ENTERPRISE RISK MANAGEMENT
Information Booklet
www.gpic.com
First Version 2009
General Manager’s Message
In the last few months, the world financial markets have seen tremendous turmoil, which has shaken the foundation of the financial industry, once regarded as the most regulated industries in the world. No doubt this unexpected upheaval has had an adverse effect on most global business activities and the petrochemical and fertilizer industries are by no means immune. We at GPIC have always been proactive in establishing systems, procedures and effective work practices to ensure that all work activities fall within agreed policies and are in full compliance with approved levels of authority.
In 2007, we established an Enterprise Risk Management Committee (ERM) to work closely with all departments to further enhance the existing systems dealing with potential risks and bring them in line with the recognised international standards. This ERM booklet gives you the opportunity to refresh your understanding of the system currently in place and encourages you to bring to the attention of the ERM Committee any issue that may pose a potential risk to the organization. I look forward to your usual positive contribution and I am confident that with everybody’s support and vigilance, GPIC will continue to effectively manage risks and enjoy a safe work environment.
Introduction
We all manage risks continuously throughout our lives, sometimes consciously and sometimes without realising it. But when it comes to organizations, risk management is a systematic process by which companies identify, measure and manage the various types of risks inherent within their operations.
Definition of ERM
“Enterprise risk management (ERM) is a process, effected by an entity’s Board of Directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: COSO: Committee of Sponsoring Organizations, Enterprise Risk Management – Integrated Framework, 2004
ERM Driving Forces
Recent years have seen heightened concern and a need for a robust system to effectively identify, assess, and manage risks. The following diagram identifies a few of the driving forces behind Enterprise Risk Management.
[Diagram: driving forces of Enterprise Risk Management: Advances in Technology, Escalating Claims, Corporate Scandals, Regulatory Actions, Industry Initiatives, More Complicated Risk, Portfolio Point of View, Best Practices]
ERM Framework
Key Components of Effective Enterprise Risk Management
[Diagram: ERM COSO Framework, with the components Internal Environment, Objective Sharing, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring]
The ERM framework considers activities at all levels of the organization, i.e. Enterprise/Entity, Department, and Process level. In the past, GPIC managed risks using a silo or standalone approach whereby each individual department/project managed its risks separately. With the implementation of ERM, GPIC is now addressing risks in an integrated and professional manner. At the enterprise level, risks are currently addressed by appointing risk champions who pursue the identified risks with the respective risk owners. In future, a mechanism for addressing risks at the departmental/business process level will be formulated on similar lines, as also stipulated in the Company’s Risk Management Policy (Ref: Pol/Risk/001).
Benefits of ERM
1. Minimize operational surprises and losses
2. Improve ability to predict, identify and manage cross-enterprise risks
3. Provide integrated responses to multiple risks
4. Improve information for decision making
5. Improve service quality & Protect Reputation
6. Attain enterprise objectives
7. Enhance good governance and transparency
8. Add and Create Shareholder value
9. Capture Opportunities
GPIC ERM Policy and Guidelines
In order to provide clear guidelines and broadly describe the Risk Management Process at GPIC, a comprehensive policy document (Ref: POL/RISK/001) has been prepared and approved by the Board of Directors as per Board Resolution No: 2/139/2008.
Ref. Pol/Rev /001 Date: 1 March 2008 Rev.: 0
GPIC produces and markets Methanol, Ammonia and Granular Urea. GPIC embraces the best practices and follows international standards in conducting its operations. To safeguard its business and protect the interest of the shareholders against potential risks (categories such as strategic risks, financial and market risks, geo-political risks, operational risks, legal and regulatory risks and reputation risks) associated with the nature of its core business, the company shall endeavour to obtain appropriate environment and framework where risks at the enterprise level as well as at the business process and functional level are appropriately assessed, evaluated and effectively managed. The management will provide support as well as the resources and technical means to develop an understanding of business risk and the measures to combat and manage these risks in a cost-efficient manner. In the case of residual risks, the management will establish the level to which business risks are accepted and borne/tolerated. The active participation of all employees in the implementation of this policy will be sought and the workforce will be trained and fully informed of their roles and responsibilities, enabling them to effectively discharge these responsibilities.
GPIC addresses the Risk Management process through a two-tiered mechanism:
1. Enterprise Risk Management (ERM): ERM Implementation Team is responsible for identifying exposure, appraisal of major risks at the enterprise level and compiling ERM Risk Profile based on the criteria and guidelines for risk appetite and tolerance set by the Management/ERM Steering Committee and approved by the Managing Director / Board of Directors. An updated ERM Risk Register listing these risks together with the recommendations for mitigation/management is forwarded to the General Manager who has the overall responsibility for reporting annually on the risk management framework and profile of exposure to the Managing Director and the Board of Directors to provide confidence to them that risks are managed to the most cost-efficient extent.
2. Business Process Risk Management (BPRM): All Managers, Supervisors and Section Heads are responsible for anticipating exposure and continuous appraisal of business process risks relevant to their area of responsibility. Business process-wise Risk Profiles are compiled based on the criteria and guidelines for risk appetite and tolerance set by the ERM Steering Committee. An updated Business Process Risk Register listing these risks together with the recommendations for risk mitigation/management at the most cost-efficient extent is forwarded to the General Manager on a periodic basis for perusal and approval.
Risk Review and Monitoring
GPIC monitors its Risk Management framework through continuous improvement of its practices and activities implemented under a regularly reviewed set of documented procedures. The ERM Implementation Team will be responsible for monitoring and annual review of risks at the enterprise level. All Managers, Supervisors and Section Heads will also conduct continuous monitoring and annual review of the risk profiles relevant to their areas and implement the recommendations made to manage/mitigate the risks.
GPIC ERM Governance Model
Accountability and Reporting at all levels is required to support the ERM process. The following chart gives a brief insight into the role of various entities in the GPIC ERM Governance Model.
Audit, Finance & Risk Committee:
• Make policy and risk tolerance decisions
• Approve strategies and guidelines to manage risk

• Implement strategies
• Communicate guidelines
• Risk Analysis & Reporting
• Update Risk Catalogue

Risk Owners | Risk Champions | Risk Auditors
Functional / Operating Units
The GPIC ERM Process Flow Chart
What is a Risk?
Risk is broadly defined as “an uncertain event or condition that, if it occurs, has an impact on a project’s or business’ objectives”.
Risk Identification Techniques
The following chart shows some of the techniques employed to identify risks.
[Chart: risk identification techniques: SWOT Analysis, Brainstorm, Questionnaire, Internal Document, Interview, Checklist, Inspection, Working Group]
GPIC Risk Categories
All GPIC Enterprise Risks have been classified under the following seven risk categories.
STRATEGIC: Risk that relates to doing the wrong thing.
OPERATIONAL: Risk that relates to doing the right things in the wrong way.
BUSINESS (FINANCE/MARKET): Risk that relates to losing monetary resources or incurring unacceptable liability.
REPUTATION: Risk that relates to the organization’s brand or image.
PEOPLE: Risk associated with employees and management.
INFORMATION: Risk that relates to loss or inaccuracy of data systems or reported information.
REGULATORY: Risks related to regulatory environment.
ERM Risk Catalogue
The Risk Catalogue is the central repository for all GPIC’s Enterprise risks. It is a main register where all GPIC risks are categorized and prioritized. The Risk Catalogue is a living document updated on the basis of fresh inputs, i.e. when new enterprise risks are identified by any department in the organization. Each input, i.e. risk, is assessed and analyzed fully by gathering all relevant facts and data before being included in the Risk Catalogue. The ERM Committee is responsible for safe custody and updating of the ERM Risk Catalogue.
Risk Management is Everybody’s Responsibility
Risk Management is everybody’s job. Everyone who does anything in the company is a risk manager to some extent. Risk Management is not a one-time project; in fact, it is a continuous process which needs to be seamlessly embedded in our existing business systems and culture. It is therefore essential that we all develop a deeper understanding of the subject and exercise flexibility and open-mindedness in our approach to adapting risk management practices. To further facilitate and encourage participation in the Risk Management process, a broad system of capturing new risks and archiving them has been devised at GPIC.
Process For Raising New Risks
Any employee in the organization can identify and submit a new risk by completing a short form entitled “Risk Identification and Assessment Form” (FR-ERM-01).