presentation qrm shc

Purpose To safeguard the organisation, its customers, reputation, assets and the interests of stakeholders by identifying and managing all risks and to meet the achievement of its business objectives to ensure that growth is achieved in a controlled, responsible and sustainable manner. Presentation: Quality Risk Management Peter D. Schellinck Antwerp, 6 June 2011

Upload: peter-schellinck

Post on 14-Jan-2015


DESCRIPTION

Risk Management

TRANSCRIPT


Page 2: Presentation qrm shc

Risk Assessment?

A strategic approach to planning, at all levels and across all functions of an organization, that identifies exposures of activities and assists in making risk adjusted business decisions every day.

GET RID OF SILOS

Risk Appetite?

•  Risk appetite is the degree of uncertainty an organisation is willing to accept to reach its goals.

•  Risk appetite is a key factor in evaluating strategic options.

•  Risk Assessment helps management consider risk appetite when setting goals that align with overall company strategy, and managing risks related to that strategy.

Work with the company’s management to decide:

•  What is your company’s risk tolerance?

•  How much or what are you willing to risk to accomplish the mission or activity?

•  How much can your company afford to lose in any one occurrence or in the aggregate?

Page 3: Presentation qrm shc

Understanding the company and the activity

What does the Company do?

(Mission, Goals, Objectives)

Does the activity fit the Company’s mission, goals, objectives?

What could happen?

•  Could there be bodily injury, property damage or other liability exposures caused by this service or activity?

•  Is there any impact on workload?

•  Could there be any damage to the systems?

What is Risk?

The danger or probability of loss.

Group Risk Management Charter

Page 4: Presentation qrm shc

Develop a Group Risk Governance

1.  Get a good understanding of the company’s risk profile

2.  Manage and monitor the key risk within their tolerances

3.  Get Organised: Organisation and Framework

4.  Establish a process for assessing risk appetite taking into account:

a)  Current risk portfolio

b)  External stakeholders expectations: regulators, rating agencies, investors (long term / short term), employees, customers,…

c)  Economic cycles

d)  Board of Directors

Risk Management:

1.  Driven by strategy

2.  Part of the management process of the company

3.  Inherent to good governance

Risk Management Approach

Page 5: Presentation qrm shc

The conventional approach to risk defines it as being the chance, in quantifiable terms, of an accident occurrence. The process of risk assessment and management is generally based on three sets of sequenced and inter-related activities:

–  the assessment of risk in terms of what can go wrong, the probability of it going wrong, and the possible consequences;

–  the management of risk in terms of what can be done, the options and trade-offs available between the costs, benefits and risks; and

–  the impact of risk management decisions and policies on the future options and undertakings.

Performing each set of activity requires multi-perspective analysis and modelling of all conceivable sources and impacts of risks as well as viable options for decision making and management.

Risk Assessment: agree on a definition

Page 6: Presentation qrm shc

Risk Management for each activity consists of:

–  Data Model

–  Risk Management Processes

–  Application Development

–  RM Framework & Sub-process References

•  Definition of Scope and Framework

•  Monitor and Review

•  Operational Processes

•  Risk Acceptance

•  Risk Assessment

•  Risk Communication

•  Risk Treatment

Risk Assessment structure

Page 7: Presentation qrm shc

Risk Management infrastructure bridges organizational silos to help the organization in its efforts to:

• Synchronize – coordinate risk management across institutional boundaries

• Harmonize – help risk managers all speak the same language and define risk in the same manner

• Rationalize – eliminate duplication of effort

The goals of a common risk management infrastructure include:

• Get everyone “singing from the same song sheet” – Constrain, guide, or channel behaviours in ways that align with the goals, strategies, and tactics established by management and the board

• Create the ability to manage risk exposures so that the organization can take enough of the right risks to pursue its strategic goals

• Create “risk aware” thinking and decision making at all levels

• Enable appropriate flows of risk information up, down, and across the organization

• Enable and support management of risks at the appropriate level

Risk Management Infrastructure

Page 8: Presentation qrm shc

•  The framework to be established can be inspired from the recommendations of the Committee of Sponsoring Organisations of the Treadway Commission (COSO I and II), the Institute of Risk Management, based on AIRMIC (Association of Insurers and Risk Managers), ISO 31000, the Australia and New Zealand standard 4360 (AS/NZ 4360 - 1999), the AMRAE (Association pour le Management des Risques et des Assurances de l’Entreprise), the RIMS (Risk and Insurance Management Society), ECGI (European Corporate Governance Institute) and other internationally respected advisers on risk management.

•  The Occupational Health and Safety Assessment Series, OHSAS 18000, has been developed to help organizations control and minimize occupational health and safety risks. OHSAS 18001 is a specific standard for occupational health and safety management systems designed to eliminate or minimize the risk to employees and other interested parties who may be exposed to occupational health and safety risks associated with the business’ activities. OHSAS 18001 is compatible with ISO 9001 and ISO 14001 management systems. OHSAS 18001 represents a progression of a management system philosophy, from quality to environmental, continuing to occupational health and safety.

•  One of the main elements of the security amendment of the Community Customs Code (Regulation (EC) 648/2005) is the creation of the AEO concept. On the basis of Article 5a of the security amendments, Member States can grant the AEO status to any economic operator meeting the following common criteria: customs compliance, appropriate record-keeping, financial solvency and, where relevant, security and safety standards.

Regulatory context: In Belgium: as from April 6, 2010 a corporate governance statement is mandatory!

Rules and Regulations: snap shot!

Page 9: Presentation qrm shc

[Diagram labels: Identify Risk; Risk Mitigation Option; Analyze Risk; Monitor Risk; Mitigation Plan; Lessons Learned; Implement Mitigation Plan]

Identify risk by:

•  Main assumptions

•  Brainstorm

•  Past Experience

•  Potential sources

•  Examine the context

•  Worst case scenario

•  Evaluate potential impact of risk

•  Estimate probability

•  Rank and Prioritise Risk

•  Assign owner

•  Level of effort required

•  Estimated cost

•  Schedule of risk reduction activities

•  Program activities and milestones

•  Metrics for tracking & monitoring

•  Party responsible for managing mitigation & avoidance

•  Escalation strategy

Control; Assumption; Transfer; Avoidance

Monthly Reporting

•  Review effectiveness

•  Review risk approach

•  Confirm project/activity is within risk parameters

Ongoing Risk Assessment

Risk Management Methodology

Page 10: Presentation qrm shc

Risk Assessment Cycle

[Diagram labels: Risk Management Planning; Risk Monitoring & Control; Risk Identification; Qualitative Risk Analysis; Quantitative Risk Analysis; Risk Response Planning]

[Diagram annotations: Decide how?; Find them; Sift; Measure; Decide actions; Act and measure]

Reporting:

•  Risks

•  Incidents

•  Avoid, reduce, share, accept

•  Action plans linked to budget and planning

Page 11: Presentation qrm shc

Risk Universe

Page 12: Presentation qrm shc

To fulfil their responsibilities and to provide value, board members should:

• Put risk on the agenda. Make time for risk before risk demands it. Every board meeting is not too often to discuss risk.

• Inventory the current risk structure. How are risks managed? Are silos being bridged?

• Summon the management team. Engage in periodic risk dialogue. Identify risks that will prevent the organization from executing on its key strategies.

• Discuss risk scenarios. Where do the greatest opportunities lie? What could thwart the organization’s strategic objectives?

• Check organizational appetite — and diet. Determine how much risk the organization is able to take on. How much is it willing to take on? And how much is it actually taking on? Are these in line?

• Get reasonable assurance. Ask management: How confident are you? Why?

• Get independent reassurance. Have internal audit or an outside consultant evaluate the effectiveness of the full risk management program. Can management’s assurances be relied upon?

Board Recommendations

Page 13: Presentation qrm shc

Books have been written on what went wrong. But here’s a quick summary:

1) The potential interaction of multiple risks was underestimated or disregarded.

2) Probabilistic modelling was overemphasized; shortcuts were taken; scenario planning was underutilized; transparency into potential issues was absent.

3) Risk managers were isolated in silos.

4) Warnings were ignored; those who delivered them were dismissed as naysayers or criticized for not being team players.

5) A short-term perspective with a single-minded focus on making the quarterly numbers predominated.

6) Companies lacked a comprehensive approach to firm-wide risk management; authority and responsibility were poorly controlled and defined.

7) Risk management often focused on compliance rather than performance, leading to inadequate assessments and responses.

In other words: It’s time to become Risk Intelligent with QRM.

Risk intelligent

Page 14: Presentation qrm shc

1. With QRM, a common definition of risk, which addresses both value preservation and value creation, is used consistently throughout the organization.

2. With QRM, a common risk framework supported by appropriate standards is used throughout the organization to manage risks.

3. With QRM, key roles, responsibilities, and authority relating to risk management are clearly defined and delineated within the organization.

4. With QRM, a common risk management infrastructure is used to support the business units and functions in the performance of their risk responsibilities.

5. With QRM, governing bodies (e.g., Boards, Audit Committees, etc.) have appropriate transparency and visibility into the organization’s risk management practices to discharge their responsibilities.

QRM: Quality Risk Management 1

Page 15: Presentation qrm shc

6. With QRM, executive management is charged with primary responsibility for designing, implementing, and maintaining an effective risk program.

7. With QRM, business units (departments, agencies, etc.) are responsible for the performance of their business and the management of risks they take within the risk framework established by executive management.

8. With QRM, certain functions (e.g., HR, finance, IT, tax, legal etc.) have a pervasive impact on the business and provide support to the business units as it relates to the organization’s risk program.

9. With QRM, certain functions (e.g., internal audit, risk management, compliance, etc.) provide objective assurance as well as monitor and report on the effectiveness of an organization’s risk program to governing bodies and executive management.

QRM: Quality Risk Management 2

Page 16: Presentation qrm shc

Matrix for Risk Reporting

[Figure: risk reporting matrix; axes: Financial (0 to 50 mln €) and percentage (0% to 100%); label: Loss of Cash Flow]

Page 17: Presentation qrm shc

Sustainability Reporting

Social performance

Our employees

•  Number of full time employees (FTE)

•  Gender (female representation): %

•  Employee engagement: %

•  Performance appraisals: %

Safety

•  Lost time injury frequency (LTIF): frequency

•  Fatalities: number

Economic performance

•  Revenue: Euro million

•  Electricity cost: Euro million

Page 18: Presentation qrm shc

Sustainability Reporting

Environmental performance

Energy consumption

•  Fuel oil: 1,000 tonnes

•  Diesel: 1,000 tonnes

•  Natural gas: 1,000 tonnes

•  Electricity: 1,000 MWh

•  Energy consumption: GJ

Greenhouse gas (GHG) emissions

•  GHG emissions: 1,000 tonnes CO2

Direct GHG emissions (Scope 1 GHG Protocol)

•  CO2: 1,000 tonnes

•  CH4: 1,000 tonnes

•  N2O: 1,000 tonnes

•  HFC: 1,000 tonnes

•  PFC: 1,000 tonnes

•  SF6: 1,000 tonnes

Indirect GHG emissions (Scope 2 GHG Protocol)

•  CO2: 1,000 tonnes

•  CH4: 1,000 tonnes

•  N2O: 1,000 tonnes

Other air emissions

•  SOx: 1,000 tonnes

•  NOx: 1,000 tonnes

•  VOCs: 1,000 tonnes

•  Particulate matters: 1,000 tonnes

Other resource consumption

•  Steel consumption: 1,000 tonnes

•  Waste total e: 1,000 tonnes

–  recycled (composting, reused, recycled): 1,000 tonnes

–  solid (landfill, on-site storage, incineration): 1,000 tonnes

–  hazardous (controlled deposit): 1,000 tonnes

•  Water consumption: 1,000 m3

–  surface water: 1,000 m3

–  ground water: 1,000 m3

–  rain water: 1,000 m3

–  municipal water supplies / water utilities: 1,000 m3

•  Spills: m3

Page 19: Presentation qrm shc

Sustainability Reporting

Injuries by activity

[Table columns: Activity; Total]

•  Equipment Overhaul – Major

•  Insulation/Fire Proofing

•  Shore leave

•  Working aloft (at heights)

•  Anchor handling

•  Small Craft Operations

•  Falling Object

•  Towing

•  Tank Cleaning

•  Equipment Overhaul – Minor

•  Unknown

•  General Movement

•  Bunker transfer operation

•  Enclosed space activities

•  Gangway/pilot operations

•  Welding/burning

•  Safety drill, training

•  Maintenance - Minor

•  Painting/Blasting

•  Crane Operations

•  Use Of Power Tools

•  Mooring/Unmooring Operation

•  Off-duty activities

•  Cargo Operations

•  Domestic

•  Manual Handling

•  Other

•  Maintenance – Major

•  Totals