Enterprise risk management for Corporates

September 14, 2012

Sven Heiligtag

CONFIDENTIAL AND PROPRIETARY

Any use of this material without specific permission of McKinsey & Company is strictly prohibited

Abstract

Enterprise risk management (ERM) is not about trying to manage every single risk centrally. It is more about identifying the 10-20 key risks and defining the right management approach and set-up for these. Finding the best model to manage these risks successfully will depend largely on a company’s business model and risk exposure. This is one of the CFO’s central management tasks. The challenge here is that qualitative elements such as risk culture, organization, and governance play a key role alongside more traditional quantitative analysis. In this breakout, we will present the core elements of a successful ERM system and show some best practice examples. We will also draw on case studies of how CFOs can use quantitative solutions, such as cash-flow-at-risk models and mega-risk assessments, to identify the right focus for their ERM solution.

Why does Enterprise Risk Management create value?

▪ Achieving compliance/satisfying regulatory requirements

▪ Ensuring value protection (“Downside”)

▪ Driving profitability and growth ("Upside")

▪ Providing stability, continuity and "ease of mind" for stakeholders

Corporates mean different things when they talk about “Enterprise Risk Management”

▪ EPNG with focus on value protection as significant bulk risks (e.g., regulatory)

▪ O&G focuses on stability of revenues

▪ AI with focus on compliance regarding quality and regulatory issues, engrained in business model

▪ Overall, value protection the most important goal of risk management

▪ Value generation via risk management with lowest priority among respondents

[Figure: Ranking of importance of goals of ERM (1 = Low, 4 = High) for SUM, EPNG, O&G and AI across four goals: 1. Regulation/compliance, 2. Value protection, 3. Capturing the upside, 4. Stability]

SOURCE: McKinsey

Effective risk management comprises five elements

Integrated Enterprise risk management:

1. Risk insight and transparency: Risks that affect our future performance are well understood

2. Natural ownership, risk appetite, and strategy: We keep only risks that we are competitively advantaged to own; other risks are transferred or mitigated; and our strategy is aligned with our risk capacity

3. Risk-related decisions and processes: All critical business decisions are made with a clear view of how they change our company’s risk profile

4. Risk organization and governance: Structures, systems, controls, capabilities, and infrastructure are in place for us to manage risk

5. Risk culture and performance transformation: Our culture reinforces risk management principles; formal and informal mechanisms support the right mindsets and behaviors

SOURCE: McKinsey Risk Practice

Conventional ERM approaches are often ineffective across all of these elements

Element: Insight and risk transparency

Typical compliance-focused ERM:

▪ Hundreds of risks

▪ Data reporting without insights

Best-practice ERM focused on improving decision-making:

▪ Clarity on top 5-10 mega risks

▪ Deep insight into root causes, indirect effects, early warning signals

Element: Risk appetite and strategy

Typical compliance-focused ERM:

▪ No explicit decisions on risk ownership and desired overall risk level

Best-practice ERM focused on improving decision-making:

▪ Deliberate choices on risk ownership and risk level, based on risk capacity and strategic aspirations

Element: Risk-related decisions and processes

Typical compliance-focused ERM:

▪ No link between risk analysis and key decision processes

▪ Risk assessment lags major corporate decisions

Best-practice ERM focused on improving decision-making:

▪ Risk analysis done in conjunction – and supports – key strategic and operational decisions

Element: Risk organization and governance

Typical compliance-focused ERM:

▪ ERM is primarily a board priority that management executes on

▪ ERM team struggles to have traction with line management

▪ ERM perceived as a “bureaucratic exercise”

Best-practice ERM focused on improving decision-making:

▪ ERM is a board and top management priority

▪ Line takes explicit ownership of key risks, with ERM support

▪ ERM perceived as core to managing the business

Element: Risk culture

Typical compliance-focused ERM:

▪ Risk culture is a “fuzzy” concept

Best-practice ERM focused on improving decision-making:

▪ Clarity on specific risk culture vulnerabilities and action plan in place to strengthen risk culture

Four archetypes of Risk DNA for Corporations

Decentral risk ownership

Description:

▪ Line management owns risks

▪ Light touch central support as needed

▪ Risk optimization “ensured” by a strong business and risk culture

Example¹:

▪ “We do not believe in a separate risk organization. Risk management is a line management direct responsibility” – SVP & Treasurer

Central risk ownership

Description:

▪ Risk function owns and actively manages certain key risks centrally (e.g., FX hedging)

▪ Business heads get approval on other risk strategies from CRO

Example¹:

▪ "The risk function hedges or takes out insurance as they see fit" – CFO

Checks and balances

Description:

▪ Line management owns risks

▪ Strong central risk team led by “Chief Risk Officer” with a seat at the table, acting as counterweight for important strategic decisions

▪ CRO acts as thought partner (blend of collaboration and challenge) to business heads

Example¹:

▪ “I spend my time talking with others. My main role is to discuss and challenge their thinking” – CRO

Aggregated insight

Description:

▪ Line management owns risks

▪ Small central risk team aggregates risk insight, integrates across enterprise, and shares across the organization

▪ Risk optimization achieved by line with support from central risk team

Example¹:

▪ “The risk function provides analytics, reporting, advice and process support to management and Board committees” – Head of ERM

[Slide callouts: Priority; Typical for financials (banks, asset mgmt…); Overall trend, nonfinancial institutions]

1. Based on filed public reports, speeches, and press articles

SOURCE: McKinsey Risk Practice

The archetypes of different industries’ Risk DNA differ among risk types

[Figure: positioning of AI, O&G and EPNG across the four archetypes (Decentral risk ownership, Central risk ownership, Checks and balances, Aggregated insight) for three risk types: Financial risk (Commodity, FX, Credit); Operational/technical and project risk; Political/regulatory and portfolio/enterprise risk]

▪ Financial risk: AI more independent¹, rest more centralized

▪ Operational/technical: O&G majors with stronger centralization than rest

▪ Political/regulatory: Dependent on reliance on politics (EPNG and O&G) and geographical operations

1. In particular commodity risk

SOURCE: McKinsey Risk Practice

We believe an integrated approach to risk matters

Enterprise Risk Leadership:

▪ Improve transparency and measure

▪ Manage and decide on improvement levers

▪ Enhance processes to facilitate risk mitigation

▪ Empower skilled risk organization

▪ Build a risk conscious mitigation culture

Focus of today

▪ Ensure early warnings are monitored and facilitate ongoing risk management

▪ Embed risk optimization in each major strategic decision before launch/positive decision

▪ Redistribute risk to other market participants and seek to improve flexibility to act

▪ Proactively manage the cycle and price risk

▪ Translate into risk tolerances, limits and triggers

▪ Build insights into all relevant risk and their interdependencies

▪ Develop early-warning "KPIs" to identify issues faster than others

▪ Establish information system that facilitates proactive actions for top management

Identifying the key risks across your drivers of cash flow…

Time horizon: 2012, 2013, 2014, 2015

Drivers of cash flow:

Revenues

– Cost of goods sold

Gross margin

– Operative costs

EBITDA

– Amortizations

– Adjustments on receivables

EBIT

+ Net financial expenses

Net profit

+ Amortizations

– CAPEX

Operating cash flow

Key risks:

Commodity risks

▪ Commodity volatility (impacting both revenues and costs)

Operations risk

▪ Operative costs volatility

▪ Plant underperformance

▪ Accidents

▪ Completion investments delay

▪ CAPEX overrun

▪ …

Credit risk

▪ Counterparties’ defaults

Exchange rate risk

▪ Exchange rate volatility

Regulatory risk

▪ Changes on the regulation of fuels in Europe

▪ Changes on drilling regulation in major countries

▪ …

Interest rate risk

▪ Interest rates volatility

Macro-economic

▪ GDP volatility affecting production volumes and prices

… will allow you to understand your cash flow distribution and how it can be affected

Oil and gas example

Operating cash flow: cash flow probability (Monte Carlo)

▪ Commodity price scenarios

▪ Business outcomes

Potential stress

Pre-CFAR operating cash flow distribution: lower probability of funding strategic capex

Revised operating cash flow distribution: higher probability of funding strategic capex. Levers include (e.g.)

▪ Commodity hedging

▪ Capital structure changes

▪ Portfolio changes

▪ Others (e.g., contracting, etc.)

Prioritization of cash needs:

▪ Interest & principal payments

▪ Dividends

▪ Ongoing maintenance capex

▪ Sustaining capex

▪ Growth capex

▪ Strategic capex

A tailored overall risk report is a key part of risk transparency

Mega risks identified and assigned executive ownership

Mega risks – update and action plans

Financial risk update

Leading indicators

Sensitivity analysis

Liquidity

Market scenarios

Stakeholders risk update

Resource tax – stakeholder summary

Project #1 – stakeholder summary

Project risk update

Project-specific deep dive

Operation risk update

Asset overview

Country risk overview

HSE update

Key project summary

Understand your credit rating exposure based on your cash flow distribution

[Figure: Probability FFO/debt below target (percent) by year; values shown: 31, 42, 48, 78, 53, 60; Target: 50; Debt/EBITDA (percent)]

SOURCE: McKinsey Risk Practice

SOURCE: McKinsey Risk Practice

Risk management can provide different types of support to key corporate decisions

Potential specific risk contribution:

▪ Mitigate new risks: Coordinate sufficient lock-in of fuel purchases, power sales, and fx rates to satisfy funding covenants

▪ Customize tools: Pricing tool for valuing risk sharing options in project contract negotiations

▪ Share best practices: Aid project leaders to systematically incorporate risk assessment and mitigation into overall project management process

▪ Challenge assumptions: Sit down with business case preparers and challenge every assumption for reasonableness prior to decision

▪ Independent review: Review and form independent view from BU management on risk and return tradeoff in entering Asian market

▪ Centralize information: Provide agreed upon assumptions for scenarios used by each BU for its business plan

Closing remarks

Do you have a full understanding of the biggest risks for your company and a warning for detecting early?

Can you improve the way you are managing and addressing risks?

How important is mitigating these risks for your company (e.g. through cash flow, rating / funding, reputation, etc.)?

What do you think is missing the most to better address your risks?
