Aarsh Enterprise Risk Management - 2
Cutting-edge risk solutions for emerging economies Confidential & Proprietary - Not for distribution
Committee of Sponsoring Organisations of the Treadway Commission (COSO) - Background
COSO undertook a study in December 2001 and submitted its report in September 2004. The output of the study was:
- A definition of risk and enterprise risk management
- Concepts, categories, principles and other elements of a comprehensive risk management framework
- Direction for companies and other organizations to use in determining how to enhance their risk management
- Criteria for companies to use in determining whether their risk management is effective and, if not, what is needed
- Application techniques that link directly to the framework

COSO:
- Concluded that there was a need for a recognized framework despite an abundance of literature on the subject
- Believes there is consensus that all organizations can benefit from improved risk identification and risk analysis procedures
- Recognizes that many organizations are engaged in some aspects of enterprise risk management
- Believes that this study will help identify all of the aspects that should be present and how they can be coordinated

The COSO Enterprise Risk Management Framework has two documents:
- The Framework
- Application Guidance
COSO structure
(Organisation chart not reproduced; surviving labels: COSO, COSO Advisory Council.)
Definition and Rationale of Enterprise Risk Management (ERM)
Enterprise Risk Management definition by COSO (2004)
Drivers of Enterprise Risk Management

Stakeholders                       | Results expected
Investors/Creditors/Policyholders  | Value creation juxtaposed to solvency
Environment                        | What new risks should we be pricing now?
Regulator                          | Requires ERM at consolidated level
Insurance company regulators       | Require legal entity specific regulation
International regulators           | Require both legal entity and holding company
Rating agencies                    | Require ERM frameworks
Board of directors                 | Attunement to firm-wide risks
Management                         | Requirement of a common language to drive results
The ERM Framework
Entity objectives can be viewed in the context of four categories:
- Strategic
- Operations
- Reporting
- Compliance
ERM considers activities at all levels of the organization:
- Enterprise-level
- Division or subsidiary
- Business unit processes
ERM takes a portfolio / entity-level view of risks.
Elements that characterise Enterprise Risk Management
- ERM takes note of the interrelationships and interdependencies among risks
- It improves the ability to manage risks within and across business units
- It improves the organisation's capacity to identify and seize opportunities inherent in future events
- It considers risk in the formulation of strategy
- It applies risk management at every level and unit of an entity
- It takes a portfolio view of risks throughout the enterprise, which presents an opportunity to set off risks moving in opposite directions against each other
Components of ERM 1/4
Internal Environment Component
- Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur
- Establishes the entity's risk culture
- Considers all other aspects of how the organization's actions may affect its risk culture, including allocation of authority, ethics and values, and human resources
Objective Setting
- Is applied when management considers risk strategy in the setting of objectives
- Forms the risk appetite of the entity: a high-level view of how much risk management and the board are willing to accept
- Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite
Components of ERM 2/4
Event Identification
- Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives
- Addresses how internal and external factors combine and interact to influence the risk profile
- Differentiates risks and opportunities:
  - Events that may have a negative impact represent risks
  - Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting
Risk Assessment
- Allows an entity to understand the extent to which potential events might impact objectives
- Assesses risks from two perspectives: likelihood and impact
- The unit of measure used to assess risks should be the same as, or congruent with, the measure used for the related objectives
- Employs a combination of both qualitative and quantitative risk assessment methodologies
- Time horizons are related to objective time horizons
- Assesses risk on both an inherent and a residual basis
Components of ERM 3/4
Risk Response
- Identifies and evaluates possible responses to risk
- Evaluates options in relation to the entity's risk appetite, the cost vs. benefit of potential risk responses and the degree to which a response will reduce impact and/or likelihood
- Assessment of and response to risks are integral components of ERM; which specific response is selected is not
- Selects and executes its response based on evaluation of the portfolio of risks and responses
Control Activities
- Control activities are the policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out
- Occur throughout the organization, at all levels and in all functions
- Include application controls and general information technology controls
Components of ERM 4/4
Information and Communication
- Information is needed at all levels of an entity in identifying, assessing, and responding to risk
- Management identifies, captures and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities
- Communication occurs in a broader sense, flowing down, across and up the organization
Monitoring
- Monitors the ongoing effectiveness of the other enterprise risk management components through:
  - Ongoing monitoring activities
  - Separate evaluations
  - A combination of the two
Roles and Responsibilities
- The Board of Directors is responsible for overseeing management's design and operation of ERM
- Management is responsible for the design of an entity's enterprise risk management framework
- Risk officers work with managers in establishing and maintaining effective risk management
- Internal auditors contribute to the ongoing effectiveness of enterprise risk management
Key Concepts In The Enterprise Risk Management Framework
- Events and risks
- Applying risk management in strategy setting
- Risk appetite and risk tolerance
- Portfolio view
Events and Risk
- An event is an incident or occurrence that could affect the implementation of strategy or achievement of objectives.
- ERM distinguishes risk and opportunity:
  - Events that may have a negative impact represent risks.
  - Events that may have a positive impact represent natural offsets, or opportunities, which management channels back to strategy setting.
- Risk is the possibility that an event will occur and adversely affect the achievement of objectives.
Applied in Strategy Setting
(Diagram not reproduced; only the label "Information and Communication" survives.)
Managing Risks Within Risk Appetite
- Management forms a risk appetite at the entity level.
- Risk appetite is a high-level view of how much risk management and the board are willing to accept.
- Risk appetite is encompassed in policy, guidelines and procedures.
- For many, appetite is considered in relation to growth and return goals.
Three Related Aspects: Capacity, Appetite and Limits*
Capacity
- The maximum amount of risk that can be supported by the Company, expressed as an aggregate capital amount
- Risk capacity is determined considering the following:
  - Available capital
  - Ability to raise capital
  - Earnings strength and stability, including planned growth in capital
Appetite
- The amount of risk that the Company is willing to take, given available risk capacity, risk preferences and strategic business objectives
- Risk appetite serves as an overall guide to resource and capital allocation
- Business strategy is to be aligned with risk appetite
Limits (downstream of appetite)
- Assist in operationalizing risk appetite and serve to effectively control risks within the context of our overall risk appetite
- Expressed in specific metrics appropriate for a given risk
- Shall reflect enterprise risk preferences and align to support strategic plans and capital allocation
- To be set at a level which may be periodically tested (i.e., limits should be established at levels that may be exceeded at times of stress)
Relating Mission, Objectives, Appetite and Tolerance
Mission: To be the leading producer of premium household products in the regions in which we operate

Risk Tolerances
Measure                      | Target         | Tolerances (acceptable range)
Market share                 | 25 percentile  | 23% - 30%
Units of production          | 150,000 units  | +10,000 / -7,500
Number of staff hired (net)  | 200 staff      | +20 / -15
Product quality index        | 4.0 sigma      | 4.0 - 4.5 sigma
Taking A Portfolio View
Enterprise risk management requires an entity to take a portfolio view of risks. Management develops a portfolio view from how individual risks interrelate.
Company-level risk appetite is usually expressed as Earnings at Risk or Risk Adjusted Return on Capital Employed. It is allocated to entity / function or sub-function level, typically based on the proportion of risk contribution of each entity / function (usually Value at Risk).
(Diagram not reproduced: Enterprise Level Risk Appetite (Earnings at Risk) -> Allocate Appetite -> Limits for Profit Centres / Entities (Entity A, Entity B), with feedback from the entities back to the enterprise level.)
Examples of risk-related behaviours and grading
Examples of a risk appetite statement
Building an effective and robust ERM framework
An effective ERM framework can provide reasonable assurance that the organization's strategic objectives can be achieved. Building an effective framework requires a number of interrelated components, including:
ERM Maturity Assessment
(Chart not reproduced: maturity stages Risk Specific RM, Governance Driven RM, Change Driven RM and Enterprise Wide RM, plotted against Efficiency of Risk Management Process.)
ISO 31000:2009 vs. ERM (COSO II)
ISO 31000:2009
- ISO 31000 fully complies with COSO ERM
- ISO 31000 is practical
- Easy to apply (less than 30 pages)
- Applicable to organisations in all industries, large or small
- More clearly written, and terms are explicitly defined
- Wider acceptance as a reference for risk management in existing and future standards
- No need to redesign the existing management system to apply it
- Applies to all levels of the organisation for any type of risk, with both positive and negative consequences
ERM (COSO II)
- COSO ERM typically applies to large firms and / or financial services firms
- Difficult to implement
- Focus on negative risk at corporate level; often very confusing when applied at operational level
Beyond box ticking: A new era for risk governance*
In May 2009, the Economist Intelligence Unit (sponsored by KPMG and ACE) surveyed 364 executives around the world across a range of regions and industries on their approach to risk management and corporate governance.
The key challenges to implementing risk management
- Board/CEO support (or lack of it)
- Inadequate understanding of responsibility / accountability
- Inability to measure risk
- Missing link to corporate strategy
- Process to add value
- Lack of a common risk language
- Difficulties in management buy-in
- Inadequate investment in technology
Common Excuses for NOT doing Risk Management
- "We have no risk"
- "The program is too small to do risk management"
- "Making risks public performance and maturity will kill the program"
- "The customer goes ballistic whenever he/she hears of a potential problem"
- "We deal with problems as they arise"
- "Identifying risks is bad for my career"
- "Risk management creates more work for me"
- "How can you predict what will happen from now?"
- "We plan to start implementing risk management next year"
Why ERM Implementation Fails
- Allowing too much complacency
- Failing to create a powerful coalition
- Underestimating the power of vision
- Under-communicating the vision
- Permitting obstacles to block the vision
- Failing to create short-term wins
- Declaring victory too soon
- Neglecting to anchor changes in the culture
RISK MANAGEMENT TOOLS
Risk identification tools
An organisation faces three categories of risks (diagram not reproduced).
Brainstorming
- Brainstorming involves stimulating and encouraging free-flowing conversation amongst a group of knowledgeable people
- Purpose: to identify potential failure modes and associated risks, criteria for decisions and/or options for treatment
- True brainstorming involves particular techniques to try to ensure that people's imagination is triggered by the thoughts and statements of others in the group
- Brainstorming can be used in conjunction with other risk assessment methods or stand alone
The normal facilitated process is as follows:
- The objectives of the session are defined and the rules explained.
- The idea is to collect as many diverse ideas as possible for later analysis.
- There is no discussion at this point about whether things should or should not be in a list or what is meant by particular statements, because this tends to inhibit free-flowing thought.
- All input is accepted and none is criticised, and the group moves on quickly to allow ideas to trigger lateral thinking.
Past Data
Risk can be identified from past records such as:
- Financial statements
- Process incident statistics
- Non-compliance or complaints
- Project debriefing reports
Checklists
Process:
- Listing typical uncertainties which need to be considered
- Users refer to a previously developed list, codes or standards and review whether items on the checklist are present
Applicability:
- When there is a large experience of risk which demonstrates that the same problems repeat
- It is applied to check that everything has been covered
Work system analysis
Work to be performed is separated into tasks and sub-tasks to form a structure for identifying risks. For each task, think about:
- The environment in which it operates
- The objective of the step, what could go wrong and what the opportunities are
- Sources of risk
- Human errors
- Equipment failure
- Existing controls and how they could fail
Pathway Analysis
Multiple Sources and Pathways
Hazard and Operability (HAZOP)
Process:
- Separate the process into components
- Define what the component is supposed to do
- Define operating conditions
- Use HAZOP key words to see how performance or conditions could vary from design intent
Applicability:
- HAZOP was developed by the chemical and processing industry to identify safety / operational problems of new plant
- Can be applied to any process
Strength:
- Provides an effective, systematic means to examine a system, process or procedure
- It generates solutions and risk treatment actions
- It involves a multidisciplinary team
Failure Modes and Effects Analysis (FMEA)
Process:
- Consider each component individually
- Analyse how it might fail
- What would be the result if it fails?
- Would it matter if the component fails?
- Look at safety, performance and operability, and ask "What would happen if this component failed?"
Applicability:
- FMEA is traditionally used for equipment failure
- FMEA is similar to HAZOP: FMEA considers where a component can fail, whereas HAZOP considers how the intended result may not be achieved
Strength:
- Identifies component fault modes, causes and effects
- Identifies problems early in the design process
- Identifies single point failure modes
Limitation:
- Can identify only single failure modes
- Can be time consuming and costly
- Can be difficult and tedious for complex systems
Example of an FMEA application

ITEM | COMPONENT | FAILURE MODES                                   | FAILURE EFFECT                       | FAILURE DETECTION
1    | Valve     | Valve mechanism jammed closed                   | Low flow of A                        | Flow meter line A
     |           | Motor which operates valve fails to start       | Low flow of A                        | Warning lights
     |           | Motor operating valve fails to stop             | High flow of A                       | Warning lights
     |           | Valve does not shut off due to spring breakage  | Explosion of A resulting in injury   | Low flow meter reading
     |           | Valve leaks when closed                         | Unwanted flow of A                   | Direct observation
Hazard Analysis And Critical Control Point (HACCP)
Process:
- Identify hazards
- Identify Critical Control Points: a step or procedure in a process at which control can be applied
- Identify control point conditions
- Define monitoring, record keeping, corrective actions and verification procedures to remain in control
Applicability:
- Used by organisations operating anywhere within the food chain to control risks from physical, chemical or biological contaminants of food. Also extended for use in the manufacture of pharmaceuticals and medical devices
Strength:
- Structured process for quality control / identifying and reducing risks
- Focus on how and where hazards can be prevented
- Encourages risk control throughout the process
Limitation:
- Involves identification of hazards, risks and controls as inputs to the process to specify critical control points and control parameters
- Actioned when control parameters exceed defined limits, so it may miss gradual changes
Example of HACCP application (Food Manufacturing)
Columns: Critical Control Points | Source of Risk | Control Parameter | Control Mechanism | Monitoring
(Table rows not reproduced.)
General Model for Identifying Risks
(Diagram not reproduced; surviving labels: conditions, actions of people or equipment, decisions.)
The generic model can be applied to most processes or projects. It can also be used in a positive sense to identify opportunities.
Example: Failure of Required Inputs
Columns: Project Steps | Inputs | Required Conditions | Actions | Events | Outcomes | Recommendation
(Table rows not reproduced.)
Scenario Analysis
Process:
- Scenario analysis can be used to assist in making policy decisions and planning future strategies, as well as to consider existing activities.
Applicability:
- Scenario analysis consists of defining a simplified model of a real system and using the model to consider what might happen given various possible future developments. Sets of scenarios reflecting the best case, worst case and expected case may be used to identify what might happen under particular circumstances and to analyse the potential consequences and their likelihood for each scenario.
Risk Analysis: What to Measure?
- Normally involves estimation of the range of possible consequences and their associated likelihoods in order to measure risk
- The level of risk should be expressed in terms suitable for the type of risk and that aid evaluation. In some instances risk can be expressed as a probability distribution across a range of consequences
- Taking a single consequence and its likelihood, as required in the matrix, is an approximation to the level of risk
- One must either take the maximum consequences and their likelihood or the most likely consequences and their likelihood; the risk really is the sum of all consequences and their likelihoods
Risk Analysis
(Diagram not reproduced. It maps analysis tools onto the elements below: human error analysis, fault trees, event trees and causal analysis, scenario analysis, consequence modelling, organisational analysis; "detect events and reduce consequences"; "respond and recover".)
- The critical path for a system life cycle; the key functions that help a system achieve its mission
- What does the process try to achieve? What are the key success criteria for the process?
- The outcomes of the process that we do not want to happen; they are indicators of a process failure
- The events that cause or lead to the undesirable risk outcomes
- The probability or frequency of an event occurring; it can be expressed qualitatively or quantitatively
- The outcome or impact of an event; there can be more than one consequence from an event, and it can be positive or negative, qualitative or quantitative
- The risk rating or risk score is the product of multiplying the likelihood level with the consequence level; it helps to determine whether the level of risk is low, medium, high or very high
Sample Impact Ranking
Sample Likelihood Ranking
Sample Risk Analysis Matrix
(L = low, M = medium, H = high, E = extreme)

Likelihood \ Consequences | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5)
A (5) Almost Certain      | H                 | H         | E            | E         | E
B (4) Likely              | M                 | H         | H            | E         | E
C (3) Moderate            | L                 | M         | H            | E         | E
D (2) Unlikely            | L                 | L         | M            | H         | E
E (1) Rare                | L                 | L         | M            | H         | H
Event Tree Analysis (ETA)
Applicability:
- ETA can be used at any stage in the lifecycle of a product or process.
- Used qualitatively or quantitatively to help understand potential scenarios and sequences of events following an initiating event
- Analyses how outcomes are affected by various treatments, barriers or controls intended to mitigate unwanted outcomes
Example of an Event Tree
Initial event: Supplier fails to deliver
Chance nodes, in order: Alternative supplier (Yes 0.4 / No 0.6); Immediate supply (Yes 0.7 / No 0.3); No modification needed (Yes 0.9 / No 0.1)

Outcome                 | Path through the chance nodes                                   | Probability
No delay                | Alternative supplier: Yes; Immediate supply: Yes; No modification needed: Yes | 0.252
Delay for modification  | Alternative supplier: Yes; Immediate supply: Yes; No modification needed: No  | 0.026
Delay for supply        | Alternative supplier: Yes; Immediate supply: No; No modification needed: Yes  | 0.108
Very late               | Alternative supplier: Yes; Immediate supply: No; No modification needed: No   | 0.012
Cannot complete         | Alternative supplier: No                                                     | 0.600
Total                   |                                                                              | 1.000
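The event tree above is evaluated by multiplying the branch probabilities along each path from the initiating event to an outcome, and a well-formed tree is exhaustive, so the outcome probabilities sum to 1. The following Python is an added example written for this page, not code from the original presentation; the tree structure is transcribed from the slide, and the class and function names are constructed here.

```python
# Event tree evaluation: enumerate every path from the initiating event through
# the yes/no chance nodes and multiply the branch probabilities along the way.
# Added example for this page; the tree below is transcribed from the slide's
# "Supplier fails to deliver" event tree, all other names are constructed here.
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass
class Node:
    """A chance node: a yes/no question, P(yes), and what follows each answer.

    A branch is either another Node or a string naming the final outcome.
    """
    question: str
    p_yes: float
    yes: "Branch"
    no: "Branch"


Branch = Union[Node, str]
Path = Tuple[str, List[str], float]  # (outcome, branch labels taken, probability)


def enumerate_paths(branch: Branch, prob: float = 1.0, taken=None) -> List[Path]:
    """Walk the tree depth-first, returning one (outcome, path, probability) per leaf."""
    taken = [] if taken is None else taken
    if isinstance(branch, str):                      # leaf: an outcome label
        return [(branch, taken, prob)]
    if not 0.0 <= branch.p_yes <= 1.0:
        raise ValueError(f"{branch.question!r}: P(yes)={branch.p_yes} is not a probability")
    p_no = 1.0 - branch.p_yes
    return (enumerate_paths(branch.yes, prob * branch.p_yes,
                            taken + [f"{branch.question}: yes ({branch.p_yes})"])
            + enumerate_paths(branch.no, prob * p_no,
                              taken + [f"{branch.question}: no ({p_no:.2g})"]))


def outcome_probabilities(tree: Branch) -> Dict[str, float]:
    """Sum path probabilities per outcome (several paths may share one outcome)."""
    totals: Dict[str, float] = {}
    for outcome, _, p in enumerate_paths(tree):
        totals[outcome] = totals.get(outcome, 0.0) + p
    return totals


def check_total(tree: Branch, tol: float = 1e-9) -> bool:
    """A correctly built tree is exhaustive: its outcome probabilities sum to 1."""
    return abs(sum(outcome_probabilities(tree).values()) - 1.0) < tol


# Transcribed from the slide (initiating event: supplier fails to deliver).
SUPPLIER_TREE = Node(
    "Alternative supplier", 0.4,
    yes=Node(
        "Immediate supply", 0.7,
        yes=Node("No modification needed", 0.9, yes="No delay", no="Delay for modification"),
        no=Node("No modification needed", 0.9, yes="Delay for supply", no="Very late"),
    ),
    no="Cannot complete",
)


if __name__ == "__main__":
    for outcome, steps, p in enumerate_paths(SUPPLIER_TREE):
        print(f"{p:.3f}  {outcome:<24} <- " + " / ".join(steps))
    print("outcome probabilities sum to 1:", check_total(SUPPLIER_TREE))
```

Along the modification branch the product 0.4 x 0.7 x 0.1 comes out to 0.028, which is what makes the five outcomes sum to 1.000.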
Root Cause Analysis
Root Cause Analysis - Example: Lost High Speed Data Stream From Satellite (Mission Failure)
(Diagram not reproduced.)
Root Cause Analysis - another example
(Diagrams not reproduced. Recoverable labels:
- Objective tree: objective "Maximum profitability"; necessary conditions (success criteria): dominant market share, customer satisfaction, leading edge technology, world class communication systems/products, world class customer support, innovation, speed of development and/or response, high quality hardware and software, high quality, secure, satisfied workforce.
- Base event tree: lamp failure, with causes no spare lamp, trip and unplug, operator error; internal and external causes.
- Project delay: no backup for critical resources, lack of standard protocols.
- Workforce shortage (public health laboratory): the stigma of public health care for the indigent, declining interest in hard sciences, rise in popularity of computer science, lack of attention and focus, diversion of attention to other priorities, general lack of awareness, no formal training program on the job, lack of integrated infrastructure, managed systems, HR, 50 unique personnel systems, lack of marketing of the PHL and its stories.)
Bow Tie Analysis - focuses on the barriers to threats
(Diagram not reproduced. Top event: projector failure during a lecture. Threats: setup error, power cut, ventilation failure, globe failure. Preventive barriers: preventative maintenance, training. Recovery barriers: lecturer fixes, back-up projector, hard copy. Outcomes: lecture proceeds, lecture delayed.)
Decision tree analysis
A decision tree is similar to an event tree, but rather than considering only chance events, both events and decisions are included in the analysis. Decision nodes in a decision tree are indicated by rectangles and chance events by circles. Below is a decision tree on whether to proceed with a development project.
(Decision tree not reproduced; the payoffs shown on the slide are $23m, -$2m and 0.)
Organising for Risk Management: The Three Lines of Defense*
Three Lines of Defence Framework
1st line of defense - Business
- Business line managers have primary responsibility for day-to-day risk management, and bear the consequences of losses
- In the case of products, responsible for appropriate design and pricing
2nd line of defense - Risk
- Formulate high-level policies, limits and risk appetite
- Provide oversight, challenge and support to optimise the risk/reward trade-off
- In the case of products, ensure adherence to relevant pricing and product design requirements
3rd line of defense - Internal audit
- Assurance of the overall effectiveness of internal controls
(Diagram labels: CEO; Own Risks Associated with Business Activities; Policies, Measurement, Limits, Monitor.)