Risk Management Workshop 1 Risk management workshop Why do we - PowerPoint PPT Presentation

Risk management workshop Why do we Risk Risk and need risk assessment control matrix management process Governance Risk appetite Agenda for and risk Risk categories and risk the day management tolerance Risk COSO model management Risk reporting policy

Risk management workshop Alignment of risk-taking behaviour with strategic business objectives Objectives - Promote a risk management culture risk across the organization and improve risk transparency to the management stakeholders policy Maximise stakeholder’s value and net worth by managing risks that may impact the defined financial and performance drivers

Risk management workshop The way in which The way in which risk conflicts of interest management regarding risk performance will be management roles measured and Objectives - risk are dealt with reported management Assist the policy (cont) Organization in A commitment to enhancing and review and improve protecting those the risk management opportunities that system periodically represents the greatest service delivery benefits

Risk management workshop Risk management and internal control objectives (governance) Statement of the attitude of the organization to risk (risk philosophy and strategy) Content of a Description of the risk culture or the control environment risk Level and nature of risk that is acceptable (risk appetite) management Risk management structure and arrangements (risk architecture) policy Details of procedures for risk recognition and ranking (risk assessment) List of documentation for analysing and reporting risk (risk protocols)

Risk management workshop Risk mitigation requirements and control mechanisms (risk response) Allocation of risk management roles and responsibilities Content of a Risk management training topics and priorities risk management Criteria for monitoring and benchmarking of risks policy (cont) Allocation of appropriate resources to risk management Risk activities and risk priorities for the coming year

Risk management workshop Why do we Risk Risk and need risk assessment control matrix management process Governance Risk appetite Agenda for and risk Risk categories and risk the day management tolerance Risk COSO model management Risk reporting policy

Risk management workshop Risk universe

Risk categories Operations Compliance Financial Strategic Value Chain: Governance: Standards of Business Market: ► Design and Development Conduct : ► Board Structure & ► Interest Rate Performance ► Supply Chain and Logistics ► Corporate Social ► Foreign Currency Responsibility ► Corporate Monitoring ► Production ► Commodity ► Ethics ► Organisational Structure ► Marketing and Sales ► Fraud Liquidity and Credit: ► Service Planning and Resource ► Support Processes ► Cash Management Allocation: Regulatory: ► Business Continuity ► Funding ► Strategic Planning ► Trade ► Physical Assets: ► Hedging ► Budgeting ► Labor ► Real Estate ► Credit and Collectables ► Acquisition and Divestiture ► Environmental ► Plant and Equipment ► Insurance ► Privacy ► Inventory Stakeholders: ► Product Integrity ► People: ► Shareholder Accounting and Reporting: ► Culture ► Business Partner Legal: ► Reporting and Disclosure ► Recruitment & Retention ► Customer / Supplier ► Contract ► Internal Control ► Development & Performance ► Liability ► Tax Market Dynamics: ► Health and Safety ► Competition ► Information Technology: Capital Structure: ► Socio-Political ► IT Security and Access ► Debt ► Economic Factors ► IT Availability and Continuity ► Equity ► IT Integrity ► IT Infrastructure 51

Risk management workshop Risk Management • Identifying areas of threat to the business • Assessing the potential impacts and managing these • Growth and continued existence of the business

Risk management workshop Risk versus opportunity

Internal risk categories Knowledge and Human resources information management • Integrity & Honesty • Availability of information • Recruitment • Stability of the information • Skills & competence • Reliability and integrity of information data • Employee wellness • Relevance of the • Employee relations information • Retention • Retention • Occupational health & • Safeguarding of data and safety information

Internal risk categories Litigation Financial • • Claims by employees, public, Cash flow adequacy service providers, third parties • Liquidity and solvency • Failure to exercise certain right • Financial losses that is to its advantage. • Fruitless and wasteful expenditure • Budget allocations • Financial statement integrity • Revenue collection • Increasing operational expenditure

Internal risk categories Material resources (procurement risk) Information Technology • Availability of material • Security concerns • Costs and means of • Technology availability acquiring \ procuring (uptime) resources • Applicability of IT • The wastage of material infrastructure resources • Integration / interface of the systems • Effectiveness of technology • Obsolescence of technology

Internal risk categories Disaster recovery Third party performance and business continuity • Outright failure to perform • Disaster management procedures • Not rendering the required • Contingency planning service in time • Not rendering the correct service • Inadequate / poor quality of performance

Internal risk categories Cultural Compliance \ Regulatory • Communication channels • Failure to monitor or and its effectiveness enforce compliance • Cultural integration • Monitoring and enforcement mechanisms • Entrenchment of ethics and • Consequences of non- values compliance • Goal alignment • Fines and penalties paid • Management operating style

External risk categories Economic Environment Political Environment • Credit downgrade • Political unrest • Inflation, interest rates, • Local, Provincial and forex National elections • Oil prices • Changes in key office bearers • US/China trade war/Brexit

External risk categories Social environment Natural environment • Unemployment • Depletion of natural resources • Migration of workers • Environmental degradation • Spillage • Pollution

External risk categories Technological environment Legislative environment • Advancements and changes • Changes in legislation, in technology conflicting legislation.

Risk management workshop Why do we Risk Risk and need risk assessment control matrix management process Governance Risk appetite Agenda for and risk Risk categories and risk the day management tolerance Risk COSO model management Risk reporting policy

Enterprise Risk Management (ERM) Approach The structured ERM approach defines the key risks to business objectives across the organization and evaluates the level of management preparedness to clearly define opportunities to improve and/or monitor risks. Define Inherent Define Business Risks Recommended Course Of Action Evaluate The Level of Identify Significant Management Preparedness Inherent Risks Link Risks To Strategic Objectives IMPROVE Strategic Action Plan Operations Strategies & Mgt. & Mgt. & Mgt. & Business Control Control Control MONITOR Objectives Activities Activities Activities Financial Risk and Control Plan Compliance 63

Risk by organisational level Category Description Example Exposures, which impact the entire ► Lack of long-term business organisation and are broader in strategy nature. Entity ► Insufficient oversight by Audit Upper management assumes Committee or Board of responsibility for remediation. Directors Exposures, which are specific to the ► High transaction volumes processing of particular transactions. ► Complexity of transactions Proces Process owners usually assume processed s responsibility for remediation. ► Degree of subjectivity in the valuation Exposures, which result from the ► Lack of training execution of particular work steps, ► Lack of policies and tasks, and/or activities. procedures Activity Process owners usually assume ► Poorly implemented IT responsibility for remediation. functions 64

Risk management workshop Process universe

Risk management workshop Process risk assessment

Risk management workshop Mega, major, minor process analysis

How do we assess risks? • Risk is assessed first on an inherent basis at the entity-level – That is, without consideration of the effect of controls • Risk has two elements : – Impact – Likelihood • Impact and Likelihood determine the overall risk rating • Applied mitigating control strategies on key risks are identified, in order to obtain the residual risk • Residual risk: Represents the risk the business remains exposed to after factoring in the perceived effectiveness of existing controls 68

Risk management workshop Assess the risk Likelihood Impact Plot on Likelihood the x Impact heatmap

Risk management workshop Likelihood Likelihood LIKELIHOOD DESCRIPTION The risk is almost certain to occur more than once within the next Almost certain 12 months. (Probability = 100% p.a.) Likely The risk is almost certain to occur once within the next 12 months. (Probability = 50 – 100% p.a.) Moderate The risk could occur at least once in the next 2 – 10 years. (Probability = 10 – 50% p.a.) Unlikely The risk could occur at least once in the next 10 - 100 years. The risk will probably not occur, i.e. less than once in 100 years. Rare Refer page 47 of delegate handbook (Probability = 0 – 1% p.a.)

Risk management workshop Impact Impact Impact Description Loss of ability to sustain ongoing operations. A situation that would cause a Catastrophic standalone business to cease operation. Significant impact on achievement of strategic objectives and targets relating to the Major IDP of the organization. Disruption of normal operations with a limited effect on the achievement of Moderate strategic objectives or targets relating to the IDP. Minor No material impact on achievement of the organization’s strategy or objectives. Negligible impact. Insignificant Refer page 46 of delegate handbook

Risk management workshop Plotting the risks Almost certain 5 10 15 20 25 Likely 4 8 12 16 20 Moderate 3 6 9 12 15 Unlikely 2 4 6 8 10 Rare 1 2 3 4 5 Insignificant Catastrophic Likelihood Minor Moderate Major Impact

Assessing Risk – Likelihood cont … Score Rating Probability Frequency 5 Expected > 90% Yearly 4 Highly Likely < 90% Every 1-2 Years 3 Likely < 60% Every 3-5 Years 2 Not Likely < 30% Every 6-9 Years Every 10 Years and 1 Slight < 10% Beyond 73

Assessing risk – Impact cont … SCORE RATING FINANCIAL OPERATIONS COMPLIANCE STRATEGIC EBIT / EPS Value Disclosure Scope Legal/Regulatory Reputational Market Share Strategy Enterprise-wide; Management Indictments > 25% >25% Loss of Fiscal Year Loss of confidence in Potentially Irrecoverable Potential acquisition or Inability to continue normal 5 Critical Large Scale Class Actions Market Value Restatement all stakeholder groups (i.e., 24-36 months) bankruptcy EBIT / EPS business operations across Regulatory Sanctions all business units 2 or more changes in 3 Business Units; Management Challenged Loss of confidence by Long Term Recovery senior leadership, > 20% >20% Loss of Fiscal Quarter Significant interruptions to 4 Significant Large Legal Liabilities 3 or more stakeholder (i.e., financial restructuring, Market Value Restatement business operations within EBIT / EPS groups 12-24 months) significant changes to Regulatory Fines / DPAs 3 or more business units strategic plan. 1 or more changes in 2 Business Unit(s); Management Reviewed Loss of confidence by senior leadership, > 15% >15% Loss of Significant Moderate interruptions Mid-term Recovery (i.e., 3 High Legal Reserve Established 2 or more stakeholder significant changes to Market Value Deficiency within 2 or more business 6-12 months) EBIT / EPS groups operating plans and Regulatory Investigation unit(s). execution. Management Unaffected 1 Business Unit; Loss of confidence Refinements or > 10% >10% Loss of Short-term Recovery (i.e., 2 Moderate Control Weakness Minimal Liabilities limited to 1 stakeholder adjustments to operating Interruptions restricted to 1 Market Value less than 6 months) EBIT / EPS group plans and execution. business unit. Regulatory Attention > 5% >5% Loss of Additional Risk Limited interruptions within Limited Liabilities or Limited impact to 1 Limited Recovery (i.e., Limited Adjustment 1 Low EBIT / EPS Market Value Disclosure 1 business unit Regulatory Impact stakeholder group less than 3 months) Necessary 74

Risk Assessment Criteria (“RAC”) • Defines likelihood and consequence ratings • Maps the likelihood and impact ratings to determine the overall risk rating • Is used to consistently evaluate risk and help guide the prioritization and focus of Improve and Monitor activities Assessing Risk – Impact H M H H M L M H Impact L L L M L M H Likelihood 75

Risk map profile All Options Apply; However, Risk Controls Limited All Options Apply; Must Manage Effectively Over Long Term 2 1 The degree of High potential loss or Extraordinary Strategic harm to the financial Events Imperatives or operational Apply Preventive capabilities within and Detective 3 IMPACT the business 4 Risk Controls process Operating and Irrelevant Compliance or Insignificant Issues Low Low High Accept at Present LIKELIHOOD Level and Monitor The likelihood and duration of a Over Time threat or vulnerability impacting a key business process. 76

Risk management workshop Minimum Lean six Root cause Data IT auditing Boardroom sigma expert mining skills presence tools in the Fishbone diagram Pareto analysis toolbox

Lean Six Sigma - Integration of Two Powerful Business Improvement Approaches... Lean Six Sigma Speed + Waste Elimination Quality, Cost • Goal – Improve performance on items • Goal – Reduce waste and increase Critical to Customer Quality (CTQs) process speed • Focus – Use DMAIC with (TQM) tools to • Focus – Implementing Waste reduction eliminate variation tools • Method – Management engagement, • Method – Improvement events Value dedicated team effort Stream Mapping Lean Speed Enables Six Sigma Quality Enables Six Sigma Quality Lean Speed (Faster Cycles of (Fewer Defects Means Experimentation/learning) Less Time Spent on Rework) Efficiency Effectiveness 78

Fishbone Diagram Discovery of different Material Machine Methods discount rates occurs too late in process Computer screens Billing process not Too many “jumps” Updates accurate Product Shortages Master customer discount Effect: Too many price table not up-to-date adjustments at check-out Incomplete Training on Power Failures common complaints Management Policies Not enough staffing during peak times Marketing metrics Unfamiliarity with procedures counterproductive Notification of For vacation Mother Nature Measurements Manpower absence notification Root Cause Analysis 79

Risk management workshop Pareto Chart of Processing Errors 140 100 120 100 80 Percent 80 Count 60 60 40 40 20 20 0 0 Exception HHG TQ/TA GHS AT New Res Other Count 73 18 13 8 7 5 Percent 58.9 14.5 10.5 6.5 5.6 4.0 Cum % 58.9 73.4 83.9 90.3 96.0 100.0 2019/11/11

Risk management workshop Why do we Risk Risk and need risk assessment control matrix management process Governance Risk appetite Agenda for and risk Risk categories and risk the day management tolerance Risk COSO model management Risk reporting policy

Risk management workshop Process overview flowchart

Risk management workshop Design of RCM

Risk management workshop Populating the risk and control matrix

Risk management workshop Input and access controls

Risk management workshop Processing controls

Risk management workshop Output controls

Risk management workshop Avoid Accept Risk management strategy Transfer Mitigate

Risk management workshop Set reward/loss Cannot be avoided Intentionally targets and / fully accepted pursue tolerance levels Typical risk response Investigate and Develop recovery Develop fall-back take follow-up plans arrangements strategies - action Accept Explicitly stated, Finance the understood, Residual risk consequences monitored and approved

Risk management workshop Share (joint Insure ventures, alliances, partnerships) Typical risk response Contract out Diversify/spread strategies - (outsource, assign) Transfer Hedge

Risk management workshop Risk management require companies to be proactive rather than passive Typical risk Some degree of mitigation in response to most significant risks. response strategies - Options for risk mitigation are : Mitigate • Organisation • People & Relationships • Direction • Operational • Monitoring

Risk management workshop Cease activity Pull out of market Typical risk response Change or Divest recalibrate strategies - objective Avoid Redesign (e.g. Business processes, Reduce scale systems, tools)

How do I choose the right mix of responses? Previous slides provide a ‘menu’ of choices. However, given that the desired result is a structured and integrated portfolio of risk responses, the choices must be carefully considered; intentional rather than ad hoc, and linked together. Design decisions are influenced by factors such as: • The business environment and constraints • The level and relative importance of the business objective (e.g. strategic vs. operational) • The nature of the risk, and whether it has an ‘upside‘ or ‘downside’ potential • The perceived significance of the risks (impact and likelihood) • The ‘risk appetite’ (level of acceptable risk) • The cost and desirability of applying various risk responses • The ability to directly or indirectly influence outcomes • What has been done in the past, how well it has (or has not) worked, lessons learned 93

Assessing response to risks – Management preparedness Score Rating Action Description Controls and/or Management Activities properly designed and 5 Very High Effective operating as intended Limited Improvement Controls and/or Management Activities properly designed and 4 High Opportunity operating, with opportunities for improvement identified Moderate Improvement Key controls and/or Management Activities in place, with 3 Moderate Opportunity significant opportunities for improvement identified Significant Improvement Limited controls and/or Management Activities in place, high 2 Low Opportunity level of risk remains Critical Improvement Controls and/or Management Activities are non-existent or 1 Very Low have major deficiencies and don’t operate as intended Opportunity 94

Entity level residual risk profile Representative Example Residual High 25.0 risk no. Tier 1 residual risks Credit Risk – Customer 1 default 1 Improve Liquidity — Cash Monitor 2 Management 20.0 Controls Access to capital to 6 3 3 finance expansion 5 Inability to reach some 2 (Impact x likelihood) 4 niche markets (local or Risk exposure 15.0 overseas) 9 4 5 Failing to plan for LT 7 Inability to recruit and 6 10.0 retain talent 8 High dependency on 7 few decision-makers / owners Monitor Accept 5.0 Increased demand for Risks Optimize more timely and 8 comprehensive reporting and disclosure 0.0 Low Greater vulnerability re. 9 changes in economic 1.0 2.0 3.0 4.0 5.0 factors Low High Management preparedness Residual risk = ((impact x likelihood) x (1-(management and control level /5)) + (0.2 x (impact x likelihood))) NOTE: The quadrants on this chart are intended to provide directional guidance for potential mitigation activities for each risk, based on the risk impact and likelihood rating, and level of management/control activities. Desired risk mitigation actions for each risk will vary based on the risk appetite of the organization and the desired level of management/control activities. 95

Management action plans for key risks Representative Example – Risk Action Plan Tracking Key Business Risks Assess Improve Monitor Risk Risk Classification Inherent Management Existing Management Enhancement Action Audit Other Monitoring Key Impact Risk Description Likelihood Exposure Effectiveness and Control Activities Opportunities Owner Coverage Activity Metrics Tier 1 Risk Profile Raw Material Pricing: 4.8 Operations 4.3 20.6 1.6 Purchases of raw materials, and energy represent a large portion Value Chain ● ● ● ● of the Company’s costs. Increases in the costs of these inputs may increase the Company’s costs, and the Company may not be able to pass these costs on to customers through higher prices. Increases in the costs of materials may adversely impact our customers’ demand for printing and related services. Vehicle Inventories / Sales Incentives Strategic 4.1 4.8 19.7 1.9 Slower-than-expected sales in the first two months of 2004 have Customer ● ● ● ● nudged inventories slightly above the industry’s “normal” level of 60-day supply, increasing dealer carrying costs and the prospect of production cuts later this year if the trend continues. Sales incentives will remain high as a result, at least through the first quarter of 2004, to mitigate a further rise in inventories that would be even more expensive to clear out once new GM/Ford/DaimlerChrysler car models start arriving later this year. Warranty Costs and Liabiliites 4.8 3.4 16.3 2.2 Operations As manufacturers look to push warranty exposure down the Value Chain ● ● ● ● supply chain, the risks for suppliers are potentially catastrophic—the liability for a single component defect, spread over a large number of vehicles, especially if the defect is determined to be safety related, could jeopardize the future of a company. The number of vehicle recalls is rising, and TREAD Act compliance (a result of the Firestone/Ford debacle) in particular is increasing costs for tire makers and vehicle manufacturers. Integration of Acquired Businesses: Strategic 4.6 2.8 12.9 2.0 Achieving the anticipated benefits of acquisitions, including the Acquisition & Divestiture ● ● ● ● recent acquisitions, will depend in part upon the Company’s ability to integrate these businesses in an efficient and effective manner. The integration of companies that have previously operated independently may result in significant challenges, and the Company may be unable to accomplish the integration Supply Chain Sustainability: 3.4 Operational 4.0 13.6 2.4 Many vehicle component suppliers have been pushed to the Value Chain ● ● ● ● financial brink by years of cost-cutting by their customers. Many suppliers have high debt levels, cash flow deficiencies, and marginal businesses. In addition, Tier 1 suppliers face an increasing risk that their production will be disrupted because troubled second- and third-tier suppliers won’t be able to deliver parts. Intellectual Property Protection: Operational 3.4 3.7 12.6 2.4 ● ● ● ● The problem of counterfeit aftermarket parts being sold in the US Knowledge market continues to increase, with most of the fraudulent parts coming from China. The Chinese government has taken only token steps to shore up the legal framework around intellectual property rights in that country, and automakers and suppliers remain under threat of having their IP rights subverted and having little recourse against the proliferation of potential dangerous fakes by enterprises that are difficult to bring to 96

Design, build and implementation of Key Risk Indicators Example KPI, KCI and KRIs Design ▪ Establish extent of existing management information and other Control: Risk: data flows – indicators in place if applicable Daily monitoring, Point of entry Clients default on deals ▪ procedures, Collateral cover Identify committees, forums, management meetings etc currently in place that can be used to discuss risk and control issues on an ongoing basis KPI: KCI: ▪ Define and document roles and responsibilities of risk and Number of deals executed for clients who Number of clients identified with control owners have defaulted in the past insufficient collateral cover Build Process ▪ Assign ownership for risks and controls KRI: ▪ Communication with risk and control owners relating to their Number of deals executed for clients who have defaulted in the past who do not have sufficient collateral cover ongoing responsibilities ▪ Carry out workshops with all risk and control owners to design indicators to be put in place ▪ Define how existing information flows and committees etc are to be used to minimise additional workload Control: ▪ Risk and control owners refine the indicator monitoring process Risk: Adequate remuneration & motivation ▪ Overall analysis of indicators for gaps and dual coverage Loss of key personnel packages allied to communication. Bonus Pool ▪ Design reporting protocols Ongoing Operation of Process KCI: ▪ KPI: Design review mechanism (i.e. Corporate Risk department or Number of employees kept as a Number of staff leaving without a Internal Audit, etc.) result of remuneration change / planned successor ▪ bonus payment Create storage mechanism for information ▪ Perform ongoing consistency checks of indicators set up across the organisation KRI: Number of staff leaving without a planned successor due to remuneration / bonuses not being sufficient 97

Risk management workshop Why do we Risk Risk and need risk assessment control matrix management process Governance Risk appetite Agenda for and risk Risk categories and risk the day management tolerance Risk COSO model management Risk reporting policy

Risk management workshop Residual risk versus risk appetite

Risk management workshop Why do we Risk Risk and need risk assessment control matrix management process Governance Risk appetite Agenda for and risk Risk categories and risk the day management tolerance Risk COSO model management Risk reporting policy