Introducing Enterprise Risk Management (ERM) - The KOC Experience

November 2012
Khaled Al-Awadhi, Risk Management Team, Kuwait Oil Company



Index

► Introduction
    • Why we are doing it?
    • Doing the same thing
    • Behavioral aspects in ERM
► Risk - key definitions
► Implementation journey
    • Risk policy
    • Enterprise Risk Management (ERM) Manual
    • ERM Pilot
    • ERM Rollout
► Way forward


Introduction

Why we are doing it?

► Global demand for improved visible governance
► Examples of risks facing large companies (both major and complete collapse …)
    – Rawdatain Gas Well incident (KOC)
    – Bank failures


• KOC adopted ERM because of KPC directives and because of its benefits
• Benefits:
    – Demonstrate improved governance to all stakeholders
    – No surprises / Improved preparedness
    – Risk reduction/treatment
    – Improved confidence in decision making
    – Reduce risk to company objectives


Doing the same thing

► Are you really doing the same thing?
    – The scenario changes!
    – The person doing it changes!!
    – The objectives change!!!
    – Unknown unknown !!!!
► Can you do the same thing again and again and expect the same result?


Behavioral aspects of ERM

► Can personality types affect risk perception?
► Can past experience affect risk perception?
► Can laws affect risk perception?
► What else?


KOC’s Risk Exposure

[Figure: KOC's risk exposure diagram. Labels: Global Oil Market; Global/Domestic Products Market; KOC; KPC; Sister Companies; Exposure Barriers]


Macro to Micro (and back again)

[Figure: Risk Profile diagram. Labels: Leaders; Strategic, Tactical, Activity; Workforce]

Leaders need firm information on which to base decision making and objective setting. Risk profiling does this.

Consequence: What are the worst case credible scenarios for each category of consequence (target)?

Probability: How likely is it to occur / reoccur? How effective are the controls we have in place?

The workforce needs strategic information to do the right detailed operational planning.


Risk - key definitions


Risk – framework (AS/NZ 4360: 2004) Standard

[Figure: risk management process flowchart. Steps: Establish the Context → Identify Risks → Analyse Risks (Likelihood, Consequences, Level of Risk) → Evaluate Risks → decision point "Accept Risks?" (yes / no) → Treat Risks. Communicate & Consult and Monitor & Review run alongside the steps.]


Implementation Journey

1. KOC Risk Policy
2. ERM Procedure
3. ERM Pilot
4. ERM Rollout
5. Way forward


Implementation Journey …

KOC Risk Policy

• Consistent with international best practice
• Recognizes that risk is inherent in our business
• Risk Management is fundamental to achieving our objectives
• Visibility will help to monitor actions
• Improve decision making


ERM Framework

[Figure: Enterprise Risk Management System. Elements: ERM Policy; Organisation & Capability; ERM Process; Acceptance & Appetite; Communication; Risk Register; Stakeholders; Operational Functions; Assurance]


[Figure: Corporate Risk Management System. Elements: RM Policy; Organisation & Capability; RM Process; Acceptance & Appetite; Communication; Risk Register; Stakeholders; Operational Functions; Assurance]

Establish Context

Assess the Risk Exposures
• IDENTIFY: Determine areas of exposure
• EVALUATE: Magnitude of the risk
• ANALYSE: Consequences of events and probability of reoccurrence

Define Risk Management Plans
• TERMINATE: Avoid or eliminate the exposure
• TREAT: Applying risk control activities
• TOLERATE: Acceptable level of risk
• TRANSFER: Sharing the exposure with other parties

Implement Plans

Communicate & Consult

Monitor & Review


Implementation Journey …

Risk Matrix

Risk consequence categories:
• Cost of Event
• Profit Reduction
• Health and Safety
• Natural Environment
• Social or Cultural Heritage
• Community, Government, Reputation, Media
• Legal

Consequence: What are the worst case credible scenarios for each category of consequence (target)?

Probability: How likely is it to occur / reoccur? How effective are the controls we have in place?

Likelihood (rows) against Impact (columns):

Likelihood       1 - Incidental   2 - Minor   3 - Moderate   4 - Major    5 - Severe
1 - Frequent     Medium           High        High           Very High    Very High
2 - Likely       Medium           High        High           Very High    Very High
3 - Possible     Medium           Medium      High           High         Very High
4 - Unlikely     Low              Medium      High           High         High*
5 - Rare         Low              Low         Medium         Medium       High*
6 - Very Rare    Low              Low         Medium         Medium       High


Risk Hierarchy

Top-level Risks

[Figure: risk hierarchy. Levels: Corporate; Directorate; Group; Team. Example risks shown: Inability to export; Corrosion of Export Manifolds; Loss of Key Manifold; Backlog in internal manifold inspections]

Risk register allows “drill down” from corporate level risks to detailed exposures


Risk Profile

The risk hierarchy allows senior managers to understand the current level of exposure and the trend over time. From this they can set improvement objectives for the following period.

[Figure: Corporate Risk Profile. Areas of Risk: Operational; Financial; Human Resources; Health, Safety & Environmental; Governance, Reputation & Compliance. Areas of Exposure & Control: Technical Services Directorate; General Management; North Kuwait Directorate; E&PD Directorate; West Kuwait Directorate; South & East Kuwait Directorate; Administration Directorate; Planning & Gas Directorate. Trend chart by quarter (1st Qtr to 4th Qtr, scale 0 to 60) with levels Critical; Intolerable; Broadly Tolerable; Acceptable]


Implementation Journey …

ERM Pilot

• Workshops held in two Groups

• Risks Identified

• Risks Analyzed

• Actions Identified

• Responsibility assigned

• Risk Register prepared


Implementation Journey …

ERM Roll out

• Implementation of ERM in all groups in KOC.

• Risk Review workshop for LC

• KOC Risk Register

• Training of

• Risk Management for Managers

• General Awareness

• Super Users

• RM Team capability building

• Because of the unique case of Ahmadi Hospital, its Risk Register was built separately rather than as part of the company rollout.


ERM Way forward

Embed ERM in KOC: a continuously updated view of the risks facing KOC is available to leadership to support risk-aware decision making.
» Compile and analyze risk profile
» LC Risk review
» Communicate risk profile to stakeholders

Support KPC Enterprise Risk Management Project.
Modeling of key risks

Proactive support to Auditors as partners, to find opportunities for improvement.
We are now linking the internal audit report with the Risk Register. This year we will include London Office Risks in the Risk Register.


ERM Profile in KOC

• Basis: Survey & Audits
• Basis: Workshops
• Basis: Annual Update
• KPM: Risk Index (Treated) is linked to SMAIP
