Lessons learned from ERM
Stephen Vink
Senior Vice President
Group Risk Management and Internal Audit
Agenda
– Overview
− Setting the context
− What is ERM
− What is “not” ERM
− Visible impact of ERM
– ERM in the region
− Prior to global financial crisis
− Post global financial crisis
– Lessons learned from ERM implementations
− Key issues that impede ERM implementations
− How to overcome the key implementation issues
Overview
− Setting the context
− What is ERM
− What is not ERM
− Visible impact of ERM
Setting the context
– ERM in corporate world can be compared with making money in share market over a period of time
− Everyone wants to do it
− Many falsely claim to do it - it is just losses that they have made
− Those few who have done it, did it accidentally and not over a period of time
− Only a handful know how to do it and have done it well over a period of time
− People love to hear stories of it
– Quite often discussed topic in many board rooms and various conferences
“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework. 2004
What is Enterprise Risk Management
Enterprise Risk Management is
– A process, ongoing and flowing through an entity
– Effected by people at every level of an organization
– Applied in strategy setting
– Applied across the enterprise, at every level and unit, and includes taking an entity level portfolio view of risk
– Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite
– Able to provide reasonable assurance to an entity’s management and board of directors
– Geared to achievement of objectives in one or more separate but overlapping categories
Important: COSO’s integrated framework is a guiding post and not the only approach to implement ERM; you can have your own approach customized to your requirements.
What is “NOT” an Enterprise Risk Management
Enterprise Risk Management is
– NOT a one time activity
– NOT the responsibility of your Risk Management Department / CEO / Board
– NOT independent of business strategy / business
– NOT to be run in silo
– NOT applied to only part of the business
– NOT about preparing heat map / bubble chart, a heat map is just the beginning.
– NOT a system to prevent the potential events
– NOT something that can be implemented in days
– NOT something that gives immediate results after implementation
Visible impact of ERM (1/2)
The impact comes over a period of time and is not a matter of overnight success
The impact comes in phases depending on approach
Visible impact of ERM (2/2)
Impact of ERM that can be felt over a period of time once ERM is institutionalized
Kick-Start
• Compliance with controls
• Risk driven decisions
• Improved communications on risk
• Initiative to create awareness of integrated risk approach
Accelerate
• Better utilization of capital
• External communications on risk management
• Safeguard shareholder value
Steady State
• Improving shareholder value
• Improving governance
ERM in Middle East
− Prior to global financial crisis
− Post global financial crisis
ERM in Middle East - Prior to global financial crisis
– ERM as an integrated framework was issued by COSO in September 2004
– Risk management existed before COSO issued the framework
− Mainly operated in silos
− Not viewed as enterprise wide
− Not linked with strategy
− Viewed as control function only
– The early adopters of ERM
− Companies having parents in US / Europe / Australia
− Public sector organizations, more particularly in the energy sector
− A handful of private sector organizations
– Key reasons for lower penetration of ERM in Middle East
− Excess liquidity available in the system
− Global boom - boom in real estate - boom in local businesses
− Absence of shareholder activism / stakeholder activism
− Family owned businesses - Corporate governance is nothing but as governed by families
ERM in Middle East - Post global financial crisis
– Impact of global financial crisis that created need for ERM
− Liquidity constraints in the system
− Global recession – local real estate and local business – you know better
− Resulted in questions from shareholders / stakeholders regarding management of various risks at the enterprise level, regarding good corporate governance
– Many private sector organizations have, either willingly or forced by regulator or forced by lenders, started taking various risk management initiatives
– New awakening amongst regional central banks and other regulators
Lessons learned from ERM implementations
− Key issues that impede ERM implementations
− How to overcome key implementation issues
Key issues that impede ERM implementation
– ERM objectives not aligned to corporate objectives
− Creates friction / jeopardizes the initiatives among groups / individuals
– No insight / Insufficient commitment from the top management
− Failure to set clear risk appetite
− Delays the implementation / Failed implementation, i.e., no benefit
– Inadequate conceptualization of ERM model / approach
− Inadequate / Inappropriate model will not yield desired benefits suitable to “your” business needs
− Managerial decisions do not embed risk in the process
– Insufficient / inadequate risk management resources
− Adequately knowledgeable resources needed for special jobs
− Poor systems / Stone age tools will make implementation sub-optimal
– Cultural mismatch
− ERM brings in change management
− Your organizational culture will be changed
− Change management is not easy and not at all in Middle East
− Organization’s culture not aligned with risk strategy
How to overcome key implementation issues
Best Practices* for ERM implementations
1 Risk transparency and insight
2 Risk appetite and strategy
3 Risk related business processes and decisions
4 Risk organization and governance
5 Risk culture
*Source: McKinsey
How to overcome key implementation issues
Best practice 1: Risk transparency and insight
1. Prioritize risk heat map
2. Board to provide insight on big bets that really matter
3. Share information with risk management
How to overcome key implementation issues
Best practice 2: Risk appetite and strategy
1. Clear definition of risk appetite approved by board, with matching operational levers
2. Risk strategy linked with insights provided by the Board
How to overcome key implementation issues
Best practice 3: Risk related business processes and decisions
1. Managerial decisions optimized by embedding risk considerations in the process
2. Strong links between RM function, key business units and other areas
How to overcome key implementation issues
Best practice 4: Risk organization and governance
1. Adequate changes in governance to fit in the risk management process
2. Adequate knowledgeable resources
3. Adequate Technology
How to overcome key implementation issues
Best practice 5: Risk culture
1. Clear understanding of organization’s risk culture gaps
2. Alignment of culture with risk strategy