June 2013
Leading Risk Management Practices
Rob Newsome Partner PwC
PwC
Agenda
• Introduction
• Risk management objectives
• What does good risk management look like
• Building blocks to get there
• The risk appetite debate
• Implementation barriers of Risk Management
• Conclusion
Risk management objectives
Risk management is central to strategic management. It is the process by which risks are methodically addressed, focusing on the identification and treatment of risk
• to achieve maximum sustainable value to all aspects of the organisation, and
• to create better transparency and accountability for the operations of the organisation.
Risk management objectives
• Link growth, risk and returns
• Rationalise resources
• Exploit opportunities
• Reduce operational surprises and losses
• Report with greater confidence
• Satisfy legal and regulatory requirements
• Greater management comfort in decision-making
• Know the risks you take
• Be able to control your risks
• Creating trust and credibility
• Focus on real issues
Legal requirements
1. In some countries there are legal requirements to implement risk management, either in corporation-level legislation or in specific regulatory provisions (Solvency II, Basel III, health and safety regimes)
2. Most corporate governance codes include risk management requirements
3. Risk management is a clear defence for proving compliance with fiduciary duties
What does good risk management look like?
What constitutes good risk management
1. Greater management comfort in decision making
2. Improving credit rating and cost of capital
3. Reducing insurance expenses
4. Reducing the overall cost of business contingency planning
5. Experiencing fewer loss events
6. Information and transparency on risks and opportunities
7. Assessment of management performance
8. Understanding the risk exposures
9. Leverage the response to SOX and internal audit
10. Developing and enhancing trust and credibility with stakeholders
11. Ensuring compliance with rules and regulations
Risk maturity
ERM Element Basic Developing Developed Advanced
Organisation and governance 1 3
Strategic Planning & Risk Appetite 1 2
Risk Policies and Standards 2
Risk Identification & Representation 1 2
Risk Measurement & Reporting 3 1
Risk Communication & Escalation 2 3
Infrastructure 2 1
Stakeholder Disclosure 1 1
TOTAL 1 9 12 4
S&P’s four-level scoring scale
Weak
• Limited capabilities to consistently identify, measure, and comprehensively manage risk exposures and thus limit losses.
• Sporadic execution of its risk-management program.
Adequate
• Manages risk in separate silos, but maintains complete control processes.
• Loss-/risk-tolerance guidelines less developed, but risk and risk management often considered.
Strong
• Demonstrates an enterprise-wide view of risks, but still focused on loss control.
• Risk and risk management usually important considerations in the firm's corporate judgement.
Excellent
• Demonstrates risk/reward optimisation.
• Well-developed capabilities to consistently identify, measure, and manage risk exposures and losses.
Per S&P, “Standard & Poor’s to Apply Enterprise Risk Analysis to Corporate Ratings,” May 7, 2008
Combined assurance
[Figure: combined assurance map. Rows are the processes being assured: Strategic (Funding, Sustainability, Growth) and Operational (Treasury, Products and services, Finance). Columns are the three lines of defence assurance providers: first line of defence – Management (control self-assessment, management review, special project); second line of defence – risk and legal based assurance (ERM, SOX, Compliance); third line of defence – independent assurance (external audit, internal audit, special project). Each cell is rated Extensive assurance, Moderate assurance, Inadequate assurance or Not applicable.]
Challenges facing Boards today
1. How do we integrate risk management with the corporation’s strategic direction and plan?
2. What are our principal business risks?
3. Are we taking the right amount of risk?
4. How effective are our processes for identifying, assessing and managing business risks?
5. How is risk coordinated across the organisation?
6. How do we ensure that the organisation is performing according to the business plan and within appropriate risk tolerances?
7. How does the Board help establish the “tone at the top” that reinforces the organisation’s values and promotes a “risk aware culture”?
Building blocks to get there
• Structures
• Frameworks
• Process for managing risks
• Responsibilities
Structures
[Figure: risk governance structure. Governance bodies: Board of Directors, Audit Committee, Risk Committee, Exco, Group Risk Function, Group risk managers. Standards of good practice are applied across the risk categories Human Resources; Technology and systems; Process/operational; Governance, compliance & regulatory; and Financial. Upper layer, strategic and business risk: strategic risk registers – top risks per operation or division, fed by the external environment, country and political risk, and operational site legal and commercial assessments. Lower layer, operational risk: continuous/ongoing risk assessments (checklists in terms of the Mine Safety Management/Planned Maintenance Systems); issue based risk assessments/change management procedure (after an accident or when new equipment, methods or processes are introduced); base line risk assessments and risk profile (initial hazard identification and risk assessment of all HSEC hazards and risks on the site). Foundation of risk management – risk culture. Reference frameworks: King III, COSO II, ISO 31000.]
Frameworks
The framework provides:
• A definition of enterprise risk management;
• The critical principles and components of an effective risk management process;
• Direction for organisations to use in determining how to enhance their risk management; and
• Criteria to determine whether their risk management is effective, and if not, what is needed.
Process for Managing Risks
[Figure: risk management process. Establishing the context, then Risk assessment (Risk identification, Risk analysis, Risk evaluation), then Risk treatment; Communication and consultation and Monitoring and review run alongside every step.]
Responsibilities
ERM Stakeholders
Board
Audit Committee
Risk Committee
Executive Committee
Risk Owner
Risk Management Function (Risk Manager)
Business Unit Risk Managers
Operational staff
Internal Audit and the Chief Audit Executive
Other Assurance Providers
Different models applied to risk management
3. Simple inherent vs. residual risk (on a 5x5 matrix)
4. HIRA
5. Value at risk models using subjective criteria
6. Measurement of risk tolerance (target risk)
7. Loss events and near miss integration
8. Value at risk models using statistical modelling techniques
9. Actuarial risk determination
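Items 3 and 6 of the list above (inherent vs. residual scoring on a 5x5 matrix, and measuring residual risk against a target or tolerance level) can be shown as one worked register. The Python below is an added example and is not code from the deck or from PwC; the band boundaries, the control-effect model, the target scores and the three sample risks are all constructed assumptions for illustration.

```python
# Added example (not from the PwC deck): scoring inherent vs. residual risk on a
# 5x5 likelihood x impact matrix and checking residual risk against a target
# (tolerance) score. Band boundaries, control effects and the sample risks are
# constructed assumptions, not any organisation's real data.
from dataclasses import dataclass, field

# Score bands for a 5x5 matrix (score = likelihood * impact, each rated 1..5).
# These boundaries are an assumption; each organisation sets its own.
BANDS = ((1, 4, "Low"), (5, 9, "Medium"), (10, 15, "High"), (16, 25, "Extreme"))


def band(score: int) -> str:
    """Map a matrix score (1..25) to its rating band."""
    for lo, hi, name in BANDS:
        if lo <= score <= hi:
            return name
    raise ValueError(f"score {score} is outside the 5x5 matrix")


@dataclass
class Risk:
    name: str
    likelihood: int          # inherent likelihood, 1..5, before controls
    impact: int              # inherent impact, 1..5, before controls
    # Reductions the controls achieve: {"likelihood": n, "impact": n}
    control_effect: dict = field(default_factory=dict)
    target: int = 4          # target (tolerance) score the business accepts

    def __post_init__(self) -> None:
        for rating in (self.likelihood, self.impact):
            if not 1 <= rating <= 5:
                raise ValueError(f"{self.name}: ratings must be 1..5")

    def inherent(self) -> int:
        """Inherent score: exposure with no controls in place."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Residual score after controls. A rating never drops below 1:
        controls reduce a risk, they do not eliminate it."""
        lik = max(1, self.likelihood - self.control_effect.get("likelihood", 0))
        imp = max(1, self.impact - self.control_effect.get("impact", 0))
        return lik * imp

    def gap_to_target(self) -> int:
        """How far residual risk still exceeds target (0 when within tolerance)."""
        return max(0, self.residual() - self.target)


def summarise(risks: list) -> list:
    """One row per risk: inherent/residual scores, their bands, and the treatment gap."""
    return [
        {
            "name": r.name,
            "inherent": r.inherent(),
            "inherent_band": band(r.inherent()),
            "residual": r.residual(),
            "residual_band": band(r.residual()),
            "target": r.target,
            "gap": r.gap_to_target(),
        }
        for r in risks
    ]


def needs_treatment(risks: list) -> list:
    """Names of risks whose residual score still exceeds target, largest gap first."""
    over = [r for r in risks if r.gap_to_target() > 0]
    return [r.name for r in sorted(over, key=lambda r: r.gap_to_target(), reverse=True)]


# Constructed sample register (illustrative values only).
SAMPLE_RISKS = [
    Risk("Unpatched internet-facing server", 5, 4, {"likelihood": 3}, target=6),
    Risk("Loss of a key supplier", 3, 3, {"impact": 1}, target=6),
    Risk("Flood at primary data centre", 1, 5, {"impact": 2}, target=4),
]

if __name__ == "__main__":
    for row in summarise(SAMPLE_RISKS):
        print(f"{row['name']:<35} inherent {row['inherent']:>2} ({row['inherent_band']})"
              f"  residual {row['residual']:>2} ({row['residual_band']})"
              f"  target {row['target']}  gap {row['gap']}")
    print("Needs further treatment:", needs_treatment(SAMPLE_RISKS))
```

The design point is that residual risk is compared to a target per risk, not to a single global threshold: the first sample risk drops from Extreme to Medium after controls yet still sits above its target, so it stays on the treatment list, while the second lands exactly on target and is accepted.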
Where risk management has worked and not worked – and why
• Wells Fargo Bank – avoiding the global credit crunch
• Global gold mining company – incident linking, yield improvement
• BP Gulf oil spill - abdication
• Sishen mineral rights - assumptions
• Newcastle furnace burn through - measurement
• Mining company forex – surprise?
• Logistics company – contract renewals, early completion of contract
• Black swans – contingencies planned – Hurricane Sandy
The risk appetite debate
Monetary value
Composite view
Profile view
Profile view
Implementation Barriers of Risk Management
• Governance fatigue
• Lack of buy-in from management;
• Risk management is positioned as compliance;
• Ignorance;
• Risk is being managed in silos;
• Too many other “turn around” type strategies;
• Board v management tension;
• Past mistakes are overlooked; and
• There is no clear road map for improvement.
Conclusion
ERM is not
• A method to eliminate all risks or a guarantee that the organisation will avoid loss;
• A collection of longstanding and disparate practices nor a rigid set of rules to be followed under all circumstances;
• Limited to compliance and disclosure requirements;
• A replacement for internal controls;
• Identical for all companies in all sectors;
• Exactly the same from year to year; and
• A passing fad.
Thank you...
© 2011 PwC. All rights reserved. Not for further distribution without the permission of PwC.
"PwC" refers to the network of member firms of PricewaterhouseCoopers International Limited
(PwCIL), or, as the context requires, individual member firms of the PwC network. Each
member firm is a separate legal entity and does not act as agent of PwCIL or any other
member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or
liable for the acts or omissions of any of its member firms nor can it control the exercise of their
professional judgment or bind them in any way. No member firm is responsible or liable for the
acts or omissions of any other member firm nor can it control the exercise of another member
firm's professional judgment or bind another member firm or PwCIL in any way.