Introduction to Enterprise Risk Management (ERM)

Enterprise Risk Management (ERM)
By: Ahmed AwladThani
Chief Internal Auditor, Oman LNG L.L.C.
1
Agenda
What is Risk?
Why Risk Management?
What is Risk Management?
ERM framework
Risk Examples
2
What is Risk?
3
4
Basic Concepts
5
What is Risk?
ANYTHING that may affect the achievement of an organization’s objectives.
It is the UNCERTAINTY that surrounds future events & outcomes.
It is the expression of the likelihood and impact of an event with the potential to influence the achievement of an organization’s objectives.
6
Why Risk Management?
7
ERM Quotes
“The only alternative to risk management is crisis management --- and crisis management is much
more expensive, time consuming and embarrassing.”
JAMES LAM, Enterprise Risk Management, Wiley Finance © 2003
“Risk comes from not knowing what you're doing.”
Warren Buffett
“Risk is like fire: If controlled it will help you; if uncontrolled it will rise up and destroy you.”
Theodore Roosevelt
“Risk management is about people and processes and not about models and technology.”
Trevor Levine
“Even a correct decision is wrong when it was taken too late.”
Lee Iacocca
“Good Risk Management fosters vigilance in times of calm and instills discipline in times of
crisis.”
Dr. Michael Ong
8
Risk Management is a responsibility of …………………………………………….?
Why Risk Management?
• Increase risk awareness: what could affect the achievement of objectives?
• Increase understanding of risk trends: what makes my risks increase, decrease or disappear?
• Promote a “healthy” risk culture: talk about risk in an open and transparent environment.
• Develop a common and consistent approach across the organization, not one that is individual- or group-based.
• Focus efforts: help prioritize the top key risks.
• Be proactive, not reactive: prepare for risks before they happen, with risk-mitigating strategies in place.
• Improve outcomes: achievement of objectives.
9
What is Risk Management?
10
ERM Definition
Committee of Sponsoring Organizations (COSO):
“A process, effected by an entity’s board of directors,
management and other personnel, applied in strategy-setting
and across the enterprise, designed to identify potential events
that may affect the entity, and manage risk to be within its risk
appetite, to provide reasonable assurance regarding the
achievement of entity objectives.”
ISO 31000:2009 – Developed by the International Organization for Standardization (ISO):
“A process that provides confidence that planned objectives will
be achieved within an acceptable degree of residual risk.”
11
What is ERM? (cont’d)
To assist with the implementation of the ERM process, COSO developed the ERM Integrated Framework (2004), also known as the COSO Cube. This cube is an update to the initial COSO framework (COSO I) developed in 1992. The following slides walk through its objective categories and components:
12
What is ERM? (cont’d)
Strategic objectives: high-level goals that are aligned with and support the organisation’s mission.
13
What is ERM? (cont’d)
Operations objectives: relate to the ongoing management process and daily activities of the organization.
14
What is ERM? (cont’d)
Reporting objectives: protection of the organization’s assets and the quality of financial & non-financial reporting.
15
What is ERM? (cont’d)
Compliance objectives: the organization’s adherence to applicable laws and regulations.
16
What is ERM? (cont’d)
Internal Environment: the general culture, values and environment in which an organization or entity operates (tone at the top).
17
What is ERM? (cont’d)
Objective Setting: the process management uses to set its strategic goals and objectives. It establishes the organization’s risk appetite and risk tolerance.
18
What is ERM? (cont’d)
Event Identification: the process by which an organization identifies events that influence strategy and objectives, or that could affect the organization’s ability to achieve its objectives.
19
What is ERM? (cont’d)
Risk Assessment: the process of evaluating the impact and likelihood of events, and prioritizing the related risks.
20
What is ERM? (cont’d)
Risk Response: determining how management will respond to the risks the organization faces.
21
Typical Risk Responses
Take, Treat, Transfer, or Terminate (the 4 T’s):
Take: accept the risk as estimated and proceed with the activity.
Treat: take appropriate action to reduce the likelihood or the consequences.
Transfer: contractual re-allocation of the risk, or the purchase of insurance.
Terminate: avoid the risk by cancelling the activity.
22
Reducing impacts and likelihood
Understanding the causes, controls and potential impacts of a risk is key to estimating the residual impact and likelihood.
[Bow-tie diagram: Cause 1 to Cause 4 pass through preventative controls to the Risk; the Risk passes through corrective controls to Impact 1 to Impact 3.]
Most risks have a variety of possible causes.
Preventative controls reduce the likelihood or impact from these causes.
Corrective controls reduce the impact if the risk event happens; they cannot reduce its likelihood.
23
Selecting additional controls
The wrong control strategy can be expensive and ineffective.
Deciding which risks to control is central to effective risk management.
[Scale of control: Too little / Just right / Too much]
Balance is very important:
• Under-control can lead to increased costs as risks materialise, and to unacceptable risk exposure.
• Over-control can also lead to increased cost through excessive mitigation, and to reduced innovation.
24
What is ERM? (cont’d)
Control Activities: policies and procedures that the organisation implements to address the risks.
25
What is ERM? (cont’d)
Information & Communication: practices that ensure the right information is communicated at the right time to the right people.
26
What is ERM? (cont’d)
Monitoring: ongoing evaluations to ensure controls are functioning as designed, and taking corrective action to enhance control activities if needed.
27
Threats and opportunities
Threat: a risk that may HINDER the achievement of objectives.
Opportunity: a risk that may HELP the achievement of objectives.
The same source of uncertainty can be either, for example:
• Interest rates
• Foreign exchange rates
• Supply of service/product/resources
• Demand/uptake for service/product/resources
• The economy
• The weather
• The stock market
28
ERM Framework?
29
A Simple Framework
Step 1: Establish Objectives
Step 2: Identify Risks & Controls
Step 3: Assess Risks & Controls
Step 4: Evaluate & Take Action
Step 5: Monitor & Report
Throughout: Communicate, learn, improve
30
Enterprise Risk Management
[Diagram: the five-step cycle (Establish, Identify, Assess, Evaluate, Monitor) with Communication & Learning at its centre, repeated at Division Level, Branch Level, and Unit or Project Level; each level feeds a Periodic Summary Analysis & Report upward to the level above.]
31
Risk rating
Combining impact and likelihood (organisation-wide)
[RISK PRIORITIZATION MATRIX: IMPACT (1 to 5) on the vertical axis, LIKELIHOOD (1 to 5) on the horizontal axis; each cell holds RISK = I x L.]
32
Risk Prioritization – likelihood and impact
Likelihood of a risk event occurring:
• Very High: is almost certain to occur
• High: is likely to occur
• Medium: is as likely as not to occur
• Low: may occur occasionally
• Very Low: unlikely to occur
Risk Impact: level of damage that can occur when a risk event occurs:
• Very High: threatens the success of the project
• High: substantial impact on time, cost or quality
• Medium: notable impact on time, cost or quality
• Low: minor impact on time, cost or quality
• Very Low: negligible impact
33
Risk Assessment Matrix (RAM)
Example
34
Risk reporting and communications
Risk Level: Action and Level of Involvement Required
Critical Risk:
• Inform Chief Executive Officer and Board of Directors
• Immediate action required
High Risk:
• Inform Chief Executive Officer
• Strategy Team involvement/attention is essential to manage risks; provide report to Board as appropriate
• Management mitigation and ongoing monitoring required
Moderate Risk:
• Inform relevant Strategy Team members
• Accept, but monitor risks
Low Risk:
• Manage by routine procedures within the program and site
35
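The I x L rating, the bow-tie distinction between preventative and corrective controls, and the escalation table above can be combined into a small register-scoring script. The following is an added example, not a tool from the presentation or from Oman LNG. The score cut-offs for Critical/High/Moderate/Low, the model in which a control removes a fixed number of points from likelihood or impact, and the sample risks (references OP-05, FIN-02, OP-04, REP-04) are assumptions of this example; the escalation actions are the ones listed on the slide.

```python
"""Score a small risk register with the deck's I x L rating, bow-tie
controls and reporting levels. Added illustration, not the presentation's
own tool. ASSUMED here (not on the slides): the numeric level bands, the
point-reduction control model, and the constructed sample risks."""
from dataclasses import dataclass, field

SCALE = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}

# ASSUMED cut-offs for the 1..25 score; the slides name the levels only.
LEVEL_BANDS = ((15, "Critical"), (10, "High"), (5, "Moderate"), (1, "Low"))

# Escalation actions as listed on the "Risk reporting and communications" slide.
ESCALATION = {
    "Critical": ("Inform CEO and Board of Directors", "Immediate action required"),
    "High": ("Inform CEO",
             "Strategy Team involvement; report to Board as appropriate",
             "Management mitigation and ongoing monitoring required"),
    "Moderate": ("Inform relevant Strategy Team members", "Accept, but monitor"),
    "Low": ("Manage by routine procedures within the program and site",),
}


def clamp(value: int) -> int:
    """Keep a rating on the 1..5 scale after control adjustments."""
    return max(1, min(5, value))


def score(likelihood: int, impact: int) -> int:
    """Risk = I x L, the cell value of the prioritisation matrix."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be integers 1..5")
    return likelihood * impact


def level(risk_score: int) -> str:
    """Map a 1..25 score onto a reporting level using the ASSUMED bands."""
    for floor, name in LEVEL_BANDS:
        if risk_score >= floor:
            return name
    raise ValueError(f"score out of range: {risk_score}")


@dataclass
class Control:
    name: str
    kind: str        # "preventative" lowers likelihood; "corrective" lowers impact
    reduction: int   # points removed on the 1..5 scale (assumed model)

    def __post_init__(self):
        if self.kind not in ("preventative", "corrective"):
            raise ValueError(f"unknown control kind: {self.kind!r}")
        if self.reduction < 0:
            raise ValueError("reduction must be non-negative")


@dataclass
class Risk:
    ref: str
    description: str
    likelihood: int   # inherent rating, 1..5
    impact: int       # inherent rating, 1..5
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        return score(self.likelihood, self.impact)

    def residual_ratings(self) -> tuple:
        """Bow-tie: preventative controls act on the cause side (likelihood),
        corrective controls on the consequence side (impact, never likelihood)."""
        l, i = self.likelihood, self.impact
        for c in self.controls:
            if c.kind == "preventative":
                l -= c.reduction
            else:
                i -= c.reduction
        return clamp(l), clamp(i)

    def residual(self) -> int:
        return score(*self.residual_ratings())


def rank_register(risks: list) -> list:
    """Highest residual score first, so the top key risks surface."""
    return sorted(risks, key=lambda r: (r.residual(), r.inherent()), reverse=True)


def report_line(risk: Risk) -> dict:
    lvl = level(risk.residual())
    l, i = risk.residual_ratings()
    return {"ref": risk.ref, "inherent": risk.inherent(), "residual": risk.residual(),
            "likelihood": SCALE[l], "impact": SCALE[i], "level": lvl,
            "actions": ESCALATION[lvl]}


# Constructed sample register (not real data); wording follows the "Risk Examples" slides.
SAMPLE_REGISTER = [
    Risk("OP-05", "Access to information or systems inappropriately granted or used", 4, 5,
         [Control("Quarterly access review", "preventative", 1),
          Control("Privileged-session logging and alerting", "corrective", 1)]),
    Risk("FIN-02", "Exposure to exchange-rate fluctuations", 3, 3),
    Risk("OP-04", "Health & Safety incident", 3, 5,
         [Control("Permit-to-work system", "preventative", 2)]),
    Risk("REP-04", "Pension fund not actuarially sound", 1, 4),
]

if __name__ == "__main__":
    for row in map(report_line, rank_register(SAMPLE_REGISTER)):
        print(f"{row['ref']:7} inherent={row['inherent']:2} residual={row['residual']:2} "
              f"{row['level']:8} -> {row['actions'][0]}")
```

Running the script prints the register ranked by residual score with the first escalation action for each entry. Note the two checks a practitioner would want: a control typed as anything other than preventative or corrective is rejected at construction, and a rating outside 1..5 raises instead of being multiplied silently, so a badly entered register cannot produce a plausible-looking score.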
Why Risk Management May Fail
• Limitations of scope
• Lack of top management support: they do not see the added value
• Not all stakeholders engaged: lack of communication
• Failure to share information
• RM not embedded within the planning & management system
• Over-optimistic programme attempted in a very short time
• Quick wins could not be realised
36
Risk Examples?
37
Strategic Risks
Strategic Planning: business plans are not driven by creative and intuitive input, or are not based on accurate assumptions.
Resource Allocation: the resource allocation process does not establish and sustain competitive advantage or maximize returns for shareholders.
Reputation: reputation and image are not strong as perceived by one or more key stakeholders (public, suppliers, customers, media, employees, etc.).
Stakeholder Management: the organisation is not effective in managing key stakeholders in order to attain sustainable business.
Political: adverse consequences through political actions in a country in which the organisation is operating.
Unrest: the organisation is susceptible to employee or external unrest affecting company operation and continuity.
38
Operational Risks
Leadership: leadership & management of critical business processes is not effective.
Human Resources: vacancies in critical resources needed to manage key business processes, and/or major competency gaps.
Quality: the Quality Management System is not effective in preventing major quality issues.
Health & Safety: the organisation is exposed to significant liabilities, financial loss & negative publicity due to Health & Safety incidents.
Access: access to information or systems is inappropriately granted or used.
Interfaces Management: key and critical interfaces are not well identified, are not managed sufficiently, and/or there is significant misalignment between parties.
39
Financial Risks
Cash Flow: the organisation’s cash flow is not healthy and the organisation is unable to fund its operational or financial obligations.
Currency: the organisation is exposed to fluctuations in exchange rates as a result of activity in foreign markets and/or investment in foreign-currency-denominated securities.
Budget & Planning: budgets and business plans are not realistic and/or are based on inappropriate assumptions or cost drivers.
Product/Service Pricing: the organisation’s price is more than customers are willing to pay, or does not cover production & distribution costs.
Contract Commitment: data on outstanding contractual commitments is not accurate or not up to date.
Accounting Information: financial accounting information is not accurate or not up to date.
40
Compliance Risks
Compliance: failure to conform with laws & regulations at the international, country, state and local level.
Fraud: fraudulent activities perpetrated by management, employees, customers, suppliers or third parties against the organization for personal gain.
Illegal Acts: managers and employees, individually or in collusion, commit illegal acts.
Unauthorized Use: the organisation’s employees (or others) use its physical and financial assets for unauthorized or unethical purposes.
Ethical Behaviour: the organization does not demonstrate its commitment to ethical and responsible business behavior.
41
Reporting Risks
Financial Reporting: financial reports include material misstatements or omit material facts.
Internal Control: failure to accumulate sufficient relevant & reliable information to assess the design and operating effectiveness of internal control over financial reporting.
Taxation: failure to comply with tax regulations, and/or significant transactions have adverse tax consequences.
Pension Fund: pension funds are not actuarially sound, or are insufficient to satisfy the benefit obligations defined by the plan.
Regulatory Reporting: reports of operating and financial information required by regulatory agencies are incomplete, inaccurate or untimely, exposing the company to fines, penalties and sanctions.
42
Risk Register Example
43
Questions?
44
45
Backup Slides
46
ISO 31000 Framework
Overview
47
ERM Maturity Model
48
ERM Maturity Model (Cont.)
49
ERM Maturity Model (Cont.)
50
ERM Maturity Model (Cont.)
51
Management Discussion
1. Do we have an effective management strategy that supports the identification, assessment, and
management of risk? Are the right people engaged and accountable for the results?
2. Are there suggestions for how we should better manage the high probability / high impact risks that
we have identified?
3. Is the Governing Body satisfied that management is periodically monitoring changes in the
environment to identify significant impacts on the assumptions and risk inherent in the strategy?
4. Do we have an effective “tone at the top” and “tone of the organization” with respect to ERM?
5. What should be our appetite for risk?
52
For further reading:
A Wake-up Call: Enterprise Risk Management at Colleges and Universities Today, Association of
Governing Boards of Universities and Colleges and United Educators, 2014.
“Negative Outlook for US Higher Education Continues Even as Green Shoots of Stability
Emerge,” Moody’s Investors Service, July 11, 2014.
Janice M. Abraham, Risk Management: An Accountability Guide for University and College
Boards, AGB Press, 2013.
“The Five Lines of Defense – A Shareholder’s Perspective,” Board Perspectives: Risk Oversight,
Issue 51, Protiviti, 2013.
53