Embedding Risk Culture in your Organization's DNA
[Embedded video: Could you use a crystal ball for risk management]
Agenda
- About KNPC
- What is ERM?
- Why is ERM important?
- What do we mean by: Risk Culture
- What do we mean by: Embedding
- How to embed ERM in your organization
  A- Assess your As-Is situation
  B- Plan for Embedding
  C- Implementation of plans
- Key success factors
About KNPC
- KNPC was established in Oct. 1960 as a joint venture between the government and the private sector.
- In 1975 the State of Kuwait acquired full ownership of KNPC.
- In 1980 Kuwait Petroleum Corporation (KPC) was established as the state-owned asset and mother company for all oil companies in Kuwait.
- KNPC, one of KPC's subsidiaries, is responsible for all domestic crude oil refining and gas processing, along with fuels retailing for the local market in Kuwait.
- KNPC has 3 operating refineries working as a refining complex with a total capacity of 936,000 Bbls/day.
- KPC started an Enterprise Risk Management (ERM) Program in late 2005. After the approval of the KPC Enterprise Risk Management Policy, all subsidiaries were required to set up their own ERM capability.
- In December 2007 KNPC decided on an ERM implementation project to define and implement an ERM framework in order to improve management of the risks that could affect the company's objectives.

Refinery | Date of Establishment | Date of Major Expansion | Current Capacity ('000 Bbls/Day)
Mina Al-Ahmadi Refinery | 1949 | 1984-1986 | 466
Mina Abdulla Refinery | 1958 | 1988 | 270
Shuaiba Refinery | 1968 | 1975 | 200
What is ERM?
The Committee of Sponsoring Organizations (COSO) points out that ERM, among other things:
- Is an ongoing process
- Is designed to identify and manage potential events that may affect the enterprise objectives
ISO 31000 states that risk management is an integral part of organizational processes as well as a part of decision making.
We believe Enterprise Risk Management (ERM) can be summed up as follows:
ERM is a systematic approach to identify, categorize, quantify and proactively deal with all risks within an organization that may affect the achievement of your strategic goals, in order to protect and enhance value.
ERM supports performance and compliance to optimize decision-making across the organization.
Why is ERM important?
In his book The Upside, Adrian J. Slywotzky presents a profound case for ERM and preparedness:
"Unmanaged risk is the greatest source of waste in your business and in our economy as a whole.
- Major projects fail;
- Customer shifts make our offers irrelevant;
- Billion-dollar brands erode, then collapse;
- Entire industries stop making money;
- Technology shifts;
- Companies deteriorate needlessly.
When these risk events happen,
- Thousands of jobs get lost,
- Brilliant organizations are disassembled,
- Expertise gets lost, and assets are destroyed.
Yet all of these risks can be understood, identified, anticipated, mitigated, or reversed, thereby averting hundreds of billions of dollars in unnecessary losses."
Why is ERM important?
- Proactively deals with all threats and opportunities to protect and enhance value
- Optimizes the balance between risk and return
- Enables the organization to prioritize and allocate resources against those risks
- Enhances value creation opportunities
- Optimizes the allocation of capital against risk
- Provides confidence on external and internal compliance (policies and procedures)
- Enables a company to make intelligent risk-based decisions
- Prevents hundreds of billions of dollars in unnecessary losses
What do we mean by: Risk culture
- Risk culture is complex and multidimensional
- Simply, it is how 'risk management' is factored into decision making
- How management is rewarded for taking appropriate risks
- How senior management encourages communication on risk and responds to bad news
A common definition of risk culture is:
'an organization's system of ethics, values and risk-based behaviors, from the beliefs of the chair of the board to the attitudes of the most junior staff members'.
What do we mean by: Embedding
ERM is an integral or natural part of the organizational processes and procedures:
- a fundamental part of business planning and decision making;
- done at all levels (strategic, tactical and operational);
- seen and understood in the organization as value enhancing.
In conclusion, embedding means:
- making ERM a fundamental part of the day-to-day activities of the business, or
- under Solvency II, more precisely: providing evidence of embedding and demonstrating that 'it' is happening.
How to embed ERM in your organization
Embedding Risk Culture:
A- Assess your As-Is situation
B- Plan for Embedding
C- Implementation of plans
How to embed ERM in your organization
A- Assess your As-Is situation
To determine the steps to be taken in moving from a current ERM maturity level to a desired future ERM level: "Where are we?" to "Where do we want to be?"
Use known techniques to evaluate risk management implementation and identify gaps related to ERM embedding in your organization, such as:
1- Assess adequacy of ERM using ISO 31000
2- Maturity Model Approach
3- Consider best practices
A- Assess your As-Is situation
1- Assess adequacy of ERM using ISO 31000
The Institute of Internal Auditors issued a paper in December 2010: "Assessing the adequacy of risk management using ISO 31000."
A- Assess your As-Is situation
2- Maturity Model Approach

Maturity | Description | Commentary
Level 5 - Strategic | Risk management is built into decision-making. The organization selectively seizes opportunities because of its special ability to exploit risks. | Focus on value creation and preservation; Institutionalized; Confidence in ability to manage risks based on track record
Level 4 - Integrated | Risks are treated as a portfolio at the enterprise level and are correlated and aggregated across risk types and business units. | Calculation of risk measures that can be aggregated; Risk treatment integrated and costs optimized
Level 3 - Comprehensive | Risk management is enterprise-wide and encompasses all risk types including strategic and operational. | Risks clearly linked to strategic objectives; Defined and documented; Forward looking; Clear accountability
Level 2 - Fragmented | Risk management functions independently within business units. Risk types managed are limited to hazard, financial, and compliance. | Capabilities vary across BUs; No cross-BU coordination; Some expertise within a limited number of risk types such as market, credit, or hazard
Level 1 - Initial/Ad Hoc | Risk management activities are ad hoc. No overarching risk management philosophy or objectives are defined. | Success depends on individuals; People are unaware of risks; Risks managed reactively

(Progression from Level 1 to Level 5: by embedding ERM)
A- Assess your As-Is situation
3- Consider best practices
EXAMPLE 1
Score each department against key elements of a framework or 'culture tests'

Scale: 5 = Strongly agree, 4 = Agree, 3 = Somehow agree, 2 = Disagree, 1 = Strongly disagree

Activity | Summary of scope | Dept. 1 | Dept. 2 | Dept. 3 | Dept. 4 | Dept. 5 | Target end 2012 | Average
Risk Strategy | Risk Management Framework understood & communicated. Policy direction championed actively. | 3 | 3 | 2 | 2 | 3 | 4 | 2.5
Risk Standards | Risk Standards are adopted, gap analysis completed and improvement plan agreed. | 2 | 2 | 2 | 2 | 2 | 4 | 2.0
Risk Appetite & Tolerances | Risk appetites and tolerances are agreed and risks are monitored against these. | 3 | 3 | 2 | 2 | 3 | 4 | 2.7
Accountabilities and Ownership | Accountabilities within the risk process are understood, agreed and acted upon. | 3 | 3 | 3 | 2 | 4 | 4 | 2.9
Risk identification & assessment methodology | Risks are proactively identified, discussed and evaluated using the risk system to capture conclusions. | 3 | 2 | 2 | 2 | 4 | 4 | 2.5
Risk Response | Improvement plans are agreed and acted upon where necessary to address deficiencies or risk events. | 3 | 2 | 2 | 2 | 2 | 4 | 2.0
Risk Reporting | Risks, including emerging risks and risk events, are proactively reported by coordinators with limited input from the risk function. | 2 | 2 | 1 | 1 | 3 | 4 | 2.1
Risk Review & Governance | Governance arrangements are clearly defined and acted upon. Management and Boards review & challenge risk data. | 3 | 3 | 1 | 2 | 3 | 4 | 2.7
ERM IS Software-friendliness | Confidence level of WTM and interacting with "Avanon" | | | | | | |
Awareness / communication | Awareness of departments' middle management on ERM | | | | | | |
ERM value & benefits | Added value to the department by implementing ERM | | | | | | |
ERM Team performance | Department manpower perception on ERM team co-operation | | | | | | |
Average | | 2.8 | 2.5 | 1.9 | 1.9 | 3.0 | 4.0 | 2.4
A- Measure & assess your As-Is situation
3- Consider best practices
EXAMPLE 2
The 7 embedding 'tests'

Test | Is Risk Management… | Meaning
1 | Sponsored | Leadership clearly sponsor and challenge activity.
2 | Owned | Ownership accepted and acted upon at all levels.
3 | Decisive | Influences key decisions.
4 | Communicated | Outcomes are visible and actively discussed.
5 | Integrated | Part of day-to-day core processes and procedures.
6 | Valued | Pride and commitment drive continuous improvement.
7 | Sustained | Robust, reproducible and not dependent on single individuals.
How to embed ERM in your organization
B- Plan for Embedding
- List out effective key elements to be in your plan for risk culture embedding
- Describe each key element and define the 'embedding' plans per element
- Break the plans down into action plans (activities)
- Define what is most important to the organization and prioritize the quick wins
- Schedule the activities in a timeline and get management buy-in
- Make it visible and link delivery to key performance management targets
- Track progress and provide support
- Report progress and address issues that arise
How to embed ERM in your organization
B- Plan for Embedding
KEY ELEMENTS FOR EMBEDDING RISK CULTURE (list out effective key elements, describe each key element, break the plans down into action plans):
1. Directors
2. Scorecards, JD's & appraisals
3. ERM process & risk reporting
4. Benefits of good risk management
5. Responsibility & accountability in org. risk governance
6. Strategic Intent
7. Lessons learnt
How to embed ERM in your organization
C- Implementation of Embedding Plans
Key Element 1: Directors on your side
- Leadership are the real drivers of change
- They set the right tone and provide support
- They practice risk management by example
- They participate in the annual risk assessment and give sufficient time to risk management (new and emerging risks, upside and downside risks) associated with the business
- They are well prepared for risk committee meetings, with healthy challenge and discussions
- They have a real aspiration to practice good risk management
Element 1 action plans:
1. Develop a training plan to grow and sharpen the directors' overall knowledge set and to explain how risk management is built into decision-making
2. Include in the risk committee a member of the directors who is passionate about proper and effective risk management
3. Put risk on the agenda of the directors at least quarterly
4. Design and roll out risk reporting and dashboards for the directors
5. Define a direct communication channel between the risk functions and the BOD
6. Invite representatives from all departments to the Risk Oversight Committee
7. Restructure ROC meetings to focus on detailed analysis of top risks
A
Risk Culture
BC
How to embed ERM in your organization
Key Element 2
Scorecards, Job descriptions and appraisals
Risk management is a component of each staff members job
profile and scorecard
Accountabilities for risk management understood at all
levels in the organization and written in their appraisal
Training offered particularly where evolving risk
requirements specific in nature to all levels(directors & staff )
C- Implementation - Embedding plans
Description
1. Update job descriptions with risk management roles and responsibilities
2. Implement risk management performance metrics for Directors &
management line and staff
3. Develop recruiting and training plans to support job requirements
4. Develop necessary performance standard
5. Develop ERM function resourcing plan & implement
6. Provide special risk management training including certified training by
known institutes
Element – 2-Action plans :
How to embed ERM in your organization
C- Implementation - Embedding plans
Key Element 3: Establish a clear ERM process with regular reporting
- Risks are identified, assessed, monitored, managed and reported in an easily understood and effective manner
- The ERM process and reports facilitate decision making and management actions/remedies
- Risks are transparently reported and staff are fearless to report
- A whistleblowing line exists and whistleblowers are protected
Element 3 action plans:
1. Prepare and distribute clear and simple ERM processes and procedures
2. Update department business process and procedure documentation with risk management activities
3. Propose uniform risk categories, sub-categories and risk names
4. Update company assessment scales to reflect the risk appetite and tolerance statement
5. Identify Key Risk Indicators, develop monitoring plans and implement risk treatment plans
6. Design and roll out a loss event tracking system
7. Establish an easy link for transparent risk reporting (Risk Proposal System)
How to embed ERM in your organization
C- Implementation - Embedding plans
Key Element 4: Selling the benefits of good, solid and robust risk management
- An ERM team is in place who are energetic to create awareness and understanding
- ERM must be alive in your organization, not just a case where the boxes can be ticked
Element 4 action plans:
1. Develop a hiring plan to match the required knowledge and skill set in the ERM team
2. Develop training plans to support job requirements
3. Develop a competency model with HR to include knowledge, skills and abilities mapped to different levels for different types of positions
4. Develop a catalog of risk expertise [pool model (internal and external)]
5. ERM team to provide training and awareness sessions for all company staff
6. Conduct ERM survey/audit on departments to measure ERM awareness
7. Conduct ERM events, campaigns and celebrations; send emails and quizzes through the webmaster; distribute booklets, flyers, posters, …
How to embed ERM in your organization
C- Implementation - Embedding plans
Key Element 5: Responsibilities and accountabilities are clearly defined in a well-described governance structure
Roles & Responsibilities (BOD, Internal Audit, CRO & ROC, ERM Team, Departments & Business units):
Strategic Level
- Setting up strategy, vision, mission
- Responsible for strategic decision making and responses
- Setting up Risk Appetite and ERM policy
Tactical Level
- Provides guidelines, directives and policies for the ERM process
- Acts as advisor to top management
- Implements risk responses on behalf of management
Operational Level
- Carrying out day-to-day risk management activities
- Executing ERM processes and procedures
- Preparing risk-related reports
Business Level
- Implement ERM processes and procedures
- Collect data, identify and assess risks
- Implement treatment plans and ensure controls are in place
- Report to ERM on ERM performance
Element 5 action plans:
1. Develop the necessary performance standard and ROC charter
2. Review and update the Risk Governance Structure
3. ERM meets with the BOD quarterly for communication and decision making
4. Update ERM policies with risk governance changes
5. Internal and external audits to review ERM strategy implementation
How to embed ERM in your organization
C- Implementation - Embedding plans
Key Element 6: Strategic Intent
- To include risk management in the main strategic focus areas
Element 6 action plans:
1. Focus on strategic risks in ROC, Leadership and Board meetings
2. Include the Strategic Planning manager as a member in the Risk Oversight Committee (ROC)
3. Link risks with performance and achievement of strategic objectives and strategic project execution
How to embed ERM in your organization
C- Implementation - Embedding plans
Key Element 7: Lessons learnt
- To heighten awareness of what can go wrong and does go wrong, so as to widen the knowledge of potential risks
- To demonstrate reflection by management and the BOD on emerging/evolving risk
Element 7 action plans:
1. Knowledge-sharing sessions
2. Training for BOD, top management and ERM team
3. Conduct meetings and risk discussions with other companies in a similar industry
4. Attend ERM-related conferences, workshops and training sessions
5. Write papers and articles in ERM magazines
6. Participate as a case study in one of the universities
How to embed ERM in your organization
Embedding Risk Culture: A- Assess your As-Is situation; B- Plan for Embedding; C- Implementation of plans
Repeat the process when it is necessary.
Key Success factors
Top management & BOD support
• Dedication, buy-in and alignment with the plans
• All strategic and operational goals are linked to appropriate risk management
• Commitment to the plans and completion of tasks within the timeframe
Clear processes & single ownership
• Risk management processes are understood by all (simplicity)
• Everyone in the company is risk aware and everyone recognizes his/her responsibility for risk
Detailed execution plan
• Carry out detailed planning and scheduling for the ERM embedding implementation
Budget estimate and approval
• Proper budget estimation and the required approval for implementing plans
Effective communication plan
• Assuring timely and accurate communication plans with stakeholders are in place
Qualified manpower
• Attract/retain skilled manpower and experts for the implementation stage
Risk Management department
• There are structures to support risk management, e.g. a risk department
• All departments own risk management and only seek guidance from specialist departments such as risk management, internal audit, etc.
• Key issues should be solved by a single entity with clear decisions for specific milestones
THANK YOU
Questions?