The Governance of Risk
Agenda
1. Introduction to Risk Management – Balancing Risk and Reward
2. Whose responsibility is the governance of risk?
3. Determination of Risk Tolerance / Appetite; Performance of Risk Assessment Frameworks and Methodologies
4. Risk Response / Risk Monitoring / Risk Assurance; Risk Disclosure / Risk Dashboard; Risk Registers; “Black Swans”
Discussion Outline
1. Re-energising Our Purpose
Vision, Mission, Values and 5 year strategic objectives
2. How is the Landscape Changing?
Macro Environment – External Outlook Internal Analysis
3. What Initiatives are Critical for us to Succeed?
Divisional strategic projects
4. Risk Assessment (facilitated by External Specialists)
Objectives of today:
- Re-energising our purpose.
- Help stimulate strategic dialogue amongst the Board and Exco on the changes in our strategic context and strategic choices.
- Evaluate whether our strategic objectives are still relevant or there is a case for change.
- Update on key strategic initiatives / projects which are critical for us to succeed.
- Assessment of top strategic risks.
Discussion Outline
1. Re-energising Our Purpose
Vision, Mission, Values and 5 year strategic objectives
2. How is the Operational Landscape Changing?
Macro Environment – External Outlook Internal Analysis
3. What Initiatives are Critical for us to adopt to Succeed?
Divisional strategic projects
4. Strategic Risk
Risk Assessment (facilitated by ORCA)
Seinfeld Risk Management
How much of your board’s time is devoted to formal risk management compared with three years ago?
Source: Economist Intelligence Unit
Has your board reassessed risk management in light of any of the following?
- Regulatory risk
- Governance risk
- Country risk
- Dominant individual risk
- Terrorism
- Political risk
- Natural hazard
- Product recalls
- Weather risk
Source: Economist Intelligence Unit
Which of the following best describes how your organisation manages risk?
- Centralised and firm-wide risk management that is overseen by the board as part of overall business strategy
- Decentralised risk management with formal co-ordination
- Decentralised risk management without formal co-ordination
- Other / don’t know
Source: Economist Intelligence Unit
The Governance of Risk
Board’s Responsibility for Risk Governance
The Link between Corporate Governance, Strategy and Risk
Corporate Governance
“Corporate governance is the system by which companies are directed and controlled” (Cadbury Report, 1992)
The Link between Corporate Governance, Strategy and Risk
Strategy is the direction and scope of an organisation over the long-term, which achieves advantages in a changing environment through its configuration of resources and competencies with the aim of fulfilling stakeholder expectations.
The Link between Corporate Governance, Strategy and Risk
Strategy
- Strategy is concerned with the long-term direction of the organisation
- Concerned with scope of the organisation’s activities
- Trying to achieve some advantage for the organisation over competition
The Link between Corporate Governance, Strategy and Risk
Search for strategic fit with the business environment
Creating opportunities by building on the organisation’s resources and competencies
Affected not only by environmental forces and strategic capability, but also by the values and expectations of those who have power in and around the organisation
The Link between Corporate Governance, Strategy and Risk
Risk
The process of analysing an entity’s exposure to financial and non-financial risk and determining how best to mitigate / control such risk
What are the principal obstacles to making risk management integral with overall business strategy at your organisation?
- Competition with other priorities
- Fear of creating a risk-averse and bureaucratic culture
- A lack of cost-effective risk management tools
- Directors consider risk management a task for line management, not the board
- Poor awareness among staff inhibiting implementation
- The board does not understand or appreciate the principles and benefits of enterprise risk management
- Governance requirements (e.g. Sarbanes-Oxley)
- Opposition from a key board member or group of members
- Other
Source: Economist Intelligence Unit
Which of the following have resulted from your board taking greater responsibility for risk management?
- Improved internal controls
- Improved standards of governance
- Improved business strategy
- Reduced compliance risks
- More robust corporate approach to risk-taking within the organisation
- Improved shareholder value
- Reduced cost of risk management
- Lower insurance costs
- Improved returns on investment
Source: Economist Intelligence Unit
In your view, what is the board’s primary responsibility regarding risk management?
- To manage risk as an integral part of day-to-day board-level planning and decision making
- To be proactive in determining the organisation’s level of appetite for risk
- To spot emerging risks and develop strategies to prepare for them
- To sanction or reject risk assessments conducted at lower levels of the organisation
- To respond to risks as they arise
- Other
Source: Economist Intelligence Unit
In which of the following areas have your board members received the most training?
- Corporate governance and board responsibilities
- Ensuring business continuity
- Monitoring and identifying emergent risks
- Extending risk principles into the wider business strategy
- Implementing a risk management policy across the organisation
- Developing alternative risk strategies
- Communicating risk management policies to the workforce
- Evaluating insurance coverage
- Technical risk management skills (e.g., risk management, risk modelling)
Source: Economist Intelligence Unit
RE-ENERGISING OUR PURPOSE
Vision, Mission & Values
Vision
- To be a centre of excellence in healthcare funding systems
Mission
- Providing all members with products and related services in a sustainable manner
Values
- Excellence, Respect, Integrity, Value Diversity, Honesty, Transparency, Accountability
2015 Strategic Objectives
Key strategic objectives defining our agenda…
- Security of supply – sufficient
- Safety and risk
- Product innovation and diversification
- Sustainable Business Model
- Customer & Stakeholder Relationship
- Sound corporate governance
- Optimise technology for Internal Processes
- Talent Management
- Good corporate citizenship
Vision Unity of purpose Shared Values
Teamwork always wins…
HOW IS THE LANDSCAPE CHANGING?
WHAT INITIATIVES ARE CRITICAL FOR US TO SUCCEED?
Is Each Strategic Objective Supported by at Least One or More Projects?
| Objective No. | Strategic Objectives | Number of strategic projects / initiatives selected to support the objectives |
|---|---|---|
| 1 | Product Mix | 1 |
| 2 | Optimise Technology | 4 |
| 3 | Innovation & Diversification | 2 |
| 4 | Talent Management | 1 |
| 5 | Business Sustainability Model | 3 |
| 6 | Corporate Citizen | 1 |
| 7 | Customer & Stakeholder Relationship | 1 |
Business Risks can be Divided into 5 Main Groups
Strategic
- Risks of plans failing:
- poor marketing strategy
- Poor acquisitions strategy
- Changes in consumer behaviour
- Political/regulatory change
Financial
- Risks of financial controls failing:
- treasury risks
- lack of counterparty/credit assessment
- sophisticated fraud
- systems failure
- poor stock/receivables reconciliation
Operation
- Risks of human error or omission:
- design mistakes
- unsafe behaviour
- employee practices risks
- sabotage
Commercial
- Risks of business interruption:
- loss of a key executive
- supplier failure
- lack of legal compliance
Technical
- Risks of physical assets failing or being damaged:
- equipment breakdown
- infrastructure failure
- fire
- explosion
- pollution
- drought and other natural perils
Looking at Risk from Both Sides
Risk as an asset
We must manage risk to
- Attract members
- Seize opportunities
- Create value
- Push to the limits
- Attract investors
Risk as a liability
We must manage risk to
- Reduce the possibility of loss
- Protect value
- Stay in control
- Avoid falling behind
- Reassure stakeholders
- Avoid losing members
The Risk Management Cycle
Risk Management
The Board should be Responsible for the Governance of Risk
- Exercise leadership
- Responsible for governance of risk through formal processes
- Demonstrate it has dealt with the governance of risk comprehensively
- Disclose how it has satisfied itself that risk assessments, responses and interventions are effective
The Board should be Responsible for the Governance of Risk
- Scope of responsibility of risk governance should be expressed in its board charter
- Induction and training processes for all board members
- Delegated responsibility for risk management to a board committee (?)
- Documented risk management policy and plan
The Board should be Responsible for the Governance of Risk
- Policy and Plan for approval by the board
- Risk Management Policy sets the tone for risk management and indicates how risk management will support the organisation’s strategy
- Risk Management Policy widely distributed throughout the organisation
- Risk Management Plan considers maturity of risk management within organisation
The Board should be Responsible for the Governance of Risk
Risk Management Plan should include:
- organisation’s risk management structure
- Risk management framework
- Standards and methodology adopted (?)
- Risk management guidelines
- Integration through training and awareness programmes
- Details of assurance and review of risk management process
Review its risk management plan regularly
Identifying and Assessing Risk
- Does a comprehensive risk profile exist for the organisation? If not, why not?
- Does the risk profile evidence identification and evaluation of non-traditional risk exposures?
- Are the interrelationships of risks clearly identified and understood?
Identifying and Assessing Risk
Operational Risk
- What are the risks inherent in the processes chosen to implement the strategies?
- How does the organisation identify, quantify and manage these risks, given its appetite for risk?
- How does the organisation adapt its activities as strategies and processes change?
Definition of Risk Categories
- Strategic Risks
- Financial and Treasury
- Legal and Regulatory Risks (Compliance)
- Political Risks
Definition of Risk Categories
- Environmental Risks
- Health and Safety Risks
- Stakeholders’ Risks
- Market Risks
Definition of Risk Categories
- Infrastructure Risk
- People Risks
- Operational Risks
- Project Risks
Definition of Risk Categories
- IT Risks
- Fraud
- Competition
- Obsolescence
The board should ensure that management considers and implements appropriate risk responses
- Management identify and consider different ways organisation can respond to risks identified during the risk assessment process
- Options for responses include:
- avoiding the risk by not starting the activity that creates exposure to the risk
- treating, reducing or mitigating the risk
- transferring the risk exposure
- tolerating or accepting the risk
- exploiting the risk
- terminating the activity
- integrating some or all of the risk responses
- Ts of risk response
Take-Aways
1. Boards are taking risk much more seriously
2. Boards are only slowly incorporating the full range of risks into decision-making
3. More needs to be done to embed risk management culture
4. Boards need better training and education on risk management
5. Companies are yet to realise the full benefits of strong risk management
6. The insurance industry is a prime source of risk management expertise
Risk Management
How do you know you have a supportive environment for risk management? When people at all levels in the organisation think and behave in characteristic ways.
- No excuses. They each take active responsibility for managing some risks. Risks are identified – and apologies are unnecessary.
- No complaining. They accept that sometimes bad things happen. And good things don’t.
- No cover ups. They are truthful and candid. They promptly communicate all issues that need to be addressed. Asking for help is not seen as a weakness.
- No blind spots. They understand that risks are opportunities. Aware of potential losses, they also look for potential rewards.
So a healthy risk culture encourages rapid, decisive action. It feeds off honest assessments of risk, timely information on materiality, effective communication within and outside the company, and a generally positive approach that treats risk as an asset – to be exploited rather than avoided.
Risk Management Self-Evaluation Framework
Level: Risk Evaluation Criteria
Level 1
- Provide Clear Risk Management Policies and Procedures
- Provide Clear Risk Management Corporate Governance Structures
- Provide Tools and Frameworks to Train the Line to Manage Risk
- Leverage Company Knowledge to Identify and Assess Risk
- Focus on Both the Upside and Downside of Risk to Optimise Strategic Risk Taking
- Prioritise Risk Based on Probability and Inherent Impact
- Provide Clear Visibility into Key Risks and Mitigation Status
- Aggregate Risk and Mitigation Information into a Central Database
Level 2
- Prioritise Risk Based on Probability and Residual Impact
- Embed Risk Considerations into Day-to-Day Planning and Decision Making
- Link Risk Management to Employee Performance
- Assess Effectiveness of Risk Mitigation Efforts
- Coordinate Risk Assurance Activities Across the Organisation
Level 3
- Assess Risk Velocity to Prioritise Risk Mitigation Efforts
- Formally Define Business Unit Risk Appetite as Part of the Risk Opportunity Analysis
- Embed Feedback Loops for Continuous Improvement in Risk Strategy
- Leverage Predictive Risk Metrics to Assess Probable Impacts and Mitigation Strategies
- Develop a 360-Degree View of Counterparty Risk to Pinpoint Exposure Levels
Using frameworks and methodologies to identify “Black Swans”
- The illusion of understanding, or how everyone thinks he knows what is going on in a world that is more complicated (or random) than they realise;
- The retrospective distortion, or how we can assess matters only after the fact, as if they were in a rearview mirror (history seems clearer and more organised in history books than in empirical reality); and
- The overvaluation of factual information and the handicap of authoritative and learned people, particularly when they create categories – when they “Platonify” (incurring the risk of using the wrong form).
Risk Register
Risk Definition Controls Assessment / Combined Assurance
Business / Division / Grouping Risk Description Risk Category Group / Entity Risk rating Rating Justification Gross / Net Exposure Controls in Place Control Owner In Place Assurance Provider Date of Last Audit / Review
- HIGH: Consider stopping activity / Obtain authorisation to continue. Commence corrective action immediately / Monitor to verify success.
- LOW MEDIUM: Take action in line with day-to-day priorities.
- MEDIUM HIGH: Commence corrective action within 3 months / Monitor to verify success.
- LOW: Low priority for action
Warren Buffett on Risk Management
Conclusion
Issues Discussion