linkedin post - erm presentation

(Company Name) Enterprise Risk Management Seminar. Facilitated by Jabulani Mbengo (Head Internal Audit). Date: 12 April 2014

Upload: jabulani-mbengo

Post on 13-Apr-2017

TRANSCRIPT

Page 1: LinkedIn post - ERM Presentation

(Company Name) Enterprise Risk Management Seminar

Facilitated by Jabulani Mbengo (Head Internal Audit)

Date: 12 April 2014

Page 2: LinkedIn post - ERM Presentation

SEMINAR OBJECTIVES

• Understand the concept of Enterprise Risk Management
• Appreciate the benefits of Effective Risk Management
• Understand pressures for adopting Effective Risk Management
• Identify appropriate structure for Effective Risk Management
• Profile potential risks facing the Company
• Understanding current controls in place
• Propose additional responses to mitigate identified risks

Page 3: LinkedIn post - ERM Presentation

INTRODUCTION

• AIG, once considered “too big to fail”, had to be bailed out by the US government (Why? Because they did not identify and manage product and strategic risks)
• The disappearance of Flight MH370 of Malaysia: who could have thought a plane could disappear without a trace?
• The Westgate terrorist saga in Kenya in 2013 (Security risk)

Page 4: LinkedIn post - ERM Presentation

DEFINITION OF ENTERPRISE RISK MANAGEMENT

“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” COSO

• Identify potential events that may affect the company
• Manage risks within the company’s risk appetite
• Provide reasonable assurance of how risks are being managed

Page 5: LinkedIn post - ERM Presentation

Benefits of ERM

• Greater likelihood of achieving company objectives;
• Consolidated reporting of disparate risks at board level;
• Improved understanding of the key risks and their wider implications;
• Identification and sharing of cross business risks;
• Greater management focus on the issues that really matter;
• Fewer surprises or crises;
• More focus internally on doing the right things in the right way;
• Increased likelihood of change initiatives being achieved;
• Capability to take on greater risk for greater reward;
• More informed risk-taking and decision-making.

Page 6: LinkedIn post - ERM Presentation

PRESSURES FOR EFFECTIVE RISK MANAGEMENT IN ORGANISATIONS

Page 7: LinkedIn post - ERM Presentation

RISKS FACING ORGANIZATIONS

Page 8: LinkedIn post - ERM Presentation

WHY DO INSURANCE COMPANIES BECOME INSOLVENT? (These are USA statistics)

Page 9: LinkedIn post - ERM Presentation

THE ACTIVITIES INCLUDED IN ERM

• Articulating and communicating the objectives of the organisation;
• Determining the risk appetite of the organisation;
• Establishing an appropriate internal environment, including a risk management framework;
• Identifying potential threats to the achievement of the objectives;
• Assessing the risk, i.e. the impact and likelihood of the threat occurring;
• Selecting and implementing responses to the risks;
• Undertaking control and other response activities;
• Communicating information on risks in a consistent manner at all levels in the organisation;
• Centrally monitoring and coordinating the risk management processes and the outcomes; and
• Providing assurance on the effectiveness with which risks are managed.

Page 10: LinkedIn post - ERM Presentation

EFFECTIVE STRUCTURE OF ERM

Board

Chief Executive Officer / Managing Director / General Manager

Management Risk Committee

Chief Risk Officer / ERM Champion

Board Risk Committee

Page 11: LinkedIn post - ERM Presentation

INTERNAL AUDIT ROLES IN RISK MANAGEMENT

Page 12: LinkedIn post - ERM Presentation

WHAT IS RISK ASSESSMENT?

A risk assessment is simply a careful examination of what, in your work, could go wrong to cause harm to people, and the organization, so that you can weigh up whether you have taken enough precautions or should do more to prevent harm.

A risk assessment is an important step in protecting your workers and your business, as well as complying with the law. It helps you focus on the risks that really matter in your workplace – the ones with the potential to cause real harm.

Page 13: LinkedIn post - ERM Presentation

OUR TASK TODAY

We need to be able to complete the following Total Risk Profiling table. The terms are described in the following slides.

Risk No | Vulnerability | Trigger | Consequences | Severity | Probability/Likelihood | Current Controls / Management actions to Improve

Page 14: LinkedIn post - ERM Presentation

EXPLAINING TERMS IN THE TOTAL RISK PROFILING TABLE

Vulnerability: The ‘what’ and the ‘where’. This column describes the inherent potential vulnerability in the enterprise being analyzed. We need to identify all risks that can negatively impact on FICO.

Trigger: The ‘how’ or the ‘why’. Describes the failure or initiating event that triggers an unintended release of the threat or development of the weakness described in the ‘vulnerability’ column.

Consequences: The ‘how bad’ or the ‘how big’. This column describes the nature and magnitude of the consequences which result from the unintended release of the threat or development of the weakness described in the vulnerability and trigger columns.

Page 15: LinkedIn post - ERM Presentation

EXPLAINING TERMS IN THE TOTAL RISK PROFILING TABLE….

SEVERITY LEVEL | DEFINITION
I Catastrophic | Threatens viability of the business
II Critical | Serious damage to financial condition, reputation or ability to meet business objectives
III Significant | Limits ability to operate within budgets and achieve business development and financial targets
IV Marginal | Minor impact

Page 16: LinkedIn post - ERM Presentation

EXPLAINING TERMS IN THE TOTAL RISK PROFILING TABLE….

PROBABILITY LEVEL | DEFINITION
A Very High | It will happen soon. Often experienced or likely to occur frequently.
B High | It will happen sooner or later. Several times experienced or occurring.
C Occasional | It can happen sooner or later. Sometimes experienced or occurring.
D Low | It is expected to happen one day. Maybe experienced or occurring.
E Very Low | It is not expected but can happen. Unlikely to be experienced or to occur.
F Almost impossible | Theoretically possible. Theoretically impossible.

Page 17: LinkedIn post - ERM Presentation

KEY FOCUS AREAS

• Strategic Risk
• Insurance Risk
• Operational Risk
• Credit and Investment Risk
• Financial Risk