Enterprise Risk Management BHEL Inter-Organisation Meet 2014 Delhi

Deloitte-Risk Management Presentation- BHEL IOM February 2014


Enterprise Risk Management

BHEL Inter-Organisation Meet 2014, Delhi

©2014 Deloitte Touche Tohmatsu India Private Limited

Agenda

Section 1: Deloitte’s Point of View on Risk Management

Section 2: Risk Management Process

Section 3: Risk Management Infrastructure

Section 4: Risk Governance


What is Risk?

“The potential for loss or sub-optimization of gain caused by an event (or series of events) that can adversely affect the achievement of a company’s business objectives”

Deloitte’s Point of View: Two Sides of Risk

Unrewarded risks: manage risks to protect stakeholder value (existing assets)

• Correct Financial Reporting

• Health and Safety Measures

• Compliance with Laws and Regulations

Rewarded risks: manage risks to create stakeholder value (future growth)

• Target new markets

• New product development

• New pricing models

(Figure: both sides of risk converge on VALUE.)

Deloitte’s Point of View: Risk Intelligent Enterprise

The Risk Intelligent Enterprise

Risk Intelligent Enterprises adopt a balanced perspective of risk management, supported by fundamental principles.

Deloitte’s Guiding Principles: Risk Intelligent Enterprise

Nine Fundamental Principles for Building the Risk Intelligent Enterprise

Organizations should keep in mind the following nine foundational principles when they start building an effective risk management program:

Principle 1: A common definition of risk, which addresses both value preservation and value creation, is used consistently throughout the organization

Principle 2: A common risk framework supported by appropriate standards (e.g., COSO ERM, ISO, etc.) is used throughout the organization to manage risks

Principle 3: Key roles, responsibilities and authority relating to risk management are clearly delineated within the organization

Principle 4: Governing bodies (e.g., Boards, Audit Committees, etc.) have appropriate transparency and visibility into the organization’s risk management practices to discharge their responsibilities for oversight

Principle 5: Executive management has primary responsibility for designing, implementing and maintaining an effective risk program

Principle 6: A common risk management infrastructure is used to support the business units and functions in the performance of their risk responsibilities

Principle 7: Certain functions (e.g. internal audit, risk management, compliance etc.) provide objective assurance as well as monitor & report on the effectiveness of the organization’s risk program

Principle 8: Business units (departments, agencies etc.) are responsible for the performance of their business and the management of risks they take within the risk framework established by the executive management

Principle 9: Certain functions (e.g. Finance, Risk Management, IT, Compliance, etc.) have a pervasive impact on the business and provide support to the business units as it relates to the organization’s risk program

The principles span three levels of the Risk Intelligent Enterprise: Risk Governance; Risk Infrastructure & Management; Risk Ownership.

Deloitte’s Guiding Principles: Risk Intelligent Enterprise

Stages of Risk Management Capability Maturity

(Figure: stakeholder value increases across five maturity levels: Initial, Fragmented, Top Down, Integrated, Risk Intelligent.)

Representative Attributes Describing Each Maturity Level

Initial

• Ad hoc/chaotic

• Depends primarily on individual heroics, capabilities, and verbal wisdom

Fragmented

• Independent risk management activities

• Limited focus on the linkage between risks

• Limited alignment of risk to strategies

• Disparate monitoring & reporting functions

Top Down

• Common framework, program statement, policy

• Executive/Steering Committee for risk oversight and provide updates to the Board

• Periodic knowledge sharing across risk functions

• Mission critical risks are identified and assessed to achieve the enterprise's objectives

Integrated

• Functions have ownership of risks within their operations

• Coordinated risk management activities across silos

• Enterprise-wide risk monitoring, measuring, and reporting

• Contingency plans and escalation procedures including specific tasks, resources required and responsibilities

• Key risk related controls are appropriately tested across key processes, systems and functions

• Technology implementation

• Provide pertinent individuals regular and appropriate training to understand and execute their risk management responsibilities

Risk Intelligent

• Risk discussion is embedded in strategic planning, capital allocation, product development, etc.

• Early warning risk indicators used

• Linkage to performance measures and incentives

• Risk modeling/scenarios used regularly

• Industry benchmarking used regularly

Risk Management Process

Risk Management Process – Regulatory Requirements

Indian Regulations

Companies Act, 2013

Company shall attach a statement in board report indicating identification of elements of risk, if any, which in the opinion of the Board may threaten the existence of the company.

DPE Guidelines

It is everybody's responsibility to follow the Risk Management Framework of the Company to identify the business risks that surround function or area of operation of the Company and to assist in the company-wide process of managing such risks.

Clause 49

The company shall lay down procedures to inform Board members about the risk assessment and minimization procedures.

Global Regulations

FRC Guidelines

The Board shall identify and review risks

Global Principles of Corporate Governance

The board has the responsibility to ensure that the company has implemented an effective and dynamic ongoing process to identify risks, measure their potential outcomes, and proactively manage those risks to the extent appropriate.


Risk Identification

• Context: Industry trends, country/regional surveys, strategy and plans, audit reports, strategic plan, investment council etc.

• Process: Risk survey, workshops, business risk environment scanning and focused discussions in Risk Council and Risk Management Committee

• Frequency: Identification at set frequency; Ongoing risk identification for critical issues from time to time


Risk Assessment

• Assessment Framework: Impact, Likelihood, Vulnerability, Speed of onset

• Process: Scenario planning, Risk interactions

• Frequency: Assessment at set frequency – Bi-annual/Annual

• Forums: All business units, Risk management steering committee, Audit committee, Independent experts

• Prioritisation and Mitigation: Further evaluations by senior management teams and other forums to prioritise and mitigate key risks

Risk Management Infrastructure

Risk Framework – Regulatory Requirements

Indian Regulations

Companies Act, 2013

• Risk management policy shall be developed and implemented

DPE Guidelines

• It is everybody's responsibility to follow the Risk Management Framework of the Company to identify the business risks that surround function or area of operation of the Company and to assist in the company-wide process of managing such risks.

Clause 49

• Procedures about the risk assessment and minimization shall be periodically reviewed to ensure that executive management controls risk through means of a properly defined framework.

Global Regulations

Global Principles of Corporate Governance

• Company should promote a risk-focused culture and a common risk management framework should be used across the entire organization

The COSO ERM Framework

Entity risk can be viewed in the context of four categories:

• Strategic

• Operations

• Reporting

• Compliance

ERM considers activities at all levels of the organization:

• Enterprise-level

• Division

• Business unit

• Subsidiary level

The eight components of the framework are interrelated


ISO 31000 Risk Management Framework


Risk Framework

• Components: Risk organisation structure, Risk governance structure, Risk policy and process

• Review: Periodic review of framework and changes to it

• Assurance and Monitoring: Involvement of functions such as Internal Audit, Independent assessment by experts


Risk Organisation

• Risk Management Function: Separate function to run and coordinate risk management activities

• Chief Risk Officer (CRO): CXO level official coordinating with business unit heads, RMSC and board on risk management activities; training and education on risk management

• Divisional Risk Officers: CRO role at each business unit/division

• Risk Owners and champions: Risk mitigation, monitoring and reporting responsibility for each key risk

• Risk Management Steering Committee (RMSC): Committee of senior management to review risk reports


Risk Governance

Risk Governance – Regulatory Requirements

Indian Regulations

The Companies Act 2013

• Every Audit Committee shall act in accordance with the terms of reference specified in writing by the Board which shall, inter alia, include evaluation of risk management systems.

• The Independent directors shall bring an independent judgment on issues like risk management and satisfy themselves that the systems of risk management are robust and defensible

DPE Guidelines

• Board should ensure the integration and alignment of the risk management system with the corporate and operational objectives and also that risk management is undertaken as a part of normal business practice

• Considering the significance of risk management in the scheme of corporate management strategies, its oversight should be one of the main responsibilities of the Board/Management.

Clause 49

• There shall be periodic review to ensure that executive management controls risk through means of a properly defined framework.

Global Regulations

Global Principles of Corporate Governance

• Board is responsible for a company’s risk management philosophy, organizational risk framework and oversight.

• At least annually, the board should approve the risk management plan which it is then the responsibility of management to implement.


Risk Governance

• Risk Oversight: Board, Audit Committee, Board’s Committee for Risk Management; Risk management responsibility included in charters

• Review: Periodic review of critical risks, mitigation and framework; Risk part of board agenda; CRO reporting to board/committee

• Senior Management: Risk Management Steering Committee (RMSC) to oversee risk management process, reports, top risks and their mitigation; CRO convenes RMSC meetings

• Decision Making: Risk identification and assessment an input to/ingredient of strategy, business plans, major decisions (M&A, investments)


Thank You!

Abhay Gupte
Senior Director
Deloitte Touche Tohmatsu India Private Limited
Tel:
[email protected]

Abhiram Budhkar
Senior Manager
Deloitte Touche Tohmatsu India Private Limited
Tel: 022-61854817
Mob:
[email protected]

Private and Confidential


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

This material and the information contained herein prepared by Deloitte Touche Tohmatsu India Private Limited (DTTIPL) is intended to provide general information on a particular subject or subjects and is not an exhaustive treatment of such subject(s) and accordingly is not intended to constitute professional advice or services. The information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that might affect your personal finances or business, you should consult a qualified professional adviser.

None of DTTIPL, Deloitte Touche Tohmatsu Limited, its member firms, or its and their affiliates shall be responsible for any loss whatsoever sustained by any person who relies on this material.
