management: enterprise risk · awards and graduation ceremony training calendar 2018 ... for...

Monthly Newsletter Issue 3 / August 2018

A Look Back at the IERP® Global Conference 2018

ENTERPRISE RISK MANAGEMENT: THE NEW PARADIGM


1 The IERP® Monthly Newsletter August 2018

CHAIRMAN'S MESSAGE

Dear readers,

This year, the theme of the IERP® Global Conference was Enterprise Risk Management: The New Paradigm. Attending sessions featuring speakers who are foremost experts in their respective fields, conference delegates accessed two days of insights into the main areas where global leaders need to turn their attention to in order to ensure their organization remains competitive and successful.

This issue focuses on a selection of key takeaways from the conference, covering a range of topics from Big Data and disruptive technologies to cognitive biases and money laundering.

All in all, the conference reinforced the need for vigilance as well as action: it's not enough to be aware of new technology, the latest news, or updated best practices. What is your organization doing to anticipate and prepare for the future?

RAMESH PILLAI
Chairman of the Board of Governors, IERP®

TABLE OF CONTENTS

Selected Sessions from the IERP Global Conference 2018

- Keynote Address: Tan Sri Abdul Wahid Omar
- Global Economic Overview
- Global Spotlight Discussion on Emerging Risks
- Cognitive Biases and Their Impact on Decision-Making
- Embedding Risk Culture
- Employing Gamification Strategies in ERM
- Spotlight Group Managing Director Interactions on ERM
- Disruptive Technologies are Changing Our World but Can the Risks be Managed?
- The Future of GRC

Awards and Graduation Ceremony

Training Calendar 2018

Upcoming Events and Training Programs

Opening Keynote Address: Tan Sri Abdul Wahid Omar, Former Group Chairman, PNB

Following brief opening remarks by Ramesh Pillai, Chairman of the Board of Governors of the IERP®, Tan Sri Abdul Wahid Omar, former group chairman of Permodalan Nasional Berhad, set the tone for the conference with his keynote address. He espoused the importance of risk management for business value, but more particularly, he emphasized the importance of choosing the right people to be part of your organization:

"Competence is important, but so are integrity and humility."

Global Economic Overview
Dr. Anthony Dass, Chief Economist, Ambank Research

Given the uncertainty of the global economy, there is an overall trend of monetary tightening by central banks worldwide. As Chief Economist at Ambank Research, Dr. Anthony Dass stresses that fears over the trade war are not just over the impact on GDP, but also on the competitive depreciation of currency that could potentially lead to a currency war. Tariffs alone are not the issue – it’s the knock-on impacts bound to result due to the interrelated nature of the world’s economies.

Related to this, economists are keeping an eye on the emerging market debt that could turn into a full-blown crisis -- Dass notes that foreign currency debt has tripled since 2008.

In Malaysia, the equity market is not doing well post-election, with a high net outflow. With the public debt standing at 1.09 billion (80% of GDP), the nation is quite vulnerable to contagion effects from other countries. That is because much of the money is tied to the US market, where the unpredictability of Trump can produce far-reaching consequences. At the same time, Ambank predicts that Bank Negara will maintain the interest rate this year and next.

Looking forward, global business sentiment is turning optimistic in spite of overall uncertainty. There are two key elections that economists and investors will look at: the US House of Representatives elections in November and Japan’s internal Liberal Democratic elections for party presidency in September, the outcomes of which would further determine the volatility of the market.

Global Spotlight Discussion on Emerging Risk

Moderator: Daragh O'Byrne, Head of Global Research, Nucleus Software

Panelists:

- Dato' Steven CM Wong, Institute of Strategic and International Studies
- Dr. Anthony Dass, Chief Economist, Ambank Research

Given geopolitical unpredictability in recent years, emerging risks are similarly ever-shifting. Panellists in this session focused both on a global view of risk as well as the local.

Dato’ Steven Wong of the Institute of Strategic and International Studies is of the opinion that global security issues in the last 3 decades have increased, with the full implications still yet to be seen. The uncertainty of developing risks is such that they are not necessarily on spreadsheets and are difficult to quantify as hard data. His top four emerging risks:

1) A decline of democracy and democratic practices worldwide. Without the rule of law, social order will be impacted, with impacts on corporate operations.

2) The deterioration of global security and intrastate security, especially with the rise of cyber-related crimes. In recent times, there have been around 350 major cyber attacks on government facilities, defense contractors, and the like, via Denial-of-Service attacks (DoS) and the immobilization of infrastructure.

3) The increasing frequency and complexity of gray-zone conflicts, which are not fought on the front lines or with traditional military strength, for example proxy wars instigated by Iran, the US, China, Russia, and Saudi Arabia, or manipulation of political elections, such as those suspected in the US and France.

Dr. Anthony Dass of Ambank Research concurred that we are witnessing an increasing prevalence of security risks. This is concerning for Malaysia, where, in his view, businesses run the risk of being quite complacent.

As technology reconfigures the structures of how business is conducted, there is also room for sociocultural mores to change as well. For SMEs in Malaysia, for example, there still exists the practice of having to pay ‘protection money’ to illicit third parties in order to ensure smooth operations. In this digital landscape, how will old practices fare?

The US is worried about the Made in China 2025 initiative. With the push of automation and Deep Learning, China won’t need to offshore their production in the future.

In Dass’ view, it’s not all doom and gloom with emerging risks, but states and businesses need to lay down the groundwork to keep up with the pace of change. In the 70s, Malaysia used to benchmark with South Korea. Now, Malaysia is starting to compete with Myanmar, which has become a fast-developing economic hub.

In the 80s, globalization was talked about as a myth, and now, it’s a fact of business. In 20 years, where will we be? Will Africa or Eastern Europe emerge as bigger players? For the panellists, most of the world has yet to recognise the extent of the emerging risks, and it’s critical to do so in order to identify the full range of vulnerabilities you face.

Cognitive Biases and Their Impact on Decision-Making
Sameer Kumar, Partner, McKinsey and Co.

While we’d like to trust ourselves to make rational decisions, all our thoughts are subject to cognitive biases based on our experiences, assumptions, and preconceived notions. Awareness of these biases is especially critical for senior management and board directors, whose plans and guidance can make or break an organization. In this session, Sameer Kumar, Partner at McKinsey and Company, outlines some of the top cognitive biases most relevant to business leaders.

According to client needs, Kumar delivers 3 primary interventions: procedural (involving process and structure), analytical (Kumar notes that in his experience, this is not as effective in Southeast Asia), and cultural. He emphasized that awareness is only one part of debiasing yourself; another part is to be willing to identify and analyze biases, as well as be willing to change if necessary. Kumar illustrated a case of the sunk-cost fallacy, for example, which points to the tendency of businesses to stick with an investment long after it has accrued a large amount of cost. No one wanted to take the blame for the mistake, and hundreds of thousands of dollars were lost each year.

Kumar: “The problem arises when you refuse to be aware of your biases, or when you stop actively thinking that it’s necessary to curb them.”

Biases occur when you rely entirely on your experience to make decisions. Experience or a ‘gut feeling’ can be a useful starting point, but after that, it’s important to get into the details of the issue to prevent any costly mistakes based on faulty reasoning.

Panel Discussion: Embedding Risk Culture

Moderator: Nasiruddin Abdullah, Former General Manager, Barakah Offshore

Panelists:

- Anita binti Esa, Head, Group Risk Management, CCM Duopharma Biotech
- Mohd Shahari Idris, Director of Group Risk Management, Kumpulan Perangsang Selangor
- Daniel Atkin, Director of Enterprise Risk Management, Country Fire Authority (Victoria, Australia)

The discussion in this session revolved around the insights the panelists gleaned from creating a risk-aware culture in their organizations.

Key Takeaways

- Risk management should not be about micromanaging. An enterprise-wide awareness of risk can foster proactive initiatives in employees, contributing to a cohesive effort of working towards common objectives.
- It's vital to get buy-in at the top as well as to create positive associations with risk, rather than have risk management be done only because it is mandatory. Capability building and training are necessary to create a network of risk champions.
- Risk management frameworks should not be made over-complex; lean, simplified processes and templates will be easier to engage with across all business levels.
- Risk appetite statements are often difficult to apply organization-wide as they are often not linked to value. Strategic thought should be put into them so that they can be put to practical use top-down.
- Responsibility and accountability sit with the leaders and respective business units, while the risk manager's role is to facilitate and implement the risk frameworks, and to ensure all processes are running smoothly.

Gamification Strategies in ERM
Ramesh Pillai, Group Managing Director, Friday Concepts Risk Consulting

In this era of smartphones, apps, mobile internet, and an oversaturation of media, our devices have come to affect the release of dopamine into our systems -- dopamine helps to regulate the part of our brains that controls reward, motivation and pleasure. As a result, attention and engagement have become rare commodities to vie for -- including in the workplace. Employee engagement is a good indicator of the success of a company’s processes. However, based on a study by Gallup, it’s been found that only 13% of the global workforce can be considered highly engaged. As Gen Y adults come to more prominence in the global economy, it’s important to consider the ways a company can enhance workplace productivity.

Pillai noted that there are tangible financial benefits to gamification strategies. Insurance company Swiss Re, for example, saw a $3 million reduction in data storage costs when it teamed up with an app developer to encourage employees to delete their old data off their network. They also drastically reduced printing and paper consumption costs by normalizing the use of gamification software that prompted employees to think twice before printing.

Amidst the myriad of claims that they drive participation and engagement, do gamification strategies live up to their hype? Pillai observes that leaders often fail to see results when they have inflated expectations of what gamification can do for their organization. For gamification strategies to work, they must be aligned with both employee expectations as well as company objectives -- in this sense, they are particularly well-suited for Enterprise Risk Management, which espouses enterprise-wide cohesion that works towards common objectives.

At the bottom line, gamification is about influencing human behavior; it’s about understanding motivation. Gamification has become increasingly commonplace, but organizations have to employ it with purpose for it to be effective, both to improve work culture and create business value.

As with any tool or strategy, there are potential risks to employing gamification. The design of any software for employees should create a positive environment: be careful not to motivate some at the expense of demotivating others. The use of gamification strategies should enhance work, and not exploit.

Spotlight Group Managing Director Interactions in ERM
Leonard Ariff Abdul Shatar, Group Managing Director, CCM Duopharma Biotech

A common excuse given by those who are not convinced of the use of risk management is that there is ‘no time’ for it, especially if management often has to make quick decisions. However, Leonard Ariff Abdul Shatar, Group Managing Director of CCM Duopharma Biotech, notes that many mistakes (and the subsequent costs) could have been avoided if additional thought and effort had been put in. As a public-listed company, it’s a requirement for CCM to have a risk management function. For CCM Duopharma Biotech, risk management was split up as it was thought that the audit function was overshadowing it.

At CCM Duopharma Biotech, Leonard Ariff faced the monumental task of reshaping the business to resolve issues relating to ageing products as well as ageing assets. A key part of the strategy was to move into biosimilar medicine, which is medicine that is highly similar to its reference product (distinct from generics, which are exactly identical to their reference product). In order to build the capabilities required of this endeavor, the company needed to establish partnerships with companies already in the field -- CCM had concluded that building in-house capabilities would take 8-9 years.

The Integration of ERM with Operational Plans

When it comes to proposing or executing plans, the ones who do the risk reviews should not be the risk managers but the promoters of the investment or the staff on the project. In effect, ERM and operational plans need to be in parallel with each other. This can start with the Annual Business Review, where best practice is to delineate goals, articulate the budgets, risks, and KPIs, so that you will be 80% confident when bringing the plan to the board.

ERM should be embedded into everyday business processes. For example, induction lists for new staff should include the risk register to communicate its importance to the company’s ecosystem. Risks, resolved or not, should be included in the risk register -- the risks identified should not just be operationally-focused as assumptions made at the beginning may become irrelevant at any time.

All in all, it’s vital that organizations consider (1) what could go wrong (the risks), (2) what the company has in place to prevent them from happening (the controls), and (3) what else the company can do about the risks (the treatment).

Disruptive Technologies are Changing Our World but can the Risks be Managed?
Daragh O'Byrne, Head of Research, Nucleus Software

Disruptive technologies are about making predictions using robotic processes and automation, said Daragh O’Byrne, Head of Research at Nucleus Software. The pace of innovation is accelerating, and companies need to know how to wield the new technology in productive ways, instead of buying into buzzwords without strategic purpose.

In many ways, Asia is leading the way in innovation. Singapore's Smart Nation initiative has seen strides in the development of facial recognition technology. However, new technology in its infancy can often have many sociocultural blindspots. Certain facial recognition software created in Silicon Valley, for example, has reportedly been unable to identify non-white faces in some cases -- the result of non-inclusive data input by their engineers, most likely young, white men.

To what extent will new, innovative technology change the economy? A delegate in the audience asked, “How will those at the bottom be able to rise to get jobs at the top or experience upward mobility with AI displacing jobs? And with lower upward mobility, how will sufficient income be generated to drive private consumption and GDP?"

In response, O'Byrne notes that just as in every technological revolution, old jobs made obsolete will be replaced by new jobs with new functions. There is a sense of digital darwinism occurring; new breeds of organizational structures, job functions, skillsets, and technology are emerging, overhauling what it means to be a successful or sustainable business. A critical risk to disruptive technologies is cybercrime: estimates say that cybercrime has the potential to cost the global economy $6 trillion by 2021.

What can we do? O'Byrne sums it up in three points: 1) expect more attacks; 2) don't panic or be complacent, and 3) solutions are available to help.

Panel Discussion: The Future of Governance, Risk, and Compliance

Moderator: Daniel Atkin, Director of ERM, Country Fire Authority

Panelists:

- Philip Rao, Partner, Ernst and Young
- Alex Tan, Partner, PwC

Just as in any industry, automated cognition and machine learning are in the future of GRC, said Philip Rao, a Partner at Ernst and Young. Internal audit in the future will encompass more cybersecurity reviews to secure the network so that processes can run efficiently.

Alex Tan, Partner at PwC, noted that the accelerated pace of innovation means that for GRC professionals, it would be unrealistic to become experts at emerging technologies. What is necessary, however, is to surround themselves with people who are (most likely from the younger generation).

Given the geopolitical shifts as of late, the discussion revolved around obstacles to escalating issues to senior management and the board.

Other Key Takeaways

For Rao, the traditional lines of defense are increasingly blurring. With the surprise win of Pakatan Harapan at the Malaysian election, GRC professionals saw how the risk profile around government policy changed overnight.

Boards have to start understanding that cybersecurity issues are not just “IT issues” -- they are business issues. From a risk perspective, it is, without exception, necessary to map out where your data resides and where it goes.

However, post-election, boards have become more focused on cost-saving and austerity measures, complicating any desire or need to invest more on cybersecurity capabilities. In Asia, decision-making tends to take a long time.

Rao agrees, pointing out that in his opinion, boards are sometimes out of touch with the realities on the ground. This is further reinforced by the fact that Malaysia scored the highest on the power distance index compared to other countries -- meaning Malaysian culture espouses a high level of deference for authority. Thus, those lower in the job hierarchy might find it difficult to raise issues or communicate disagreement with those at a more senior level.

For boards, it is crucial to have the awareness that risk management assists with business, not just with compliance. The session closed out with a Q&A, during which Ramesh Pillai, Group Managing Director of Friday Concepts Risk Consulting, pointed out that highlighting the opportunity in risks rather than the hazards can help during communication with boards.

Awards and Graduation Ceremony

IERP® Training Calendar

TRAINING CALENDAR 2018-2019

**Schedules are subject to change**

Topic Aug Sep Oct Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

Evolution of ERM Models and Standards: 3, 25, 23
RCSAs and Internal Control Models: 5, 26, 24
Corporate Ethics: 4, 27, 25
Corporate Governance: 6, 28, 26
Market Risk, Credit Risk and Operational Risk: 1, 25, 21
CyberSecurity Risk Management: 2, 26, 22
Investment Risk Management: 3, 27, 23
Measuring Corporate Performance: 4, 28, 24
Corporate Strategic Risk Management: 12, 22, 18
Business Continuity Management: 13, 23, 19
Implementing ERM as a Strategic Management Tool & Key Risk Indicators (KRIs): 14-15, 24-25, 20-21

ERM Models: 28
Fraud Risk Management: 29
Operational Risk Management: 30
Enterprise Risk Management: 31

Evaluating Risk and Internal Controls: 13, 5
Corporate Governance: 14, 6
Project Risk Management: 15, 7
Establishing a CyberSecurity Framework: 16, 8

(B) Risk Oversight Practices: 2
(S) Corporate Culture and ERM: 2
(S) Risk Appetite, Tolerance and Board Oversight: 19
(B) Strategic ERM: A Primer for Directors: 19
(S) Evolving Expectations for Boards: 20, 24
(S) The Role of Boards in Fraud Risk Management: 20, 24
(B) Establishing an empowered Board Risk Committee: 13, 14
(B) Directors Guide to ERM and ISO 31000: 13, 14
(B) Directors Guide to BCM and ISO 22301: 27, 3
(B) Directors Guide to Crisis Management and Leadership during crisis: 27, 3
(B) Directors guide to Risk Maturity Frameworks: 22, 17
(B) Cybersecurity Oversight in the Boardroom: 22, 17
(S) Establishing an empowered Audit Committee: 8, 2
(S) Audit Committee’s guide to COSO 2013 and Internal Controls: 8, 2
(S) Directors guide to GRC (Governance, Risk, and Compliance): 22, 4
(S) Governance and ERM, including MCCG 2017 Considerations: 22, 4

International ERM Models and Standards: 26, 15, 2
Effective RCSAs: 27, 16, 3
Ensuring effective ERM practices: 28-29, 17-18, 4-5

Introduction to BCM and Standards: 18, 19
Strategies and Analysis: 19, 20
BCM Plans: 20, 21

Emergency Preparedness: 12, 29
Crisis Management: 13, 30
Audits and Response Plans: 14, 31

Enterprise Governance: 20
Crisis Communication and Management: 21
Fraud Risk Management: 11-12
Operational Risk Management: 1
Implementing ISO 31000 effectively: 2
ERM Lab: 3-4

Tentatively 8-11

Singapore 25 - 29 August (S)
Bali 9 - 12 December (B)

Singapore: Online 19 August - 04 October, Face to Face 14 - 18 October
London: Online 18 March - 03 May, Face to Face 13 - 17 May

Bali 15 - 18 October (B)
Singapore 4 - 7 December (S)

IERP Global Conference

Qualified Risk Director Programme
Qualified Risk Auditor Programme
Business Continuity Leader
Business Continuity Manager
Enterprise Risk Professional
Enterprise Risk Manager
Enterprise Risk Technician
Enterprise Risk Advisor

EXAM


UPCOMING EVENTS

- September 7: Chief Risk Officers Networking Group (CRONG)
- September 14: Tea Talk: Drafting a Statement on Risk Management and Internal Control (SORMIC) – Critical Success Factors and Pitfalls to Avoid
- November 9: Risk Clinic
- November 16: Tea Talk
- November 30: Directors Networking Group (DiNG)
- December 3: Chief Risk Officers Networking Group (CRONG)

For more information about our events and programs, [email protected] or visit our website.

For more photos from the conference, visit insterp.com/conference-2018-photos/