The Governance of Risk
Agenda
1. Introduction to Risk Management – Balancing Risk and Reward
2. Whose responsibility is the governance of risk?
3. Determination of Risk Tolerance / Appetite
Performance of Risk Assessment
Frameworks and Methodologies
4. Risk Response / Risk Monitoring / Risk Assurance
Risk Disclosure / Risk Dashboard
Risk Registers
“Black Swans”
Discussion Outline
1. Re-energising Our Purpose
Vision, Mission, Values and 5 year strategic objectives
2. How is the Landscape Changing?
Macro Environment – External Outlook
Internal Analysis
3. What Initiatives are Critical for us to Succeed?
Divisional strategic projects
4. Risk Assessment (facilitated by External Specialists)
Objectives of today:
Re-energising our purpose.
Help stimulate strategic dialogue amongst the Board and Exco on the changes in our strategic context and strategic choices.
Evaluate whether our strategic objectives are still relevant or there is a case for change.
Update on key strategic initiatives / projects which are critical for us to succeed.
Assessment of top strategic risks.
Discussion Outline
1. Re-energising Our Purpose
Vision, Mission, Values and 5 year strategic objectives
2. How is the Operational Landscape Changing?
Macro Environment – External Outlook
Internal Analysis
3. What Initiatives are Critical for us to adopt to Succeed?
Divisional strategic projects
4. Strategic Risk
Risk Assessment (facilitated by ORCA)
Seinfeld Risk Management
How much of your board’s time is devoted to formal risk management compared with three years ago?
Source: Economist Intelligence Unit
Has your board reassessed risk management in light of any of the following?
Regulatory risk
Governance risk
Country risk
Dominant individual risk
Terrorism
Political risk
Natural hazard
Product recalls
Weather risk
Source: Economist Intelligence Unit
Which of the following best describes how your organisation manages risk?
Centralised and firm-wide risk management that is overseen by the board as part of overall business strategy
Decentralised risk management with formal co-ordination
Decentralised risk management without formal co-ordination
Other / don’t know
Source: Economist Intelligence Unit
The Governance of Risk
Board’s Responsibility for Risk Governance
The Link between Corporate Governance, Strategy and Risk
Corporate Governance
“Corporate governance is the system by which companies are directed and controlled” (Cadbury Report, 1992)
The Link between Corporate Governance, Strategy and Risk
Strategy is the direction and scope of an organisation over the long-term, which achieves advantages in a changing environment through its configuration of resources and competencies with the aim of fulfilling stakeholder expectations.
The Link between Corporate Governance, Strategy and Risk
Strategy
Strategy is concerned with the long-term direction of the organisation
Concerned with the scope of the organisation’s activities
Trying to achieve some advantage for the organisation over competition
The Link between Corporate Governance, Strategy and Risk
Search for strategic fit with the business environment
Creating opportunities by building on the organisation’s resources and competencies
Affected not only by environmental forces and strategic capability, but also by the values and expectations of those who have power in and around the organisation
The Link between Corporate Governance, Strategy and Risk
Risk
The process of analysing an entity’s exposure to financial and non-financial risk and determining how best to mitigate / control such risk
What are the principal obstacles to making risk management integral with overall business strategy at your organisation?
Competition with other priorities
Fear of creating a risk-averse and bureaucratic culture
A lack of cost-effective risk management tools
Directors consider risk management a task for line management, not the board
Poor awareness among staff inhibiting implementation
The board does not understand or appreciate the principles and benefits of enterprise risk management
Governance requirements (e.g. Sarbanes-Oxley)
Opposition from a key board member or group of members
Other
Source: Economist Intelligence Unit
Which of the following have resulted from your board taking greater responsibility for risk management?
Improved internal controls
Improved standards of governance
Improved business strategy
Reduced compliance risks
More robust corporate approach to risk-taking within the organisation
Improved shareholder value
Reduced cost of risk management
Lower insurance costs
Improved returns on investment
Source: Economist Intelligence Unit
In your view, what is the board’s primary responsibility regarding risk management?
To manage risk as an integral part of day-to-day board-level planning and decision making
To be proactive in determining the organisation’s level of appetite for risk
To spot emerging risks and develop strategies to prepare for them
To sanction or reject risk assessments conducted at lower levels of the organisation
To respond to risks as they arise
Other
Source: Economist Intelligence Unit
In which of the following areas have your board members received the most training?
Corporate governance and board responsibilities
Ensuring business continuity
Monitoring and identifying emergent risks
Extending risk principles into the wider business strategy
Implementing a risk management policy across the organisation
Developing alternative risk strategies
Communicating risk management policies to the workforce
Evaluating insurance coverage
Technical risk management skills (e.g., risk management, risk modelling)
Source: Economist Intelligence Unit
RE-ENERGISING OUR PURPOSE
Vision, Mission & Values
• Vision: To be a centre of excellence in healthcare funding systems
• Mission: Providing all members with products and related services in a sustainable manner
• Values: Excellence, Respect, Integrity, Value Diversity, Honesty, Transparency, Accountability
2015 Strategic Objectives
Key strategic objectives defining our agenda…
• Security of supply – sufficient
• Safety and risk
• Product innovation and diversification
• Sustainable Business Model
• Customer & Stakeholder Relationship
• Sound corporate governance
• Optimise technology for Internal Processes
• Talent Management
• Good corporate citizenship
Vision, Unity of purpose, Shared Values
Teamwork always wins…
HOW IS THE LANDSCAPE CHANGING?
WHAT INITIATIVES ARE CRITICAL FOR US TO SUCCEED?
Is Each Strategic Objective Supported by at Least One or More Projects?
Objective No.   Strategic Objective                   Number of strategic projects / initiatives selected to support the objective
1               Product Mix                           1
2               Optimise Technology                   4
3               Innovation & Diversification          2
4               Talent Management                     1
5               Business Sustainability Model         3
6               Corporate Citizen                     1
7               Customer & Stakeholder Relationship   1
Business Risks can be Divided into 5 Main Groups
Strategic
• Risks of plans failing:
  • poor marketing strategy
  • poor acquisitions strategy
  • changes in consumer behaviour
  • political/regulatory change
Financial
• Risks of financial controls failing:
  • treasury risks
  • lack of counterparty/credit assessment
  • sophisticated fraud
  • systems failure
  • poor stock/receivables reconciliation
Operational
• Risks of human error or omission:
  • design mistakes
  • unsafe behaviour
  • employee practices risks
  • sabotage
Commercial
• Risks of business interruption:
  • loss of a key executive
  • supplier failure
  • lack of legal compliance
Technical
• Risks of physical assets failing or being damaged:
  • equipment breakdown
  • infrastructure failure
  • fire
  • explosion
  • pollution
  • drought and other natural perils
Looking at Risk from Both Sides
Risk as an asset – we must manage risk to:
• Attract members
• Seize opportunities
• Create value
• Push to the limits
• Attract investors
Risk as a liability – we must manage risk to:
• Reduce the possibility of loss
• Protect value
• Stay in control
• Avoid falling behind
• Reassure stakeholders
• Avoid losing members
The Risk Management Cycle
Risk Management
The Board should be Responsible for the Governance of Risk
Exercise leadership
Responsible for governance of risk through formal processes
Demonstrate it has dealt with the governance of risk comprehensively
Disclose how it has satisfied itself that risk assessments, responses and interventions are effective
The Board should be Responsible for the Governance of Risk
Scope of responsibility of risk governance should be expressed in its board charter
Induction and training processes for all board members
Delegated responsibility for risk management to a board committee (?)
Documented risk management policy and plan
The Board should be Responsible for the Governance of Risk
Policy and Plan for approval by the board
Risk Management Policy sets the tone for risk management and indicates how risk management will support the organisation’s strategy
Risk Management Policy widely distributed throughout the organisation
Risk Management Plan considers maturity of risk management within the organisation
The Board should be Responsible for the Governance of Risk
Risk Management Plan should include:
◦ Organisation’s risk management structure
◦ Risk management framework
◦ Standards and methodology adopted (?)
◦ Risk management guidelines
◦ Integration through training and awareness programmes
◦ Details of assurance and review of risk management process
Review its risk management plan regularly
Identifying and Assessing Risk
Does a comprehensive risk profile exist for the organisation? If not, why not?
Does the risk profile evidence identification and evaluation of non-traditional risk exposures?
Are the interrelationships of risks clearly identified and understood?
Identifying and Assessing Risk
Operational Risk
What are the risks inherent in the processes chosen to implement the strategies?
How does the organisation identify, quantify and manage these risks, given its appetite for risk?
How does the organisation adapt its activities as strategies and processes change?
Definition of Risk Categories
• Strategic Risks
• Financial and Treasury
• Legal and Regulatory Risks (Compliance)
• Political Risks
• Environmental Risks
• Health and Safety Risks
• Stakeholders’ Risks
• Market Risks
• Infrastructure Risk
• People Risks
• Operational Risks
• Project Risks
• IT Risks
• Fraud
• Competition
• Obsolescence
The board should ensure that management considers and implements appropriate risk responses
• Management identifies and considers the different ways the organisation can respond to the risks identified during the risk assessment process
• Options for responses include:
  ◦ avoiding the risk by not starting the activity that creates exposure to the risk
  ◦ treating, reducing or mitigating the risk
  ◦ transferring the risk exposure
  ◦ tolerating or accepting the risk
  ◦ exploiting the risk
  ◦ terminating the activity
  ◦ integrating some or all of the risk responses
• Ts of risk response
Take-Aways
1. Boards are taking risk much more seriously
2. Boards are only slowly incorporating the full range of risks into decision-making
3. More needs to be done to embed risk management culture
4. Boards need better training and education on risk management
5. Companies are yet to realise the full benefits of strong risk management
6. The insurance industry is a prime source of risk management expertise
Risk Management
How do you know you have a supportive environment for risk management? When people at all levels in the organisation think and behave in characteristic ways.
No excuses. They each take active responsibility for managing some risks. Risks are identified – and apologies are unnecessary.
No complaining. They accept that sometimes bad things happen. And good things don’t.
No cover ups. They are truthful and candid. They promptly communicate all issues that need to be addressed. Asking for help is not seen as a weakness.
No blind spots. They understand that risks are opportunities. Aware of potential losses, they also look for potential rewards.
So a healthy risk culture encourages rapid, decisive action. It feeds off honest assessments of risk, timely information on materiality, effective communication within and outside the company, and a generally positive approach that treats risk as an asset – to be exploited rather than avoided.
Risk Management Self-Evaluation Framework
Level / Risk Evaluation Criteria
Level 1
• Provide Clear Risk Management Policies and Procedures
• Provide Clear Risk Management Corporate Governance Structures
• Provide Tools and Frameworks to Train the Line to Manage Risk
• Leverage Company Knowledge to Identify and Assess Risk
• Focus on Both the Upside and Downside of Risk to Optimise Strategic Risk Taking
• Prioritise Risk Based on Probability and Inherent Impact
• Provide Clear Visibility into Key Risks and Mitigation Status
• Aggregate Risk and Mitigation Information into a Central Database
Level 2
• Prioritise Risk Based on Probability and Residual Impact
• Embed Risk Considerations into Day-to-Day Planning and Decision Making
• Link Risk Management to Employee Performance
• Assess Effectiveness of Risk Mitigation Efforts
• Coordinate Risk Assurance Activities Across the Organisation
Level 3
• Assess Risk Velocity to Prioritise Risk Mitigation Efforts
• Formally Define Business Unit Risk Appetite as Part of the Risk Opportunity Analysis
• Embed Feedback Loops for Continuous Improvement in Risk Strategy
• Leverage Predictive Risk Metrics to Assess Probable Impacts and Mitigation Strategies
• Develop a 360-Degree View of Counterparty Risk to Pinpoint Exposure Levels
Using frameworks and methodologies to identify “Black Swans”
• The illusion of understanding, or how everyone thinks he knows what is going on in a world that is more complicated (or random) than they realise;
• The retrospective distortion, or how we can assess matters only after the fact, as if they were in a rearview mirror (history seems clearer and more organised in history books than in empirical reality, and
• The overvaluation of factual information and the handicap of authoritative and learned people, particularly when they create categories – when they “Platonify” (incurring the risk of using the wrong form).
Risk Register
Columns: Risk Definition / Controls / Assessment / Combined Assurance
• Business / Division / Grouping
• Risk Description
• Risk Category
• Group / Entity Risk Rating
• Rating Justification
• Gross / Net Exposure
• Controls in Place
• Control Owner
• In Place Assurance Provider
• Date of Last Audit / Review
Rating and required action:
• HIGH: Consider stopping activity / Obtain authorisation to continue. Commence corrective action immediately / Monitor to verify success.
• MEDIUM HIGH: Commence corrective action within 3 months / Monitor to verify success.
• LOW MEDIUM: Take action in line with day-to-day priorities.
• LOW: Low priority for action.
Warren Buffett on Risk Management
Conclusion
Issues
Discussion