERMmethodology&tools;•integratingdifferentERMpractices;•consolidatingandintegratingcompany-widerisks;•monitoringandreportingoncompany-wideERM

dashboard;and•disseminatingbestERMpracticesandknowledge.Ingeneral,nooperationalriskresponsibilitiesareassignedtothiscentralriskmanagementfunction.Theownershipofrisklieswiththebusinessfunctions.Inthisset-up,Boardswilltakeonanoversightfunctionandinternalauditwillprovideindependentassessmentandmonitoringservices.Thehybridstructurefacilitatestheintegrationofdifferentapproachesthatcanexistwithregardtostrategicandoperationalrisks.Strategicriskswillusuallyneedacentralizedapproachduetotheirwideimpactwhereoperationalriskswillusuallybetackledonamoredecentralizedway.

ThenumberofFTEinvolvedinriskmanagementactivitieslargelydependsonthesizeoftheorganizationThesurveyrevealsarelationbetweenorganization’stotalresourcesandthenumberofresourcesinvolvedatcentrallevelinriskmanagement.Smallorganizations(<1000FTE)usuallyhaveeithernocentralriskdepartment(15%)oracentralriskdepartmentconstitutedof1to5FTE(24%).Medium-sizedorganizationsmostlystafftheirriskdepartmentwith1to5FTE(24%)andoftenwith5to20FTE(9%).Forlargeorganizations(>10.000FTE),nocleartrendisobserved.

GeographicallyextendedorganizationsneedlargerdecentralizedriskmanagementteamsOrganizationshavebeenstructuringtheirriskmanagementdependingontheirexistingstructureandgeographicfootprint.Thebroadertheregionwheretheorganizationisactive,themoreriskspecialistswillbeneededinthedifferentlocationstoenablerapidresponsetopossiblenewemergingrisks.

CFO’sandCEO’shaveprimaryresponsibilityforERMTheresponsibilityoftheERMprogramhasbeenassignedinprioritytotheCF0(36%)andtheCEO(27%).Thismayexplainwhyriskintegrationishighwithinthefinanceprocessaswellasthegrowingtrendtowardintegrationofriskmanagementinthestrategicprocess.Insomecases(15%),theresponsibilityoftheERMprogramhasbeenassignedtoaspecificallydesignatedChiefRiskOfficer.“Others”(20%)includeothermembersoftheManagementCommittee.Incomparisonwithpreviousanalyses,riskmanagementhasincreasinglybecometheresponsibilitytheCEO.Withriskmanagementbecomingmoreintegratedinthestrategyprocessofthecompany,ERMisrisinghigherontheagendaoftheCEO.ThisimpliesthatRiskmanagementisnotthemanagementofspecificrisksbysomespecialistsanymorebutanintegratedapproachsteeredbyseniormanagement.

MostorganizationshaveariskcommitteewithintheirorganizationAmajorityoftherespondents(59%)hasestablishedariskcommitteewithintheirorganization.

Exhibit 17: How is your risk management organization structured?

82%

3%

15%

Hybrid

Centralized

Decentralized

< 1.000

1.000 - 10.000

> 10.000

Exhibit 18: Number of FTE’s centrally involved in comparison with the total number of FTE’s

0%

5%

10%

15%

20%

25%

30%

>205-201-50

15%

7%

4%

24% 24%

4% 4% 4%2% 2%

9%

Total number of FTE’s

Exhibit 19: ERM Responsibility

36%

27%

15%

20%

2%

CFO

CEO

CRO

Other

Internal audit

Exhibit 20: Existence of risk committee

59%

41%

Yes

No

Exhibit 21: Composition of Risk Committee

39%

29%

26%

6%

Board members

Audit Committee members

Management members

Other

18 Risk Intelligence in the Energy & Resources IndustryDetailedsurveyfindings19

Theestablishedriskcommitteesaremostlyacombinationofboardmembers(39%),auditcommitteemembers(29%),andmanagementmembers(26%).Intheothercases(6%),specificbusinessexpertsareattendingtheriskcommittees.Usually,theriskcommitteemembersareappointedbytheBoardtoassistinoverseeingtheenterpriserisks.Thisexplainstheseniorityofthecompositionoftheriskcommitteeasitsmembersneedtobeabletotaketheadequatedecisions.Someorganizationsappointmorethanonecommitteetohaveadequateoversightdependingontheoperationallevelornatureoftherisks.Riskcommitteescanexistongrouplevelandonlocallevel.Dependingonthenatureoftherisks,differentbusinessexpertswillbeinvited;e.g.foraninvestmentriskcommittee,amarketandcreditriskcommitteewillbeformed.ItisinterestingtoobservethatorganizationsdonotwaitfortheirERMprogramtobefullyoperationalbeforeestablishingaRiskCommittee.

RiskmanagementisoftenaseparateandindependentfunctionThesurveyrevealsthatinanimportantnumberof

organizations(29%),riskmanagementisaseparatefunction.Fortheotherrespondents,riskmanagersalsoperformthefollowingfunctions:Insurance(17%);Internalaudit(12%);Compliance(10%);FraudManagement(3%);andOther(29%).“Other”includescombinationsofpreviouslymentionedfunctionsandotherfunctionslikecontrolling,qualitymanagement,andcreditriskmanagement.Inastart-upphase,riskmanagementisoftencombinedwithotherfunctions.Asmaturityofriskmanagementevolves,organizationsadaptandriskmanagementfollowsitsownwayinthestructureoftheorganization.

RiskmanagementisinternallyperformedMostriskmanagementactivitiesareinternallyperformed.However,someorganizationshaveusedassistancetoimplementtheframeworkwhereotherorganizationsexternalizedveryspecificpartsoftheriskmanagementtoincreasecredibilityorbuildonexperience.

TheCROreportstocommitteesandmanagementOnaverage,theChiefRiskOfficerreportstomorethantwogroupofdirectingmembers.Mostrespondents(67%)statedtheCROreportedat

leastyearlytotheBoardofDirectors.Eventhoughothergovernancegroupsareinformedofriskmanagementresults,ultimatelytheBoardofDirectorsisaccountableforriskmanagement.ReportingtotheBoardispartlylinkedtotheoperationalstatusoftheERMprogram.OftherespondentsthathaveafullyoperationalERMprogram,avastmajorityreporttotheBoardofDirectors(76%).Amongtherespondentswhoseriskprogramisindevelopment,onlyasmallmajorityreporttotheBoardofDirectors(57%).

Respondentsassessthemselvesasmorematureonthegovernancethanontheprocess,peopleortechnologycapabilitycomponentsImplementinganERMprogramstartswithgovernance.ThefirsttaskistodefineanddocumenttheERMpolicyaswellasdefinetherolesandresponsibilitiesofriskmanagement.TherespondentswiththemostmatureERMprograms(50%)haveestablishedacleardefinitionanddocumentationoftherolesandresponsibilitiestomanagerisksaswellasatopdownandbottomupapproachtowardsriskmanagement.MoreimmatureERMprogramsalsostriveforadequatepowerandindependencetoexecutetheirtasksanddutiesandtobuildcredibility.Alargepartofrespondentsindicateconsideringnotonlyconsideringthedownsideofrisksbutalsothepotentialupsideofriskstoacertainextent.Organizationsrealizethatriskmanagementisneedednotonlytoprotectexistingrisks(unrewardedrisks)butalsotoincreasegrowthbyassessingpotentialopportunities(rewardedrisks).Theintegrationofriskmanagementwithothermanagementpractices(e.g.performancemanagement,processmanagement,qualitymanagement,compliance,etc.)isstillindevelopmentinmostorganizations.Comparisonofthegovernancematuritylevelwithothercapabilitycomponentsleadstotheobservationthatgovernanceisthemostmaturecomponent.

Exhibit 22: Other performed functions by the risk manager

29%

12%

3%10%

29%

17%

No other functions are performed

Internal Audit

Fraud Management

Compliance

Insurance

Other

Exhibit 23: Does your company outsource some risk management activities?

20%

80%

Yes

No

Board ofDirectors

0% 10% 20% 30% 40% 50% 60% 70%

67%

53%

53%

51%

49%

24%

Exhibit 24: Chief Risk Officer reports to:

CEO

ManagementCommittee

AuditCommittee

CFO

Others

Exhibit 25: Governance Maturity per Quartile

Adequate resources are used

Balanced top-down & bottom-up approach is used

Defined risk appetite

Defined roles & responsibilities

Written ERM policy

Integrated ERM framework/methodology

ERM considers the down & upside of risk

ERM integrated with otherpractices/methodologies

ERM integrated in goal setting and management

dicision making

ERM has adequate power

Q4

Q3

Q2

Q1

Risk intelligent

Systematic

Top-Down

Specialist Silos

Tribal & Heroic

20 Risk Intelligence in the Energy & Resources IndustryDetailedsurveyfindings21

ProcessRiskmanagementprocessandproceduresareclearlydefinedinalargemajorityoforganizationsThesurveyrevealsthatavastmajorityoftherespondentshaveaclearlydefinedriskmanagementprocess(85%)andriskmanagementprocedures

(70%)inplace.Thedocumentationofprocessesandprocedureshelpstoensureaconsistententerprise-wideriskmanagement.

Mostorganizationswaittoformallydocumenttheirriskmanagementprocessesuntiltheseprocesseshavebecomemoreorlessstable.OncetheERMprogramisfullyoperationalalmostallorganizationshaveacleardefinedriskmanagementprocessandprocedures(respectively94%,88%).Thesmallerproportionofdocumentationofriskmanagementprocedurescanalsobeduetotheperceptionthatprocedureshavefewbenefitscomparedtotheadministrativeburdenofwritingthem.Moreover,thedocumentationofproceduresisrelatedtotheoperationalstatusoftheERMprogram.

RisksaremostlyassessedonaquarterlybasisAlargenumberoftherespondentsassesstheirrisksonaquarterlybasis(24%).Otherusualassessmentfrequenciesare:semi-annual(20%);annual(20%);andadhoc(17%).11%oftherespondentsmentionedamonthlyriskassessmentfrequencyand4%adailyriskassessment.OrganizationswithafullyoperationalERMprogrammostlyassesstheirrisksonaquarterlybasis(47%)whereas24%performariskassessmentonamorefrequentbasisand30%lessfrequently.OrganizationswhoseERMprogramisstillindevelopmentmostlyassesstheirrisksonanadhocbasis(28%),semi-annually(24%)orannually(21%).Still,28%reportmorefrequentassessments.Respondentsstatethatincaseofurgency,theirriskmanagementorganizationforeseesescalationsprocedureswhichenabletheorganizationtoinitiateriskmitigationactiononanadhocbasis.Thisallowstheorganizationtointegrateincidentsintotheriskmanagementsystemandtorespondappropriatelyandonatimelybasistotheseevents.Thefrequencyofassessmentcanvarydependingonthenatureoftherisks.Foroperationalrisks,frequencyofassessmentwilltypicallybehigherthanforstrategicrisks.

Companiesprimarilyrelyonqualitativeself-assessmentsMostrespondents(87%)usemorethanonetechniquetoassesstheirrisks.Ingeneraltherespondentscurrentlyuseabout2to5techniques(60%).Onethirdoftherespondentsplantoimplementfrom1to3additional

How to read the maturity assessments

RespondentshaveassessedthemselvesbasedontheDeloittematuritymodel

Thefigureaboveillustratesthefivematuritystepsfromtheleastmaturestage(TribalandHeroic)atthelefttothemostmaturestage(RiskIntelligent)attheright.Thesamematuritylevelsarerepresentedinthediagramsrepresentingtheresultsofthematurityassessments,goingfromtheleastmaturestageinthecentretothemostmaturestageintheouter.Thequestionsaskedarerepresentedonthevariousaxesofthefigure.Ateachextremity,mentionwasmadeofasummarizedversionofthequestion.

Eachwhitedottedlinerepresentsaquartileofrespondents.Q4(quartile4)correspondstothe25thpercentoflowestmaturityresponses,Q3tothe25thpercentofsecondlowestmaturityresponses,Q2correspondstothe25thpercentofsecondhighestmaturityresponses,andQ1correspondstothe25thpercentofhighestmaturityresponse.

Toillustratethis,inexhibit“GovernanceMaturityperQuartile”,the25percenttopperformers(Q1)assessedthemselvesRiskIntelligentwithrespectto“IntegratedERMframework/methodology”.Withrespectto“WrittenERMpolicy”,thetop50percent(Q1andQ2)indicatedhavingthehighestmaturity.

1. Tribal & Heroic

Exhibit 2: Deloitte Risk Intelligence Maturity model TM

Ad-Hoc/chaotic

Depends primarily onindividuals

Heroics capabilities andverbal wisdom

2. Specialist silos

Reaction to adverseevents by specialists

Descrete roles established for small set of risks

Typically finance, insurance, compliance

3. Top-down

Tone set at the top

Policies, procedures,risk authorities definedand communicated

Business function

Primarily qualitative

Reactive

4. Systematic

Integrated response toadverse events

Performance-linked metrics

Rapid escalation

Cultural transformation

Underway

Bottom-up

Pro-active

5. Risk Intelligent

Built into decesion-making

Conformance withenterprise risk management processes is incentivized

Intelligent risk-taking

Sustainance

‘Risk management iseveryone’s job’

Exhibit 26: A clearly defined risk management process is in place

85%

15%

Yes

No

Exhibit 27: Clearly defined risk management procedures are in place

70%

30%

Yes

No

22 Risk Intelligence in the Energy & Resources IndustryDetailedsurveyfindings23

assessmentmethodsinthe12months(26%)andhalfoftherespondentsplantoimplement1to6ofthecitedmethodsinthelongerrun(51%).Attheonsetofriskmanagement,organizationsprimarilyrelyonqualitativeself-assessments.Asmaturitygrows,organizationstendtoinvestinquantitativetechniquestocomplementqualitativeassessments.Avastmajorityoftherespondents(82%)currentlyusequalitativeself-assessmentstoperformriskmanagement.Self-assessmentsrequirelittledevelopmentastheriskinformationinputisusuallyprovidedbybusinessexperts,whoassesstherisksbasedontheirexperiences.Therefore,organizationsusuallystartbyimplementingtheself-assessmenttechniquebeforeevolvingtomoresophisticatedtechniques.Fromthosewhoimplementedonlyonetechnique(4%),allassesstheirrisksviaself-assessments.Othercommontechniquesareprobabilisticanalyses(68%),scenarioanalyses(63%),andeconomicmetrics(55%).Probabilisticanalysesareusedtoestimateuncertaintyinthevaluesofinputparametersbyusingstatisticaldistributions.Twointerpretationsofriskscenarioanalysiscurrentlyexist:thesensitivity/

probabilisticanalysis(e.g.Lognormal/WeibulldistributionswithMonteCarlosimulations)whichismostcommonlyusedandwelldeveloped;andthemodelingofinteractionsandinterdependenciesbetweendifferentrisks,whichislesscommonlyusedandnotyetwelldeveloped.Economicmetricsincludevalueatrisk,earningsatrisk,cashflowatrisk,allofwhichprovidefinancialevaluationofrisksituations.Fromthesepopularmethods,thescenarioanalysisisthemethodthatmostorganizationsplantoincorporateinthenext12months(7%)orinthelongerterm(19%).Notsocommonlyusedyetistheindustrybenchmark.Insomeorganizations,thebenchmarkisperformedbetweenorganizationsofthesamesizeinsteadofinthesameindustry.9%oftherespondentsplantoincorporatethistechniqueinthenext12monthsand21%atlongerterm.KRI’sareaswellforeseentobeimplementedintheshort(5%)orlongterm(26%).

TwothirdsoftherespondentscurrentlyusequantitativeriskanalysismethodsAmajorityofrespondentsalreadyusequantitativeriskanalyses(66%).

QuantitativeriskanalysesareusedmostlyinFinanceandTax,CommodityTradingandSourcing,andAssetManagementThesetechniquesaremostfrequentlyusedinareassuchasFinanceandTax(56%),CommodityTradingandSourcing(51%),andAssetManagement(40%).Apparently,‘measurable’businessareassuchasFinanceandCommodityTradingaretheprimarydriverfordevelopingquantitativeriskanalysistechniques.Notsurprisingly,alongerhistoryofriskmanagementexistsinthesebusinessareas.Onceimplementedintheseareas,thequantitativetechniquesareoftenappliedtootherbusinessdomains.Accordingtotherespondents,themostimportantchallengewithrespecttotheimplementationofquantitativeanalysesisatthestartofimplementation:identifyingandapplyingeffectivequantitativeriskmeasuringtechniques.Thesecondchallengeistheimplementationofsupportingtoolsforthequantitativetechniques.Theselectionofappropriatetoolingremainsanimportantchallengeforthoseattheverybeginningofthedevelopmentofquantitativetechniquesasmuch

asforthosewhoalreadyperformquantitativeriskmanagementtechniquesindifferentbusinessareas.Respondentsalsomentionedotherchallengeswithrespecttoquantitativeriskanalysis,includingtheidentificationofrequireddataandtheeffectivenessofdatacapturing.

Self-assessments

Probabilistic analysis

Scenario analysis

Economic metrics

Industry benchmark

KRI

Stress-test

Failiure mode and effect analysis

Exhibit 28: Risk assessments methods

Third party assessments

Currently in use

Plan to incorporate in next 12 month

Plan to use

No plans to incorporate

0% 20% 40% 60% 80% 100%

Exhibit 29: Does your company use quantitative risk analysis methods?

66%

34%

Yes

No

Finance and Tax

Commodity Trading/Sourcing

Asset Management

EHS

ICT

Exhibit 30: In which domains are quantitive risk analyses used?

Other

Yes

No

0% 20% 40% 60% 80% 100%

33%

23%

20%

17%

7%

0% 5% 10% 15% 20% 25% 30% 35%

Exhibit 31: Main challenges of implementing quantitative risk analysis

Identifying and applyingeffective quantitative risk

measuring techniques

Implementing supportingtools for quantitative risk

measuring techniques

Effectiveness of datacapturing

Identifying the requireddata for your quantitative

risk analysis

Timeliness and accuracyof data entry

24 Risk Intelligence in the Energy & Resources IndustryDetailedsurveyfindings25

OrganizationscapturequantitativedatathroughincidentmonitoringsystemsandpaperformatInregardtothetechniqueusedtocapturequantitativedata,respondentsnotedincidentmonitoringsystems(69%)andpaperformat(66%)arethemostfrequentlyusedtools.60%oftherespondentsindicateusing2to3techniquestocapturequantitativedata.However,unliketheriskassessmentstechniques,newmethodsforquantitativeriskanalysesarelesslikelytobeimplemented.Currently,mostofthesetechniquesaredevelopedtocapturehistoricdata(e.g.incidents).Emergingtechniquesincludeconditionmonitoringsystems(usedby45%oftherespondents)whichfacilitatepredictionoffutureincidents(e.g.withinthedomainofassetmanagement).

Organizationshaveaclearprocessfortheidentification,evaluation,andmitigationofriskbutlackmaturityonmonitoringaspectsGenerally,respondentsassessedthemselvesratherhighlyonprocessmaturity.Identification,evaluation,anddocumentationofriskshavebecomematureriskmanagementactivities.Thelowestprocessmaturitylevelswereassignedtomonitoringandreportingaspectsoftheriskmanagementprocess.ImplementationofKRIsdoesnotseemasyettobeacommonlyusedriskmonitoringpractice.

PeopleFeworganizationstrainallemployeesinEnterpriseRiskManagementAlthoughtrainingisrecognizedasanimportantcontributortothecreationofarisk-awareculture,asignificantpartofrespondents(31%)donothaveastructuredtrainingplaninplace.Approximately69%oftherespondentsstatethattheirorganizationsdohaveastructuredtrainingplan.Ofthose,thegreatestnumber(42%)focustheireffortsontheemployeesthataredirectlyinvolvedinriskmanagementactivities.20%ofrespondentsstatetheirorganizationstrainonlythosespecialistswhoperformspecificriskmanagementfunctions.FeworganizationsextendedERMtrainingtoallemployees(7%).TrainingisstronglyrelatedtotheoperationalstatusoftheERMprogram.Respondentswhostatedtheirorganizationdidnothaveastructuredtrainingplan(100%)areinthedevelopmentstageoftheirERMprogram.Similarly,mostrespondentswhostatedtheirorganizationtrainsonlyspecialists(78%)arealsoindevelopmentstageoftheirERMprogram.OrganizationsthatassessthemselvesasbeingbetterpreparedinriskmanagementinvolvemoreemployeesinanERMtrainingprogramandviceversa.Ofthoserespondentsstatingthattheirorganizationstrainallemployeesorallemployeesinvolvedinriskmanagement,amajorityassessestheirERMmaturity

abovetheaverage.AmongtheorganizationsthatonlytrainriskspecialistsorthathavenostructuredtrainingplanareonlyalimitednumberoforganizationswhoassessedtheirERMmaturityasabovetheaverage.

OrganizationshaveastrongfocusonERMskillsandknowledgeRespondentsassessedthepeople-relatedaspectsofERMfrommediumtohighmaturity.

Paper format

Statistic samplingtechniques

Mandatory fields(incident loggings)

Hand held devices(incident loggings)

Automated loggingsystems

Condition monitoringsystems

Exhibit 32: Which quantitative data capturing methods are used?

Incident monitoringsystems

Currently in use

Plan to incorporate in next 12 month

Plan to use

No plans to incorporate

0% 20% 40% 60% 80% 100%

Exhibit 33: Process Maturity per Quartile

Periodical reporting is in place

Risk mitigation plans are designed

Risks are evaluated and prioritized

Identified risks are documented

All important risks are identified

ERM process is audited

Efficiency & effectivenessis monitored

Risk limits are monitored

KRIs are in place

Q3

Q2

Q1

Q4

Risk intelligent

Systematic

Top-Down

Specialist Silos

Tribal & Heroic

Report risks/control activities

Monitor risks/control activities

Doc risks/control activities

Assess risks/control activities

Document processflows/narratives

Other

Integratedperformancemanagement

0% 10% 20% 30%40% 50% 60% 70% 80%

75%

75%

61%

68%

39%

29%

25%

Exhibit 38: Which activities are performed using the risk management tool?

Exhibit 35: People Maturity per Quartile

Risk job descriptions exist

Communication is in place

People understand their responsibilities

People have skills & knowledge

ERM is integratedin training

Company knowsERM best practices

Risk culture is promoted

Q3

Q2

Q1

Q4

Risk intelligent

Systematic

Top-Down

Specialist Silos

Tribal & Heroic

26 Risk Intelligence in the Energy & Resources IndustryDetailedsurveyfindings27

‘Hard’aspectsofpeoplematurityareassessedpositively,whereasthe‘soft’aspectsofpeoplematuritytendtobelesspositive.ThehighscoresofERMknowledgeandbestpracticesindicateahighdegreeofspecialization.Theserespondentsfeelcomfortablewiththeunderstandingofrolesenresponsibilitiesandriskjobdescriptions.Respondentsestimatethatthe‘soft’aspectsofpeoplematurity,suchascommunicationandtraining,arelessdeveloped.Oneareathatappearstobeopenforimprovementisintegrationofriskmanagementinthecompany’strainingprogram.Onlythe25%mostmatureorganizationsassessthatthisintegrationtakesplacesystematically.Thisassessmentmightresultfromtheearlierfindingthatmostorganizationsoptedtotrainonlyalimitednumberofpeopleinriskmanagement.Inamajorityoftherespondingorganizations,onlythepeoplewhodirectlyperformriskmanagementactivitiesareinvolvedinanERMtrainingprogram.TechnologyAmajorityofrespondentshaveERMsoftwareortoolstosupporttheERMprocess63%oftherespondentsindicatethattheirorganizationsareusingariskmanagementtooltosupporttheERM

process.OfthoseusingERMtools,asmallmajorityof55%areusingtoolsdevelopedin-houseinsteadofusingpurchasedtools.TheuseofatoolisrelatedtooperationalstatusoftheERMprogram.80%ofthefullyoperationalERMprogramrespondentsuseatoolcomparedtoonly50%oftheERMprogramsindevelopment.Moreover,organizationsthatassessedthemselvesasbeingbetterpreparedtomanageriskalsoreportmakinguseofasupportingERMtool.Organizationsthatassessedtheirriskmaturityratherlowdidnotuseofsuchtools.

IntheearlystagesofthedevelopmentofanERMsystem,organizationsfocusonthedevelopmentofatailoredERMmethodology.Oncethismethodologyisfine-tuned,attentionispaidtoanappropriatesupportingtool.TheuseofanERMtoolhasmanybenefits.Itcontributestoauniformapplicationofriskmanagementalongbusinessunitsandfunctionsanditallowsprocessinglargeamountsofdataintocompany-wideriskmonitoringtoolsandreports.Itismainlyinthesetwodomainsthataperformingbutuser-friendlyriskmanagementtoolcanproveitsaddedvalue.

Asobservedearlier,riskmonitoringandreportingaretheleastdevelopedaspectsoftheERMprocess.AsupportingERMtoolcanfacilitatetheimplementationofthesefinalstagesoftheERMimplementationprocess.

ERMtoolsfocusondocumentation,assessment,monitoring,andreportingoftheriskmanagementprocess.TheconnectionwithotherkeymanagementactivitieshasnotyetbeenmadeRespondentshavinganERMtoolindicatethattheirorganizationsusethetooltodocument(68%),assess(61%),monitor(75%),andreport(75%)riskandcontrolactivities.ToolingcanespeciallyhelpmakeriskmonitoringandriskreportingmoreefficientandeffectiveandhencedrivethedevelopmentofthesefinalstagesintheERMprocess(whichrespondentsindicatedastheleastdevelopedaspectoftheriskmanagementprocess).

Theconnectionwithotherkeymanagementactivitieshasnotyetbeenmade,asonly25%ofrespondentindicateusingtheirERMtooltointegrateriskmanagementwithperformancemanagement(KPIs,balancedscorecards,riskadjustedperformancemanagement).ThismaymeanthatERMisdisconnectedfromvaluecreation,andthusfromfuturegrowth,makingitdifficulttoconvincemanagementofthevalueofimprovedERMsincethereisnolinkagetovalue,onlytoloss.Onlyfeworganizationsleveragetheirriskmanagementtooltointegrateriskmanagementwithperformancemanagement.

Exhibit 37: Does your company have a risk management software or tool?

63%

37%

Yes

No

Exhibit 36: Is you risk management tool built in-house or was it aquired?

45%

55%

In house

Aquired

Report risks/control activities

Monitor risks/control activities

Doc risks/control activities

Assess risks/control activities

Document processflows/narratives

Other

Integratedperformancemanagement

0% 10% 20% 30%40% 50% 60% 70% 80%

75%

75%

61%

68%

39%

29%

25%

Exhibit 38: Which activities are performed using the risk management tool?

IT applications are used to assess & monitor risks

RM tool is integratedwith other systems

Integrated IT system are used to manage risks

Exhibit 39: Technology Maturity per Quartile

RM tool enables costefficience compliance Q4

Q3Q2

Q1

Risk intelligent

Systematic

Top-Down

Specialist Silos

Tribal & Heroic

28 Risk Intelligence in the Energy & Resources IndustryTop10Energy&ResourcesRisks29

TechnologyistheleastdevelopeddimensionofEnterpriseRiskManagementIngeneral,respondentsassesstheirtechnologymaturityratherlow.TheyindicatethatintheirorganizationstheuseofERMtoolsisoften‘silodriven.’ERMtoolsarebeingused,butnotyetonanintegratedandcompany-widebasis.Amongthefoursub-domainsoftechnologymaturity,asimilarmaturitylevelexistsinthreeofthefourtechnologysub-domains:50%ofrespondentsindicateanadhocorsilobasedapproachwithregardtotheuseofanintegratedERMsystem,theuseoftheIT-systemtoassessandmonitorriskquantitatively,andtheextenttowhichthesystemenablesthebundlingofrelatedrisksacrossfunctionalareas.TheintegrationoftheERMtoolwithotherIT-systemappearstobeevenlessmature.75%ofrespondentsstatethattheintegrationwithotherITsystemonlyhappensonanadhocbasis.Thisisconsistentwiththeearlierfindingthatonlyaminorityofrespondents

havetheirERMtoolintegratedwithperformancemanagementsystems,suchasbalancedscorecardsandERPsystems.ThisleadstotheconclusionthattechnologyistheleastdevelopeddimensionofEnterpriseRiskManagement.TheintegrationofanERMtoolwithothermanagementsystemsremainsamajorweaknessintheoverallERMperformance.DespiteaproliferationofvendorscompetingintheERMmarketplace,nosinglepackagesolutionhasemergedtoprovidethenecessaryfunctionalitytosupporttheentireERMcapability.Somemoreestablishedvendorsofferriskanalysissolutionsthatenableuserstomakebetterinformeddecisionsusingspecifiedriskparametersandrobustdatainput.However,functionalitytoallowuserstoperformafullrangeofERManalysessuchasmodelingdetailedevent-treesandscenarios,calculatingaggregateriskmeasures,facilitatingcapitalinvestmentandallocation,andgeneratingriskmanagementreportsremainselusive.

Respondentsindicatedthetop10risksfacedbytheircompanies.Resultsarebrokenoutbyindustry/sub-segment:ElectricPower&Utility(powergenerationandsupply);SystemOperators(transportationanddistributionofelectricity,gasandwater);andOil&Gascompanies(upstreamanddownstream).InsufficientresponseswerereceivedfromMetallurgy&Miningcompanies(extraction,productionandtreatmentofmetalsandminerals)toanalyzeseparately.

CommoditytradingrisktoppedthelistforElectricPower&Utilitycompanies.Secondcameperformanceriskrelatedtogenerationassets,followedbyoperationefficiencyriskandregulatoryrisk.Increasinginimportanceisproductdevelopmentrisk,relatedamongotherthingstotheriseofdecentralizedenergyproductionwithhouseholdsproducingtheirownenergy.ManyElectricPower&Utilitycompaniesarelookingfornewservicestocompensateforthislossofrevenues.

The“other”risksmentionedare:strategicinvestmentandprojectdevelopment.

Whenlookingatthetop10risksofcompanieswithsystemoperatoractivities,regulatoryriskisatthetop.Mostofthesecompaniesareworkinginaheavilyregulatedenvironment,withtheregulatorsettingpricesfortheservicestheyprovide.Thesecondrankedriskisassetperformancerisk,directlylinkedtotheircorebusinessoperatingthetransportationordistributiongrid(e.g.black-outs,gridlosses,etc.).

The“other”risksmentionedare:waterqualityrisk;projectfinancerisk;projectmanagementrisk;environmental,healthandsafetyrisk;ITinfrastructureriskandfinancialperformancerisk.

Top Energy & Resources Risks

78%

78%

70%

70%

63%

59%

59%

56%

52%

52%

48%

30%

19%

Commodity trading

Asset performance

Operation efficiency

Regulatory

Data quality and integrity

Compliance

Business continuity

People and talent

Credit

Competition

Brand and reputation

Product development

Fraud

Exhibit 40: Top Energy & Resoucres risks Electric Power & Utility

0% 20% 40% 60% 80% 100%

20%

13%

80%

73%

67%

60%

60%

53%

53%

47%

33%

33%

27%Commodity trading

Asset performance

Operation efficiency

Regulatory

Data quality and integrity

Compliance

Business continuity

People and talent

Credit

Competition

Brand and reputation

Fraud

Product development

Exhibit 41: Top Energy & Resoucres risks System Operators

0% 20% 40% 60% 80% 100%

30 Risk Intelligence in the Energy & Resources IndustryTop10Energy&ResourcesRisks31

ForOil&Gascompanies,therankingsshowninthechartdonotrepresentthewholepicturegiventhehighnumberof“other”risksfallingoutsidetherankedcategories.Analysisoftheriskslistedas“other”revealsomepatterns.GiventhatOil&Gascompanies,bothupstreamanddownstream,arecapitalintensive,risksrelatedtostrategyandputtingcapitaltogoodusecometothefore.Mostrespondentshadriskssuchasstrategicrisk,costofcapital,assetperformance(includingsubsurfaceandresourcerisk),andassetdevelopmentintheirtop5.Othermentionedrisksreflectacontinuingemphasisongeopoliticalriskduetoeitherassetsortransportationroutesbeinglocatedinornearpoliticallyunstablecountries.ThoseOil&Gasrespondentsthatengageincommoditytradinglistitasoneoftheirtop5risksandthosethatdonottradelistmarketorpriceriskintheirtop5.Peopleandtalentriskstillmakesthetop10forallbut1respondent,butisnolongerinthetop3-5asitcommonlywaspriortotheeconomicdownturninmanysurveysconducted.

The“other”risksmentionedare:adequaterawmaterials;alignmentwithkeystakeholders;assetintegrity;capitalcost/capitalcostestimation;carbon;environmental,healthandsafetyrisk,environmentrisk;managingdevelopmentprojects;market/commoditymarketprice;political/geopolitical;strategic;andsubsurface/resources.

FormanyElectricPower&UtilityandOil&Gascompanies,riskmanagementprogramsstartedintheircommoditytradingandhealth,safety,andenvironmentactivitiesandthenextendedtootherdomainstocoverallfunctionsandbusinessunits.Asenterprisewidecoveragewasachieved,thefocusshiftedfromcontrollingunrewardedrisks(lossprevention)toevaluatingrewardedrisks(valuecreation)suchasstrategicandproductdevelopmentrisks.FormanySystemOperators,ERMprogramshaveashorterhistory,arelessmature,andhaveamoreoperationalandcompliancefocus,althoughstrategicrisksarejustasrelevantforthem(e.g.productdevelopmentriskswithrespecttodecentralizedproduction,smartmetering,smartgrid,useofgassesfromseweragesystemtogeneratepower,injectionofbiogasesintothegrids,etc.).ThoughsystemOperatorsarequicklycatchingupandmayevenbemoreadvancedinsomeareas.

20%

0%

80%

80%

60%

40%

40%

40%

40%

40%

40%

20%

20%

Commodity trading risk

Asset performance risk

Operation efficiency risk

Regulatory risk

Data quality and integrity risk

Compliance risk

Business continuity risk

People and talent risk

Credit risk

Competition risk

Brand and reputation risk

Fraud risk

Product development risk

Exhibit 42: Top Energy & Resoucres risks Oil & Gas

0% 20% 40% 60% 80% 100%

32 Risk Intelligence in the Energy & Resources IndustryConclusion33

&Resourcescompaniescanincorporateriskintorelatedmanagementareassuchasstrategicplanning,capitalinvestmentandallocation,andperformancemeasurement.Withaclearriskappetiteandrisktolerance,theorganizationisguidedtopursuenewopportunitiesthatcreatevalueforstakeholders.

Incorporatingriskintocapitalandperformanceactivitiesthroughadvancedmeasurementtechniquescanprovidetheboardofdirectorsandseniormanagementwiththenecessaryconfidencetostartdeployingcapitalwiththeoverarchingobjectiveofcreatingvalueratherthansimplypreservingvalue.

A way forwardBuildingtheRiskIntelligentEnergy&ResourcesEnterprisehasproventobeadauntingtask,evenforEnergy&ResourcescompanieswiththemostadvancedandsophisticatedERMcapabilities.GiventhescopeandcomplexityofimplementingtheERMcapabilityandthediversityofstartingpointsamongmostEnergy&Resourcescompanies,aflexibleapproachisprobablymostappropriate.Belowisanapproachforbuilding/enhancingandsustainingtheERMcapabilitiesthatcanbeeffectiveformanyorganizationsalongtheERMjourney.

Build/enhancetheERMCapabilityTobuild/enhancetheERMcapability,theERMprogramshouldstartitsplanningwiththeassessmentoftheorganization’sERMcapability,relativetocapabilitycomponentsthatcorrespondtoeachstageinthecapabilitymaturitymodel,inordertoestablishabaseline.TheoutcomeofthisdiagnosticshouldprovidesufficientinformationtoevaluatethenatureandextentofgapsbetweenthecurrentanddesiredERMcapabilitymaturitystages.Itshouldalsoprovidetherelevantdatatoperformacost-benefitanalysisfortheERMcapabilityandprepareabusinesscase.MilestonesshouldbebasedonkeyattributesintheERMcapabilitymaturitymodelsothattheprogramteamcaneffectivelymonitorandreportonprogress.

SustaintheERMCapabilityAswithmostoftoday’scriticalmanagementcapabilities,sustainingtheERMcapabilityatmostEnergy&Resourcescompanieswillrequireaprocessofcontinuousimprovement.Changesinprevailingconditionsintheoperatingenvironment,theorganization’scompositionandobjectives,orthe

expectationsofkeystakeholdersmayrequireadditionalefforttomaintainthedesiredstageofERMcapabilitymaturity.Movingtomoreadvancedstageswilllikelyinvolveaniterativeprocess.DevelopinganERMcapabilitycanrequiresubstantialeffortaswellasscarceresourcesandseniormanagementattention.Thebenefitsandcostsofmovingfromless-advancedtomore-advancedstagesoftheERMcapabilitymaturitymodelshouldbecarefullyconsideredbeforelaunchingtheprogram.

TheEnergy&Resourcesindustry,alongsidethefinancialservicesindustry,keepsonfulfillingitsroleofearlyadaptorandpioneerintheongoingevolutionoftheERMcapabilitytowardsbecomingatrulyRiskIntelligentEnterprise™.

Building the Risk Intelligent Energy & Resources EnterpriseWhiletheEnergy&ResourcesindustrymaybeleadingthewayinimplementingERM,thereisstillconsiderableroomforimprovement.ManyEnergy&Resourcescompaniesareaskingthequestion:WhatwillittaketomovebeyondourcurrentstageofERM?

ThisreportshouldhelpEnergy&ResourcescompaniesidentifyopportunitiestomovetowardbecomingaRiskIntelligentEnergy&ResourcesEnterprise.

SomeoftheremainingchallengesfacedbyEnergy&ResourcescompaniesandsuggestionsformovingtowardtheRiskIntelligentEnterprisearediscussedbelow.

MovingbeyondtheinitialstageManyEnergy&Resourcescompanieshavemovedforwardbyperformingenterpriseriskassessments,implementingriskregisters,developingrisktreatmentplans,andmonitoringthestatusofcertainhigh-priorityriskexposures.AlthoughsomeEnergy&ResourcescompanieshaveconsideredimplementingmostorallcomponentsofanERMcapabilityatonce,manyhaveinsteadchosenanincrementalapproachfortheimplementationoftheirERMprogram.Startingwithafewrisktypesorbusinessunitscanprovideopportunitiestoestablishcredibilityandbolstersupportthroughearlywinswhilegraduallychangingtheenterprise’scultureandlearningvaluablelessonsalongtheway.Thechallengeistoturnthisone-offexercise,mostoftentop-downdriven,intoacontinuousprocess.Keytoovercomingthishurdleisthecriticalconnectionofthe“top-down”identifiedriskswiththeoperationalriskspeopleencounterintheirday-to-dayactivities.Oncethisisaccomplished,riskmanagementcanbetrulyembeddedintotheorganization,makingitpartofdailyprocessesandoperations.Structuresneedtobedesignedwhereoperationalriskinformationcanfeduptothehigherenterprise-levelrisksrequiredforinformed“top-down”managementoftheorganization’srisks.Incontrast,enterprise-levelriskinformationneedstobefeddown,beingtranslatedintoconcreteactivitiesontheworkfloorrequiredforeffective“bottom-up”managementofspecificexposures.Theabilitytomeasureandmanageriskexposuresfromboththetop-downandbottom-upiscriticaltobecomingafullyRiskIntelligententerprise–tobuildinformedrisk-

takingandinformationintorelevantdecision-makingthroughouttheorganizationinacontinuousprocess.

AchievingenterprisewidecoverageManyEnergy&Resourcescompanieshavedevelopedfairlyrobustapproachestomanageafewrisktypesinisolation,includinginsurablehazardrisksandreadilyquantifiablemarket(orprice)riskandcreditrisk.Somealsorelyonrelativelyhaphazardorunsophisticatedquantitativeandqualitativeriskanalysistechniquestoaddressotherrisktypesonanindividualbasis.ManyEnergy&Resourcescompaniesalsofocustheirriskmanagementactivitiesonbusinessunitsthatareassumedtoincludethemostsignificantriskexposuressuchascommoditytrading.

MovingbeyondafragmentedERMcapabilityinvolvesexpandingthecoverageofriskmanagementactivitiestoencompassallmaterialrisktypesandbusinessunits.Suchanapproachdoesnotmeanthatallriskexposuresaregivenequalconsiderationoraremanagedinthesameway;rather,itmeansthattheorganizationisabletomakeamoreinformedandconsciousdecisiononwhichrisksitshouldactivelymanageandhowitshouldmanagetheseexposures.Forexample,theorganizationmayelecttoself-insurecertainnonmaterialexposuresdependingonitsoverallriskprofileandriskappetite.

Achievinggreatercoveragerequiresdevelopingandapplyingdifferentapproachestoanalyzeandmanagethereadilyquantitativerisktypesdescribedaboveandthemorequalitativestrategic,political,legal,andregulatoryrisktypes.Forexample,commoditytradingbusinessunitsmaydecidethatindividualtransactionsandriskexposuresshouldbedirectlymodeled,measured,reported,andmonitored.Incontrast,techniquessuchasscenarioanalysismaybeappropriateformorequalitativerisktypes.

IncorporatingRiskintoStrategyBeforeriskcanbeaggregatedintostrategy,riskacrossrisktypesandbusinessunitsneedtobeintegratedandaggregatedtoprovideatrulyenterprise-wideperspective.Oncetheboardofdirectorsandseniormanagementbetterunderstandhowindividualriskexposures—arisingfromeachrisktypeandbusinessunit—contributetotheenterprise’saggregateriskexposure,theyarepositionedtouseriskinamorestrategicway.Relyingontheaggregateriskmeasures,Energy

Conclusion

34

Contact us

BelgiumLaurent Vandendooren DeloitteBedrijfsrevisorenBVo.v.v.e.CVBARiskIntelligenceLeaderEnterpriseRiskServices+3228002281lvandendooren@deloitte.com

LaurentVandendoorenisapartneratDeloitteEnterpriseRiskServicesinBelgium.LaurentistheLeaderoftheBelgianInternalAudit&RiskManagementpractice,activeinthesetupandenhancementofRiskManagementdepartmentsandsponsoringthedevelopmentofRiskManagementframeworks,processes,toolsandtechniques.

BelgiumJeroen Vergauwe DeloitteBedrijfsrevisorenBVo.v.v.e.CVBASeniorManagerEnterpriseRiskServices+32496578323jvergauwe@deloitte.com

JeroenVergauweisseniormanagerinDeloitte’sEnergy&Resourcespractice.JeroenisplayingakeyroleinthedevelopmentoftheEnergy&ResourcespracticeinBelgium,developingcomprehensiveandintegratedsolutionstomeettheneedsoftheEnergy&Resourcesmarket,developmentofthoughtleadership,performingmarketresearchandorganizingindustrytraining.

GlobalJohn England DeloitteToucheTohmatsuGlobalEnergy&ResourcesLeaderEnterpriseRiskServices+17139822556jengland@deloitte.com

DenmarkMikkel Boe DeloitteBusinessConsultingA/SPartnerBusinessConsulting+4536102494mikboe@deloitte.dk

FinlandTuomo SalmiDeloitte&ToucheOyPartnerBusinessConsulting&EnterpriseRiskServices+358407169728tuomo.salmi@deloitte.fi

FranceThomas Aragnetti DeloitteConseilPartnerEnterpriseRiskServices+33155616209taragnetti@deloitte.fr

GermanyAndreas Herzig Deloitte&ToucheGmbHWirtschaftsprüfungs-gesellschaftPartnerEnterpriseRiskServices+49711165547160aherzig@deloitte.de

ItalyCiro Trotta DeloitteEnterpriseRiskServicesSrlaSocioUnicoDirectorEnterpriseRiskServices+393351350759ctrotta@deloitte.it

NetherlandsMarko van Zwam DeloitteAccountantsB.V.PartnerDeloitteEnterpriseRiskServices+31621272904mvanzwam@deloitte.nl

NigeriaOlufemi AbegundeAkintolaWilliamsDeloitteLeader,WestAfricaOil&GasAudit+2348052090424oabegunde@deloitte.com

SouthAfricaCathy Gibson Deloitte&ToucheDirectorRiskAdvisory+27823307711cgibson@deloitte.co.za

SpainAlberto Amores González Deloitte,S.L.PartnerEnterpriseRiskServices+34915145000aamores@deloitte.es

SwedenJan Bäckman DeloitteABPartnerBusinessConsulting+46752462689jbackman@deloitte.se

UAEDr. Patchin Curtis Deloitte&Touche(M.E.)Leader,MiddleEastERMCenterofExcellenceEnterpriseRiskServices+971(4)3698999patcurtis@deloitte.com

Authors

Other contacts

Deloitteprovidesaudit,tax,consulting,andfinancialadvisoryservicestopublicandprivateclientsspanningmultipleindustries.Withagloballyconnectednetworkofmemberfirmsinmorethan140countries,Deloittebringsworld-classcapabilitiesanddeeplocalexpertisetohelpclientssucceedwherevertheyoperate.Deloitte'sapproximately169,000professionalsarecommittedtobecomingthestandardofexcellence.Deloitte’sprofessionalsareunifiedbyacollaborativeculturethatfostersintegrity,outstandingvaluetomarketsandclients,commitmenttoeachother,andstrengthfromculturaldiversity.Theyenjoyanenvironmentofcontinuouslearning,challengingexperiences,andenrichingcareeropportunities.Deloitte’sprofessionalsarededicatedtostrengtheningcorporateresponsibility,buildingpublictrust,andmakingapositiveimpactintheircommunities.

DeloittereferstooneormoreofDeloitteToucheTohmatsu,aSwissVerein,anditsnetworkofmemberfirms,eachofwhichisalegallyseparateandindependententity.Pleaseseewww.deloitte.com/aboutforadetaileddescriptionofthelegalstructureofDeloitteToucheTohmatsuanditsmemberfirms.

©April2010-DeloitteBedrijfsrevisoren/Reviseursd’Entreprises.MemberofDeloitteToucheTohmatsuDesignedandproducedbytheCreativeStudioatDeloitte,Belgium