RISK MANAGEMENT PRINCIPLES & GUIDELINES Dubai – 2010 Presented by: George S. Dakis Nexia ASR Melbourne


RISK MANAGEMENT PRINCIPLES & GUIDELINES

Dubai – 2010

Presented by: George S. Dakis Nexia ASR Melbourne


Session Contents

Extension of India 2008 Conference

Current Play in Risk Management

Enterprise Wide Risk Management

Risk Management Process

Implementing Risk Management

Example of Key Documents and Tools

Caseware Risk Tools

Other Risk Tools

Risk and Current Audit Climate


Singapore Enterprise Risk Management Survey 2010

Conducted by KPMG Singapore

Found at www.kpmg.com under “risk management services”


About the Survey

Conducted between October 2009 and early 2010

Assess recent developments within private sector organisations in Singapore

Seeks to understand what organisations see as the role of ERM moving forward and what its likely focus could be

203 organisations participated

Small to medium enterprises as well as major multinational companies in Singapore

More than 52% were part of senior management team

25% were part of the company’s Board of Directors

Mix of publicly listed and private companies


[Chart: Respondents by global annual revenue. Revenue bands: Less than S$50 million; S$50 million – S$199 million; S$200 million – S$499 million; S$500 million – S$999 million; S$1 – 2 billion; More than S$2 billion. Shares shown: 24%, 25%, 26%, 5%, 10%, 10%; the pairing of shares with bands is not preserved.]


Respondents by industry %

Manufacturing 17

Real estate/Construction 17

Financial Services 15

Transportation/Logistics 7

Retail, recreation & tourism services 7

Trading & distribution 6

Oil & gas 6

Healthcare, pharmaceuticals and biotechnology 5

Information & communications 4

Utilities (Water/Waste/Electricity) 2

Education 1

Agriculture 1

Others 10


Year Respondents who have implemented ERM

2006 35%

2009 51%

2012 78%

More companies are implementing ERM programmes

Size and ownership matters

Of the publicly listed companies surveyed

59% have implemented an ERM programme

43% currently manage their key risks to a large extent

78% communicated their ERM programmes/initiatives to all personnel in the organisation

20% do not have an ERM programme and are not intending to implement one


Current State of ERM


[Chart: Enterprise risk management drivers. Values shown: 24%, 16%, 15%, 12%, 5%, 4%; driver labels are not preserved.]


[Chart: Key ERM objectives. Values shown: 77%, 72%, 69%, 57%, 26%; objective labels are not preserved.]


[Chart: Why companies are not implementing an ERM programme. Values shown: 51%, 46%, 42%, 34%, 26%, 23%, 11%; reason labels are not preserved.]

Note: Respondents were asked to identify three reasons each, so percentages do not sum to 100%


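The Risk Suite

[Chart: Responsibility for risk oversight role. Categories: Board of directors; Need to basis; Board risk management committee; Oversight role not clearly defined and attributed within organisation. Values shown: 39%, 24%, 39%, 6%; the pairing of values with categories is not preserved.]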


[Chart: Risk related roles/committee in your organisation, Yes/No responses. Values shown: 51%, 54%, 32%, 43%, 49%, 46%, 68%, 57%; role labels are not preserved.]


Dedicated risk management resources – appointment of risk managers

79% have appointed management level risk committees

75% have appointed risk owners


Organisations’ ERM priorities in the next 1-2 years

Rank ERM priorities

1 Align our risk management approach with our business objectives

2 Integrate risk management into corporate management processes (e.g. corporate planning, budgeting, forecasting)

3 Improve risk assessment methodology/framework and/or re-assess key risk exposure

4 Review/audit effectiveness of risk management programme

5 Enhance risk culture across the organisation (e.g. through risk trainings

6 Integrate risk management objectives into Key Performance Indicators

7 Perform risk management forecasting, testing and scenario planning

8 Re-define risk management roles and responsibilities

9 Use IT systems and tools to embed ERM

10 Re-articulate and communicate risk appetite

11 Analyse inter-relationships of risks and develop a portfolio view of risks

12 Align and coordinate fragmented risk-related programmes/functions

13 Improve quality and frequency of reporting of risk information to stakeholders

14 Establish or develop a dedicated risk function


Progressing in your ERM Journey


Companies with more mature ERM programmes are more able to manage risks

Respondents who said that they have managed their key risks ‘to a large extent’.

19% Among companies without an ERM programme

31% Among companies with a one year old ERM programme

53% Among companies that have implemented an ERM programme for more than three years


A riskier business environment

76% Respondents said that risks had increased over the past three to five years

13% Felt that risks had increased ‘significantly’

26% Said they do not continuously flag, monitor and report on new and emerging risks


Key existing and emerging risks

Rank | Existing | Emerging

1 | Competition (e.g. new competitors/non-traditional entrants) | Prolonged economic downturn

2 | Prolonged economic downturn | Legal and regulatory risks (e.g. contracts, intellectual capital issues, labour and safety

3 | Product risk (e.g. product liability, changes in consumer demand) | People (e.g. key man risk, recruitment, retention and grooming)

4 | People (e.g. key man risk, recruitment, retention and grooming) | Competition (e.g. new competitors/non traditional entrants

5 | Market risks (e.g. interest rate, foreign exchange) | Increasing operating costs


[Chart: Do you plan to increase resources to strengthen risk management capabilities within the next one to two years? Response options: Yes, plan for a moderate increase; Yes, plan for a significant increase; No, no change to resources; No, plan to reduce resources. Values shown: 40%, 56%, 2%, 2%; the pairing of values with options is not preserved.]


Moving Towards Risk Management Excellence


Enterprise Wide Risk Management

Risk Categories

Strategic: Stakeholder, Market Structure, Governance

Information: IT Systems, Intellectual Property, Information Management

Financial: Liquidity & Credit, Capital Structure, Market, Reporting

Operations: Process, Physical Asset, People & Culture, Legal


Risk Management Process

AS / NZS ISO 31000:2009 Risk Management – Principles and guidelines

Standards Australia

Risk Management Institute of Australasia


Definitions

Risk – effect of uncertainty on objectives

Risk Management – coordinated activities to direct and control an organisation with regard to risk

Consequence – outcome of an event affecting objectives

Likelihood – chance of something happening

Risk Treatment – process to modify risk

Residual Risk – risk remaining after risk treatment


Communication and Consultation

During all stages of risk management

Develop communication and consultation plans early

Help establish context

Ensure interests of stakeholders are understood

Identify expertise in organisation

Secure endorsement and support for a treatment plan

Develop an appropriate external and internal communication and consultation plan

Facilitate truthful, relevant, accurate and understandable exchanges of information


Establishing the Context

General

– Articulates objectives

– Defines internal and external parameters

– Sets the scope and risk criteria

External Context

– External environment in which the organisation seeks to achieve its objectives

– Based on organisation wide context

– Social and cultural, political, legal, regulatory, financial, technological, economic, natural, whether international, national or regional.

– Key drivers and trends impacting organisation

– Relationships with, perceptions and value of external stakeholders

Internal Context

– Internal context in which the organisation seeks to achieve its objectives

– Risk management takes place in the context of the objectives of the organisation


Establishing the Context (cont’d)

The context of the risk management process will vary according to the needs of an organisation. It can involve, but is not limited to:

defining the goals and objectives of the risk management activities;

defining responsibilities for and within the risk management process;

defining the scope, including specific inclusions and exclusions;

defining the activity, process, function, project, product, service or asset in terms of time and location;

defining the relationships between a particular project, process or activity and other projects, processes or activities of the organisation;

defining the risk assessment methodologies;

defining the way performance and effectiveness is evaluated in the management of risk;

identifying and specifying the decisions that have to be made; and

identifying, scoping or framing studies needed, their extent and objectives, and the resources required for such studies.


Establishing the Context (cont’d)

Defining risk criteria

When defining risk criteria, factors to be considered should include the following:

the nature and types of causes and consequences that can occur and how they will be measured;

how likelihood will be defined;

the timeframe(s) of the likelihood and/or consequence(s);

how the level of risk is to be determined;

the views of stakeholders;

the level at which risk becomes acceptable or tolerable; and

whether combinations of multiple risks should be taken into account and, if so, how and which combinations should be considered.


Risk Assessment

Risk Identification

Risk Analysis

Risk Evaluation


Risk Identification

Identify sources of risk, areas of impact, their causes and potential consequences

Identify risks associated with not pursuing an opportunity

Identify risks, whether or not their source is under the organisation's control

Consider knock-on effects of particular consequences, including once-off and cumulative effects

All significant causes and consequences should be considered


Risk Analysis

Process to comprehend the nature of risk and to determine the level of risk

Consider causes and sources of risk, positive and negative consequences and likelihood

Level of risk means the magnitude of a risk or combination of risk, expressed in terms of the combination of consequences and their likelihood

Consequence means outcome of an event affecting objectives

Likelihood means chance of something happening

Involves developing an understanding of the risk

The way in which consequences and likelihood are expressed should reflect the type of risk, the information available and the purpose for which the risk assessment output is to be used


Risk Evaluation

Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable

Decisions on priority for treatment

Compare to risk criteria

Consider tolerance for risk

May lead to further analysis


Risk Treatment

General

Process to modify risk

Risk treatment involves a cyclical process of:

assessing a risk treatment;

deciding whether residual risk levels are tolerable;

if not tolerable, generating a new risk treatment; and

assessing the effectiveness of that treatment.


Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances. The options can include the following:

avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;

taking or increasing the risk in order to pursue an opportunity;

removing the risk source;

changing the likelihood;

changing the consequences;

sharing the risk with another party or parties (including contracts and risk financing); and

retaining the risk by informed decision.


Selection of Risk Treatment Options

Cost vs effort vs benefit

Legal or other regulatory requirement

Consequences and likelihood

Consider values and perception of stakeholders

Priority order

Risk treatment plan may introduce new risks


Preparing and Implementing Risk Treatment Plans

The purpose of risk treatment plans is to document how the chosen treatment options will be implemented. The information provided in treatment plans should include:

the reasons for selection of treatment options, including expected benefits to be gained;

those who are accountable for approving the plan and those responsible for implementing the plan;

proposed actions;

resource requirements including contingencies;

performance measures and constraints;

reporting and monitoring requirements; and

timing and schedule.


Monitoring and Review

Continual checking, supervising, critically observing status in order to identify change from the performance level required or expected

Activity undertaken to determine the suitability, accuracy and effectiveness of the subject matter to achieve established objectives

The organisation’s monitoring and review processes should encompass all aspects of the risk management process for the purposes of:

ensuring that controls are effective and efficient in both design and operation;

obtaining further information to improve risk assessment;

analysing and learning lessons from events (including near-misses), changes, trends, successes and failures;

detecting changes in the external and internal context, including changes to risk criteria and the risk itself which can require revision of risk treatments and priorities; and

identifying emerging risks.


Implementing Risk Management

Leadership from the top

Champions through the organisation

Share success stories

Continual improvement and culture of open reporting

Centre for excellence

Training

Full accountability for risks

Application of risk management in all decision making

Full integration in the organisation's governance structure

Support tools


Examples of Key Documents & Tools

Appendix A - Generic sources of risk and their areas of impact

Appendix B - Examples of risk definition and classification

Appendix C - Examples of quantitative risk expressions

Appendix D - Events Port Stephens

Appendix E - Cunningham Construction Australia Pty Ltd

Appendix F - ACT Insurance Authority


Caseware Risk Tools

www.caseware.com

www.riskspace.com


Caseware Audit Tool

Refer Appendix G for detailed audit program for Risk Assessment

Refer Appendix H for detailed Risk Report


Risk Space


Other Risk Tools

Combined Risk Assessment – refer Appendix I

Risk Matrix – refer Appendix J

ORIM – refer Appendix K (www.orim.com.au)


ORIM Features


Risk and Current Audit Climate

Insolvent Trading

– RG217 Duty to Prevent Insolvent Trading

– Keep themselves informed about company’s affairs

– Regularly assess the company’s solvency and investigate financial difficulties

– Obtain appropriate

Subsequent events

Impairment of assets

Goodwill and intangibles

Receivables


Loan impairments

Inventories

Deferred tax assets

Pension plan obligations

Contingencies and guarantees

Fair value measurements and accounting estimates

Fraud

Off balance sheet arrangements


Questions

Nexia ASR

t: 03 9608 0100

www.nexiaasr.com.au