ERM- A Case Study

Upload: mitchell-richards

Post on 26-Dec-2015

Page 1: ERM- A Case Study. AGENDA ERM- Business Drivers ERM- Implemented ERM - Approaches Lessons Learned Introduction Client Background

ERM- A Case Study

Page 2:

AGENDA

ERM- Business Drivers

ERM- Implemented

ERM - Approaches

Lessons Learned

Introduction

Client Background

Page 3:

Background- Client

• A transnational BFSI BPO with operations in 6 countries, 8,500 people and a turnover of $1.3 B

• Has a software development centre, with 1,000 professionals in 5 countries, to support its own insurance and broking software

• Listed in the UK, so it needs to comply with the Turnbull recommendations

• Grew via acquisition, creating a complex structure and the risks that come with it

The client's risks were spread across multiple countries, making them hard to manage and report at Board level. Accountability and responsibility for risks spread over different units in different countries was not clear, and there was no common process or framework for risk management.

Page 4:

Introduction

Enterprise Risk Management is

• A process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives

[COSO definition]

Page 5:

Business Drivers

• The client is a listed company and hence needs to adhere to the requirements of the Turnbull report and the Combined Code on corporate governance.

• Compliance with various contractual and standards requirements, and continual improvement of internal controls within the client's business, drive the need for risk management.

• The client had a Risk Register process by which key risks were identified and the means of controlling them were documented and monitored. It was a bottom-up approach to identifying, documenting and managing risks, but it failed to get the required Board attention because it was not strategic in nature and was not broad-based: it did not include scenarios.

Page 6:

Current State

• Different businesses were managing risk differently, with no visibility of the group's objectives

• Accountability and responsibility for each risk and its control were not clearly defined

• Potential risks were identified and managed on an ad hoc basis, leading to a reactive approach and the potential for short-term solutions.

• Risk awareness was low due to limited communication between management levels (Execs vs. Line Management) and across business/functional units. Risk was viewed as a negative topic and was not actively discussed.

• Risk management activities were not prioritised and were not linked to strategy and/or the company's sources of value

Page 7:

Current State of Risk Management

• The client has a process called the "Risk Register", a bottom-up approach to reporting, managing and monitoring risks

• The risk register process is a structured process to ensure that key risks are identified, monitored, mitigated and reported, on an aggregated level, at each level of the organisation

• The risk register creates an accurate representation of the business's risk profile. It provides a framework through which the risks facing the business, and the means of controlling those risks, are clearly documented and monitored

• The risk register demonstrates the company's risk appetite by flagging those areas where controls can be improved further to mitigate the risk

Page 8:

Risk Register- Explained in Detail

Entity Level Risk Register

1. Each entity performs a risk assessment in its own operating unit
2. The operating unit risk register documents the key risks faced by the entity as well as the procedures and controls in place to mitigate them
3. The operating unit risk register is approved by the operating unit head

Regional Risk Register

1. The sector (regional) risk register is compiled from all the operating unit risk registers, which inventory all the risks that the sector as a whole faces
2. Along with the amalgamated operating unit risk registers, the sector heads draft risks which are applicable to the sector as a whole
3. The sector risk register is approved by the sector head

Group Risk Register

1. The group risk register contains the risks which are pervasive to the group as a whole and inventories the risks which are material from the group perspective
2. The group risk register is derived from the operating unit and sector risk registers along with input from XMB members and group performance function heads
3. The Group Risk Register is approved by the XMB and the Group Board

Page 9:

Risk Register- Example

(Single register row, shown as field: value. Scoring: Likelihood (1-4) x Consequence (1-4) = Risk (1-16), for both inherent and residual risk.)

Risk No: 1
Performance function/competency: Sales
Risk Owner: Head of Sales
Risk Source: Head of Sales
Date Risk Raised: 8/12/2009
Business Objective: Revenue to meet annual objective of £xxx
Risk Title: Downturn puts pressure on achieving sales and profit targets
Description: There is an operational risk that we will not meet our sales targets for the year due to external market conditions and the main target customer being negatively impacted by the downturn. There is a probable impact on Revenue and EBIT of £1 million and £200k respectively.
Root Cause: Economic conditions; lack of fast reaction to changing conditions
Inherent Risk: Likelihood 4, Consequence 4, Risk 16
Mitigating Actions and Controls: Increased SMT meetings to focus on both sales and cost
Residual Risk: Likelihood 4, Consequence 3, Risk 12
Assurance over mitigating controls that help to reduce inherent risk of 8 or above: Monthly review with Group Finance team; monthly review
Future actions where residual scores are 8 or above: Defined offerings; sales collateral; the ability to leverage the new regional structure's customer base
Action Owner: person X
Action Due Date: 11/30/2009
Embedded monitors / early warning indicators, if relevant: Monthly SC reporting; Revenue and EBIT below budget

Page 10:

Challenges of the Bottom-Up Risk Register Process

• The bottom-up approach was not getting appropriately connected to Board members because of its non-strategic nature, and the way risk was measured was not linked to the company's objectives

• It was difficult to run scenarios to justify probability

• There was no linkage to value

• The client asked for a better model

• Let's look at the top-down one

Page 11:

Top-Down

• In a typical top-down risk management approach, senior management (CxOs), the audit committee, and often the Board members have overall responsibility for assessing and managing risks

• The benefit of top-down risk management is that there is buy-in from senior management, and risk is mitigated and perceived from the top

• For top-down risk management to succeed, management should have clear and measurable strategic objectives and then identify the risks to those objectives

• Typically the risks to achieving the objectives are scenario based; depending on the probability of a scenario materialising and its impact on attainment of the objectives, controls are designed

• Out of the multiple risks and scenarios obtained from the risk management process, management prioritises the risks and then treats them appropriately

Page 12:

Which one is Better

• There is no right answer: both the bottom-up and top-down approaches have their own merits and limitations.

• The top-down approach works best for identifying strategic risks and risk scenarios, while the bottom-up approach works best for measuring and managing specific risks, including operational risks

• A good Enterprise Risk Management approach relies on both a top-down structure and bottom-up information. This combined approach also creates a powerful synergy, as it has senior management buy-in and risk ownership at the origin of the risks.

• The client's current risk register process is its bottom-up approach and its STA (Strategy to Assurance) is its top-down approach; through this powerful combination, the client intends to create an excellent risk management framework

Page 13:

Top-Down Approach- ERM

The chain runs Vision -> Strategy -> Objectives -> Risks -> Mitigating actions and controls -> Assurance, all under Enterprise Risk Management:

Vision is set by the Board

Strategy is set by the Board and driven through the MC

Objectives are set by the Board, Regional and BU management and in individual PDRs. Reporting against objectives and resulting actions is governed through MD

Significant risks are identified through top-down STA and bottom-up risk analysis, and checked for completeness through the risk hierarchy process.

Mitigating actions are taken at Board, Region and BU level. Controls are identified and tested in the controls/compliance tool.

Assurance is provided either to meet specific risks and associated objectives or as required by regulatory or compliance needs – as set out in the controls/compliance tool.

Page 14:

ERM- Linkages to Strategy/BO

(Single register row, shown as field: value; same Likelihood (1-4) x Consequence (1-4) = Risk (1-16) scoring as the risk register.)

Risk No: 1
Performance function/competency/global: Finance
Risk Owner: ABC
Person who identified risk: XYZ
Date Risk Raised: (blank)
Strategy: Lean Process
Business Objective: Maintain cost arbitrage opportunity between costs in US / UK / EMEA and India
Risk Title: Exchange Rate
Risk Area: Foreign Exchange
Risk Type: Financial
Description: Costs are in Indian Rupees while all revenue is in USD, GBP or Euros. Rates for converting USD, GBP or Euros into INR affect the net profit realised as well as the effective cost of operations in USD, GBP or Euro terms. This affects the cost differential available between the regions and India.
Root Causes: Macroeconomic conditions and money supply
Risk owner of root causes (if not the risk owner): (blank)
Inherent Risk: Likelihood 3, Consequence 4, Risk 12
Mitigating Actions and Controls: Draw up an FX management policy and take up sufficient forward covers / options to peg foreign exchange rates at levels that we would be comfortable with. Give up some upside benefit, but minimise downside risk.
Residual Risk: Likelihood 3, Consequence 2, Risk 6
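The scoring and escalation rules that both register examples (Page 9 and Page 14) rely on, as an added example that is not code from the original case study or the client: Likelihood (1-4) x Consequence (1-4) = Risk (1-16) for inherent and residual risk, a future action with owner and due date where the residual score is 8 or above, assurance over the mitigating controls where the inherent score is 8 or above, and the entity -> regional -> group roll-up of Page 8. Treating "material from the group perspective" as "residual score at or above 8" is this example's own assumption, as are the field names, the region mapping and the constructed sample rows (the third row is deliberately mis-scored to exercise the checks).

```python
"""Risk register scoring, escalation checks and entity-to-group roll-up.

Added example, not the case study's own code. Encodes the slide rules:
Likelihood (1-4) x Consequence (1-4) = Risk (1-16); future action needed
where residual >= 8; assurance over controls needed where inherent >= 8.
The materiality rule for the group register is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

SCALE = range(1, 5)          # likelihood and consequence are both scored 1-4
ACTION_THRESHOLD = 8         # residual at or above this needs a future action (slide: "8 or above")
ASSURANCE_THRESHOLD = 8      # inherent at or above this needs assurance over controls
MATERIALITY_THRESHOLD = 8    # assumption: residual at or above this reaches the group register


def score(likelihood: int, consequence: int) -> int:
    """Risk (1-16) = Likelihood (1-4) x Consequence (1-4); reject out-of-scale input."""
    if likelihood not in SCALE or consequence not in SCALE:
        raise ValueError(f"scores must be 1-4, got {likelihood} x {consequence}")
    return likelihood * consequence


@dataclass
class RiskEntry:
    risk_no: int
    unit: str                        # operating unit that raised the risk
    risk_owner: str
    title: str
    inherent_l: int
    inherent_c: int
    residual_l: int
    residual_c: int
    action_owner: Optional[str] = None
    action_due: Optional[str] = None
    assurance: Optional[str] = None  # assurance over the mitigating controls

    @property
    def inherent(self) -> int:
        return score(self.inherent_l, self.inherent_c)

    @property
    def residual(self) -> int:
        return score(self.residual_l, self.residual_c)


def validate(entry: RiskEntry) -> list[str]:
    """Return the escalation rules an entry breaks (empty list when it is complete)."""
    issues = []
    if entry.residual > entry.inherent:
        issues.append("residual exceeds inherent: controls cannot add risk")
    if entry.residual >= ACTION_THRESHOLD and not (entry.action_owner and entry.action_due):
        issues.append(f"residual {entry.residual} >= {ACTION_THRESHOLD} but no action owner/due date")
    if entry.inherent >= ASSURANCE_THRESHOLD and not entry.assurance:
        issues.append(f"inherent {entry.inherent} >= {ASSURANCE_THRESHOLD} but no assurance over controls")
    return issues


def roll_up(entries: list[RiskEntry], region_of: dict[str, str]) -> dict[str, list[RiskEntry]]:
    """Compile regional registers from unit entries, plus a group register of material ones.

    Every unit entry lands in its region's register (highest residual first);
    only entries at or above MATERIALITY_THRESHOLD reach the "Group" register.
    """
    registers: dict[str, list[RiskEntry]] = {}
    for e in entries:
        registers.setdefault(region_of[e.unit], []).append(e)
    for reg in registers.values():
        reg.sort(key=lambda e: e.residual, reverse=True)
    registers["Group"] = sorted(
        (e for e in entries if e.residual >= MATERIALITY_THRESHOLD),
        key=lambda e: e.residual, reverse=True)
    return registers


# Constructed sample register: the two rows from the slides plus one
# deliberately inconsistent row (residual scored above inherent).
SAMPLE = [
    RiskEntry(1, "UK Sales", "Head of Sales", "Downturn puts pressure on sales and profit targets",
              4, 4, 4, 3, action_owner="person X", action_due="2009-11-30",
              assurance="Monthly review with Group Finance team"),
    RiskEntry(2, "India Finance", "ABC", "Exchange rate", 3, 4, 3, 2),
    RiskEntry(3, "US Ops", "DEF", "Residual mis-scored above inherent", 2, 2, 3, 3),
]
REGION_OF = {"UK Sales": "EMEA", "India Finance": "APAC", "US Ops": "Americas"}  # assumed mapping


def report(entries: list[RiskEntry] = SAMPLE) -> dict[int, list[str]]:
    """Map risk_no -> open issues, for every entry that fails a check."""
    return {e.risk_no: validate(e) for e in entries if validate(e)}


if __name__ == "__main__":
    for no, issues in report().items():
        print(f"risk {no}: " + "; ".join(issues))
    for level, reg in roll_up(SAMPLE, REGION_OF).items():
        print(level, [(e.risk_no, e.inherent, e.residual) for e in reg])
```

Running it flags the FX row (inherent 12 with no assurance recorded, which is exactly the column the Page 14 example lacks) and the mis-scored row, and puts only the two rows with residual 8 or above into the group register.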

Page 15:

ERM- the COSO way

(COSO cube figure. Top face, objective categories: Strategic, Operations, Reporting, Compliance. Front face, components: Control environment, Risk assessment, Control activities, Information & communication, Monitoring. Side face, organisational levels: Client's Group, Region, Operating unit.)

• Top of cube

• Within the context of the client's vision, management establishes strategic objectives and sets aligned objectives to cascade through the company. The ERM framework is geared to achieving the client's objectives, set out in four categories:

• Strategic – high-level goals, aligned with and supporting its mission

• Operations – effective and efficient use of its resources

• Reporting – reliability of reporting

• Compliance – compliance with applicable laws and regulations

• Facing side of cube

• The client's enterprise risk management consists of five interrelated components. These components are:

• Control environment – the "controls and risk management tone" set by the Board: HR policies, ethical guidelines. Quality is an example of a strong "tone".

• Risk assessment – how risks are analysed and managed, e.g. risk register and risk summary report

• Control activities – "hard" controls that address identified risks, such as IT application controls and bank reconciliations

• Information and communication – the level and quality of communications, IT strategy and architecture

• Monitoring – self assessments, PCQ, internal audit

• Side of cube

• Control objectives should be set at each business unit, region and group level

– for example, group delegated authorities should be cascaded into a more detailed DA (delegated authority) for each region and then each BU

Page 16:

Benefits & Conclusion

• Incorporate risk evaluation in decision making

• Make informed, risk-aware decisions with respect to corporate objectives and their linkages

• Strategic and operational risks all identified and monitored

• Responsibility and accountability clearly defined

• Common understanding of risk across regions

• Local regulation mapping was done for the local assessment, but it is not feasible for the same team to do it for every country, as it needs expertise in legal and compliance advisory for local regulation (though the regulations are mostly similar in nature, decoding them is sometimes difficult)

• The process is not easily repeatable across every industry

• Going forward, the plan is to use an automated tool for tracking and reporting