ERM: Fact or Fiction?
Monday 30 September 2013
Speakers
Edwin Meyer – General Manager Risk & Insurance, ArcelorMittal
Dr Grant Foster – Head of Enterprise Risk Management, Aon Risk Solutions
Mark Harman – CEO Continental Europe, Middle East & Africa, Crawford & Company
Agenda
Evolution of risk management
What risks are global companies facing?
10 Hallmarks of Best Practice in Risk Management
What skills does insurance bring to ERM?
What should Risk Managers be better at?
Where are we on the journey to risk maturity?
Can we identify value?
Risk Management 1993
• Executive management barely thinking about it
• Finance as “the conscience of the business”
• Non-executive directors – the great and the good, informal
• Auditors focused only on financial statements
• In-house insurance manager focuses on procuring insurance
• Legal department reactive
• Overall – low importance, disparate, trusting
Risk Management 2003
• Post Enron, SOX – executive management climate of fear
• Finance – louder voice, more centralised control
• More professional NEDs with formal roles – audit committees
• Requirement to report on risk and controls
• Auditors signing off on controls
• More internal audit, big increase in certification
• Insurance manager morphing into risk manager – better trained, focus extended to uninsured risks, more linkage to other functions
• More widespread use of ERM models and risk maps
• Overall – higher profile, more joined up, less trust, focus on compliance
Risk Management 2013
• Executive management ownership and engagement
• Embedded within governance structures and processes
• Linked to strategy
• Risk managers – higher calibre, central role, at top table
• Board of Directors driving governance
• Compliance embedded and now BAU
• Auditors and internal audit becoming risk consultants
• Overall – moving from compliance driven to value driven
ERM – A basic business principle
(Diagram: ERM at the centre, linked to Business, Compliance, Insurance, Finance, Market, Product / Service / Operations and HSE.)
What Are Companies Worried About?
Results from the 2013 Aon Global Risk Management Survey
1. Economic slowdown / slow recovery
2. Regulatory / legislative changes
3. Increasing competition
4. Damage to reputation / brand
5. Failure to attract or retain top talent
6. Failure to innovate / meet customer needs
7. Business interruption
8. Commodity price risk
9. Cash flow / liquidity risk
10. Increasing competition
11. Exchange rate fluctuation
12. Technology failure / system failure
13. Third-party liability
14. Distribution or supply chain failure
15. Capital availability / credit risk
16. Weather / natural disasters
17. Property damage
18. Computer crime / hacking / viruses / malicious codes
19. Growing burden & consequences of Corp. Governance /
20. Counter party credit risk
21. Lack of technology / infrastructure to support business
22. Inadequate succession planning
23. Failure of disaster recovery plan / business continuity
24. Crime / theft / fraud / employee dishonesty
25. Injury to workers
Insurance is a useful tool… but business risk is much wider
Aon Risk Maturity Index
Current Aon Risk Maturity Index Dataset
(September 2013)
• Organizations Represented: 650+
• Countries Represented: 20
• Industries Represented: 30+
The Index will continue to capture global data throughout 2013 and beyond
All Organizations (870+Participants Globally)
• Developing capabilities to identify, assess and prioritize risks across the organization
• Developing capabilities to analyze risk consistently, but approach may be primarily qualitative
• Developing capabilities for monitoring existing risk exposure across the organization
• Informal and inconsistent consideration of risk and risk management information in decision making
• Developing understanding of Enterprise Risk Management (ERM) and its application
Professional Services Industry Average (35 Participants Globally)
• Developing capabilities to identify, assess and prioritize risks across the organization
• Inconsistency in risk management practices or approaches across the organization (i.e., “silos”)
• Limited capabilities for monitoring existing risk exposure across the organization
• Informal and inconsistent consideration of risk and risk management information in decision making
• Developing understanding of Enterprise Risk Management (ERM) and its application
CLIENT X Risk Maturity Rating
• Developed capabilities to identify, assess and prioritize risks across the organization
• Developing capabilities to analyze risk consistently, using qualitative and quantitative techniques
• Developing set of loss and / or tolerance guidelines for key risks
• Developed capabilities for monitoring existing risk exposure across the organization
• Explicit consideration of risk and risk management information in decision making
10 Hallmarks Of Good Risk Management
1. Board Understanding & Commitment to Risk Management
2. Executive Level Risk Management Stewardship
3. Risk Communication
4. Risk Culture: Engagement & Accountability
5. Risk Identification
6. Stakeholder Participation in Risk Management
7. Risk Information & Decision Making Processes
8. Integrating Risk Management & Human Capital Processes
9. Risk Analysis & Quantification to Understand Risk & Demonstrate Value
10. Risk Management Focus on Value Creation
What Skills Do Insurance Risk Managers Bring?
1. Board Understanding & Commitment to Risk Management
2. Executive Level Risk Management Stewardship
3. Risk Communication
4. Risk Culture: Engagement & Accountability
5. Risk Identification
6. Stakeholder Participation in Risk Management
7. Risk Information & Decision Making Processes
8. Integrating Risk Management & Human Capital Processes
9. Risk Analysis & Quantification to Understand Risk & Demonstrate Value
10. Risk Management Focus on Value Creation
Risk Analysis
Risk register
Scoring risks
Risk prevention measures
Balanced business scorecard
Heat map
Communicating risk
Risk Register 2008   Risk Register Report Dated:
Columns: Risk No. | Status of Mitigation (RAG) | Country Specific / EMEA | Owner | Description of Risk | Impact if it occurs | Impact (Critical, Major, Manageable) | Probability (High, Medium, Low) | Current Control Activities

MKT01 | Amber | UK | Martin Weinthrop
Description of Risk: Retention of key clients. Top 25 clients account for 70% of revenue.
Impact if it occurs:
- General erosion of reputation in the marketplace
- Potential for a domino effect
- Financial loss of revenue
Impact: Major | Probability: Medium
Current Control Activities: Key Account Management (KAM) team

REP01 | Green | EMEA | Martin Weinthrop
Description of Risk: Serious reputational issue arises anywhere in the world.
Impact if it occurs: Could seriously impact our EMEA reputation and competitive position.
Impact: Major | Probability: Low
Current Control Activities: Country Managers pack sets out the standard to be adopted. Media Policy sets out the structure of our external communications.

REG01 | Amber | UK | Stephen Pearsall
Description of Risk: Lose FSA authority to conduct regulated business.
Impact if it occurs: Severe direct impact upon the regulated business. There would also be a severe reputational impact on the non-regulated parts of our business.
Impact: Major | Probability: Low
Current Control Activities: Peter J Ward has advisory role.

FIN01 | Amber | EMEA | Stephen Pearsall
Description of Risk: Top 25 client organisation fails.
Impact if it occurs: Would impact upon the EMEA revenue and margin heavily.
Impact: Critical | Probability: Low
Current Control Activities: Appoint a designated client relationship manager who would be expected to identify early warning signs. Monthly credit control reports detailing status of current debt and identifying adverse trends.

PP01 | Amber | UK | Nicola Fu
Description of Risk: Key staff leave or are otherwise unavailable.
Impact if it occurs: Could seriously impact the ability of the EMEA to achieve its corporate objectives. Loss of key staff or revenue could result in collapse of business within that country, e.g. Greece. Plus loss of team culture. Also have a country manager without a contract.
Impact: Major | Probability: Low
Current Control Activities: Informal.

OPS01 | Amber | UK | Sam Friend
Description of Risk: Lack of adequate disaster recovery provision in the event of the total loss of key IT infrastructure.
Impact if it occurs: Inability to trade effectively. Specifically inability to:
- Update claim systems
- Raise invoices
- Review electronic claim files
- Send/receive e-mail
Impact: Critical | Probability: Low
Current Control Activities: COBIT controls (framework used for SOX compliance) in place to ensure integrity of data.
Risk categories: People, Operational, Projects, Market, Reputational, Regulation, Financial
Present Risk Register
Simple Axis
4 Quadrants
• 4 quadrants with risks plotted
• 4 quadrants applied to a risk (‘heat’) map
• Risk dots coloured to reflect risk management effectiveness
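The scoring, quadrant and heat-map steps above can be made concrete with a small script. This is an added example, not code from the presentation or from any of the speakers' organisations: it takes the rows of the sample 2008 register shown earlier, plus one constructed row (CON01) so that a third quadrant is populated, scores each risk as impact times probability on an assumed 1–3 ordinal scale, splits the map into four quadrants at the midpoint of each axis, and renders the dots with their RAG initial so mitigation effectiveness stays visible. The numeric scales, the quadrant names (the common "4T" convention) and the CON01 row are all assumptions of the example; the deck gives only the labels.

```python
"""Added example, not from the deck: score the sample 2008 risk register and
place each risk into the four quadrants of an impact/probability heat map."""
from collections import defaultdict
from dataclasses import dataclass

# Ordinal scales are an assumption of this example; the deck only gives the labels.
IMPACT = {"Manageable": 1, "Major": 2, "Critical": 3}
PROBABILITY = {"Low": 1, "Medium": 2, "High": 3}

# Quadrant names follow the common "4T" convention (assumed, not stated in the deck).
QUADRANTS = {
    (True, True): "Treat (high impact, high probability)",
    (True, False): "Transfer (high impact, low probability)",
    (False, True): "Tolerate and monitor (low impact, high probability)",
    (False, False): "Accept (low impact, low probability)",
}


@dataclass(frozen=True)
class Risk:
    risk_no: str
    rag: str            # status of mitigation: Red / Amber / Green
    owner: str
    description: str
    impact: str         # Critical / Major / Manageable
    probability: str    # High / Medium / Low


# Rows from the sample register in the deck, plus one constructed row (CON01)
# so that a third quadrant is populated.
REGISTER = [
    Risk("MKT01", "Amber", "Martin Weinthrop", "Retention of key clients", "Major", "Medium"),
    Risk("REP01", "Green", "Martin Weinthrop", "Serious reputational issue arises", "Major", "Low"),
    Risk("REG01", "Amber", "Stephen Pearsall", "Lose FSA authority to conduct regulated business", "Major", "Low"),
    Risk("FIN01", "Amber", "Stephen Pearsall", "Top 25 client organisation fails", "Critical", "Low"),
    Risk("PP01", "Amber", "Nicola Fu", "Key staff leave or are otherwise unavailable", "Major", "Low"),
    Risk("OPS01", "Amber", "Sam Friend", "Inadequate DR for total loss of key IT infrastructure", "Critical", "Low"),
    Risk("CON01", "Red", "(constructed)", "Minor invoicing errors recur each month", "Manageable", "High"),
]


def score(risk: Risk) -> int:
    """Impact x probability on the assumed 1-3 scales, so 1 (lowest) to 9 (highest)."""
    return IMPACT[risk.impact] * PROBABILITY[risk.probability]


def quadrant(risk: Risk) -> str:
    """Split each axis at its midpoint: Major/Critical count as high impact,
    Medium/High as high probability."""
    high_impact = IMPACT[risk.impact] >= IMPACT["Major"]
    high_prob = PROBABILITY[risk.probability] >= PROBABILITY["Medium"]
    return QUADRANTS[(high_impact, high_prob)]


def heat_map(register) -> dict:
    """Group risk numbers by quadrant, highest score first within each quadrant."""
    grouped = defaultdict(list)
    for risk in sorted(register, key=score, reverse=True):
        grouped[quadrant(risk)].append(risk.risk_no)
    return dict(grouped)


def attention_list(register) -> list:
    """Risks whose mitigation is not yet Green, ordered by score, then RAG severity,
    then risk number: the list a risk committee would work from."""
    rag_rank = {"Red": 0, "Amber": 1, "Green": 2}
    open_items = [r for r in register if r.rag != "Green"]
    open_items.sort(key=lambda r: (-score(r), rag_rank[r.rag], r.risk_no))
    return [(r.risk_no, score(r), r.rag) for r in open_items]


def render_grid(register) -> str:
    """Text rendering of the 3x3 map; each dot carries its RAG initial so the
    colour of the dot shows mitigation effectiveness, as on the deck's map."""
    cells = defaultdict(list)
    for r in register:
        cells[(r.impact, r.probability)].append(f"{r.risk_no}({r.rag[0]})")
    lines = ["Impact \\ Probability | Low | Medium | High"]
    for impact in ("Critical", "Major", "Manageable"):
        row = [" ".join(cells[(impact, p)]) or "-" for p in ("Low", "Medium", "High")]
        lines.append(f"{impact:20} | " + " | ".join(row))
    return "\n".join(lines)


if __name__ == "__main__":
    for q, ids in heat_map(REGISTER).items():
        print(f"{q}: {', '.join(ids)}")
    print(render_grid(REGISTER))
    print(attention_list(REGISTER))
```

Running the script shows why the deck says insurance is useful but business risk is wider: five of the six register rows land in the high-impact / low-probability quadrant where transfer (insurance) is the natural response, while MKT01 sits in the treat quadrant and needs active management rather than a policy.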
What Could Insurance RMs Be Doing Better?
1. Board Understanding & Commitment to Risk Management
2. Executive Level Risk Management Stewardship
3. Risk Communication
4. Risk Culture: Engagement & Accountability
5. Risk Identification
6. Stakeholder Participation in Risk Management
7. Risk Information & Decision Making Processes
8. Integrating Risk Management & Human Capital Processes
9. Risk Analysis & Quantification to Understand Risk & Demonstrate Value
10. Risk Management Focus on Value Creation
A Journey To Risk Maturity
Hallmark 10. Risk Management Focus on Value Creation
8/10/2013 23
Best Practice…
• Balancing short term gains with long term sustainability.
• The upside of risk is acknowledged in risk assessments.
• Processing trends versus events.
• Project risk profile is taken into account when making capital investment decisions.
• Insurance portfolio optimised through robust analysis of risk exposures and tolerances. These combine to drive decision making.
Stumbling blocks…
• Not recognising ‘value’.
• Corporate culture views risk management as a staff function, not a source of added value.
• Employees are not encouraged to optimise risk-reward activities.
• Assuming lasting value will be maintained through single iterations of risk management assessments.
Conclusions
Evolution of risk management
What risks are global companies facing?
10 Hallmarks of Best Practice in Risk Management
What skills does insurance bring to ERM?
What should Risk Managers be better at?
Where are we on the journey to risk maturity?
Can we identify value?
1. Board Understanding & Commitment to Risk Management
Best Practice…
• Key risk exposures, risk appetite and controls are consistent and embedded into corporate strategy.
• Coordinated reporting cycles that are conducted frequently for the full Board and its committees.
• Alignment of agreed risk management strategy with the firm’s overall strategic direction.
Stumbling blocks…
• ‘Intuitive management’ means decisions are not based on a clear understanding of the organization’s risk exposure and appetite.
• Board maintains a one-dimensional attitude to risk – effective risk taking is avoided.
• Risk is managed purely to meet compliance requirements.
2. Executive Level Risk Management Stewardship
Best Practice…
• Formal assignment of executive-level risk champion.
• Risk Management leader’s full involvement in strategic decisions and overall RM strategy.
• “Walk the Talk”
Stumbling blocks…
• “It’ll never happen to us...”
• Demoting risk management function to that of administrator.
• Risk management competency not valued as an important invisible asset.
• Management temptation to avoid bureaucracy by not tying down accountabilities.
3. Risk Communication
Best Practice…
• Consistent and coordinated content reported on a routine basis.
• Risk disclosures are expressed in both quantitative and qualitative terms.
• Enterprise-wide use of risk terminology, encouraging open dialogue and centralised tools to facilitate this.
• Active sharing of war stories and subsequent lessons learned.
• Full disclosure of negative feedback facilitated via formal and informal channels.
• As simple as possible; but no simpler.
Stumbling blocks…
• External and internal risk factors around decisions are not formally justified and documented.
• Bearers of ‘bad news’ are deemed unwelcome and negative disclosures swept under the rug.
• No formal sanctions for failure to disclose negative risk information.
4. Risk Culture: Engagement & Accountability
Best Practice…
• Managers take ownership of risks and how this fits with the organization’s RM strategy.
• Risk management expectations are articulated in executives’ job descriptions and updated periodically.
• Performance metrics are embedded and implemented consistently, driving behaviour and communicating results.
• Risk management results are formally incorporated into incentive structures.
• Work on shared risks… not just my risks.
Stumbling blocks…
• Leadership sends ambiguous signals regarding management-level engagement and accountability.
• Corporate culture which assumes everyone knows how to manage risks without appropriate training.
• People are not rewarded for effectively managing their ascribed risk portfolio.
• Accountability is not assigned to a single risk owner.
• Innovation not supported.
5. Risk Identification
Best Practice…
• External information is integrated into strategic planning, supplementing identification of actual / emerging risks.
• Defined channels facilitate collaboration between the organization and strategic partners to identify and address its risks.
• Internal subject matter experts are consistently privy to all risk identification, validation and response discussions.
• Risk drivers (causes) are well understood & analysed.
• Risk metrics are identified and objectively track a number of key risk indicators.
Stumbling blocks…
• Lack of resources leading to a low risk awareness.
• Failure to prioritise the organization’s Crown Jewels: critical processes and key revenue generators.
• Extensive risk mapping to the detriment of its practical use.
• Failing to realise risk identification is a dynamic process and subject to change at any given moment.
6. Stakeholder Participation in Risk Management
Best Practice…
• Forums at executive and management levels seek consensus to address cross-functional risk.
• Demonstrate that stakeholder expectations are analysed and incorporated into the organization’s risk and compliance management processes.
• Ensure effective communication channels to optimise information sharing and strategy development.
• Cross-function approach to risk.
Stumbling blocks…
• Failing to incorporate a range of stakeholder positions into the decision making process.
• No developed stakeholder communication plan and no common understanding of risk tolerance between parties.
• Withholding key risk information from stakeholders.
7. Risk Information & Decision Making Processes
Best Practice…
• Formal collection and incorporation of risk information into decision-making and governance processes.
• Risk identification / assessment activities follow given methodologies and are considered in project / investment decisions.
• Budget allocations incorporate risk assessment plans and consider risk-return expectations for each business unit.
• Review systems make reference to RM results and are formally communicated to group and stakeholders.
• BI exposures independently valued at predetermined intervals, with set triggers to prompt emergency valuations.
Stumbling blocks…
• Risk information disconnected from strategic and operational decisions.
• Inconsistent benchmarking and use of risk information across business units.
• No measurable comparisons developed across time and business units.
• Failure to benchmark and review the process on a periodic basis.
• “Something needs to be done….. And this is something”
• “Decide in haste – repent at leisure”
8. Integrating Risk Management & Human Capital Processes
Best Practice…
• Monitoring of key HR processes is part of a complete review process, and explicitly linked to RM processes.
• Employee engagement is valued by executives, quantitative in nature and maintained on a periodic basis.
• Talent management is aligned with the organization’s future needs.
• Leadership development plans are consistent and in place for critical positions.
• Retirement plan risks are managed and reviewed quarterly and supported externally.
Stumbling blocks…
• “Any one person can bring a company down” – failure to realise the value of risk management in the HR space today.
• Cost-cutting dictates that external support to help manage HR risks is outlawed by the organization.
• Managing numbers to the detriment of employee satisfaction.
9. Risk Analysis & Quantification to Understand Risk & Demonstrate Value
Best Practice…
• Quantitative and qualitative analysis aligned to risk appetite and supported by additional evaluations.
• Common risk drivers are formally identified and relationships between risks analysed.
• Risk KPIs are measured quantitatively and documentation includes qualitative commentary and quantitative evidence.
• Self-insured valuations are conducted annually and are developed by actuaries.
• Market assumptions are documented consistently and organizational projects developed through complex modelling techniques.
Stumbling blocks…
• Link between reward and appropriate risk taking not considered.
• Historical data not incorporated into risk management decisions.
ERM Process Standards
ERM process standards and guidance are available (e.g. COSO, ISO 31000), but these are generally implemented in different ways by different companies.
So, from all this risk management activity… what really gives value to companies?