Enterprise Risk Management ~ The Pathway for Assuring the Achievement of Corporate Vision Nik Mohd Hasyudeen Yusoff Executive Chairman KHR Business Advisory Sdn. Bhd. 21 December 2006

Enterprise Risk Management ~ Inovastra

May 20, 2015


Nik Hasyudeen

Concepts and principles of Enterprise Risks Management
Transcript
Page 1: Enterprise Risk Management ~ Inovastra

Enterprise Risk Management ~ The Pathway for Assuring the Achievement of Corporate Vision

Nik Mohd Hasyudeen Yusoff
Executive Chairman
KHR Business Advisory Sdn. Bhd.
21 December 2006

Page 2: Enterprise Risk Management ~ Inovastra

Agenda

• Strategic Objectives and Risks
• The Concept of Enterprise Risk Management (ERM)
• Steps in Implementing ERM
• The Role Play in Making ERM Works

Page 3: Enterprise Risk Management ~ Inovastra

• The underlying premise of Enterprise Risk Management (ERM) is that every entity exists to provide value for its stakeholders.

• Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives.

Strategic Objectives and Risks

Page 4: Enterprise Risk Management ~ Inovastra

• For governmental agencies, the purpose of their creation goes beyond providing financial returns

• The balancing between commercial aspects and people's expectations makes realising strategic objectives more challenging

• That’s why the GLCs need so many books!

Strategic Objectives and Risks

Page 5: Enterprise Risk Management ~ Inovastra

Strategic Objectives and Risks

[Diagram: Cascading Strategy into Action. Vision and Mission → Strategic Objectives → Programmes and Projects → Outcome, with three Feedback arrows]

Page 6: Enterprise Risk Management ~ Inovastra

• The next question then is, what is RISK?

• Is “risk” all bad?

Strategic Objectives and Risks

Page 7: Enterprise Risk Management ~ Inovastra

Strategic Objectives and Risks

Page 8: Enterprise Risk Management ~ Inovastra

Strategic Objectives and Risks

Mark Beasley, North Carolina State University

Page 9: Enterprise Risk Management ~ Inovastra

Strategic Objectives and Risks

Mark Beasley, North Carolina State University, 2004 Survey

Disconnect

Page 10: Enterprise Risk Management ~ Inovastra

Strategic Objectives and Risks

Inovastra Risk Model

Potential Areas of Risks to Organisations

Page 11: Enterprise Risk Management ~ Inovastra

• Some examples of Strategic Risks
  – A property development company plans to develop link houses surrounding a beautiful natural lake (Demand risk)
  – A scientific research agency sets up an education institution offering business courses (Competition risk)
  – An agency enters into a business in which it has no expertise (Capability risk)

Strategic Objectives and Risks

Page 12: Enterprise Risk Management ~ Inovastra

• Some examples of Other Risks
– A deposit taking company promises fixed return to investors when its investment generates fluctuating returns (Financial ~ Market risk)

– A company sets new strategy that requires people with different attitude and mindset (Operational ~ People risk)

– An entity makes investment into new information technology infrastructure without considering potential changes in technology (Operational – Technology

Strategic Objectives and Risks

Page 13: Enterprise Risk Management ~ Inovastra

• Some examples of Other Risks
– An agency entered into a joint venture and relied on the joint venture’s partner to draft the joint venture agreement (Compliance ~ Contractual risk)

– A company has to provide for huge impairment losses as its fleet of vessels is no longer allowed to transport certain cargo due to changes in maritime rules (Compliance ~ Regulatory risk)

– A company which certifies its products as HALAL is involved in corrupt practices (Compliance ~ Corporate values risk)

Strategic Objectives and Risks

Page 14: Enterprise Risk Management ~ Inovastra

Strategic Objectives and Risks

There are also situations where multiple risks are involved:

• Full service
• Convenience
• Full of legacy
• Government linked company

• Low cost
• Price driven
• New start-up (technically)
• Privately controlled

Page 15: Enterprise Risk Management ~ Inovastra

[Diagram labels: Organisation; Politics, Economy, Education, Society, Technology, Environment, Spirituality; Global, Regional, National]

Strategic Objectives and Risks

The world keeps on changing!

Page 16: Enterprise Risk Management ~ Inovastra

Technology
• Keeps changing and changing very fast!
• New products and services
• New way of doing business
• Increased production efficiency and effectiveness
• New markets
• New threats

Strategic Objectives and Risks

Page 17: Enterprise Risk Management ~ Inovastra

Economy
• More open and globalised economy
• Movement from production based to service based economy, driven by knowledge capital

• Intangible (Intellectual) assets are main value driver for business, not easily measured though

• Companies becoming less “nation” based

• 9MP introduces the “regional” concept of development

Strategic Objectives and Risks

Page 18: Enterprise Risk Management ~ Inovastra

Education
• Driver of intellectual capital – Knowledge Workers
• Global based education standards
• Shorter lifespan of knowledge, 12 months for IT!
• Continuous Re-education is the way forward
• What matters is “What do you do with the knowledge you learned?”

Strategic Objectives and Risks

Page 19: Enterprise Risk Management ~ Inovastra

Environment
• Matters to a lot of people now – Corporate Responsibility Reporting

• Environment based compliance standards – Eco Labelling

• New “barrier” to trade

Strategic Objectives and Risks

Page 20: Enterprise Risk Management ~ Inovastra

Society
• It's all about people, remember Enron, WorldCom?
• Public views are easily influenced through digital media
• Society with global values? – War on terrorism, Freedom of expression

Strategic Objectives and Risks

Page 21: Enterprise Risk Management ~ Inovastra

Politics
• A shift in political direction would have impact on business environment
• Globalisation of political issues?
• Influences the level of transparency in business dealings

Strategic Objectives and Risks

Page 22: Enterprise Risk Management ~ Inovastra

Spirituality
• Islamic financial market is an example of influence of spirituality on business
• Ethical funds
• Cuts across borders, based on people’s belief

Strategic Objectives and Risks

Page 23: Enterprise Risk Management ~ Inovastra

The Concept of Enterprise Risk Management

How do organisations manage their risks?

[Figure: stages labelled I to VII, with the following statements]
• Risk management equals buying insurance
• Regulators are demanding risk management activities
• We need a sustainable process to monitor all risks
• We need to know the economic impact of our largest risks
• Risks need to be quantified comprehensively
• Shareholders demand a risk/return framework
• Decision making across firm is linked to building economic value

Mercer Oliver Wyman analysis (modified)

Value add for organisations

Page 24: Enterprise Risk Management ~ Inovastra

The Concept of Enterprise Risk Management

Source: Protiviti Inc.

Page 25: Enterprise Risk Management ~ Inovastra

The Concept of Enterprise Risk Management

• Strategic Market Risks
• Operations Risks
• Finance Risks
• Human Capital Risks
• IT Risks
• Reputation Risks
• Legal Risks

Enterprise Focus On Risks

Risks are managed in silos; each business unit or entity manages only its own

Page 26: Enterprise Risk Management ~ Inovastra

The Concept of Enterprise Risk Management

• Strategic Market Risks
• Operations Risks
• Finance Risks
• Human Capital Risks
• IT Risks
• Reputation Risks
• Legal Risks

Enterprise Focus On Risks

Value Creation and Preservation

Risks are managed on an integrated basis

Page 27: Enterprise Risk Management ~ Inovastra

• Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

The Concept of Enterprise Risk Management

Enterprise Risk Management – Integrated Framework, COSO

Page 28: Enterprise Risk Management ~ Inovastra

• Enterprise – Not just selected “silo” of risks
• Process – Ongoing, living, systematic
• Consideration of risk on portfolio basis
  – Collection of risks
  – Interactions of risks
• Done to enhance entity value
  – Heavily integrated with business strategy

The Concept of Enterprise Risk Management

Page 29: Enterprise Risk Management ~ Inovastra

• Focus is on coordinated programme for identification, measurement, assessment, and response to risks primarily across 2 dimensions
  – Probability (Likelihood)
  – Criticality (Consequence)
• Key part of entity’s corporate governance
  – Responsibility of senior management and board
  – Pushed down to key business segment management

The Concept of Enterprise Risk Management

Page 30: Enterprise Risk Management ~ Inovastra

• How does ERM enhance Value?
  – Aligning risk appetite and strategy ~ management considers the entity’s risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks
  – Enhancing risk response decisions ~ ERM provides the rigor to identify and select among alternative risk responses – risk avoidance, reduction, sharing and acceptance

The Concept of Enterprise Risk Management

Page 31: Enterprise Risk Management ~ Inovastra

• How does ERM enhance Value?
  – Reducing operational surprises and losses ~ Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses
  – Identifying and managing multiple and cross-enterprise risks ~ ERM facilitates effective response to the interrelated impacts, and integrated responses to multiple risks

The Concept of Enterprise Risk Management

Page 32: Enterprise Risk Management ~ Inovastra

• How does ERM enhance Value?
  – Seizing opportunities ~ By considering a full range of potential events, management is positioned to identify and proactively realise opportunities
  – Improving deployment of capital ~ Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation

The Concept of Enterprise Risk Management

Page 33: Enterprise Risk Management ~ Inovastra

Steps in Implementing ERM

[Figure labels]
• Eight components of ERM
• Considers all levels of the enterprise
• ERM helps entity to achieve objectives across these categories

Page 34: Enterprise Risk Management ~ Inovastra

Steps in Implementing ERM

• Internal Environment
• Objective Setting
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Information & Communication
• Monitoring

Page 35: Enterprise Risk Management ~ Inovastra

• Internal Environment
  – Foundation of other components of ERM. Sets the management philosophy, risk appetite, the composition and role of the board, corporate values and culture.
  – Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value.

Steps in Implementing ERM

Page 36: Enterprise Risk Management ~ Inovastra

• Objective Setting
  – Objectives must exist before management can identify potential events affecting their achievement. ERM ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
  – Risk tolerance is the acceptable level of variation to the achievement of objectives.

Steps in Implementing ERM

Page 37: Enterprise Risk Management ~ Inovastra

• Event Identification
  – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channelled back to management’s strategy or objective-setting process

Steps in Implementing ERM

Page 38: Enterprise Risk Management ~ Inovastra

• Risk Assessment
  – Risks are analysed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and residual basis

Steps in Implementing ERM

Page 39: Enterprise Risk Management ~ Inovastra

• Risk Response
  – Management selects risk responses – avoiding, accepting, reducing or sharing – developing sets of actions to align risks with the entity’s risk tolerance and risk appetite

Steps in Implementing ERM

Page 40: Enterprise Risk Management ~ Inovastra

• Control Activities
  – These are policies and procedures that are developed to ensure the risk responses are carried out. These activities occur throughout the entity, at all levels and in all functions. They include approvals, authorisations, verification, reconciliation, review of performance, performance indicators and segregation of duties.

Steps in Implementing ERM

Page 41: Enterprise Risk Management ~ Inovastra

• Information and Communication
  – Relevant information is identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities, flowing down, across and up the entity

Steps in Implementing ERM

Page 42: Enterprise Risk Management ~ Inovastra

• Monitoring
  – The entirety of ERM is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations or both

Steps in Implementing ERM

Page 43: Enterprise Risk Management ~ Inovastra

How a Risk Profile Matrix Works

[Figure: risk profile matrix. Axes: Likelihood of Occurrence of Risk (Low to High) and Potential Impact of Risk (Low to High); individual risks are plotted as X marks.]

Annotations on the matrix:
• Key Focus Area
  – Ensure actions are in place to mitigate the risk
  – Develop plans to allow a quicker recovery
  – Monitor progress of action plans
• Monitor to ensure that risk profile does not increase and that cost of mitigation is not excessive
• Monitor changes to risks and evaluate implications

Steps in Implementing ERM

Page 44: Enterprise Risk Management ~ Inovastra

• Case Study I
  – Strategic objective: Increase rate of research commercialisation
  – Risk: Research commissioned does not meet the need of industry
  – Assessment: High risk ~ no consideration of market demand in research approval
  – Response: Reduce risk by changing the process of research approval
  – Control: Head of business development included in research approval committee
  – Communication: Change of process communicated to all relevant parties, including potential customers
  – Monitoring: Nature and number of research and commercialised research monitored quarterly by the Board

Steps in Implementing ERM

Page 45: Enterprise Risk Management ~ Inovastra

• Case Study II
  – Strategic objective: Increase in market share of new product by increasing sales on credit
  – Risk: Increase in bad debts
  – Assessment: High risk ~ no data on consumer behaviour in view of new market
  – Response: Reduce risk by enhancing credit evaluation process*
  – Control: Only potential customers with income exceeding RM 2,000 will be given credit
  – Communication: Salespersons are required to inform potential customers of the conditions
  – Monitoring: Debts exceeding 30 days are reviewed by Head of Credit

* An entity with higher risk appetite may accept this risk

Steps in Implementing ERM

Page 46: Enterprise Risk Management ~ Inovastra

• Implementing ERM – it is an evolution, not revolution! For example:

Steps in Implementing ERM

Phase 1: Assessing the current state
• Risk identification
• Risk assessment
• Risk management capabilities

Phase 2: Developing the ERM Framework
• Infrastructure
• Risk policies and procedures
• Technology
• Communication and reporting

Phase 3: Implementing ERM
• Integrate ERM into existing risk management process
• Integrate risk management into strategic planning, budgeting, performance measurement etc
• Integrate risk management into entity’s culture
• ERM software integration

Page 47: Enterprise Risk Management ~ Inovastra

• Key Success Factors
  – Commitment from the leadership
  – Consensus of the vision for the future
  – Well defined and communicated plan
  – Realistic goals and timeframe
  – Quick early wins to gain support and confidence
  – Integration with key process: Strategic Planning, Investment, Performance appraisal

Steps in Implementing ERM

Page 48: Enterprise Risk Management ~ Inovastra

• Pitfalls
  – Implementing ERM without strategic plan
  – Lack of visible, active support, from CEO
  – Implementing ERM as a part time job
  – Treating ERM as a project rather than a long term journey
  – Lack of integration with strategic planning, budgeting etc
  – Failing to realise the need for change management
  – Lack of leadership and passion

Steps in Implementing ERM

Page 49: Enterprise Risk Management ~ Inovastra

The Role Play in Making ERM Works

• Board
  – Provides important oversight of ERM by:
    • Knowing the extent to which management has established effective ERM
    • Being aware of and concurring with the entity’s risk appetite
    • Reviewing the entity’s portfolio view of risk and considering it against the entity’s appetite
    • Being apprised of the most significant risks and whether management is responding appropriately

Page 50: Enterprise Risk Management ~ Inovastra

The Role Play in Making ERM Works

• Management

– The management is directly responsible for all activities of ERM and the CEO has the ultimate responsibility for the ERM

– The CEO’s responsibilities include seeing that all components of ERM are in place through:

• Providing leadership and direction to senior managers

• Meeting periodically with senior managers responsible for functional areas to review how they manage risks

Page 51: Enterprise Risk Management ~ Inovastra

The Role Play in Making ERM Works

• Management

– Senior managers are responsible for risks related to their units’ objectives, convert strategy into actions and guide application of ERM components within their spheres of responsibility

– Specific ERM procedures are assigned to managers of specific processes, functions or departments. They also make recommendations on related control activities and provide feedback to the top management

Page 52: Enterprise Risk Management ~ Inovastra

The Role Play in Making ERM Works

• Other key players

– Risk officer, if created, works with managers in establishing ERM in their areas of responsibilities

– Financial executives are critical in managing the finance and controllership functions which cut across the entity. Important in the reporting function as well as linking budget to strategy

– Internal auditors play a key role in evaluating the effectiveness of the entity's ERM and provide recommendations for its improvement

Page 53: Enterprise Risk Management ~ Inovastra

Key Points

• Risk is the possibility that an event will occur and adversely affect the achievement of objectives of an organisation.

• ERM is a structured way of managing the portfolio of risks across the organisation guided by its risk appetite.

• Implementation of ERM could be done in phases depending on the readiness of the organisation, which normally already has some form of risk management process.

• Everybody in the organisation is important in ERM; leadership by the CEO with the oversight of the Board is key to the success of the implementation of ERM.

Page 54: Enterprise Risk Management ~ Inovastra

Thank You