Scrutinising Your ERM Framework for Effectiveness


Upload: eneni-oduwole

Post on 27-May-2015


DESCRIPTION

Appreciate the link between your organization's business strategy, business model and its methodology for identifying, prioritizing and managing risk

TRANSCRIPT

Page 1: Scrutinising Your ERM framework for Effectiveness

SCRUTINIZING YOUR ERM FRAMEWORK FOR EFFECTIVENESS

Presentation by Eneni Oduwole

IQPC ERM Africa Conference 2013, Johannesburg – South Africa

Page 2: Scrutinising Your ERM framework for Effectiveness

Mandate

How to identify key risk indicators specific to your organisation and ensure these are accounted for

Over managed or just right – how to prioritize risks within your framework

Evaluating failure of risk mitigation strategies – how to ensure processes are followed at an operational level

How to track results and prevent follow-on risks

Measurement – how to conduct qualitative risk assessments and relate this back to your framework

Page 3: Scrutinising Your ERM framework for Effectiveness

Overview

Risk management = identification of risks + measurement of identified risks + control / mitigation strategy + monitoring risk exposures + reporting risk

Effective Risk Management requires that a holistic, balanced and strategic outlook toward managing prevalent and likely risk factors is employed; this concept is now christened “Enterprise-wide Risk Management (or ERM)”

ERM looks at all facets of the business from strategic planning to operations, and encompasses all exposures to risk whether operational, credit, market, liquidity, strategic, reputational, business or compliance risks that may impede achievement of set objectives

It aims at achieving the highest level of customer and shareholder value possible

Page 4: Scrutinising Your ERM framework for Effectiveness

Risk Identification – A Key Element in Risk Management

This process entails the recognition, categorization, prioritization and listing of prevalent risks in the organization

It usually starts with the review of issues / concerns affecting a business process, product or service; thereafter close monitoring and tracking of key issues that might affect set goals and objectives is embarked upon

The identification of risks also allows for conduct of causal analysis which enables better understanding and categorization of risk drivers

Classification of risk drivers reduces redundancy and ensures easier management of risk factors in later phases of the risk management process

Classifying risks also provides for the creation of risk checklists, risk registers, and databases for future projects

Page 5: Scrutinising Your ERM framework for Effectiveness

Tools Deployed for Risk Identification

Documentation Review

Other Information Gathering Techniques such as Interviews with Process Owners, Nominal Group and Delphi Techniques

Conduct of Surveys

Checklist Analysis

Root Cause Analysis

Assumption Analysis

Diagramming Techniques

All of these tools can be used in developing a database of key risk factors to be monitored by the organization… “Key Risk Indicator Dashboard”

Page 6: Scrutinising Your ERM framework for Effectiveness

Key Risk Indicators (KRIs)

Are measurable metrics that identify trends and track possible exposures

They are quantitative parameters used to identify changes in the risk profile of business activities and processes

KRIs enable the following:

Determination of volatility of risks across the business environment

Determination of risk concentrations

Determination of risk patterns

Objectives for having defined KRIs should include:

Ensuring that a process for predicting the pattern / behaviour of current risk profile is in place

Enabling early warning signs for emerging risks to be picked up as they crystallize

Page 7: Scrutinising Your ERM framework for Effectiveness

Identifying Organization-Specific Key Risk Indicators

Understand the strategic intent of the organization in the short, medium or long term

Drill this into expected deliverables within the respective timeframes

Determine core business activities that would be focused on to achieve these expected deliverables

Isolate the core drivers of these core business activities

Develop quantitative parameters for tracking these core drivers

Agree on trigger limits with business process owner

Page 8: Scrutinising Your ERM framework for Effectiveness

Identifying Organization-Specific Key Risk Indicators (cont’d)

Monitor the trends of these parameters; where adverse trends are observed:

Conduct a Causal Analysis to determine prevalent risk factors

Determine areas of the business affected by this adverse trend

Identify likely constraint to the organization resulting from this adverse trend

Estimate impact and severity to the organization should the risk crystallize

Report on risk trend identified

Page 9: Scrutinising Your ERM framework for Effectiveness

Prioritizing Risks

Requires the estimation of risk factors into defined categories for risk treatment

These categories are:

High – Medium – Low Risks (for 3-tiered Risk Bands)

High – Medium/High – Medium – Medium/Low and Low Risks (for 5-tiered Risk Bands)

These bands are defined to direct the organization on appropriate risk treatments required for identified risk factors

Defined risk categories are also indicative of likely risk exposure (impact x probability)

[Figure: risk matrix of probability (High, Medium, Low) against impact (Low, Medium, High)]

Page 10: Scrutinising Your ERM framework for Effectiveness

Prioritizing Risks In Your Organization

Risk prioritization must be based on the following:

The Risk Appetite of the organization

The Business Model of the organization

Regulatory Requirements

Business objectives in the short, medium and long terms

Risk – Reward Analysis

Response style of the organization

Maturity of the Risk-Aware Culture

Page 11: Scrutinising Your ERM framework for Effectiveness

Dealing with the Risk Exposures

Terminate: when cost is higher than benefit; no competencies for managing risk

Tolerate: when cost is within risk appetite levels or insignificant to benefit; no brainer

Treat: when benefit from business venture is seriously threatened; staff and business model / structure can implement and support control

Transfer: when benefit is threatened but staff / business model may not support required control (risk may be shared or transferred completely)

Page 12: Scrutinising Your ERM framework for Effectiveness

Considerations for Selecting Appropriate Action Plans

Policy Changes: Consider regulatory / legal / ethical issues such as modifications of banking & related policies

In-House Actions: Consider appropriate plans that would fit into the organization’s business strategy / model / structure, and culture

Simplicity: Action plans should be rid of complexities / complex methodologies which might sabotage the correction process; new process / control should be easy for auditors to review

Implementation: Incorporation of related activities into routine business processes should be seamless; relevant parties should be carried along; controls should be cost effective

Review: Tracking of implementation should be easy; effectiveness of control should be tested periodically

Page 13: Scrutinising Your ERM framework for Effectiveness

Tracking Results of Action Plans

[Figure: diagram with steps numbered 1 to 5 and an “If Required” label; step text not recovered]

Page 14: Scrutinising Your ERM framework for Effectiveness

Conclusion

A qualitative Risk Assessment is usually the first step required for identifying prevalent risk drivers and attributes

It is important that the Risk Assessment approach adopted is based on the Organization’s culture, behaviour and attitude in managing issues

The Risk Maturity of the Organization should also be considered

For very structured organizations, brainstorming approaches would yield better results whilst for less structured organizations the conduct of interviews would be more worthwhile

For optimal results, I strongly recommend a hybrid approach with all levels of staff involved; this way both strategic and operational risk exposures organization-wide are unearthed

Page 15: Scrutinising Your ERM framework for Effectiveness

Food for Thought

“The key to successful ERM practices depends on the behavioural attributes of the organization at all levels.” – RIMS

“One of the greatest contributions of a risk manager – arguably the single greatest – is just carrying a torch around and providing transparency.” – Enterprise Risk Management (Chapter 5, “Becoming the Lamp Bearer” by Anette Mikes)

Page 16: Scrutinising Your ERM framework for Effectiveness

Thank you!

Contact details:

E-mail – [email protected]

Tel.: 234-8033045896
