The Governance of Risk


Post on 25-Sep-2019


Page 1: The Governance of Risk - crm.bhfglobal.comcrm.bhfglobal.com/files/bhf/BHF Governance of Risk Presentation August... · Strategy is concerned with the long-term direction of the organisation

The Governance of Risk

Page 2

Agenda

1. Introduction to Risk Management – Balancing Risk and Reward

2. Whose responsibility is the governance of risk?

3. Determination of Risk Tolerance / Appetite

Performance of Risk Assessment

Frameworks and Methodologies

4. Risk Response / Risk Monitoring / Risk Assurance

Risk Disclosure / Risk Dashboard

Risk Registers

“Black Swans”

Page 3

Discussion Outline

1. Re-energising Our Purpose

Vision, Mission, Values and 5 year strategic objectives

2. How is the Landscape Changing?

Macro Environment – External Outlook

Internal Analysis

3. What Initiatives are Critical for us to Succeed?

Divisional strategic projects

4. Risk Assessment (facilitated by External Specialists)

Page 4

Objectives of today:

Re-energising our purpose.

Help stimulate strategic dialogue amongst the Board and Exco on the changes in our strategic context and strategic choices.

Evaluate whether our strategic objectives are still relevant or there is a case for change.

Update on key strategic initiatives / projects which are critical for us to succeed.

Assessment of top strategic risks.

Discussion Outline

1. Re-energising Our Purpose

Vision, Mission, Values and 5 year strategic objectives

2. How is the Operational Landscape Changing?

Macro Environment – External Outlook

Internal Analysis

3. What Initiatives are Critical for us to adopt to Succeed?

Divisional strategic projects

4. Strategic Risk

Risk Assessment (facilitated by ORCA)

Page 5

Seinfeld Risk Management

Page 6

How much of your board’s time is devoted to formal risk management compared with three years ago?

Source: Economist Intelligence Unit

Page 7

Has your board reassessed risk management in light of any of the following?

Regulatory risk

Governance risk

Country risk

Dominant individual risk

Terrorism

Political risk

Natural hazard

Product recalls

Weather risk

Source: Economist Intelligence Unit

Page 8

Which of the following best describes how your organisation manages risk?

Centralised and firm-wide risk management that is overseen by the board as part of overall business strategy

Decentralised risk management with formal co-ordination

Decentralised risk management without formal co-ordination

Other / don’t know

Source: Economist Intelligence Unit

Page 9

The Governance of Risk

Board’s Responsibility for Risk Governance

Page 10

The Link between Corporate Governance, Strategy and Risk

Corporate Governance

“Corporate governance is the system by which companies are directed and controlled”

Cadbury Report, 1992

Page 11

The Link between Corporate Governance, Strategy and Risk

Strategy is the direction and scope of an organisation over the long-term, which achieves advantages in a changing environment through its configuration of resources and competencies with the aim of fulfilling stakeholder expectations.

Page 12

The Link between Corporate Governance, Strategy and Risk

Strategy

Strategy is concerned with the long-term direction of the organisation

Concerned with scope of the organisation’s activities

Trying to achieve some advantage for the organisation over competition

Page 13

The Link between Corporate Governance, Strategy and Risk

Search for strategic fit with the business environment

Creating opportunities by building on the organisation’s resources and competencies

Affected not only by environmental forces and strategic capability, but also by the values and expectations of those who have power in and around the organisation

Page 14

The Link between Corporate Governance, Strategy and Risk

Risk

The process of analysing an entity’s exposure to financial and non-financial risk and determining how best to mitigate / control such risk

Page 15

What are the principal obstacles to making risk management integral with overall business strategy at your organisation?

Competition with other priorities

Fear of creating a risk-averse and bureaucratic culture

A lack of cost-effective risk management tools

Directors consider risk management a task for line management, not the board

Poor awareness among staff inhibiting implementation

The board does not understand or appreciate the principles and benefits of enterprise risk management

Governance requirements (e.g. Sarbanes-Oxley)

Opposition from a key board member or group of members

Other

Source: Economist Intelligence Unit

Page 16

Which of the following have resulted from your board taking greater responsibility for risk management?

Improved internal controls

Improved standards of governance

Improved business strategy

Reduced compliance risks

More robust corporate approach to risk-taking within the organisation

Improved shareholder value

Reduced cost of risk management

Lower insurance costs

Improved returns on investment

Source: Economist Intelligence Unit

Page 17

In your view, what is the board’s primary responsibility regarding risk management?

To manage risk as an integral part of day-to-day board-level planning and decision making

To be proactive in determining the organisation’s level of appetite for risk

To spot emerging risks and develop strategies to prepare for them

To sanction or reject risk assessments conducted at lower levels of the organisation

To respond to risks as they arise

Other

Source: Economist Intelligence Unit

Page 18

In which of the following areas have your board members received the most training?

Corporate governance and board responsibilities

Ensuring business continuity

Monitoring and identifying emergent risks

Extending risk principles into the wider business strategy

Implementing a risk management policy across the organisation

Developing alternative risk strategies

Communicating risk management policies to the workforce

Evaluating insurance coverage

Technical risk management skills (e.g., risk management, risk modelling)

Source: Economist Intelligence Unit

Page 19

RE-ENERGISING OUR PURPOSE

Page 20

Vision, Mission & Values

• Vision: To be a centre of excellence in healthcare funding systems

• Mission: Providing all members with products and related services in a sustainable manner

• Values: Excellence, Respect, Integrity, Value Diversity, Honesty, Transparency, Accountability

Page 21

2015 Strategic Objectives

Key strategic objectives defining our agenda…

Security of supply – sufficient

Safety and risk

Product innovation and diversification

Sustainable Business Model

Customer & Stakeholder Relationship

Sound corporate governance

Optimise technology for

Internal Processes

Talent Management

Good corporate citizenship

Vision

Unity of purpose

Shared Values

Teamwork always wins…

Page 22

HOW IS THE LANDSCAPE CHANGING?

Page 23

WHAT INITIATIVES ARE CRITICAL FOR US TO SUCCEED?

Page 24

Is Each Strategic Objective Supported by at Least One or More Projects?

Objective No. | Strategic Objectives | Number of strategic projects / initiatives selected to support the objectives
1 | Product Mix | 1
2 | Optimise Technology | 4
3 | Innovation & Diversification | 2
4 | Talent Management | 1
5 | Business Sustainability Model | 3
6 | Corporate Citizen | 1
7 | Customer & Stakeholder Relationship | 1

Page 25

Business Risks can be Divided into 5 Main Groups

Strategic

• Risks of plans failing:
◦ poor marketing strategy
◦ poor acquisitions strategy
◦ changes in consumer behaviour
◦ political/regulatory change

Financial

• Risks of financial controls failing:
◦ treasury risks
◦ lack of counterparty/credit assessment
◦ sophisticated fraud
◦ systems failure
◦ poor stock/receivables reconciliation

Operation

• Risks of human error or omission:
◦ design mistakes
◦ unsafe behaviour
◦ employee practices risks
◦ sabotage

Commercial

• Risks of business interruption:
◦ loss of a key executive
◦ supplier failure
◦ lack of legal compliance

Technical

• Risks of physical assets failing or being damaged:
◦ equipment breakdown
◦ infrastructure failure
◦ fire
◦ explosion
◦ pollution
◦ drought and other natural perils

Page 26

Looking at Risk from Both Sides

Risk as an asset

We must manage risk to:
◦ Attract members
◦ Seize opportunities
◦ Create value
◦ Push to the limits
◦ Attract investors

Risk as a liability

We must manage risk to:
◦ Reduce the possibility of loss
◦ Protect value
◦ Stay in control
◦ Avoid falling behind
◦ Reassure stakeholders
◦ Avoid losing members

Page 27

The Risk Management Cycle

Page 28

Risk Management

Page 29

The Board should be Responsible for the Governance of Risk

Exercise leadership

Responsible for governance of risk through formal processes

Demonstrate it has dealt with the governance of risk comprehensively

Disclose how it has satisfied itself that risk assessments, responses and interventions are effective

Page 30

The Board should be Responsible for the Governance of Risk

Scope of responsibility of risk governance should be expressed in its board charter

Induction and training processes for all board members

Delegated responsibility for risk management to a board committee (?)

Documented risk management policy and plan

Page 31

The Board should be Responsible for the Governance of Risk

Policy and Plan for approval by the board

Risk Management Policy sets the tone for risk management and indicates how risk management will support the organisation’s strategy

Risk Management Policy widely distributed throughout the organisation

Risk Management Plan considers maturity of risk management within organisation

Page 32

The Board should be Responsible for the Governance of Risk

Risk Management Plan should include:

◦ organisation’s risk management structure

◦ Risk management framework

◦ Standards and methodology adopted (?)

◦ Risk management guidelines

◦ Integration through training and awareness programmes

◦ Details of assurance and review of risk management process

Review its risk management plan regularly

Page 33

Identifying and Assessing Risk

Does a comprehensive risk profile exist for the organisation? If not, why not?

Does the risk profile evidence identification and evaluation of non-traditional risk exposures?

Are the interrelationships of risks clearly identified and understood?

Page 34

Identifying and Assessing Risk

Operational Risk

What are the risks inherent in the processes chosen to implement the strategies?

How does the organisation identify, quantify and manage these risks, given its appetite for risk?

How does the organisation adapt its activities as strategies and processes change?

Page 35

Definition of Risk Categories

• Strategic Risks

• Financial and Treasury

• Legal and Regulatory Risks (Compliance)

• Political Risks

Page 36

Definition of Risk Categories

• Environmental Risks

• Health and Safety Risks

• Stakeholders’ Risks

• Market Risks

Page 37

Definition of Risk Categories

• Infrastructure Risk

• People Risks

• Operational Risks

• Project Risks

Page 38

Definition of Risk Categories

• IT Risks

Fraud

Competition

Obsolescence

Page 39

The board should ensure that management considers and implements appropriate risk responses

• Management identify and consider different ways organisation can respond to risks identified during the risk assessment process

• Options for responses include:

avoiding the risk by not starting the activity that creates exposure to the risk

treating, reducing or mitigating the risk

transferring the risk exposure

tolerating or accepting the risk

exploiting the risk

terminating the activity

integrating some or all of the risk responses

• Ts of risk response

Page 40

Take-Aways

1. Boards are taking risk much more seriously

2. Boards are only slowly incorporating the full range of risks into decision-making

3. More needs to be done to embed risk management culture

4. Boards need better training and education on risk management

5. Companies are yet to realise the full benefits of strong risk management

6. The insurance industry is a prime source of risk management expertise

Page 41

Risk Management

How do you know you have a supportive environment for risk management? When people at all levels in the organisation think and behave in characteristic ways.

No excuses. They each take active responsibility for managing some risks. Risks are identified – and apologies are unnecessary.

No complaining. They accept that sometimes bad things happen. And good things don’t.

No cover ups. They are truthful and candid. They promptly communicate all issues that need to be addressed. Asking for help is not seen as a weakness.

No blind spots. They understand that risks are opportunities. Aware of potential losses, they also look for potential rewards.

So a healthy risk culture encourages rapid, decisive action. It feeds off honest assessments of risk, timely information on materiality, effective communication within and outside the company, and a generally positive approach that treats risk as an asset – to be exploited rather than avoided.

Page 42

Risk Management Self-Evaluation Framework

Level Risk Evaluation Criteria

Level 1

Provide Clear Risk Management Policies and Procedures

Provide Clear Risk Management Corporate Governance Structures

Provide Tools and Frameworks to Train the Line to Manage Risk

Leverage Company Knowledge to Identify and Assess Risk

Focus on Both the Upside and Downside of Risk to Optimise Strategic Risk Taking

Prioritise Risk Based on Probability and Inherent Impact

Provide Clear Visibility into Key Risks and Mitigation Status

Aggregate Risk and Mitigation Information into a Central Database

Level 2

Prioritise Risk Based on Probability and Residual Impact

Embed Risk Considerations into Day-to-Day Planning and Decision Making

Link Risk Management to Employee Performance

Assess Effectiveness of Risk Mitigation Efforts

Coordinate Risk Assurance Activities Across the Organisation

Level 3

Assess Risk Velocity to Prioritise Risk Mitigation Efforts

Formally Define Business Unit Risk Appetite as Part of the Risk Opportunity Analysis

Embed Feedback Loops for Continuous Improvement in Risk Strategy

Leverage Predictive Risk Metrics to Assess Probable Impacts and Mitigation Strategies

Develop a 360-Degree View of Counterparty Risk to Pinpoint Exposure Levels

Page 43

Using frameworks and methodologies to identify “Black Swans”

• The illusion of understanding, or how everyone thinks he knows what is going on in a world that is more complicated (or random) than they realise;

• The retrospective distortion, or how we can assess matters only after the fact, as if they were in a rearview mirror (history seems clearer and more organised in history books than in empirical reality); and

• The overvaluation of factual information and the handicap of authoritative and learned people, particularly when they create categories – when they “Platonify” (incurring the risk of using the wrong form).

Page 44

Risk Register

Risk Definition Controls Assessment / Combined Assurance

Business / Division / Grouping

Risk Description

Risk Category

Group / Entity Risk rating

Rating Justification

Gross / Net Exposure

Controls in Place

Control Owner

In Place Assurance Provider

Date of Last Audit / Review

HIGH: Consider stopping activity / Obtain authorisation to continue. Commence corrective action immediately / Monitor to verify success.

MEDIUM HIGH: Commence corrective action within 3 months / Monitor to verify success.

LOW MEDIUM: Take action in line with day-to-day priorities.

LOW: Low priority for action

Page 45

Warren Buffett on Risk Management

Page 46

Conclusion

Issues

Discussion