GRC November 2022 Course Slides
Governance, Risk Management and Compliance (GRC)
Peter Hofmann
November 2022
Course overview & objectives
• Provide an understanding of the concepts, guiding principles and elements of
integrated GRC frameworks
• Review the link between GRC and business strategy, performance and business
sustainability
• Understand the key principles and elements of sound corporate governance
frameworks
• Review key concepts applicable to risk management frameworks
• Link compliance structures to the support of governance, risk management and
value creation
• US$74bn – the total value lost by shareholders in the 2001 Enron accounting scandal
• US$50bn – the amount hidden via loans disguised as sales by Lehman Brothers in 2008
• 9.2 – the average number of company directors serving on company boards in the United States
• 75% – the increase in the number of publicly traded companies reporting on ESG (Bloomberg database 2008 – 2011)
Governance
• Strategy
• Goals and objectives
• Policies and procedures
• Structures and processes
Risk Management
• Identify risks
• Risk analysis
• Risk profiles
• Risk monitoring
• Achievement of objectives
Compliance
• Comply with policy and procedures
• Laws and regulations
• Controls
• Activities
Risk management – determines the areas exposed to potential risks
Governance – manages the risks to the execution of the strategy as well as the risks from the chosen strategy
Compliance – is the tactical action to mitigate risk
Source: Deloitte – May 2013
Abilities to be Competitive
• Possibility thinking – Do we think “out of the box” about what could be, rather than about what is, or what is impossible?
• Learning & change – Are we alert to what’s happening around us, and do we learn and change fast enough?
• Strategy – Do we understand our challenges, and do we have a clear view about what we must do?
• Stakeholder support – Do we actively seek to win “votes” through strategic conversation?
• Implementation capability – Do we have what it takes to meet our ambitions, and will our practices deliver the results we want?
[Diagram: Compliance, Quality Management and GRC & Ethics Management feeding into four outcomes]
• Process optimisation
• Improved effectiveness
• Protected reputation
• Reduced costs
Implementing GRC
Implementing a strategic approach to GRC:
• Consider the big picture first
• Form a cross-functional team / committee
• Define roles and responsibilities early in the process
• Beware of building another silo
• Get the process worked out before investing in the technology
• Seek out overlaps and build efficiencies
• Create a common language and understanding around risk
• Don’t lose the detail in the convergence process
• Remember that GRC is a gradual process
Source: Institute of Chartered Accountants in Australia / KPMG – 2012
GRC Stakeholders
[Stakeholder mapping matrix – only fragments of the quadrant text were recovered:]
• … highly dependent on organisation – stakeholder …
• … in line with policy, regulations and industry norms. Otherwise endeavour to keep stakeholders satisfied insofar as …
• Strategic threat or opportunity – invest in engagement process to understand concerns and develop solutions
Risk Process
Business unit responsibility (Business Units – Ownership of risks):
• Identify risks
• Assess & evaluate risks
• Integrate risks
• Respond to risks – design, implement & test controls
• Monitor, assure & escalate
Support of pervasive functions – supporting risk classes:
• Governance
• Strategy & Planning
• Operations / Infrastructure
• Functions
• Compliance
• Reporting
Risk Governance
#1 – A common definition of risk, which addresses both value preservation and value creation, is used consistently throughout the organisation
#2 – A common risk framework supported by appropriate standards is used throughout the organisation to manage risks
#3 – Key roles, responsibilities and authority relating to risk management are clearly defined within the organisation
#5 – Governing bodies have appropriate transparency and visibility into the organisation’s risk management practices to discharge their responsibilities
Risk Ownership
#7 – Business units are responsible for the performance of their business and the management of risks they take within the risk framework established by executive management
#8 – Certain functions have a widespread impact on the business and provide support to the business units as it relates to the organisation’s risk programme
Risk Intelligence Maturity Model
[Diagram: stakeholder value rises with the stages of risk maturity, from Initial through Fragmented, Top down and Integrated to Risk intelligent]
Representative attributes
Initial
• Ad hoc / chaotic
• Depends primarily on individual heroics, capabilities and verbal wisdom
Fragmented
• Independent risk-management activities
• Risk is managed in silos
• Limited focus on linkages between risks
• Limited alignment of risk to strategies
• Disparate monitoring and reporting functions
Top down
• Identified risk universe
• Common risk framework and policy
• Routine risk assessments
• Communication of top strategic risks to the board / executive
• Action plans implemented in response to high-priority risks
• Knowledge sharing across risk functions
• Formal risk consulting
• Dedicated team
Integrated
• Coordinated risk management activities across silos
• Risk appetite is fully defined
• Enterprise-wide risk monitoring, measuring and reporting
• Technology implementation
• Contingency plans and escalation procedures
• Risk management training
• Clear input into Internal Audit and other assurance activity plans
Risk intelligent
• Risk discussion is embedded in strategic planning, capital allocation and product development
• Early warning system (KRIs) to notify board and management of risks above established thresholds
• Linkage to performance measures and incentives
• Risk modelling / scenarios
• Industry benchmarking used regularly
Source: Deloitte – May 2013; August 2015
GRC framework
Governance, Risk and Compliance
• Corporate Governance: Corporate Governance Model Evaluation
• Risk Management: Strategic and Entity Level Risk Assessment; Internal Control Matrix Development and Maintenance
• Compliance Management: Regulatory and Legislation Compliance Development and Maintenance; SoD Matrix Development and Maintenance
• Risk Monitoring
[Diagram – labels: Organisational strategy; Functional strategies: Ops, HR, IT, Mkt; Governance; Performance management; Risk management; Compliance management; layers: People, Process, Technology / systems]
Organisational strategy
Characteristics associated with strategy:
• Concerned with the scope of activities
• Matching activities to the operating environment
• Matching activities to resource capabilities
• Major resource implications
• Likely to affect operational decisions
• Influenced by stakeholder values and expectations
• Affect long-term organisational direction
Developing strategy
Elements of strategic management:
• Strategic analysis
– The environment
– Culture and stakeholder expectations
– Resources and strategic capability
• Strategic choice
– Identifying strategic options
– Evaluating options
– Selecting strategy
• Strategy implementation
– Planning and allocating resources
– Organisation structure and design
– Managing strategic change
Macro environment
• Each business is subject to different macro environment influences
• Influences can affect the GRC framework
– Political – legislative
– Economic – interest rates, exchange rates, taxes, surcharges
– Social – community influence: environmental
– Technological – progress
– Labour – strikes and labour action
PEST analysis
• Helpful in obtaining information that can be used in other strategic
analysis models
• Identify key environmental influences
• Identify long-term drivers of change
• Examine the differential impact of external influences – historic and/or
future impacts
PEST analysis
1. What environmental factors are affecting the organisation?
2. Which of these are the most important at the present time? In the next few years?
Political / legal
• Monopolies legislation
• Environmental protection laws
• Taxation policy
• Foreign trade regulations
• Employment law
• Government stability
Economic
• Business cycles
• GNP trends
• Money supply
• Inflation
• Unemployment
• Disposable income
• Energy availability and cost
Socio-cultural
• Population demographics
• Income distribution
• Social mobility
• Lifestyle changes
• Attitudes to work and leisure
• Consumerism
• Levels of education
Technological
• Government spending on research
• Government and industry focus of technological effort
• New discoveries / development
• Speed of technology transfer
• Rates of obsolescence
Economic environment – business cycle
[Diagram: business cycle chart of total spending over time, showing peak and recession]
Product life cycle
[Diagram: sales over the four stages]
• Introduction – Slow sales growth; Create product awareness
• Growth – Rapid market acceptance; Profit improvement
• Maturity – Slow down in sales growth; Defending market
• Decline – Sales reflect a downward shift; Profits
[Diagram: competitive forces – only the “Threat of substitutes” / “Substitutes” labels were recovered]
Boston growth matrix
[Diagram: only the axis labels “High” and “10%” were recovered]
[Value chain diagrams – two variants:]
• Support activities and costs: support functions … SHE … GRC …
Focus on client orders, purchases to manufacture client-specific vehicles, product quality and customer service
• Support activities and costs: support functions … SHEQ … GRC …
Focus on cost efficiencies (influences competitive positioning), operational efficiencies and “pushing” manufactured vehicles into the markets
Performance Management
Balanced Scorecard
• Developed by Robert Kaplan and David Norton
• Harvard Business School
• Management beyond financial measures
• System to set, track and achieve strategies
• Four perspectives (adaptable)
– Customer
– Financial
– Internal business process
– Knowledge, education and growth
• Key measurements (KPIs)
• Performance scorecards and dashboards
Scorecard perspectives
[Diagram: the four perspectives – Financial, Customer, Process, Learning and growth – on a Financial (top) to Non-financial (bottom) axis]
Scorecard perspectives
[Diagram: the same four perspectives on an External (top) to Internal (bottom) axis]
Scorecard perspectives
[Diagram: the same four perspectives on a Lagging / Outcome / Result (top) to Leading / Input / Driver (bottom) axis]
Scorecard linkages
• Financial perspective: Profitability, driven by Revenue and Costs
• Improvement in employee engagement drives improved productivity that results in cost decreases and improved profitability
• Business process and product quality improvements drive cost reductions that result in improved profitability
[Governance diagram – recoverable labels only:]
• Objectives: Protecting stakeholder rights and interests; Creating value; Managing business risk
• Flow labels: Elect – Board of Directors – Appoints; Engages – Regulators – Open dialogue
• Functions shown: Compliance; Risk Management; Finance; Internal Audit Services
• Board monitors results of business activities and issues identified in the process
Source: Deloitte – 2013
Governance operating model
A governance operating model is the mechanism used by the board and management to translate the elements of the governance framework and policies into practices, procedures, and job responsibilities within the corporate governance infrastructure.
The King Report on corporate governance, which can be used as a reference when compiling corporate governance codes and frameworks, can be accessed at
http://c.ymcdn.com/sites/www.iodsa.co.za/resource/resmgr/king_iv/King_IV_Report/IoDSA_King_IV_Report_-_WebVe.pdf
Governance frameworks
• UN Global Compact – 10 fundamental principles covering human rights,
labour standards, environment and anti-corruption
• G20/OECD Principles of Corporate Governance – six fundamental
principles
• UN Principles for Responsible Investment (PRI) – six fundamental principles
• Global Reporting Initiative (GRI) – sustainability reporting standards
• IIRC <IR> Framework
The Global Reporting Initiative's GRI Standards can be accessed using the following link https://www.globalreporting.org/standards/gri-standards-download-center/
The webpage for the International Integrated Reporting Committee (IIRC) is http://integratedreporting.org/ with the <IR> framework itself being available at
http://integratedreporting.org/resource/international-ir-framework
UN Global Compact
Human Rights
• Principle 1: Businesses should support and respect the protection of
internationally proclaimed human rights; and
• Principle 2: make sure that they are not complicit in human rights abuses
UN Global Compact
Labour Standards
• Principle 3: Businesses should uphold the freedom of association and the
effective recognition of the right to collective bargaining;
• Principle 4: the elimination of all forms of forced and compulsory labour;
• Principle 5: the effective abolition of child labour; and
• Principle 6: the elimination of discrimination in respect of employment and
occupation
UN Global Compact
Environment
• Principle 7: Businesses should support a precautionary approach to
environmental challenges;
• Principle 8: undertake initiatives to promote greater environmental
responsibility; and
• Principle 9: encourage the development and diffusion of environmentally
friendly technologies
Anti-corruption
• Principle 10: Businesses should work against all forms of corruption,
including extortion and bribery
G20/OECD Principles of Corporate Governance
• Endorsed in 1999
• Reviewed in 2004 and 2015
• International benchmark
• Offers non-binding standards and good practices
• Apply to OECD and non-OECD countries
• Focus on governance problems arising from the separation of ownership
and control
• To be applied in conjunction with other “checks and balances”
G20/OECD Principles of Corporate Governance
Principle I
The corporate governance framework should promote transparent and fair
markets, and the efficient allocation of resources. It should be consistent with
the rule of law and support effective supervision and enforcement.
G20/OECD Principles of Corporate Governance
The rights and equitable treatment of shareholders and key ownership functions
Principle II
The corporate governance framework should protect and facilitate the
exercise of shareholders’ rights and ensure the equitable treatment of all
shareholders, including minority and foreign shareholders. All shareholders
should have the opportunity to obtain effective redress for violation of their
rights.
G20/OECD Principles of Corporate Governance
Principle III
The corporate governance framework should provide sound incentives
throughout the investment chain and provide for stock markets to function in
a way that contributes to good corporate governance.
G20/OECD Principles of Corporate Governance
Principle IV
The corporate governance framework should recognise the rights of
stakeholders established by law or through mutual agreements and
encourage active co-operation between corporations and stakeholders in
creating wealth, jobs, and the sustainability of financially sound enterprises.
G20/OECD Principles of Corporate Governance
Principle V
The corporate governance framework should ensure that timely and
accurate disclosure is made on all material matters regarding the
corporation, including the financial situation, performance, ownership, and
governance of the company.
G20/OECD Principles of Corporate Governance
Principle VI
The corporate governance framework should ensure the strategic guidance
of the company, the effective monitoring of management by the board, and
the board’s accountability to the company and the shareholders.
UN Principles for Responsible Investment
• Launched in April 2006 at the NYSE
• Set of best practices for responsible investment
• Supported by the UN
• Illuminates the financial relevance of ESG issues and provides a framework to
support stable and sustainable financial systems
• Incorporating ESG factors to:
– Enhance financial returns
– Reduce risk
– Meet stakeholder expectations
UN Principles for Responsible Investment
Principle 1: We will incorporate ESG issues into investment analysis and
decision-making processes.
Possible actions:
• Address ESG issues in investment policy statements.
• Support development of ESG-related tools, metrics, and analyses.
• Assess the capabilities of internal investment managers to incorporate ESG issues.
• Assess the capabilities of external investment managers to incorporate ESG issues.
• Ask investment service providers (such as financial analysts, consultants, brokers, research firms, or rating
companies) to integrate ESG factors into evolving research and analysis.
• Encourage academic and other research on this theme.
• Advocate ESG training for investment professionals.
UN Principles for Responsible Investment
Principle 2: We will be active owners and incorporate ESG issues into our
ownership policies and practices.
Possible actions:
• Develop and disclose an active ownership policy consistent with the Principles.
• Exercise voting rights or monitor compliance with voting policy (if outsourced).
• Develop an engagement capability (either directly or through outsourcing).
• Participate in the development of policy, regulation, and standard setting (such as promoting and protecting
shareholder rights).
• File shareholder resolutions consistent with long-term ESG considerations.
• Engage with companies on ESG issues.
• Participate in collaborative engagement initiatives.
• Ask investment managers to undertake and report on ESG-related engagement.
UN Principles for Responsible Investment
Principle 3: We will seek appropriate disclosure on ESG issues by the entities
in which we invest.
Possible actions:
• Ask for standardised reporting on ESG issues (using tools such as the Global Reporting Initiative).
• Ask for ESG issues to be integrated within annual financial reports.
• Ask for information from companies regarding adoption of/adherence to relevant norms, standards, codes of
conduct or international initiatives (such as the UN Global Compact).
• Support shareholder initiatives and resolutions promoting ESG disclosure.
UN Principles for Responsible Investment
Principle 4: We will promote acceptance and implementation of the Principles
within the investment industry.
Possible actions:
• Include Principles-related requirements in requests for proposals (RFPs).
• Align investment mandates, monitoring procedures, performance indicators and incentive structures accordingly
(for example, ensure investment management processes reflect long-term time horizons when appropriate).
• Communicate ESG expectations to investment service providers.
• Revisit relationships with service providers that fail to meet ESG expectations.
• Support the development of tools for benchmarking ESG integration.
• Support regulatory or policy developments that enable implementation of the Principles.
UN Principles for Responsible Investment
Principle 5: We will work together to enhance our effectiveness in
implementing the Principles.
Possible actions:
• Support/participate in networks and information platforms to share tools, pool resources, and make use of
investor reporting as a source of learning.
• Collectively address relevant emerging issues.
• Develop or support appropriate collaborative initiatives.
UN Principles for Responsible Investment
Principle 6: We will each report on our activities and progress towards
implementing the Principles.
Possible actions:
• Disclose how ESG issues are integrated within investment practices.
• Disclose active ownership activities (voting, engagement, and/or policy dialogue).
• Disclose what is required from service providers in relation to the Principles
• Communicate with beneficiaries about ESG issues and the Principles.
• Report on progress and/or achievements relating to the Principles.
• Seek to determine the impact of the Principles.
• Make use of reporting to raise awareness among a broader group of stakeholders.
UN Sustainable Development Goals
PRI Survey
• 65% of respondents agree that acting on the SDGs ‘aligns with their fiduciary duties’.
• 62% of respondents believe that acting on the SDGs ‘can create opportunities for increased investment returns’.
• 44% agree that ‘weak progress towards the SDGs represents a material risk to their organisation’.
• 75% of respondents are already taking action on three or more of the SDGs.
Global Reporting Initiative
• GRI – reporting standards for sustainability reporting
• Guidelines developed through global multi-stakeholder process
• International reference:
– Governance approach
– Environmental performance and impacts
– Social performance and impacts
– Economic performance and impacts
GRI framework – aspects & boundaries
GRI framework – specific disclosures
• Universal standards (GRI101 – GRI103)
• Economic (GRI200 – GRI206: covers 13 aspects)
• Environmental (GRI300 – GRI308: covers 30 aspects)
• Social (GRI400 – GRI419: covers 34 aspects):
– Labour practices and decent work
– Human rights
– Society
– Product responsibility
IIRC <IR> framework
• IIRC focused on evolution of corporate reporting
• 2011 – “Towards Integrated Reporting – Communicating Value in the 21st
Century”
• July 2012 – draft outline
• November 2012 –prototype framework
• April 2013 – consultation draft
• December 2013 – international <IR> framework
– Principles-based approach
– Comply or explain basis
– Guiding principles and content elements governing reporting
<IR> framework fundamental concepts
• Value creation
– Short-, medium-, long-term
– Organisational value –
shareholder returns
– Value for other stakeholders
– Inter-relationship between
internal/external value
<IR> framework fundamental concepts
• The capitals:
– Financial capital
– Manufactured capital
– Intellectual capital
– Human capital
– Social and relationship capital
– Natural capital
• The role of the capitals in the framework
Value creation and preservation
[Diagram: two-by-two matrix of board roles – The “Entrepreneurial” Board and The “Directing and Controlling” Board – on Direction and Controlling axes; quadrants numbered 1–4]
How boards spend their time
McKinsey Research – % of time directors spend on each topic
Area                                          2013    2015    2017
Strategy                                        28      27      27
Performance management                          18      22      20
Organisational health and talent management     12       9      13
Investments and M&A                             16      10      12
Core governance and compliance                  13      12      10
Risk management                                 12      10       9
Shareholder and stakeholder management         N/A       9       9
Based on an average total of 24 days spent per year (per director) (2017)
Ideal number of days = 30 per year
Days spent in 2015 = 26 days
Source: McKinsey, The Board Perspective, No.2, March 2018
McKinsey – Building a forward-looking board
Forward-looking board agenda
An effective ERM program may help not only preserve value in the traditional risk
management sense but also help create value for the respective organisations
Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Identify risks
• Produces a comprehensive list of risks (and opportunities)
• Organised by category (e.g. financial, operational, strategic)
• And sub-category (e.g. market, credit, liquidity)
• Risks at a business unit level differ from business-level risks
• Prioritisation provides for senior management and board attention on key
risks
• Prioritisation accomplished by undertaking a risk assessment
Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Develop assessment criteria
• Common set of assessment criteria to be deployed across business units,
corporate functions and large projects
• Typically assessed in terms of likelihood and impact
• Unlikely events occur too often – and likely events sometimes never occur
• Need to also gauge the vulnerability (to determine what response is
needed) and the speed of onset (to understand the need for agility and
rapid adaptation)
Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Develop assessment criteria
• Assessment scales provide a form of measurement
• Scales comprise rating levels and definitions that foster consistent
application by different constituencies
• The more descriptive the scales the more consistent their interpretation by
users
• Need to find the right balance between simplicity and comprehensiveness
• Five-point scales yield better results
• Scales customised to fit industry, size, complexity and culture of the
organisation
Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Impact scales
Rating Descriptor Definition
5 Extreme • Financial loss of $X million or more
• Significant prosecution and fines, litigation
• Significant injuries or fatalities to employees or third parties
• Loss of multiple senior staff members
4 Major • Financial loss of $X million up to $X million
• Long-term negative media coverage, loss of market share
• Limited in-patient care required for employees or third parties
• Some senior managers leave, high staff turnover
3 Moderate • Financial loss of $X million up to $X million
• Short-term negative media coverage
• Out-patient medical treatment required for employees or third parties
• Widespread staff morale problems, high staff turnover
2 Minor • Financial loss of $X million up to $X million
• Local reputational damage
• Minor injuries to employees or third parties
• General staff morale problems, increasing staff turnover
1 Incidental • Financial loss up to $X million
• Local media attention rapidly remedied
• No injuries to employees or third parties
Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Likelihood scales
Rating – Annual Frequency (Descriptor: Definition) – Probability (Descriptor: Definition)
5 – Frequent: Up to once in 2 years or more – Almost certain: 90% or greater chance of occurrence over life of asset or project
4 – Likely: Once in 2 years up to once in 25 years – Likely: 60% up to 90% chance of occurrence over life of asset or project
3 – Possible: Once in 25 years up to once in 50 years – Possible: 35% up to 60% chance of occurrence over life of asset or project
2 – Unlikely: Once in 50 years up to once in 100 years – Unlikely: 10% up to 35% chance of occurrence over life of asset or project
1 – Rare: Once in 100 years or less – Rare: Less than 10% chance of occurrence over life of asset or project
Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Vulnerability scales
Rating Descriptor Definition
5 Very high • No scenario planning performed
• Lack of enterprise-level capabilities to address risks
• Responses not implemented
• No contingency plans in place
4 High • Scenario planning for key strategic risks performed
• Low enterprise-level capabilities to address risks
• Responses partially implemented / not achieving control objectives
• Limited contingency plans in place
3 Medium • Stress testing and sensitivity analysis of scenarios performed
• Medium enterprise-level capabilities to address risks
• Responses implemented and achieving control objectives most of the time
• Most contingency plans in place
2 Low • Strategic options defined
• Medium to high enterprise-level capabilities to address risks
• Responses implemented and achieving control objectives except under extreme circumstances
• Contingency plans in place
1 Very low • Real options deployed to maximise strategic flexibility
• High enterprise-level capabilities to address risks
• Responses implemented and achieving objectives – regularly tested for critical risks
• Contingency plans in place and rehearsed regularly
Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Speed of onset scales
Rating Descriptor Definition
5 Very high • Very rapid onset, little or no warning, instantaneous
4 High • Onset occurs in a matter of days to a few weeks
3 Medium • Onset occurs in a matter of a few months
2 Low • Onset occurs in a matter of several months
1 Very low • Very slow onset, occurs over a year or more
Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Assess risks
• Often performed as a two-stage process
– Initial screening using qualitative techniques
– Followed by a more quantitative treatment of more important risks and opportunities
(not all can be quantified)
• Qualitative assessment uses the assessment scales
• Supported by review of internal and external data
• Assessment conducted through various means – including interviews,
cross-functional workshops, surveys, benchmarking, scenario analysis, at-
risk modelling
Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Assess risk interactions
• Requires breaking down silos
• Various methods to review risk interactions:
– Grouping related risks and assigning ownership and oversight for the risk area
– Risk interaction maps
– Correlation matrices
– Fault trees
– Event trees
– Bow-tie diagrams
Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Risk interaction maps
[Risk interaction matrix: the same seven risks form the rows and the columns – Supply chain disruption, Customer preference shift, Economic downturn, Local competitor enters market, New substitutes available, Cost of capital increase >5%, Exchange rate fluctuations. Each X marks an interaction between the row risk and a column risk; the column positions of the X marks were lost in extraction, so only the number of interactions per row survives.]
Supply chain disruption X X
Customer preference shift X X X X
Economic downturn X X X X X X
Local competitor enters market X X X X
New substitutes available X X
Cost of capital increase >5% X X
Exchange rate fluctuations X X X X
Bow-tie diagrams
Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Prioritise risks
• View risks as a comprehensive portfolio – enables prioritisation for
determining risk responses and for reporting to different stakeholders
• Ranking and prioritisation normally a two-step process:
– First risks are ranked according to one or more criteria, such as impact multiplied by
likelihood or impact multiplied by vulnerability
– Second the ranked risks are reviewed against additional considerations, such as
impact alone, speed of onset, gap between current and desired risk level (risk
tolerance threshold)
• Aggregating risks – hierarchies, heat maps
Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
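The scales and the two-step ranking described on the preceding slides (likelihood from annual frequency or probability, impact multiplied by likelihood as the primary criterion, then impact alone, speed of onset and the gap to the tolerance threshold as secondary considerations, and heat-map bucketing of the result) can be written down as a small risk register. The block below is an added worked example, not material from the course slides or from COSO/Deloitte; the risk names are taken from the interaction-map slide, but all ratings, the tolerance values and the heat-map zone thresholds are constructed for the example.

```python
from dataclasses import dataclass


def likelihood_from_return_period(years_between_events: float) -> int:
    """Map an annual-frequency estimate (expected years between events) to the
    1-5 likelihood rating of the frequency scale quoted on the slide."""
    if years_between_events <= 2:
        return 5   # Frequent: up to once in 2 years or more often
    if years_between_events <= 25:
        return 4   # Likely: once in 2 years up to once in 25 years
    if years_between_events <= 50:
        return 3   # Possible: once in 25 years up to once in 50 years
    if years_between_events <= 100:
        return 2   # Unlikely: once in 50 years up to once in 100 years
    return 1       # Rare: once in 100 years or less often


def likelihood_from_probability(p: float) -> int:
    """Map a probability of occurrence over the life of the asset or project
    to the same 1-5 rating using the probability column of the slide."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    if p >= 0.90:
        return 5   # Almost certain
    if p >= 0.60:
        return 4   # Likely
    if p >= 0.35:
        return 3   # Possible
    if p >= 0.10:
        return 2   # Unlikely
    return 1       # Rare


@dataclass
class Risk:
    name: str
    impact: int          # 1-5 impact scale
    likelihood: int      # 1-5 likelihood scale
    vulnerability: int   # 1-5 vulnerability scale
    speed_of_onset: int  # 1-5 speed-of-onset scale
    tolerance: int       # desired impact x likelihood score (constructed threshold)

    def __post_init__(self):
        # Reject anything outside the five-point scales before it distorts a ranking.
        for field_name in ("impact", "likelihood", "vulnerability", "speed_of_onset"):
            value = getattr(self, field_name)
            if not 1 <= value <= 5:
                raise ValueError(f"{field_name} must be a 1-5 rating, got {value}")

    @property
    def score(self) -> int:
        return self.impact * self.likelihood          # primary ranking criterion

    @property
    def vulnerability_score(self) -> int:
        return self.impact * self.vulnerability       # alternative criterion named on the slide

    @property
    def tolerance_gap(self) -> int:
        return self.score - self.tolerance            # gap between current and desired level


def heat_map_zone(score: int) -> str:
    """Bucket an impact x likelihood score (1-25) into a heat-map zone.
    The thresholds are an assumption for this example, not from the source."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritise(risks):
    """Step one ranks by impact x likelihood; step two orders ties by impact
    alone, then speed of onset, then the gap to the tolerance threshold."""
    return sorted(
        risks,
        key=lambda r: (r.score, r.impact, r.speed_of_onset, r.tolerance_gap),
        reverse=True,
    )


def risk_register():
    # Constructed sample ratings for risks named on the interaction-map slide.
    return [
        Risk("Supply chain disruption", impact=4, likelihood=likelihood_from_return_period(3),
             vulnerability=4, speed_of_onset=4, tolerance=8),
        Risk("Economic downturn", impact=4, likelihood=likelihood_from_return_period(8),
             vulnerability=3, speed_of_onset=2, tolerance=12),
        Risk("Exchange rate fluctuations", impact=2, likelihood=likelihood_from_probability(0.95),
             vulnerability=2, speed_of_onset=3, tolerance=10),
        Risk("Local competitor enters market", impact=3, likelihood=likelihood_from_probability(0.5),
             vulnerability=3, speed_of_onset=2, tolerance=6),
        Risk("Cost of capital increase >5%", impact=3, likelihood=likelihood_from_return_period(20),
             vulnerability=2, speed_of_onset=1, tolerance=12),
    ]


if __name__ == "__main__":
    for r in prioritise(risk_register()):
        print(f"{r.name:32} score={r.score:2} zone={heat_map_zone(r.score):6} "
              f"impact*vuln={r.vulnerability_score:2} gap={r.tolerance_gap:+d}")
```

Running the register shows the point of the second step: "Supply chain disruption" and "Economic downturn" both score 16, and the faster onset of the supply chain risk is what puts it first. The `tolerance_gap` column also makes the slide's "gap between current and desired risk level" visible per risk, which is what a risk owner needs when deciding whether a response is still required.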
Risk hierarchies
Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Risk and opportunity maps
• Usually two-dimensional representations of impact plotted against
likelihood
• Can also depict other relationships such as impact versus vulnerability
Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Heat maps
Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
MARCI* charts
Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Heat maps vs. MARCI charts
Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Risk assessment process
Key principles for effective risk assessments
• Governance over the risk assessment process must be clearly established
• Risk assessment begins and ends with specific objectives
• Risk rating scales are defined in relation to organisations’ objectives in
scope
• Management forms a portfolio view of risks to support decision making
• Leading indicators are used to provide insight into potential risks
Risk assessment process
Essential steps for performing a risk assessment
• Identify relevant business objectives.
• Identify events that could affect the achievement of objectives.
• Determine risk tolerance.
• Assess inherent likelihood and impact of risks.
• Evaluate the portfolio of risks and determine risk responses.
• Assess residual likelihood and impact of risks.
Risk assessment process
Common challenges to effective risk assessment
• Risk assessment is viewed as an episodic initiative providing limited value.
• The amount of information and data gathered is difficult to interpret and use.
• Results of the risk assessment are not acted upon.
• Over-controlling risk can be costly and stifle innovation.
• Risk assessments become stale, providing the same results every time.
• Risk assessment is added onto day-to-day responsibilities without being integrated into
business processes.
• Too many different risk assessments are performed across the organisation.
• Risk assessment will not prevent the next big failure.
Risk assessment
• Strategic risk assessment
• Operational risk assessment
• Compliance risk assessment
• Internal audit risk assessment
• Financial statement risk assessment
• Fraud risk assessment
• Market risk assessment
• Credit risk assessment
• Customer risk assessment
• Supply chain risk assessment
• Security risk assessment
• Product risk assessment
• Information technology risk assessment
Risk responses
• Addresses risks identified as unacceptable / tolerable
• Identify options to control / respond to risks:
– Risk avoidance
– Risk transfer
– Risk reduction
– Risk retention
• In-balance sheet tools – financiers
• Off-balance sheet tools – insurance, forward cover
Source: Committee of Sponsoring Organizations (COSO)/ Deloitte, Risk Assessment in Practice, October 2012
Risk management process
Monitor and review risks:
• Identify, analyse, and plan for new risks
• Track identified risks and monitor trigger conditions
• Review project performance information such as progress/status reports,
issues, and corrective actions
• Re-analyse existing risks to see if the probability, impact, or proper
response plan has changed
• Review the execution of risk responses and analyse their effectiveness
• Ensure proper risk management policies and procedures are being utilised
Enterprise Risk Management
COSO defines ERM as a process that is:
• effected by an entity’s board of directors, management, and other
personnel;
• applied in strategy setting and across the organisation;
• designed to identify potential events that may affect the entity, and to
manage risk so that it stays within the organisation’s risk appetite; and
• intended to provide reasonable assurance regarding the achievement of the
entity’s objectives.
Scenario analyses
• Challenge: … without considerations for its long term
• Leading practice: Assess risks using scenario analysis
Siloed risk
• Challenges:
– Different risk language and risk management approaches across the organisational silos
– Poor communication across these silos
• Leading practices:
– Define a common risk language that cuts across silos
– Coordinate roles and responsibilities across the organisation
– Rationalise and standardise controls for risk management
Unrewarded risk vs. rewarded risk
• Challenges:
– Focus on compliance, security, financial issues
– Mitigating risks of fraudulent activities, physical safety
• Leading practices:
– Take calculated risks to obtain a competitive advantage
– Taking risks for attracting more and high-value customers
Organising for risk-taking
Several keys to becoming a strong risk-taking enterprise:
• Hiring the right people
• Creating incentives for good risk taking
• Aligning organisational size and structure with risk taking
• Understanding the decision-making context
• Integrating risk analysis with the strategy process
• Monitoring and responsiveness
• Ensuring adequate capital for risks retained
• Preserving the enterprise’s options
• Building the optimal risk governance and management structures
• Balancing quantitative and qualitative decision making
Leading practices
• Risk management should be integrated into corporate culture, starting at the board level and with the
governance capability
• Ensure the ERM fundamentals, i.e., the framework, methodology, and tools are established before developing
more advanced risk management practices
• Buy in from CEO and executive team is imperative to the program’s success
• Elevated CRO visibility and responsibility: direct reporting to the board and/or CEO, and increasing frequency of
CRO executive sessions with the board
• Integration of ERM with other management practices (performance management, process management,
compliance management, quality management, etc.)
• Leaders actively shape their risk culture into something purposeful that is aligned with business strategy, where
each employee takes personal responsibility for managing risk in their work every day and understands how to make
the right risk-based decisions
• Integration of risk discussions and ERM monitoring into everyday business is essential – not a documentation
exercise
• Build common language and common metrics
Source: Deloitte, Practical Enterprise Risk Management, 2012
Potential challenges
• ERM training is still limited to risk specialists and people directly involved in the risk
management activities
• Just in this past decade, many companies’ failures were the result of bad decisions on the
part of a handful of people – in these cases, the human factor is the root cause
• In the midst of the recent economic challenges, many companies with well established
ERM functions, processes, and controls still failed
• Missing the cultural and organizational components that may help guard against
ineffective or just plain poor decision-making on the part of individuals
• ERM processes are implemented but organizations may still face challenges with respect
to effective monitoring and reporting
• Lack of awareness is a common barrier to effectiveness
Compliance structures
• Strategic
• Operational
• Internal – IAS, SHEQ, etc.
• External – external audit, quality audit, etc.
• Departmental
• Combined assurance framework
Developing codes of best practice
• Complex legal environment
• Norms that impact on corporate governance practices:
– International laws (treaties, agreements, directives)
– National laws (legal codes)
– Subnational legislation (state laws)
– Regulations
– Listing rules
– Standards, guidelines, and codes of best practice
– Organic documents of the corporation (company charter)
– Corporate rules and provisions (company by-laws)
Developing codes of best practice
• International reference frameworks
• Professional associations
• Areas to consider:
– Establishing a corporate governance committee
– Chairman of the committee
– Project leader
– Committee members and secretary
– Master schedule (what is to be done)
– Terms of reference
– Stakeholder engagement (who, when, how, etc.)
– Implementation and monitoring – change management
Business ethics
• Principles and standards that determine acceptable conduct within
a business environment
• Integral to governance
• Recognising ethical issues is the most important step:
– Conflict of interest
– Fairness and honesty
– Communications
– Business relationships
– Employee relations
– Customer relations
Business ethics and social responsibility
Figure (labels recovered from the slide):
– Ethical responsibilities: being ethical; doing what is right, just and fair; avoiding harm
– Economic responsibilities: being profitable
– … community and quality of life
Ethics and compliance
Deloitte Ethics and Compliance Framework (figure; components recovered from the slide: Risk Management, Internal Audit)
Risk Management
• Conduct regulatory risk prioritisation
• Facilitate completion of the compliance risk register, with ratings and mitigating actions
• Ensure awareness on the part of management and the board of the risk consequences of non-compliance
Thank You
Peter Hofmann
MFX Options and Solutions (Pty) Ltd
peter@mfxsa.co.za
www.mfxsa.co.za